© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CHFI Evidence Acquisition and Duplication • Complete Question Bank

CHFI Evidence Acquisition and Duplication — All Questions With Answers

Complete CHFI Evidence Acquisition and Duplication question bank — all 0 questions with answers and detailed explanations.

20 questions. Free, no signup.
Question 1 (medium, multiple choice)

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

Question 2 (hard, multiple choice)

You are imaging a suspect's hard drive using a write blocker and dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

Question 3 (easy, multiple choice)

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

Question 4 (medium, multiple choice)

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

Question 5 (hard, multiple choice)

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

Question 6 (easy, multiple choice)

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

Question 7 (medium, multiple choice)

During a forensic acquisition, you notice that the target drive has bad sectors. What is the best approach to acquire the drive?

Question 8 (medium, multi-select)

Which TWO of the following are valid methods for acquiring volatile data from a live Windows system? (Choose two.)

Question 9 (hard, multi-select)

Which THREE of the following are acceptable best practices when acquiring evidence from a mobile device? (Choose three.)

Question 10 (medium, multiple choice)

The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

Exhibit

Refer to the exhibit.

[root@forensics ~]# dc3dd if=/dev/sda of=/evidence/sda.img hash=sha256 log=/evidence/log.txt

Output:

Fatal error: Input/output error while reading /dev/sda

Question 11 (hard, multiple choice)

Based on the acquisition log, what can be concluded about the integrity of the acquired image?

Exhibit

Refer to the exhibit.

Forensic Acquisition Log:

Source: /dev/sdb
Image: /mnt/evidence/case001.dd
Hash (MD5): Source= a1b2c3d4e5f6... Image= a1b2c3d4e5f6...
Hash (SHA1): Source= 1234567890ab... Image= 1234567890ab...

Verification: Passed

Question 12 (hard, multiple choice)

You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 that may contain evidence of unauthorized access. The server is running and logged in with administrative privileges. The server has 32 GB of RAM, a 1 TB SSD (BitLocker-encrypted, but unlocked), and is connected to the corporate network. The server is running several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?

Question 13 (hard, multiple choice)

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

Question 14 (easy, multi-select)

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

Question 15 (hard, multiple choice)

You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available:

A. Immediately pull the power cord to perform a cold acquisition of the hard drive.
B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging.
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running.
D. Use the built-in Windows backup to create a system image to an external drive.

Which action is the most appropriate first step in this scenario?

Question 16 (medium, multi-select)

During acquisition of a live Linux server, the forensic examiner runs the following command: # dd if=/dev/sda of=/mnt/evidence/disk.dd conv=noerror,sync bs=4k. Which TWO statements are true about this acquisition?

Question 17 (easy, multiple choice)

Refer to the exhibit. An investigator runs fsstat and dstat on a captured image. What is the total capacity of the volume?

Exhibit

Refer to the exhibit.

# fsstat /dev/sdb1
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 1234ABCD5678EF90
Volume Name: Evidence
Number of MFT Records: 1024
MFT Record Size: 1024 bytes

# dstat /dev/sdb1
DETAILS OF DISK STATISTICS
--------------------------------------------
Total Sectors: 2097152
Sector Size: 512 bytes
Cluster Size: 4096 bytes
Free Clusters: 524288

Question 18 (hard, multiple choice)

You are a forensic investigator responding to a data breach at a financial institution. The compromised server is a Windows Server 2019 running a custom trading application. The server is still powered on and connected to the production network. The incident response team has instructed you to acquire forensic evidence while minimizing downtime. The server has 2 TB of storage with 500 GB used. You have a forensic workstation with a write-blocker and an empty 2 TB external drive. The server's RAM is 64 GB. You need to acquire both volatile data (RAM) and a forensic image of the disk. However, the legal team requires a verified bit-for-bit copy with cryptographic hash verification. Additionally, the server's performance is critical; acquiring RAM via network is not feasible due to bandwidth constraints. Which of the following is the best course of action?

Question 19 (medium, drag order)

Drag and drop the steps to conduct a memory acquisition using DumpIt on a Windows system into the correct order.

Question 20 (medium, matching)

Match each network protocol to its well-known port number (TCP/UDP).


Port numbers to match: 21, 23, 161, 389, 3389
