© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CHFI Incident Response and First Responder Skills • Complete Question Bank

CHFI Incident Response and First Responder Skills — All Questions With Answers

Complete CHFI Incident Response and First Responder Skills question bank — all 0 questions with answers and detailed explanations.

23 questions
Question 1 (easy, multiple choice)

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

Question 2 (medium, multiple choice)

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

Question 3 (hard, multiple choice)

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

Question 4 (easy, multiple choice)

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?

Question 5 (medium, multiple choice)

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?

Question 6 (hard, multiple choice)

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

Question 7 (easy, multiple choice)

A first responder is called to investigate a potential insider threat. The suspect's computer is turned off. What is the BEST procedure?

Question 8 (medium, multi select)

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

Question 9 (hard, multi select)

During the initial response to a suspected data exfiltration, which THREE pieces of volatile data should be collected first? (Choose three.)

Question 10 (hard, multiple choice)

Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?

Exhibit:
C:\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     3342
  TCP    192.168.1.10:49153     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49154     192.168.1.1:53         TIME_WAIT       2016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       668
  UDP    0.0.0.0:123            *:*                                    888
  UDP    0.0.0.0:1900           *:*                                    4320
Question 11 (easy, multiple choice)

Refer to the exhibit. A first responder runs the command on a Linux server. Which process should be considered MOST suspicious and investigated immediately?

Exhibit:
$ ps aux | grep -E "bash|nc|python|perl"

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1245  0.0  0.1  21908  3420 ?        S    10:15   0:00 /bin/bash
root      1302  0.0  0.0  12368   876 ?        S    10:16   0:00 nc -lvp 4444
root      1310  0.5  0.2  30240  5678 ?        S    10:17   0:02 python /tmp/.payload.py
root      1325  0.0  0.0  12368   912 ?        S    10:18   0:00 perl /tmp/.script.pl
Question 12 (hard, multiple choice)

You are a first responder for a medium-sized company with 500 employees. The incident response team has been alerted to a possible data breach involving the CEO's laptop, which is a Windows 10 system. The CEO reports that the laptop has been acting strangely, with unusual pop-ups and slow performance. The laptop is currently powered on and connected to the corporate network via Wi-Fi. The CEO is logged in and has several applications open, including email and a web browser. The security team suspects malware may be exfiltrating sensitive documents. As the first responder, you must decide the best course of action to preserve evidence and contain the threat while minimizing impact on business operations. Which action should you take FIRST?

Question 13 (medium, multiple choice)

During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?

Question 14 (hard, multi select)

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Question 15 (easy, multiple choice)

Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?

Exhibit:
C:\> netstat -ano
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1045     203.0.113.5:4444      ESTABLISHED     1234
  TCP    192.168.1.100:1046     192.168.1.1:443        ESTABLISHED     5678
  TCP    192.168.1.100:1047     10.0.0.1:22            ESTABLISHED     9012
  TCP    192.168.1.100:1048     198.51.100.7:80        TIME_WAIT       3456
Question 16 (medium, multiple choice)

You are a first responder for a medium-sized enterprise. The Help Desk received multiple reports that users cannot access the company's internal web application (app.example.com) hosted on a Windows Server 2019 VM. The server is also running a MySQL database and an FTP service for file transfers. You remote into the server and find that the web server (IIS) is still running, but the application pool is stopped. The event logs show multiple failed logon attempts from an external IP address (198.51.100.23) for the local administrator account around the time the issues started. The FTP service log shows successful anonymous logins from the same IP minutes before the web app failure. The MySQL log shows a query 'DROP TABLE users;' executed at 03:15 AM. The current time is 04:00 AM. What immediate action should you take?

Question 17 (medium, multiple choice)

During the initial response to a suspected data breach, a first responder discovers a live system with active network connections. The responder needs to preserve evidence while minimizing alteration. Which of the following is the MOST appropriate first step?

Question 18 (hard, multi select)

Which TWO actions are essential for a first responder when securing an incident scene involving a compromised server? (Select exactly two.)

Question 19 (easy, multiple choice)

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

Exhibit:
C:\Users\Forensic> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.2.3.4:443           ESTABLISHED     1234
  TCP    192.168.1.10:49153     192.168.1.1:80         TIME_WAIT       0
  TCP    192.168.1.10:49154     10.2.3.4:80            ESTABLISHED     1234
  UDP    0.0.0.0:5353           *:*                                    5678
Question 20 (medium, drag order)

Drag and drop the steps to capture network traffic with Wireshark for forensic analysis into the correct order.

Question 21 (medium, drag order)

Drag and drop the steps to perform a forensic analysis of a USB drive to identify the connected computer using Windows artifacts into the correct order.

Question 22 (medium, matching)

Match each file system to its typical maximum volume size (as commonly encountered).

Matches:
2 TB
256 TB
128 PB
1 EB
8 EB

Question 23 (medium, matching)

Match each log type to its typical content.

Matches:
Login attempts, privilege use
Driver failures, system crashes
Application errors and events
Allowed/blocked network connections
HTTP requests, IP addresses, user agents
