
CHFI Network and Cloud Forensics • Complete Question Bank

CHFI Network and Cloud Forensics — All Questions With Answers

Complete CHFI Network and Cloud Forensics question bank — all 27 questions with answers and detailed explanations.

27 questions. Free, no signup required.
Question 1 (easy, multiple choice)

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

Question 2 (medium, multiple choice)

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

Question 3 (hard, multiple choice)

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

Question 4 (easy, multiple choice)

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

Question 5 (medium, multiple choice)

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

Question 6 (hard, multiple choice)

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

Question 7 (easy, multiple choice)

During a network forensic investigation, the analyst recovers a PCAP file. What type of information can be directly extracted from this file?

Question 8 (medium, multiple choice)

An investigator is analyzing cloud storage logs and finds an entry showing that a file was accessed using the root credentials from an IP address in a different geographic region. The organization has strict policies against root usage. What should the investigator do FIRST?

Question 9 (hard, multiple choice)

A forensic analyst is examining a network intrusion detection system (NIDS) alert that triggered on a packet with the FIN, PSH, and URG flags set. What type of scan does this indicate?

Question 10 (easy, multi select)

Which TWO of the following are common challenges in cloud forensics?

Question 11 (medium, multi select)

Which THREE of the following are essential steps in network forensic investigation?

Question 12 (hard, multi select)

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Question 13 (medium, multiple choice)

Based on the ARP table exhibit, what is the most likely security issue?

Exhibit

Refer to the exhibit.

```
C:\> arp -a

Interface: 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.101         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.102         00-1a-2b-3c-4d-5e     dynamic
```
Question 14 (hard, multiple choice)

An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Question 15 (easy, multiple choice)

Based on the log exhibit, what type of attack is occurring?

Exhibit

Refer to the exhibit.

```
Nov 12 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:10 server1 sshd[1235]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:35 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
... (repeated every 25 seconds)
```
Question 16 (hard, multiple choice)

You are a forensic investigator for a healthcare organization that uses a hybrid cloud model. Your team receives an alert that a large amount of protected health information (PHI) was exfiltrated from an AWS S3 bucket to an external IP address. The organization uses AWS CloudTrail for API logging and VPC Flow Logs for network traffic. The incident occurred between 02:00 and 03:00 UTC. Upon reviewing CloudTrail logs, you see that the bucket policy was modified at 01:55 UTC to allow public read access, and then a series of GetObject requests from an IP address in a foreign country occurred. The VPC Flow Logs show outbound traffic from the bucket's VPC to that IP. The bucket policy change was made using the root user credentials of the AWS account. The organization has multi-factor authentication (MFA) enabled for all users, including root. However, the CloudTrail log for the policy change does not indicate MFA usage. You need to determine the most likely root cause of the breach. Which of the following is the most plausible explanation?

Question 17 (medium, multiple choice)

You are investigating a network breach at a financial institution. The organization uses a network-based intrusion detection system (NIDS) and maintains full packet capture (PCAP) for critical segments. The incident allegedly started with a spear-phishing email that delivered a remote access trojan (RAT). The security team has isolated the infected host and provided you with a disk image of the host and a PCAP file covering the network traffic from the host for the 24-hour period before isolation. In the PCAP, you see a series of TCP connections from the host to an external IP address on port 443 (HTTPS). The external IP is known to be associated with a command-and-control (C2) server. However, the disk image shows no evidence of the RAT binary or any malicious files. The host's antivirus logs are clean. Which of the following is the most likely explanation for the lack of evidence on the disk?

Question 18 (hard, multiple choice)

During a forensic investigation of a cloud environment, a forensic analyst discovers that the virtual machine (VM) used by a suspect was terminated three days prior. The cloud provider offers snapshots, backups, and instance metadata. Which of the following is the BEST course of action to recover forensic evidence?

Question 19 (easy, multiple choice)

A forensic investigator needs to capture network traffic from a SPAN port on a switch to analyze an ongoing compromise. Which tool should the investigator use to collect the full packet capture (pcap) for later analysis?

Question 20 (medium, multiple choice)

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

Question 21 (hard, multi select)

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

Question 22 (medium, multiple choice)

During a forensic investigation, the analyst runs netstat -ano on a compromised workstation. Based on the exhibit, which connection is MOST suspicious and should be investigated further?

Exhibit

Refer to the exhibit.

```
C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     5678
  TCP    192.168.1.10:49153     192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    910
  UDP    192.168.1.10:137       *:*                                    910
```
Question 23 (hard, multiple choice)

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

Question 24 (easy, multi select)

During a cloud forensic investigation of an AWS EC2 instance, which TWO sources should be preserved to capture volatile data before instance termination?

Question 25 (hard, multiple choice)

You are investigating a network breach at a financial institution. The perimeter firewall logs show an inbound connection from IP 203.0.113.5 to the internal web server (192.168.1.10) on TCP port 443 at 02:34:12 UTC. At 02:34:15, an outbound connection from the web server to an external IP 198.51.100.20 on TCP port 80 is logged. Simultaneously, a network intrusion detection system (NIDS) detected a SQL injection payload in the inbound HTTP request. The web server's access logs show a successful login to the admin panel at 02:34:18 from the same external IP 203.0.113.5. The database server (192.168.1.20) logs show a query execution at 02:34:20 that exported customer records. The company uses a jump box for administrative access, and all admin sessions are logged. The jump box logs show no activity during the incident. The web server hosts a public-facing application and is in a DMZ. The database server is in the internal network, with a firewall rule allowing only the web server to connect to it on TCP port 3306. Which course of action is MOST appropriate to determine the root cause and scope?

Question 26 (medium, drag order)

Drag and drop the steps to create a forensic timeline using the Sleuth Kit (TSK) and log2timeline into the correct order.

Question 27 (medium, matching)

Match each forensic artifact to its location in Windows (typical).

Locations:

C:\Windows\Prefetch
C:\Windows\System32\winevt\Logs
C:\$Recycle.Bin
C:\Windows\System32\config
C:\Users\[user]\AppData\Local\Microsoft\Windows\Explorer
