© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


CHFI OS and File System Forensics • Complete Question Bank

CHFI OS and File System Forensics — All Questions With Answers

Complete CHFI OS and File System Forensics question bank — all 0 questions with answers and detailed explanations.

10 Questions
Question 1 • medium • multiple choice

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

Question 2 • hard • multiple choice

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

Question 3 • easy • multiple choice

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

Question 4 • medium • multi select

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

Question 5 • medium • multiple choice

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?

Question 6 • medium • multi select

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?

Question 7 • hard • multiple choice

A forensic analyst is reviewing the syslog from a compromised Linux server. Based on the exhibit, what does the 'orphan inode deleted' message indicate?

Exhibit

Refer to the exhibit.

=== Linux log excerpt (var/log/syslog) ===
Jan 12 10:15:32 server1 kernel: [ 1234.5678] EXT4-fs (sda1): recovery complete
Jan 12 10:15:33 server1 kernel: [ 1234.5680] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Jan 12 10:15:34 server1 sshd[2345]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2: RSA SHA256:abc...
Jan 12 10:15:35 server1 sshd[2346]: Received disconnect from 192.168.1.10 port 54321:11: disconnected by user
Jan 12 10:15:36 server1 kernel: [ 1234.5700] EXT4-fs (sda1): 1 orphan inode deleted
Jan 12 10:15:37 server1 kernel: [ 1234.5702] EXT4-fs (sda1): 1 orphan inode deleted

Question 8 • easy • multiple choice

You are a forensic investigator responding to an incident on a Windows 10 workstation used by a finance manager. The user reports that a critical spreadsheet containing quarterly budget data was accidentally deleted from the Desktop yesterday at approximately 3:00 PM. The system has been used normally since then, and the user has not emptied the Recycle Bin. You have created a forensic image of the drive using FTK Imager. The Recycle Bin contains a file named 'Quarterly_Budget.xlsx', but it appears to be a shortcut (size 1 KB). The user insists the original file was several megabytes. You need to recover the original file. Which action should you take next?

Question 9 • medium • drag order

Drag and drop the steps to perform a forensic analysis of a Windows registry using RegRipper into the correct order.

Question 10 • medium • matching

Match each forensic acquisition method to its description.

Collecting data from a running system

Collecting data from powered-off media

Copying only active files and metadata

Bit-for-bit copy of entire storage device

Collecting only fragments of unallocated space
