
EC-Council · 2026 Edition

CHFI Study Guide — How to Pass Computer Hacking Forensic Investigator

A complete preparation guide written by EC-Council-certified engineers. Covers the exam format, all 13 blueprint domains, a week-by-week study plan, and proven tips for passing first time.

Prep time: 3–4 months
Difficulty: Advanced
Exam questions: 125
Pass mark: 700/1000


On this page

  1. CHFI Exam at a Glance
  2. Why Earn the CHFI?
  3. Exam Domains & Weights
  4. Study Plan
  5. Exam Tips
  6. Practice Questions

CHFI Exam at a Glance

Exam code: CHFI
Full name: Computer Hacking Forensic Investigator
Vendor: EC-Council
Duration: 240 minutes
Questions: 125 items
Passing score: 700/1000 (scaled)
Domains covered: 13 blueprint domains
Recommended experience: 2+ years of information security or digital forensics work experience recommended
Typical prep time: 3–4 months

Why Earn the CHFI?

CHFI is the leading digital forensics certification. It validates the skills to investigate computer crimes, collect and preserve digital evidence, perform forensic analysis, and present findings in court — skills required for incident response and law enforcement support roles.

Job roles this opens

Digital Forensics Investigator, Incident Responder, Forensic Analyst, Law Enforcement (Cyber Crime), eDiscovery Analyst

CHFI Exam Domains

Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.

Computer Forensics Investigation Process
Computer Forensics Fundamentals and Process
Storage Forensics and File System Analysis
Incident Response and First Responder Skills
Computer Forensics Lab
Evidence Acquisition and Duplication
OS and Network Forensics
OS and File System Forensics
Application, Email and Cloud Forensics
Mobile and Malware Forensics
Network and Cloud Forensics
Database and Application Forensics
Malware Forensics


CHFI Study Plan

Weeks 1–3

Computer Forensics Investigation Process: methodology, legal standards, chain of custody, documentation

Tip: The computer forensics investigation process: First Response (secure the scene, photograph equipment in place) → Seizure and Acquisition (create a forensic image, document serial numbers) → Analysis (examine the image, not the original) → Reporting (document findings in a court-admissible format). Know what happens if any step is skipped — evidence may be inadmissible.

Weeks 4–6

Disk and File System Forensics: file systems (NTFS, FAT32, ext4), deleted file recovery, slack space

Tip: Know how file deletion works at the filesystem level: deleting a file marks the space as available but does not overwrite data until the OS writes new data to that location. This is why deleted file recovery is possible. Know tools: Autopsy, FTK (Forensic Toolkit), EnCase — and what each does.

Weeks 7–9

Network Forensics, Email Forensics, and Log Analysis

Tip: Email header analysis is a CHFI core skill. Know what each email header field contains: Received (each hop the email passed through, in reverse chronological order), From, Reply-To, X-Originating-IP (sender's IP address). Questions give an email header and ask you to trace the origin or identify spoofing.
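The header walk described in the Weeks 7–9 tip, as an added example that is not part of the original guide. The sample message is constructed (made-up hosts, documentation-range IPs), and the finding names and the chain-continuity heuristic are assumptions of this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: hosts and addresses are made up, IPs are documentation ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 3 Mar 2025 10:00:09 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 3 Mar 2025 10:00:05 +0000
Received: from workstation (unknown [203.0.113.45])
\tby relay.transit.example with ESMTP id C3; Mon, 3 Mar 2025 10:00:01 +0000
From: "Accounts Payable" <billing@vendor.example>
Reply-To: payments@lookalike.example
X-Originating-IP: [203.0.113.45]
Subject: Updated bank details

Body omitted.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def trace_hops(msg):
    """Received headers are newest-first; return hops oldest-first as (from, ip, by)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        hops.append((_first(r"\bfrom (\S+)", flat), _first(IP_RE, flat),
                     _first(r"\bby (\S+)", flat)))
    return hops

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    hops, findings = trace_hops(msg), []
    if domain(msg["Reply-To"]) and domain(msg["Reply-To"]) != domain(msg["From"]):
        findings.append("reply-to-domain-mismatch")
    # Heuristic: each hop's "by" host should be the next hop's "from" host.
    for i in range(len(hops) - 1):
        if hops[i][2] != hops[i + 1][0]:
            findings.append(f"received-chain-break-after-hop-{i + 1}")
    xoip = _first(IP_RE, msg["X-Originating-IP"] or "")
    if xoip and hops and xoip != hops[0][1]:
        findings.append("x-originating-ip-differs-from-first-hop")
    return {"hops": hops, "origin_ip": hops[0][1] if hops else None, "findings": findings}
```

Received lines added before the first server you trust, and X-Originating-IP itself, are supplied by the sending side, so treat the traced origin as a lead to corroborate with server logs rather than as proof.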

Weeks 10–13

Mobile Forensics, Cloud Forensics, Malware Forensics, and Anti-Forensics

Tip: Mobile device forensics: know the acquisition types — physical (bit-by-bit image of flash memory, most complete), logical (file system level, misses deleted data), and cloud backup (quick but limited). Faraday shielding or aviation (airplane) mode must be in place before imaging to prevent remote wipe. Know the Cellebrite UFED as the primary mobile forensics tool.

CHFI Exam Tips

The order of volatility in evidence collection: CPU cache and registers → RAM → swap/paging file → network connections → running processes → hard disk → removable media → backup media. Collect the most volatile evidence first — it is lost when the system is powered off.

Write blockers are mandatory when acquiring disk images to prevent accidental modification of evidence. Know hardware write blockers (physical device between disk and computer) and software write blockers (block write system calls). The acquisition must produce a forensic image with hash verification (MD5 or SHA-256) to prove integrity.
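One way to carry out the hash verification step, shown as an added example rather than the guide's own material. The file names and the stand-in "image" are constructed; a real acquisition log would supply the recorded digests.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never load fully into RAM

def image_digests(path, algorithms=("md5", "sha256")):
    """Compute every requested digest in a single read pass over the image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only open; evidence is never written to
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, recorded):
    """Compare against digests recorded at acquisition; True per algorithm if intact."""
    current = image_digests(path, tuple(recorded))
    return {name: hmac.compare_digest(current[name], recorded[name].lower())
            for name in recorded}

def demo():
    """Constructed stand-in for a disk image: hash it, copy it, flip one bit."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.dd")       # hypothetical file name
        with open(original, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096)
        recorded = image_digests(original)  # what the acquisition log would hold
        intact = verify_image(original, recorded)

        altered = os.path.join(d, "working_copy.dd")    # hypothetical file name
        with open(original, "rb") as fh:
            data = bytearray(fh.read())
        data[100] ^= 0x01                   # single-bit change in the copy
        with open(altered, "wb") as fh:
            fh.write(data)
        return intact, verify_image(altered, recorded)

if __name__ == "__main__":
    print(demo())
```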

Steganography detection tools appear on CHFI: Stegdetect identifies JPEG files with hidden data, StegSpy detects multiple steganography tools. Know that steganography detection is statistical — tools look for anomalies in file data that suggest hidden content.

Anti-forensics techniques tested on CHFI: secure deletion (overwrite data before release — wipe utilities vs simple delete), encryption (makes data inaccessible without the key), steganography (hides data in plain sight), and log tampering (clearing Windows Event Log, modifying system logs). Know how investigators detect and counter each technique.

CHFIv10 exam: 150 questions, 4 hours. The practical component requires hands-on lab skills with forensic tools. If your exam includes a practical component, ensure you have used Autopsy, FTK Imager, Wireshark, Volatility (memory forensics), and basic Kali Linux forensics tools before exam day.


Digital forensics is about finding evidence after something has gone wrong — and making sure that evidence holds up in court or in an incident report.
