Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Free · No Signup Required · EC-Council · CHFI

CHFI Database and Application Forensics Practice Questions

17+ practice questions focused on Database and Application Forensics — one of the most tested topics on the Computer Hacking Forensic Investigator CHFI exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Database and Application Forensics Questions

1. During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

A. Restore the transaction log files from backup and mount them to recover the deleted rows.
B. Use the 'SHOW UNDO' command to retrieve the deleted rows from undo tablespace.
C. Query the information_schema database to retrieve deleted rows from the data dictionary.
D. Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.

Explanation: MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.

2. A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

A. Control file
B. Redo log files
C. Listener log (listener.log)
D. Alert log (alert_SID.log)

Explanation: The listener.log is the correct source because Oracle's listener records all client connections and SQL*Net traffic, including the raw SQL statements sent to the database. When SQL injection is performed, the injected payload is transmitted as part of the SQL query over the network, and the listener log captures these exact statements, providing direct evidence of the attack.

3. An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

A. Restore the transaction log backup taken after the DROP TABLE and apply it to the database.
B. Use the RESTORE LOG statement with the NO_TRUNCATE option to recover the table.
C. Perform a tail-log backup, then restore the full backup and all subsequent transaction log backups, stopping before the DROP TABLE.
D. Restore the most recent full backup and ignore subsequent transaction log backups.

Explanation: Option C is correct because, under the full recovery model, point-in-time recovery is required to undo the DROP TABLE. By performing a tail-log backup (to capture any transactions after the last log backup), then restoring the full backup and all subsequent transaction log backups with STOPAT or STOPBEFOREMARK to the moment just before the DROP TABLE, the analyst can recover the table without losing other transactions. This is the only method that preserves the dropped table's data while maintaining database consistency.

4. During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

A. Journal (journal directory)
B. System log (mongod.log)
C. Audit log (auditLog)
D. Oplog (local.oplog.rs)

Explanation: The audit log (auditLog) is the correct source because it is specifically designed to record user authentication and database operations, including which user executed a write operation. MongoDB's audit system captures detailed events such as insert, update, and delete commands along with the authenticated user identity, making it the definitive forensic artifact for user attribution.

5. A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

A. Review the pg_stat_activity view to see the history of queries executed.
B. Examine the archive_status directory to find the timestamp of the WAL file that contains the deletion.
C. Query the pg_audit table to retrieve a log of all DELETE statements.
D. Use the pg_waldump utility to parse the WAL files and identify DELETE operations with timestamps.

Explanation: D is correct because `pg_waldump` is the PostgreSQL utility specifically designed to parse Write-Ahead Log (WAL) files and display their contents in a human-readable format, including the exact timestamps and operation types (e.g., DELETE). Since the database uses WAL archiving, the archived WAL segments will contain a record of every data modification, allowing the analyst to pinpoint when the deletions occurred.

+12 more Database and Application Forensics questions available


How to master Database and Application Forensics for CHFI

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Database and Application Forensics. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Database and Application Forensics questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CHFI Database and Application Forensics questions are on the real exam?

The exact number varies per candidate. Database and Application Forensics is tested as part of the Computer Hacking Forensic Investigator CHFI blueprint. Practicing with targeted Database and Application Forensics questions ensures you can handle any format or difficulty that appears.

Are these CHFI Database and Application Forensics practice questions free?

Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Database and Application Forensics one of the harder CHFI topics?

Difficulty is subjective, but Database and Application Forensics is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Database and Application Forensics
Exam: CHFI
Questions available: 17+