17+ practice questions focused on Database and Application Forensics, one of the most tested topics on the Computer Hacking Forensic Investigator (CHFI) exam. Each question includes a detailed explanation so you learn why the right answer is correct.
During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?
Explanation: MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.
A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?
Explanation: The listener.log is the correct source because Oracle's listener records all client connections and SQL*Net traffic, including the raw SQL statements sent to the database. When SQL injection is performed, the injected payload is transmitted as part of the SQL query over the network, and the listener log captures these exact statements, providing direct evidence of the attack.
An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?
Explanation: Option C is correct because, under the full recovery model, point-in-time recovery is required to undo the DROP TABLE. By performing a tail-log backup (to capture any transactions after the last log backup), then restoring the full backup and all subsequent transaction log backups with STOPAT or STOPBEFOREMARK to the moment just before the DROP TABLE, the analyst can recover the table without losing other transactions. This is the only method that preserves the dropped table's data while maintaining database consistency.
During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?
Explanation: The audit log (auditLog) is the correct source because it is specifically designed to record user authentication and database operations, including which user executed a write operation. MongoDB's audit system captures detailed events such as insert, update, and delete commands along with the authenticated user identity, making it the definitive forensic artifact for user attribution.
A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?
Explanation: D is correct because `pg_waldump` is the PostgreSQL utility specifically designed to parse Write-Ahead Log (WAL) files and display their contents in a human-readable format, including the exact timestamps and operation types (e.g., DELETE). Since the database uses WAL archiving, the archived WAL segments will contain a record of every data modification, allowing the analyst to pinpoint when the deletions occurred.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Database and Application Forensics. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Database and Application Forensics questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Database and Application Forensics is tested as part of the Computer Hacking Forensic Investigator (CHFI) blueprint. Practicing with targeted Database and Application Forensics questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Database and Application Forensics is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.