20+ practice questions focused on Evidence Acquisition and Duplication — one of the most tested topics on the Computer Hacking Forensic Investigator CHFI exam. Each question includes a detailed explanation so you learn why the right answer is correct.
During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?
Explanation: Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.
You are imaging a suspect's hard drive using a write blocker and dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?
Explanation: The hash mismatch indicates that the data on the original drive and the image file are not identical. A write blocker malfunction that allowed writes to the original drive during the imaging process would alter the source data after the initial hash was computed, causing the final hash of the original drive to differ from the hash of the image file taken at a different point in time. This is the most direct cause of a hash mismatch because the write blocker's primary purpose is to prevent any modification to the evidence.
A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?
Explanation: When the RAID controller is unavailable, the only reliable method to acquire the data is to image each physical disk individually using a forensic write blocker, then reconstruct the logical RAID 5 volume in a forensic software tool (e.g., FTK Imager, X-Ways Forensics, or EnCase). This preserves the original evidence on each disk and allows the examiner to rebuild the array by specifying the stripe size, parity rotation, and disk order, which is essential because RAID 5 distributes data and parity across all disks and can tolerate a single disk failure.
During a network forensic investigation, you need to capture live network traffic from a switch SPAN port. Which tool would best capture the traffic in a forensically sound manner?
Explanation: Wireshark is the best tool for capturing live network traffic from a switch SPAN port in a forensically sound manner because it provides a robust graphical interface for real-time packet capture and analysis, supports full packet capture with timestamps, and can write captures directly to a pcapng file format that preserves packet integrity and metadata. Its ability to run in promiscuous mode ensures all traffic from the SPAN port is captured without altering the data, meeting forensic requirements for accuracy and completeness.
You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?
Explanation: When a self-encrypting drive (SED) is powered on and logged in, the drive's hardware encryption key is already loaded and the data is accessible through the operating system. The best method to preserve the encrypted data in its decrypted state is to acquire a logical image from the running OS, which captures files and metadata without powering off the drive and losing the decryption context. Removing power or rebooting would cause the SED to lock, requiring the authentication key again and potentially altering the data state.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Evidence Acquisition and Duplication. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Evidence Acquisition and Duplication questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Evidence Acquisition and Duplication is tested as part of the Computer Hacking Forensic Investigator CHFI blueprint. Practicing with targeted Evidence Acquisition and Duplication questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Evidence Acquisition and Duplication is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.