EC-Council · CHFI

CHFI OS and File System Forensics Practice Questions

10+ practice questions focused on OS and File System Forensics — one of the most tested topics on the Computer Hacking Forensic Investigator CHFI exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample OS and File System Forensics Questions

1. During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

A. Use 'foremost' to carve files based on file headers and footers.
B. Use 'grep -a' to search the raw disk for file signatures.
C. Use 'scalpel' to perform a deep scan of the filesystem.
D. Use 'extundelete' to recover files from the ext4 filesystem.

Explanation: Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.

2. A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

A. NTUSER.DAT hive, key 'Control Panel\Desktop\'
B. SYSTEM hive, key 'CurrentControlSet\Control\Windows\', value 'ShutdownTime'
C. SOFTWARE hive, key 'Microsoft\Windows NT\CurrentVersion\'
D. SAM hive, key 'SAM\Domains\Account\Users\'

Explanation: The SYSTEM hive stores system-wide configuration data, and the key 'CurrentControlSet\Control\Windows\' contains the 'ShutdownTime' value, which records the last system shutdown time. Since the last boot time is effectively the time after the last shutdown, querying this value provides the necessary information. This is a standard forensic artifact for determining system uptime and boot events on Windows 10.

3. During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

A. Use the 'dd' command to create a raw image without a write blocker.
B. Connect the drive to a forensic workstation and use the operating system's copy command.
C. Use a hardware write blocker and create a bit-stream image.
D. Format the drive before imaging to ensure no hidden data is missed.

Explanation: Option C is correct because using a hardware write blocker ensures that no write commands from the forensic workstation reach the suspect drive, preserving its integrity at the physical level. Creating a bit-stream image (sector-by-sector copy) captures all data, including slack space and unallocated clusters, which is essential for thorough forensic analysis. This combination is the gold standard in digital forensics, as mandated by best practices like those from NIST and the ACPO principles.

4. Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

A. SYSTEM\CurrentControlSet\Enum\USBSTOR registry key
B. Amcache.hve file
C. SetupAPI.dev.log file
D. Event Logs with source 'Device Setup'

Explanation: The SYSTEM\CurrentControlSet\Enum\USBSTOR registry key is a primary location where Windows records every USB storage device that has been connected to the system. Each device is listed under this key with a unique instance ID, including the vendor ID, product ID, and serial number, providing persistent evidence of USB connections even after the device is removed.

5. You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?

A. Boot the server using a forensic live CD, connect an external USB drive to the server, and use 'dd' to create a raw image on the external drive.
B. Use the server's built-in backup utility to create a system state backup and copy it to a network share.
C. Remove the hard drive, connect it via a write blocker to the forensic workstation, and then use 'dd' over a network connection to send the image to a remote server.
D. Remove the hard drive, connect it via a write blocker to the forensic workstation, and create an EWF (E01) image stored locally on the forensic workstation's internal drive.

Explanation: Option D is correct because it follows best practices for forensic acquisition: removing the hard drive and connecting it via a write blocker ensures that no data is altered during imaging. Using EWF (E01) format provides compression, metadata, and integrity checks (e.g., CRC32, MD5, SHA-1), which are essential for efficient analysis and evidence preservation. Storing the image locally on the forensic workstation avoids network latency and potential data corruption.


How to master OS and File System Forensics for CHFI

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of OS and File System Forensics. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

OS and File System Forensics questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CHFI OS and File System Forensics questions are on the real exam?

The exact number varies per candidate. OS and File System Forensics is tested as part of the Computer Hacking Forensic Investigator CHFI blueprint. Practicing with targeted OS and File System Forensics questions ensures you can handle any format or difficulty that appears.

Are these CHFI OS and File System Forensics practice questions free?

Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is OS and File System Forensics one of the harder CHFI topics?

Difficulty is subjective, but OS and File System Forensics is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: OS and File System Forensics
Exam: CHFI
Questions available: 10+