10+ practice questions focused on OS and File System Forensics — one of the most tested topics on the Computer Hacking Forensic Investigator CHFI exam. Each question includes a detailed explanation so you learn why the right answer is correct.
During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, given that the filesystem may have been partially overwritten?
Explanation: Foremost is the correct choice because it carves files by their content signatures (headers and footers) rather than by filesystem metadata. On ext4, deleting a file zeroes the extent tree in its inode, so metadata-driven undelete tools have little to work with even before any blocks are reused; foremost scans the raw disk blocks for known signatures, so it recovers file content even when the inodes are gone or the filesystem has been partially overwritten. The trade-off is that carving returns anonymous files: original names, paths and timestamps are lost, a file whose tail blocks were reused is recovered only up to the overwritten region, and fragmented files come back incomplete, so carved output should be triaged by type and hashed before analysis.
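To make the header/footer carving described above concrete, here is a minimal carver written for this page (it is an added example, not foremost's code or any tool from the exam). It reads a raw image as bytes, finds each configured header, and cuts at the first footer or at the type's maximum length, exactly as a foremost.conf entry specifies; the JPEG and PNG signatures, the 2 MiB limit and the sample image (a deleted JPEG, a PNG whose trailer was overwritten, and a second JPEG, embedded in zeroed blocks) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Header, footer and maximum carve length per type, in the spirit of a
# foremost.conf entry. Constructed for this example: only JPEG and PNG.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str        # signature name
    offset: int      # byte offset of the header in the image
    data: bytes      # carved content (up to max length when the footer is missing)
    complete: bool   # True when the footer was found within the maximum length


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Signature-based carving: scan raw bytes for each header, then cut at the
    first matching footer or, if none is found, at the type's maximum length.
    Filesystem metadata is never consulted, so files whose inodes were cleared
    are still found as long as their blocks have not been reused."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                # Header with no footer in range: the tail was overwritten or the
                # file is fragmented. foremost would still write max_len bytes.
                found.append(Carved(kind, start, window, False))
            else:
                found.append(Carved(kind, start, window[:end + len(footer)], True))
    return sorted(found, key=lambda c: c.offset)


# Constructed sample "image": 64 KiB of zeroed blocks holding a deleted JPEG whose
# inode is gone, a PNG whose tail blocks were reused (IEND trailer overwritten),
# and a second intact JPEG. No real picture data is needed to exercise the logic.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 32 + b"\xff\xd9"
FAKE_PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk" * 32   # no IEND trailer


def build_sample_image() -> bytes:
    image = bytearray(16 * 4096)
    image[4096:4096 + len(FAKE_JPG)] = FAKE_JPG
    image[8192:8192 + len(FAKE_PNG_HEAD)] = FAKE_PNG_HEAD
    image[12288:12288 + len(FAKE_JPG)] = FAKE_JPG
    return bytes(image)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        state = "complete" if c.complete else "truncated (footer overwritten)"
        print(f"{c.kind} @ {c.offset:#010x}: {len(c.data)} bytes, {state}")
```

The truncated PNG illustrates the partial-overwrite case from the question: its header is found, no trailer follows, so the carver emits the maximum length (here, everything to the end of the image, including the bytes of the next JPEG). Real carvers add heuristics to trim such carves; this example deliberately shows the raw behaviour so the analyst knows why carved files need validation.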
A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?
Explanation: The SYSTEM hive stores system-wide configuration data, and the value ShutdownTime under CurrentControlSet\Control\Windows records the time of the last clean shutdown as an 8-byte little-endian FILETIME (100-nanosecond intervals since 1 January 1601 UTC). It does not record the boot itself: the last boot happened at some point after this timestamp, so the value is a lower bound on the boot time, and it is not updated at all by a crash or a hard power-off. Corroborate it with the System event log (Event ID 6005, Event Log service started, and 6009, OS version logged at boot, or Kernel-General Event ID 12), and remember that in an offline hive CurrentControlSet is a link that must be resolved through Select\Current to ControlSet001 or ControlSet002. With those caveats, this value is the standard registry artifact for bracketing shutdown and boot events on Windows 10.
During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?
Explanation: Option C is correct because a hardware write blocker sits between the suspect drive and the forensic workstation and blocks every write command at the interface, so nothing the workstation or its operating system does (automounting, indexing, journal replay) can alter the evidence. Creating a bit-stream (sector-by-sector) image captures all data on the drive, including slack space and unallocated clusters that a logical file copy would miss, which is essential for thorough forensic analysis. Hashing the source drive and the image (MD5 and/or SHA-256), recording both values and verifying them before analysis proves that the copy is exact. This combination is the accepted standard in digital forensics, reflected in NIST SP 800-86 and ACPO Principle 1 (no action taken should change data that may later be relied upon in court).
Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?
Explanation: The SYSTEM\CurrentControlSet\Enum\USBSTOR registry key is a primary location where Windows records every USB mass-storage device that has been connected to the system. Each device gets a subkey whose name encodes the device class, vendor, product and revision strings (for example Disk&Ven_...&Prod_...&Rev_...), and beneath it an instance subkey named after the device's serial number followed by an interface suffix (&0). If the device reports no serial number, Windows generates an instance ID whose second character is an ampersand; such IDs are local to that host and port and cannot be used to match the same device seen elsewhere. The entries persist after the device is removed, so they are durable evidence of a connection, and the subkeys' LastWrite timestamps help bracket when the device was first installed.
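Both registry artifacts above (the ShutdownTime FILETIME and the USBSTOR instance paths) need decoding before they mean anything in a report. The following is an added example written for this page, not code from any forensic tool or from the exam: it converts a raw FILETIME to UTC and splits a USBSTOR instance path into vendor, product, revision and serial, flagging Windows-generated instance IDs. The 8-byte value and the two instance paths are constructed sample data, not values taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed REG_BINARY contents of
# HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime as a hive viewer
# would dump them: 8 bytes, little-endian FILETIME.
SHUTDOWN_TIME_RAW = bytes.fromhex("00c08976453cda01")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def shutdown_time_iso(raw: bytes = SHUTDOWN_TIME_RAW) -> str:
    """Last clean shutdown as an ISO 8601 string; the last boot is later than this."""
    return decode_filetime(raw).isoformat()


# Constructed instance paths as they appear under SYSTEM\CurrentControlSet\Enum\USBSTOR.
SAMPLE_USBSTOR = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230912345678&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a3b4c5d&0",
]

FIELD_NAMES = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}


def parse_usbstor_instance(path: str) -> dict:
    """Split a USBSTOR instance path into device class, vendor/product/revision
    strings and the serial number, flagging Windows-generated instance IDs."""
    parts = path.split("\\")
    device_id, instance_id = parts[-2], parts[-1]
    fields = device_id.split("&")
    info = {"class": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("_")
        info[FIELD_NAMES.get(key, key)] = value
    serial = instance_id.rsplit("&", 1)[0]  # trailing "&0" is the interface index
    info["serial"] = serial
    # When the device reports no serial, Windows synthesises an instance ID whose
    # second character is '&'. Such IDs are local to this host and port and cannot
    # be matched against the same device seen on another machine.
    info["serial_from_device"] = len(serial) > 1 and serial[1] != "&"
    return info


if __name__ == "__main__":
    print("Last clean shutdown (UTC):", shutdown_time_iso())
    for p in SAMPLE_USBSTOR:
        print(parse_usbstor_instance(p))
```

When working from an exported hive rather than a live system, read the ShutdownTime value from the control set that Select\Current points to; the FILETIME decoding is the same either way.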
You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?
Explanation: Option D is correct because it follows best practices for forensic acquisition: with the server already powered off, removing the drive and connecting it to the workstation through the write blocker (via the SATA-to-USB adapter) guarantees that no data is written to the evidence during imaging, whereas booting the server again would alter the NTFS volume (journal, prefetch, event logs) before any image is taken. The EWF (E01) format stores acquisition metadata (case number, examiner, acquisition time), compresses the data so the 500 GB volume produces a smaller image, and embeds integrity checks (a CRC per data chunk plus an MD5, and with most tools SHA-1, hash of the acquired data) that every major analysis suite verifies on open. A raw dd image is equally valid evidence but carries no built-in metadata or hashes, so those must be tracked separately. Writing the image to local storage on the forensic workstation avoids network latency and the risk of an interrupted transfer corrupting the image; the acquisition hash is verified against the source drive once imaging completes.
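The two acquisition questions above both hinge on the same mechanics: a sector-by-sector copy, hashed as it is taken, with unreadable sectors handled deterministically so the image hash is still meaningful. The block below is an added example written for this page, not the code of dd, ewfacquire or any imaging product: it images a constructed 1 MiB "disk" (a byte buffer whose reads fail on one listed sector, standing in for a write-blocked drive with a bad block), hashes the stream as it is written, falls back to sector granularity on read errors and zero-fills what still fails, then independently re-hashes the written image. The FlakyDisk class, the chunk sizes and the sample content are all assumptions made for the example.

```python
import hashlib
import os
import tempfile

SECTOR = 512
CHUNK = 64 * 1024   # read granularity; real imagers use megabytes


class FlakyDisk:
    """Constructed stand-in for a write-blocked block device: a byte buffer where
    any read touching a listed bad sector raises EIO, as a failing drive does."""

    def __init__(self, data: bytes, bad_sectors: set):
        self.data, self.bad, self.pos = data, bad_sectors, 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        start, end = self.pos, min(self.pos + n, len(self.data))
        if any(s * SECTOR < end and (s + 1) * SECTOR > start for s in self.bad):
            raise OSError(5, "Input/output error")
        self.pos = end
        return self.data[start:end]


def acquire(disk, out, size: int, chunk: int = CHUNK) -> dict:
    """Bit-stream copy of `size` bytes from disk to out, hashing the stream as it
    is written. A failed chunk is re-read sector by sector; sectors that still
    fail are zero-filled and logged (the behaviour of dd conv=noerror,sync and
    of ewfacquire's error-granularity setting)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    unreadable = []
    offset = 0
    while offset < size:
        n = min(chunk, size - offset)
        disk.seek(offset)
        try:
            buf = disk.read(n)
        except OSError:
            pieces = bytearray()
            for s in range(offset, offset + n, SECTOR):
                length = min(SECTOR, offset + n - s)
                disk.seek(s)
                try:
                    pieces += disk.read(length)
                except OSError:
                    pieces += b"\0" * length
                    unreadable.append(s // SECTOR)
            buf = bytes(pieces)
        out.write(buf)
        md5.update(buf)
        sha256.update(buf)
        offset += n
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "bytes": offset, "unreadable_sectors": unreadable}


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash the written image independently; a mismatch means the copy is not evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo_acquisition(bad_sectors=frozenset({300})) -> dict:
    """Image a constructed 1 MiB disk with one unreadable sector into a temp file."""
    data = bytes(range(256)) * 4096                      # 1 MiB deterministic content
    disk = FlakyDisk(data, set(bad_sectors))
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as img:
        result = acquire(disk, img, len(data))
        path = img.name
    result["image_verified"] = verify_image(path, result["sha256"])
    # What an error-free imager would record: the source with each unreadable
    # sector replaced by zeros. The acquisition hash must match exactly that.
    reference = bytearray(data)
    for s in bad_sectors:
        reference[s * SECTOR:(s + 1) * SECTOR] = b"\0" * SECTOR
    result["matches_zero_filled_source"] = hashlib.sha256(reference).hexdigest() == result["sha256"]
    os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo_acquisition())
```

The point a report must make explicit is visible in the returned dictionary: the list of zero-filled sectors, the hash of the stream as acquired, and the result of re-hashing the stored image. An E01 container records the first two for you; with a raw dd image the examiner has to log them by hand.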
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of OS and File System Forensics. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
OS and File System Forensics questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number of OS and File System Forensics questions varies from one exam form to another. The topic is part of the Computer Hacking Forensic Investigator CHFI blueprint, and practicing with targeted OS and File System Forensics questions prepares you for whatever format or difficulty appears.
Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but OS and File System Forensics is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full OS and File System Forensics practice session with instant scoring and detailed explanations.