EC-Council exam questions

Computer Hacking Forensic Investigator CHFI practice test

Practise diagnosing and fixing storage device failures and RAID array issues as tested on CHFI.

1,000 practice questions
13 topics covered
Exam code: CHFI
Vendor: EC-Council

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 1,000 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 1,000 CHFI questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

14 pages · 75 questions per page · 1,000 total

Related practice questions

Study CHFI by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Sample questions

Computer Hacking Forensic Investigator CHFI practice questions

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

Exhibit

C:\Users\Forensic> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.2.3.4:443           ESTABLISHED     1234
  TCP    192.168.1.10:49153     192.168.1.1:80         TIME_WAIT       0
  TCP    192.168.1.10:49154     10.2.3.4:80            ESTABLISHED     1234
  UDP    0.0.0.0:5353           *:*                                    5678

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

Exhibit

FTK Imager command output:

Sector size: 512
Total sectors: 625142448
Partition start: 2048
Partition end: 625139712
Partition type: NTFS (07)

Flags: 0x80 (Bootable)

File system: NTFS
Volume label: EVIDENCE_DRIVE
Serial number: 1234-5678

$MFT mirror: cluster 2
$MFT: cluster 0
Clusters per record: 1
Bytes per cluster: 4096

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

Exhibit

C:\> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 CryptSvc, Dnscache, LmHosts, EventSystem
svchost.exe                   1344 W32Time, WdiServiceHost
svchost.exe                    768 BFE, MpsSvc
notepad.exe                   1456 N/A
svchost.exe                    524 SessionEnv, TermService, UmRdpService
rundll32.exe                  1500 N/A

C:\> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1500

C:\> wmic process where processid=1500 get executablepath
ExecutablePath
C:\Windows\System32\rundll32.exe

A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

Match each forensic tool to its primary purpose.

Acquisition and preview of disk images

Forensic analysis and evidence processing

Memory forensics and analysis

Network packet capture and analysis

Open-source file system analysis

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

Exhibit

[root@forensics ~]# dc3dd if=/dev/sda of=/evidence/sda.img hash=sha256 log=/evidence/log.txt

Output:

Fatal error: Input/output error while reading /dev/sda

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

Exam question guide

How to use these CHFI questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests ability to diagnose and resolve storage device and RAID array failures.

Identifying failed hard drives and SSDs

Troubleshooting RAID 0, 1, 5, and 10

Interpreting POST codes and beep sequences

Checking SATA cables and power connections

These CHFI practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CHFI questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.