Question 167 of 1,000
Network and Cloud ForensicsmediumMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is using the AWS CLI sync command with the --checksum-mode flag, as this method best ensures integrity and chain of custody when performing a forensically sound copy of an S3 bucket. This approach automatically computes and compares SHA256 checksums during the transfer, guaranteeing that every object arrives without corruption or alteration, while also preserving critical metadata and timestamps that establish a reliable chain of custody. On the Computer Hacking Forensic Investigator CHFI exam, this question tests your understanding of cloud forensic acquisition procedures, specifically how to maintain evidentiary integrity in AWS environments—a common trap is selecting a simple copy or download command that lacks automated verification, leaving the evidence vulnerable to undetected bit-flips or truncation. Remember the memory tip: “Sync with checksum seals the chain,” meaning the sync command combined with checksum verification locks in both data integrity and the forensic audit trail.

CHFI Network and Cloud Forensics Practice Question

This CHFI practice question tests your understanding of network and cloud forensics. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use the AWS CLI sync command with the --checksum-mode flag to verify integrity during transfer.

Option D is correct because the AWS CLI `sync` command with the `--checksum-mode` flag automatically computes and compares checksums (e.g., SHA256) during the transfer, ensuring data integrity without manual intervention. This method also preserves metadata and timestamps, which is critical for maintaining a forensically sound copy and chain of custody in cloud forensics.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Download each object via the AWS Management Console and compute SHA256 hashes manually.

    Why it's wrong here

    Manual hashing is error-prone and not automated; no built-in integrity check.

  • Use the AWS CLI cp command recursively without any flags.

    Why it's wrong here

    Without checksum verification, the copy may not be bit-for-bit identical.

  • Generate a presigned URL for the bucket and use wget to download all files.

    Why it's wrong here

    Presigned URLs provide access but do not ensure integrity of the copy.

  • Use the AWS CLI sync command with the --checksum-mode flag to verify integrity during transfer.

    Why this is correct

    The sync command can verify checksums (e.g., SHA256) to ensure data integrity.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that any download method (like `cp` or `wget`) inherently preserves integrity, but the trap is that only explicit checksum verification (e.g., `--checksum-mode`) provides cryptographic assurance required for forensic soundness and chain of custody.

Detailed technical explanation

How to think about this question

The `--checksum-mode` flag in AWS CLI v2 enables the use of SHA256 checksums for both upload and download operations, overriding the default behavior that relies on MD5-based ETags (which are not cryptographically secure for forensic integrity). Under the hood, the CLI computes the SHA256 hash of each file before transfer and compares it with the server-side hash after transfer, logging any mismatches. In a real-world scenario, this ensures that even if the S3 bucket is publicly accessible and subject to concurrent modifications, the forensic copy remains verifiable and admissible in court.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A practitioner preparing for the CHFI exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CHFI practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CHFI practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CHFI question test?

Network and Cloud Forensics — This question tests Network and Cloud Forensics — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Use the AWS CLI sync command with the --checksum-mode flag to verify integrity during transfer. — Option D is correct because the AWS CLI `sync` command with the `--checksum-mode` flag automatically computes and compares checksums (e.g., SHA256) during the transfer, ensuring data integrity without manual intervention. This method also preserves metadata and timestamps, which is critical for maintaining a forensically sound copy and chain of custody in cloud forensics.

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.