Free · No account needed · No credit card

Computer Hacking Forensic Investigator CHFI Practice Test

1,000 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 240 min
Pass mark: 700%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Incident Response and First Responder Skills · easy

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

A. Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt. (Correct)
B. Immediately disconnect the system from the network to contain the threat.
C. Check the Windows Event Logs for related entries.
D. Reboot the system to clear any malicious processes from memory.

Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system cha…

Q2 · Incident Response and First Responder Skills · medium

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

A. Capture disk image, then memory, then network connections.
B. Record network connections, capture disk image, then memory.
C. Capture memory, record network connections, acquire disk image, then collect backups. (Correct)
D. Collect backups first, then disk image, then memory.

Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be captured first, followed by network connections, then disk images, and finally backups. This sequence minimizes data loss and ensures evidence integrity for l…

Q3 · Incident Response and First Responder Skills · hard

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

A. Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
B. Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M (Correct)
C. Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
D. Use dd if=/dev/sda1 of=/mnt/evidence/image.dd

Option B is correct because it uses dd with a 4M block size, which improves acquisition speed while still producing a bit-for-bit forensic image of the entire disk (/dev/sda). The conv=noerror,sync option in A is unnecessary for a live acquisition from a healthy disk and can mask…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
