
Scenario-based practice

Hard Difficulty Questions

Computer Hacking Forensic Investigator (CHFI) practice questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis and common exam traps.

20 scenario questions
Exam code: CHFI
Vendor: EC-Council

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise a definition. Working through them shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multiple choice)

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM while altering as little of the evidence as possible. Which tool and technique should the analyst use to minimize the footprint on the system?

Question 2 (hard, multiple choice)

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

Question 3 (hard, multi select)

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

Question 4 (hard, multiple choice)

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

Exhibit (FTK Imager output):

Sector size: 512
Total sectors: 625142448
Partition start: 2048
Partition end: 625139712
Partition type: NTFS (07)

Flags: 0x80 (Bootable)

File system: NTFS
Volume label: EVIDENCE_DRIVE
Serial number: 1234-5678

$MFT mirror: cluster 2
$MFT: cluster 0
Clusters per record: 1
Bytes per cluster: 4096

Question 5 (hard, multi select)

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

Question 6 (hard, multi select)

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Question 7 (hard, multiple choice)

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

Question 8 (hard, multiple choice)

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

Question 9 (hard, multiple choice)

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

Question 10 (hard, multiple choice)

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?
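Added example, not part of the question set: before deciding why a source went quiet, an investigator needs to know exactly when it did and whether the silence overlaps the incident window. This Python snippet finds gaps in one host's event timeline and scopes them against the window; the syslog-style lines, host name, incident window and 15-minute expected cadence are all constructed for the example.

```python
"""Locate silences in one log source's timeline, as an added illustration for Question 10.

Not part of the question bank. SAMPLE_LINES are constructed syslog-style
records from one host; the silence between 01:10 and 02:40 is deliberate.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_LINES = """\
2024-03-01T01:00:00Z web01 sshd[1021]: Accepted publickey for deploy from 10.0.0.5
2024-03-01T01:05:00Z web01 cron[1100]: (root) CMD (/usr/bin/logrotate)
2024-03-01T01:10:00Z web01 sshd[1022]: Accepted publickey for deploy from 10.0.0.5
2024-03-01T02:40:00Z web01 sshd[1300]: Failed password for root from 198.51.100.20
2024-03-01T02:45:00Z web01 sshd[1301]: Accepted password for root from 198.51.100.20
2024-03-01T02:50:00Z web01 systemd[1]: Started Session 44 of user root
"""


def window_from_iso(start, end):
    """Build a (start, end) UTC window from two ISO 8601 'Z' timestamps."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (datetime.strptime(start, fmt).replace(tzinfo=timezone.utc),
            datetime.strptime(end, fmt).replace(tzinfo=timezone.utc))


# Constructed incident window for this sample.
INCIDENT_WINDOW = window_from_iso("2024-03-01T02:00:00Z", "2024-03-01T02:30:00Z")


def parse_timestamps(text):
    """Sorted UTC timestamps of every line (the first whitespace-separated field)."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = line.split(" ", 1)[0]
        stamps.append(datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc))
    return sorted(stamps)


def find_gaps(stamps, max_silence=timedelta(minutes=15)):
    """Every pair of consecutive events further apart than max_silence.

    max_silence should come from the source's normal cadence (cron, heartbeat,
    audit volume); 15 minutes is an assumption for this sample.
    """
    return [(prev, cur, cur - prev)
            for prev, cur in zip(stamps, stamps[1:])
            if cur - prev > max_silence]


def gaps_in_window(gaps, window):
    """Gaps that overlap the window at all: a partial overlap still hides events."""
    start, end = window
    return [g for g in gaps if g[0] < end and g[1] > start]


def summarise(text, window=INCIDENT_WINDOW, max_silence=timedelta(minutes=15)):
    stamps = parse_timestamps(text)
    gaps = find_gaps(stamps, max_silence)
    return {
        "events": len(stamps),
        "first": stamps[0],
        "last": stamps[-1],
        "gaps": gaps,
        "gaps_in_window": gaps_in_window(gaps, window),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LINES)
    for start, end, length in result["gaps"]:
        print(f"silence {start.isoformat()} -> {end.isoformat()} ({length})")
    print("overlapping incident window:", len(result["gaps_in_window"]))
```

Run against several sources at once, the same gap boundaries appearing on every host point at the collection pipeline, while a gap on a single host points at that host's agent or the host itself; either way the next step is to check the collector's own ingestion records for the same interval rather than assume the events never happened.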

Question 11 (hard, multiple choice)

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

Question 12 (hard, multiple choice)

An investigator finds the following bucket policy attached to an S3 bucket. What is the security concern?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
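
Added example (not from the question set): a Python check that reads the bucket policy above and reports every Allow statement whose principal is anonymous, together with the actions and resources it opens up. The policy text is the exhibit; SCOPED_POLICY is a constructed contrast case limited to one account, and the helper names are the example's own.

```python
"""Flag bucket-policy statements that grant access to everyone.

Added example, not part of the question set. POLICY is the exhibit from
Question 12; SCOPED_POLICY is a constructed contrast case; helper names are mine.
"""
import json

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
""")

# Constructed: the same permission, but limited to one account's root principal.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for "*" and {"AWS": "*"}, the two spellings that mean any principal at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Allow statements open to anonymous principals, with what each permits.

    A Condition block (for example on aws:SourceVpce) can narrow an otherwise
    public statement, so such statements are still reported but marked
    'conditional' rather than silently dropped.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(public_statements(POLICY), indent=2))
    print(public_statements(SCOPED_POLICY))
```

The check only covers the policy document itself; whether anonymous requests actually succeed also depends on the bucket's Block Public Access settings, so the finding should be read as "the policy would allow it" and confirmed against the bucket's configuration.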

Question 13 (hard, multiple choice)

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

Question 14 (hard, multi select)

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Question 15 (hard, multiple choice)

An organization uses Microsoft SQL Server 2019 with the full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

Question 16 (hard, multiple choice)

You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?

Question 17 (hard, multiple choice)

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

Question 18 (hard, multiple choice)

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

Question 19 (hard, multiple choice)

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

Exhibit (fls output):

C:\> fls -f ntfs -o 2048 image.dd
r/r 4-128-3: $AttrDef
r/r 8-128-2: $BadClus
r/r 6-128-2: $Bitmap
r/r 7-128-1: $Boot
r/r 11-128-3: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 108-128-2: Users
r/r 109-128-3: ProgramData
r/r 110-128-2: Windows
r/r 111-128-1: Program Files
r/r 112-128-1: Program Files (x86)
V/V 113-128-1: $OrphanFiles
r/r 114-128-3: autoexec.bat
r/r 115-128-1: config.sys

Question 20 (hard, multi select)

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

These CHFI practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CHFI questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.