Scenario-based practice

Drag and Drop Matching Questions

Practise Computer Hacking Forensic Investigator CHFI practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

10 scenario questions | Exam code: CHFI | Vendor: EC-Council

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag and drop matching questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, matching)

Match each forensic tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Acquisition and preview of disk images

Forensic analysis and evidence processing

Memory forensics and analysis

Network packet capture and analysis

Open-source file system analysis

Question 2 (medium, matching)

Match each network protocol to its well-known port number (TCP/UDP).

Concepts
Matches

21

23

161

389

3389

Question 3 (medium, matching)

Match each email forensic artifact to its source.

Concepts
Matches

Message source (RFC 5322 headers)

Microsoft Outlook personal folder

Microsoft Exchange server

Unix-based email clients

Individual email message export

Question 4 (medium, matching)

Match each forensic artifact to its location in Windows (typical).

Concepts
Matches

C:\Windows\Prefetch

C:\Windows\System32\winevt\Logs

C:\$Recycle.Bin

C:\Windows\System32\config

C:\Users\[user]\AppData\Local\Microsoft\Windows\Explorer

Question 5 (medium, matching)

Match each file system to its typical maximum volume size (as commonly encountered).

Concepts
Matches

2 TB

256 TB

128 PB

1 EB

8 EB

Question 6 (medium, matching)

Match each file carving technique to its description.

Concepts
Matches

Uses file signatures to find start and end

Uses internal file structure metadata

Reassembles fragmented files

Uses statistical models to identify file types

Handles files split into two fragments

Question 7 (medium, matching)

Match each Windows Registry hive to its stored information.

Concepts
Matches

User account passwords and hashes

System configuration and device drivers

Installed software and settings

Security policies and user rights

Per-user settings and preferences

Question 8 (medium, matching)

Match each steganography technique to its carrier medium.

Concepts
Matches

Image files (BMP, PNG)

Audio files (WAV, MP3)

GIF images

JPEG images

Plain text or documents

Question 9 (medium, matching)

Match each forensic acquisition method to its description.

Concepts
Matches

Collecting data from a running system

Collecting data from powered-off media

Copying only active files and metadata

Bit-for-bit copy of entire storage device

Collecting only fragments of unallocated space

Question 10 (medium, matching)

Match each log type to its typical content.

Concepts
Matches

Login attempts, privilege use

Driver failures, system crashes

Application errors and events

Allowed/blocked network connections

HTTP requests, IP addresses, user agents

These CHFI practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CHFI questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.