
Scenario-based practice

Select Two (Multi-Select) Questions

Practise Computer Hacking Forensic Investigator CHFI practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: CHFI
Vendor: EC-Council

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. Getting partial credit is not a thing — you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related CHFI topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1 (easy, multi-select)

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

Question 2 (hard, multi-select)

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

Question 3 (medium, multi-select)

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

Question 4 (hard, multi-select)

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

Question 5 (hard, multi-select)

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Question 6 (medium, multi-select)

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

Question 7 (medium, multi-select)

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

Question 8 (medium, multi-select)

Which THREE of the following are essential steps in network forensic investigation?

Question 9 (hard, multi-select)

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Question 10 (easy, multi-select)

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

Question 11 (medium, multi-select)

Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?

Question 12 (medium, multi-select)

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

Question 13 (hard, multi-select)

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

Question 14 (medium, multi-select)

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

Question 15 (medium, multi-select)

A mobile forensic examiner is analyzing an Android device that has been factory reset. Which TWO of the following artefacts are MOST likely to still be recoverable after a factory reset? (Select TWO)

Question 16 (medium, multi-select)

An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)

Question 17 (hard, multi-select)

During dynamic analysis of a malware sample, an analyst observes the following: creation of a mutex named `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`, a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` named `WindowsUpdate`, and outbound TCP traffic to `203.0.113.5:443`. Which THREE of the following indicators of compromise (IoCs) should be documented?

Question 18 (easy, multi-select)

Which TWO of the following are anti-forensic techniques used by malware to evade detection?

Question 19 (medium, multi-select)

A forensic analyst is examining an Android device using ADB extraction. Which TWO statements about ADB extraction are true?

Question 20 (medium, multi-select)

An incident responder is analyzing a compromised Windows workstation. Which TWO artifacts would provide the STRONGEST evidence of a malware persistence mechanism?

These CHFI practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CHFI questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.