
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Computer Hacking Forensic Investigator CHFI practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

13 scenario questions | Exam code: CHFI | Vendor: EC-Council

Scenario guide

How to approach "Refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice scenarios

Question 1 (easy, multiple choice)

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

Exhibit

C:\Users\Forensic> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.2.3.4:443           ESTABLISHED     1234
  TCP    192.168.1.10:49153     192.168.1.1:80         TIME_WAIT       0
  TCP    192.168.1.10:49154     10.2.3.4:80            ESTABLISHED     1234
  UDP    0.0.0.0:5353           *:*                                    5678

Question 2 (hard, multiple choice)

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

Exhibit

FTK Imager command output:

Sector size: 512
Total sectors: 625142448
Partition start: 2048
Partition end: 625139712
Partition type: NTFS (07)

Flags: 0x80 (Bootable)

File system: NTFS
Volume label: EVIDENCE_DRIVE
Serial number: 1234-5678

$MFT mirror: cluster 2
$MFT: cluster 0
Clusters per record: 1
Bytes per cluster: 4096
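
As an added worked example (not part of the Courseiva question or exhibit), the following Python decodes the fields the exhibit reports directly from a raw NTFS boot sector: bytes per sector, sectors per cluster, the $MFT and $MFTMirr start clusters, and the "clusters per record" field. That last field is a signed byte: a positive value is a count of clusters, a negative value means the record size is 2^|n| bytes (0xF6 = -10 gives the usual 1024-byte record on volumes with 4 KiB clusters), which is the caveat to keep in mind when a tool summary hands you "1". The boot-sector bytes are constructed by build_boot_sector() for the example; the field offsets are the standard NTFS BPB offsets.

```python
import struct


def build_boot_sector(bytes_per_sector, sectors_per_cluster, mft_cluster,
                      mftmirr_cluster, clusters_per_record, total_sectors=625137664):
    """Build a minimal 512-byte NTFS boot sector. Constructed test data, not from an image."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                              # jump instruction
    bs[3:11] = b"NTFS    "                                 # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<Q", bs, 0x30, mft_cluster)          # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, mftmirr_cluster)      # $MFTMirr start cluster
    struct.pack_into("<b", bs, 0x40, clusters_per_record)  # signed byte, see _decode_size_field
    struct.pack_into("<b", bs, 0x44, 1)                    # clusters per index block
    bs[0x1FE:0x200] = b"\x55\xAA"                          # boot signature
    return bytes(bs)


def _decode_size_field(value, bytes_per_cluster):
    # Positive values count clusters; negative values mean 2**abs(value) bytes.
    # Windows writes 0xF6 (-10) for 1024-byte MFT records when clusters are 4 KiB or larger.
    return (1 << -value) if value < 0 else value * bytes_per_cluster


def parse_ntfs_boot_sector(bs):
    """Decode the BPB/extended BPB fields an examiner cross-checks against a tool's summary."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    spc = bs[0x0D]
    # Very large clusters are encoded as a negative power of two in the same byte.
    sectors_per_cluster = (1 << (256 - spc)) if spc > 0x80 else spc
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", bs, 0x30)[0]
    mftmirr_cluster = struct.unpack_from("<Q", bs, 0x38)[0]
    clusters_per_record = struct.unpack_from("<b", bs, 0x40)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "bytes_per_cluster": bytes_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * bytes_per_cluster,            # byte offset within the volume
        "mftmirr_cluster": mftmirr_cluster,
        "mftmirr_offset": mftmirr_cluster * bytes_per_cluster,
        "clusters_per_record_raw": clusters_per_record,
        "mft_record_size": _decode_size_field(clusters_per_record, bytes_per_cluster),
    }


if __name__ == "__main__":
    # Constructed: 512-byte sectors, 8 sectors per cluster, $MFTMirr at cluster 2.
    print(parse_ntfs_boot_sector(build_boot_sector(512, 8, 0, 2, 1)))
    print(parse_ntfs_boot_sector(build_boot_sector(512, 8, 786432, 2, -10)))
```

With clusters_per_record=1 and 4096-byte clusters the parser reports 4096-byte MFT records; the same call with -10 reports 1024-byte records. On a real image, feed it the 512 bytes at the partition's byte offset (here sector 2048 times 512) and compare against what the imaging tool's summary claims before trusting either.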

Question 3 (medium, multiple choice)

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

Exhibit

C:\> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 CryptSvc, Dnscache, LmHosts, EventSystem
svchost.exe                   1344 W32Time, WdiServiceHost
svchost.exe                    768 BFE, MpsSvc
notepad.exe                   1456 N/A
svchost.exe                    524 SessionEnv, TermService, UmRdpService
rundll32.exe                  1500 N/A

C:\> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1500

C:\> wmic process where processid=1500 get executablepath
ExecutablePath
C:\Windows\System32\rundll32.exe

Question 4 (easy, multiple choice)

Based on the log exhibit, what type of attack is occurring?

Exhibit

Nov 12 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:10 server1 sshd[1235]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:35 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
... (repeated every 25 seconds)
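
The pattern in this exhibit (one source, one account, evenly spaced failures) is exactly what a detection over auth logs should surface. The following Python is an added example, not part of the question, and the log lines it parses are constructed to mirror the exhibit (six failures from 10.0.0.5 plus unrelated entries). It extracts failed-password events with a regex and applies a per-source sliding window, so slow, evenly spaced attempts are still caught; the threshold and window length are assumed tuning values, and the year is supplied by the caller because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH failure line; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2024):
    """Return (timestamp, source_ip, username) per failed-password line; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Per source IP, slide a window over failure times; report the peak count that reaches threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, 0):
                alerts[ip] = count
    return alerts


# Constructed sample: the exhibit's cadence continued for six attempts, plus noise.
SAMPLE_LOG = [
    "Nov 12 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:24:10 server1 sshd[1235]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:24:35 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:25:00 server1 sshd[1237]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:25:25 server1 sshd[1238]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:25:50 server1 sshd[1239]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Nov 12 09:26:02 server1 sshd[1240]: Accepted publickey for deploy from 10.0.0.7 port 51010 ssh2",
    "Nov 12 09:30:00 server1 sshd[1241]: Failed password for invalid user admin from 10.0.0.9 port 51022 ssh2",
]


if __name__ == "__main__":
    print(detect_bruteforce(parse_failed_logins(SAMPLE_LOG)))
```

The single failure from 10.0.0.9 stays below threshold and is not reported; 10.0.0.5 is reported with its peak in-window count. Grouping additionally by username (many accounts from one source) is the change that turns this into a password-spraying detector.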

Question 5 (medium, multiple choice)

Based on the ARP table exhibit, what is the most likely security issue?

Exhibit

C:\> arp -a

Interface: 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.101         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.102         00-1a-2b-3c-4d-5e     dynamic
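
The exhibit's tell is one physical address answering for three IPs, including the gateway. As an added example (not from the page), this Python parses Windows arp -a output and reports any MAC bound to more than one IP, skipping the broadcast and multicast addresses that legitimately map to many IPs. The sample table is constructed from the exhibit plus benign entries; the interface address 192.168.1.10 is assumed.

```python
import re
from collections import defaultdict

# One row of "arp -a" on Windows: IPv4, dash-separated MAC, and the entry type.
ARP_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<type>dynamic|static)\s*$",
    re.I,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; interface and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["type"].lower()))
    return entries


def _is_group_address(mac):
    # Broadcast, and any MAC with the I/G bit set (multicast), map to many IPs by design.
    return mac == "ff-ff-ff-ff-ff-ff" or (int(mac[:2], 16) & 1) == 1


def find_duplicate_macs(entries):
    """{mac: [ips]} for every unicast MAC that answers for more than one IP (ARP-spoofing indicator)."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if not _is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample: the exhibit's three rows plus entries a clean table would also show.
SAMPLE_ARP = """
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.101         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.102         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.50          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""


if __name__ == "__main__":
    print(find_duplicate_macs(parse_arp_table(SAMPLE_ARP)))
```

A duplicate that includes the default gateway's IP is the case to escalate first, since it puts the spoofing host in the path of all off-subnet traffic. Confirm against the switch's MAC table or a second host's ARP cache before concluding, because a legitimate router or a load balancer with a shared virtual MAC can produce the same picture.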

Question 6 (medium, multiple choice)

You are a forensic analyst investigating a suspected malware infection on a Windows 10 workstation. The user reports that the system has been slow and that unexpected pop-ups appear. You have acquired a memory dump and a disk image. During analysis, you find a suspicious process named 'svch0st.exe' running with PID 4567. The process has loaded several DLLs, including 'wininet.dll' and 'ws2_32.dll'. You also find that the process has an active TCP connection to an external IP address 203.0.113.5 on port 4444. In the disk image, you find an executable file at C:\Users\Public\svch0st.exe with a creation date that matches the start of symptoms. The file's hash is not in any known malware database. You decide to perform dynamic analysis by running the file in a sandbox. However, the sandbox environment has no network connectivity. The executable runs but does not exhibit any malicious behavior. What should you do next to determine if the file is malicious?


Question 7 (medium, multiple choice)

Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?

Exhibit

```
MySQL Binary Log Entry:
# at 12345678
#190101 10:00:00 server id 1  end_log_pos 12345679 CRC32 0x12345678 	Query	thread_id=100	exec_time=0	error_code=0
SET TIMESTAMP=1546336800/*!*/;
DELETE FROM users WHERE id=5
/*!*/;
```
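
As an added example, not part of the question, this Python parses mysqlbinlog text output into timeline entries. The '#YYMMDD HH:MM:SS' header is rendered by mysqlbinlog in the local time zone of the host running it, whereas SET TIMESTAMP carries the epoch seconds the statement executed with on the server, so the parser keeps both and reports the offset between them (zero when mysqlbinlog ran under UTC). The sample log is constructed: the first event is the exhibit's, the second is an assumed follow-on statement.

```python
import re
from datetime import datetime, timezone

# One Query event as printed by mysqlbinlog: position line, header line, SET TIMESTAMP, statement, delimiter.
EVENT_RE = re.compile(
    r"^# at (?P<pos>\d+)[ \t]*\n"
    r"^#(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) server id (?P<sid>\d+)\s+end_log_pos (?P<end>\d+)"
    r"[^\n]*?\tQuery\tthread_id=(?P<thread>\d+)[^\n]*\n"
    r"^SET TIMESTAMP=(?P<epoch>\d+)/\*!\*/;[ \t]*\n"
    r"(?P<stmt>.*?)\n^/\*!\*/;",
    re.M | re.S,
)


def parse_query_events(text):
    """Return one dict per Query event with both the header wall-clock time and the epoch time in UTC."""
    events = []
    for m in EVENT_RE.finditer(text):
        header_local = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")
        events.append({
            "pos": int(m["pos"]),
            "end_log_pos": int(m["end"]),
            "server_id": int(m["sid"]),
            "thread_id": int(m["thread"]),
            "header_local": header_local,                                   # naive, mysqlbinlog host TZ
            "time_utc": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
            "statement": m["stmt"].strip(),
        })
    return events


def header_offset_minutes(event):
    """Header time minus epoch time, in minutes: the TZ offset of the host that rendered the log."""
    naive_utc = event["time_utc"].replace(tzinfo=None)
    return int((event["header_local"] - naive_utc).total_seconds() // 60)


# Constructed sample: the exhibit's event followed by an assumed second statement on the same thread.
SAMPLE_BINLOG = "\n".join([
    "# at 12345678",
    "#190101 10:00:00 server id 1  end_log_pos 12345679 CRC32 0x12345678 \tQuery\tthread_id=100\texec_time=0\terror_code=0",
    "SET TIMESTAMP=1546336800/*!*/;",
    "DELETE FROM users WHERE id=5",
    "/*!*/;",
    "# at 12345679",
    "#190101 10:05:30 server id 1  end_log_pos 12345890 CRC32 0x0badf00d \tQuery\tthread_id=100\texec_time=0\terror_code=0",
    "SET TIMESTAMP=1546337130/*!*/;",
    "UPDATE users SET role='admin' WHERE id=7",
    "/*!*/;",
])


if __name__ == "__main__":
    for ev in parse_query_events(SAMPLE_BINLOG):
        print(ev["time_utc"].isoformat(), ev["thread_id"], ev["statement"], header_offset_minutes(ev))
```

When building a timeline, key it on time_utc (derived from SET TIMESTAMP) rather than the header, and record the offset once so the header times in the rest of the log can be read correctly; a non-zero offset tells you which time zone the examiner's mysqlbinlog ran in, not anything about the server.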

Question 8 (medium, multiple choice)

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?


Question 9 (hard, multiple choice)

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

Exhibit

C:\> fls -f ntfs -o 2048 image.dd
r/r 4-128-3: $AttrDef
r/r 8-128-2: $BadClus
r/r 6-128-2: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
d/d 108-144-2: Users
d/d 109-144-3: ProgramData
d/d 110-144-2: Windows
d/d 111-144-1: Program Files
d/d 112-144-1: Program Files (x86)
V/V 113-128-1: $OrphanFiles
r/r 114-128-3: autoexec.bat
r/r 115-128-1: config.sys

Question 10 (hard, multiple choice)

Refer to the exhibit. A forensic examiner is analyzing a Windows system and sees the NTFS file metadata shown in the exhibit. The user claims the file was last accessed at 09:15. Which of the following best explains the discrepancy?

Exhibit

=== File System Analysis Report ===
Drive: /dev/sda1 (NTFS)
Inode: 2345
File: critical_data.docx
Creation Time: 2024-03-10 09:15:00 UTC
Last Modified: 2024-03-10 09:20:00 UTC
Last Access: 2024-03-10 09:25:00 UTC
$LogFile Sequence Number: 123456
$UsnJrnl: Entry 7890
=== End of Report ===

Question 11 (easy, multiple choice)

Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?

Exhibit

```
SQL> SELECT * FROM v$transaction;

ADDR             XIDUSN XIDSLOT  XIDSQN UBAFIL UBABLK UBASQN UBAREC STATUS   START_SCNB START_SCNW
---------------- ------ ------- ------- ------ ------ ------ ------ -------- ---------- ----------
00000000C0F8         10      12  123456      4   5678    890      0 ACTIVE   1234567890          1

SQL> SELECT COUNT(*) FROM v$transaction WHERE status='ACTIVE';

  COUNT(*)
----------
         1
```

Question 12 (medium, multiple choice)

During a forensic investigation, the analyst runs netstat -ano on a compromised workstation. Based on the exhibit, which connection is MOST suspicious and should be investigated further?

Exhibit

```
C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     5678
  TCP    192.168.1.10:49153     192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    910
  UDP    192.168.1.10:137       *:*                                    910
```

Question 13 (medium, multiple choice)

Based on the exhibit, what is the most likely indication of malware persistence?

Exhibit

C:\Users\Admin> sc query WinDefend | findstr /i "name state"
SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender Antivirus Service
        STATE              : 4  RUNNING

C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
MsMpEng.exe                   1234 WinDefend
svchost.exe                   5678 BFE, MpsSvc
services.exe                  4321 N/A

C:\Users\Admin> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4321
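
Questions 1, 3, 12 and 13 all turn on the same triage: join netstat -ano to tasklist /svc by PID, then ask whether a listener or outbound connection belongs where it is. The following Python is an added example (not from the page) that does that join and flags listeners on ports outside an assumed baseline or owned by images that should never own a socket, plus established sessions to non-private addresses. The sample output is constructed from the Question 12 and 13 exhibits; the baseline port set, the no-listener image list and the internal address ranges are assumptions an analyst would tailor per environment.

```python
import ipaddress
import re

# One netstat -ano row; UDP rows have no State column, so it is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# One tasklist /svc row: image, PID, comma-separated services or N/A.
TASKLIST_RE = re.compile(r"^(?P<image>\S+\.exe)\s+(?P<pid>\d+)\s*(?P<services>.*?)\s*$")

# Assumptions, not from the exhibits: ports this workstation is expected to listen on, images
# that should never own a listening socket themselves, and what counts as "internal".
BASELINE_LISTEN_PORTS = {135, 137, 138, 139, 445, 3389, 5353, 5355}
NO_LISTENER_IMAGES = {"services.exe", "rundll32.exe", "notepad.exe", "explorer.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def split_endpoint(endpoint):
    """'192.168.1.10:49152' -> ('192.168.1.10', 49152); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m["proto"], "laddr": m["laddr"], "faddr": m["faddr"],
                         "state": m["state"] or "", "pid": int(m["pid"])})
    return rows


def parse_tasklist(text):
    """{pid: (image, [services])}; header and separator lines do not match the row pattern."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            raw = m["services"]
            svcs = [] if raw in ("", "N/A") else [s.strip() for s in raw.split(",")]
            procs[int(m["pid"])] = (m["image"], svcs)
    return procs


def is_external(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*', '0.0.0.0:0' remnants, hostnames
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(netstat_text, tasklist_text):
    """Return (pid, image, reason) for sockets that deserve a closer look, in netstat order."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        image, svcs = procs.get(row["pid"], ("<unknown>", []))
        _, lport = split_endpoint(row["laddr"])
        fhost, fport = split_endpoint(row["faddr"])
        if row["state"] == "LISTENING" and (lport not in BASELINE_LISTEN_PORTS or image in NO_LISTENER_IMAGES):
            findings.append((row["pid"], image, f"unexpected listener on {row['proto']} port {lport}"))
        elif row["state"] == "ESTABLISHED" and is_external(fhost):
            findings.append((row["pid"], image,
                             f"established to external {fhost}:{fport} (services: {', '.join(svcs) or 'none'})"))
    return findings


# Constructed sample built from the Question 12 and 13 exhibits.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     5678
  TCP    192.168.1.10:49153     192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    910
"""
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    524 SessionEnv, TermService, UmRdpService
svchost.exe                    910 Dnscache
services.exe                  4321 N/A
svchost.exe                   5678 BFE, MpsSvc
"""


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(finding)
```

The RDP listener on 3389 owned by the TermService svchost passes, the listener on 4444 owned by services.exe is flagged, and the session to 203.0.113.5:443 is flagged with the services the owning PID hosts, which is the detail to carry into the next step (image path, loaded modules, parent process) rather than stopping at "port 443 looks normal".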

These CHFI practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CHFI questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.