CHFI · topic practice

Application, Email and Cloud Forensics practice questions

Practise Computer Hacking Forensic Investigator CHFI Application, Email and Cloud Forensics practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Application, Email and Cloud Forensics

What the exam tests

What to know about Application, Email and Cloud Forensics

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Application, Email and Cloud Forensics exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Application, Email and Cloud Forensics questions

20 questions · select your answer, then reveal the explanation

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

Question 2mediummultiple choice
Read the full NAT/PAT explanation →

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

Question 5easymultiple choice
Read the full NAT/PAT explanation →

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?

An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?

In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?

An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?

During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?

Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?

Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)

Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)

Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)

An analyst examining Apache access logs finds the following entry: 192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0". Which of the following attacks is MOST likely occurring?

During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?

A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?

While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: <?php system($_GET['cmd']); ?>. Which of the following best describes this file?

An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Application, Email and Cloud Forensics sessions

Start a Application, Email and Cloud Forensics only practice session

Every question in these sessions is drawn from the Application, Email and Cloud Forensics domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Application, Email and Cloud Forensics?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Application, Email and Cloud Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the Application, Email and Cloud Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.