CHFI · topic practice

Mobile and Malware Forensics practice questions

Practise Computer Hacking Forensic Investigator CHFI Mobile and Malware Forensics practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Mobile and Malware Forensics

What the exam tests

What to know about Mobile and Malware Forensics

Mobile and Malware Forensics questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Mobile and Malware Forensics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Mobile and Malware Forensics questions

20 questions · select your answer, then reveal the explanation

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?

Question 5mediummultiple choice
Read the full NAT/PAT explanation →

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?

Question 7hardmultiple choice
Read the full NAT/PAT explanation →

An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?

A malware analyst uses Cuckoo Sandbox to analyze a sample. The report shows that the sample sends HTTP POST requests to 'http://malicious.example.com/gate.php' with encrypted data. Which type of indicator of compromise (IoC) is this?

Which mobile forensics tool is specifically designed for physical extraction of iOS devices, including bypassing passcodes and extracting full file system images?

During dynamic analysis of a malware sample, an analyst uses Process Monitor to capture registry and file system activity. Which filter would be MOST effective in identifying attempts to create a persistence mechanism?

An iOS forensic analyst extracts the Keychain from an iTunes backup. Within the Keychain, they find an entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud'. What type of data does this entry MOST likely contain?

A security analyst detects that a system's 'SeDebugPrivilege' is enabled for a suspicious process. Which technique is the malware MOST likely attempting to use?

A forensic examiner is analyzing a mobile device that may have been tampered with to erase evidence. Which TWO anti-forensic techniques are commonly encountered in mobile forensics? (Select TWO.)

A malware analyst is performing static analysis on a packed executable. Which THREE techniques are effective for unpacking or analyzing packed malware? (Select THREE.)

An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)

Question 16mediummultiple choice
Read the full NAT/PAT explanation →

During an iOS forensic examination, an analyst extracts an iTunes backup and finds a file named 'SMS.db'. Which of the following tools is BEST suited to parse and analyze this SQLite database for SMS and iMessage content?

A security analyst runs a dynamic analysis of a suspected malware sample using Cuckoo Sandbox. The report shows that the sample created a mutex named 'Global\MyMaliciousMutex', added a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and attempted to communicate with an IP address 185.10.68.12 on port 443. Which of the following is the BEST immediate indicator of compromise (IoC) to share with the threat intelligence team?

In Android forensics, which of the following acquisition methods provides the most complete and forensically sound image of the device's internal storage?

During a malware analysis session, an analyst uses Process Monitor (Procmon) to observe a suspicious executable. Which of the following behavioral indicators would MOST strongly suggest the malware is attempting to establish persistence?

An iOS forensic analyst is examining data from an iCloud backup and finds a file named 'call_history.db'. Which SQLite table within this database is MOST likely to contain the duration and timestamp of each phone call?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Mobile and Malware Forensics sessions

Start a Mobile and Malware Forensics only practice session

Every question in these sessions is drawn from the Mobile and Malware Forensics domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Mobile and Malware Forensics?
Mobile and Malware Forensics questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Mobile and Malware Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the Mobile and Malware Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.