CHFI · topic practice

OS and Network Forensics practice questions

Practise OS and Network Forensics questions for the Computer Hacking Forensic Investigator (CHFI) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: OS and Network Forensics

What the exam tests

What to know about OS and Network Forensics

OS and Network Forensics questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common OS and Network Forensics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

OS and Network Forensics questions

20 questions · select your answer, then reveal the explanation

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?

Question 7 · medium · multiple choice

A network analyst is reviewing a packet capture and sees a large number of TCP SYN packets sent to various ports on a single host from multiple source IPs. This pattern is most indicative of which type of attack?

During a Linux forensic investigation, you find that the file /etc/cron.d/evil contains the entry: '* * * * * root /bin/bash /root/backdoor.sh'. What persistence mechanism is being used?

Which of the following Windows registry keys is commonly used by malware to achieve persistence by executing a program at user logon?

In network forensics, which tool is commonly used to analyze and visualize NetFlow data to identify network traffic patterns?

A forensic analyst is examining a Windows system and finds that the UserAssist key in the NTUSER.DAT hive contains entries with ROT13-encoded names. What is the primary purpose of the UserAssist key?

An attacker has compromised a Linux server and edited the /etc/passwd file to change a user's UID to 0. What is the likely goal of this modification?

A forensic analyst is examining a Windows system and wants to identify recently accessed files and programs. Which TWO artifacts should the analyst prioritize? (Select TWO.)

A security team is analyzing a compromised Linux server. Indicators suggest the attacker used a web shell. Which THREE of the following are common persistence mechanisms that may be found on the system? (Select THREE.)

An investigator is analyzing a Windows system and wants to find evidence of USB device usage. Which TWO registry keys should be examined? (Select TWO.)

A security analyst reviews Windows Security Event Logs and finds multiple Event ID 4625 entries from a single source IP address targeting various usernames. Which type of attack is MOST likely occurring?

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 03:14:15 server sshd[1234]: Accepted publickey for root from 10.0.0.5 port 54321 ssh2: RSA SHA256:AbCdEf123456'. Which artifact should you examine next to determine if unauthorized key-based access occurred?

Question 18 · easy · multiple choice

Which Windows artifact is primarily used to determine the execution history of applications, including the path and run count?

A forensic analyst discovers an unusual entry in the Windows Registry under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which persistence mechanism does this represent?

In a macOS forensic investigation, which log system provides a timeline of high-level system events such as application launches and user logins?


Focused OS and Network Forensics sessions

Start an OS and Network Forensics-only practice session

Every question in these sessions is drawn from the OS and Network Forensics domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about OS and Network Forensics?
OS and Network Forensics questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just OS and Network Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the OS and Network Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.