Database and Application Forensics practice questions

Practise Computer Hacking Forensic Investigator (CHFI) Database and Application Forensics questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
17 questions · Domain: Database and Application Forensics

What the exam tests

What to know about Database and Application Forensics

Database and Application Forensics questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Database and Application Forensics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Database and Application Forensics questions

17 questions · select your answer, then reveal the explanation

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?

Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?

Exhibit

```
MySQL Binary Log Entry:
# at 12345678
#190101 10:00:00 server id 1  end_log_pos 12345679 CRC32 0x12345678 	Query	thread_id=100	exec_time=0	error_code=0
SET TIMESTAMP=1546336800/*!*/;
DELETE FROM users WHERE id=5
/*!*/;
```
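The exhibit shows one event as `mysqlbinlog` prints it: the `#YYMMDD hh:mm:ss` header is the event's 32-bit timestamp rendered through the local clock of the machine that ran `mysqlbinlog`, while `SET TIMESTAMP=` carries the same value as raw epoch seconds (1546336800 is 2019-01-01 10:00:00 UTC). The parser below is an added example, not code from this page or from MySQL: it turns a text export in that format into a timeline of statements per `thread_id`, checks that every header time and epoch agree up to a whole timezone offset, and checks that `# at` / `end_log_pos` chain without gaps. The input is a constructed sample in the exhibit's layout, with a third event whose header time was deliberately edited so the consistency check has something to flag; the positions, thread ids and CRC values are made up.

```python
"""Build an event timeline from mysqlbinlog text output and cross-check its timestamps."""
import re
from datetime import datetime, timezone

# Constructed sample (not a real capture) in the layout mysqlbinlog prints for
# statement-based Query events. Positions, thread ids and CRCs are invented.
# The third event's header time was edited to 11:30:00 while its SET TIMESTAMP
# still says 09:59:50 UTC, which no timezone offset can explain.
SAMPLE_BINLOG_TEXT = (
    "# at 12345678\n"
    "#190101 10:00:00 server id 1  end_log_pos 12345760 CRC32 0x12345678 "
    "\tQuery\tthread_id=100\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1546336800/*!*/;\n"
    "DELETE FROM users WHERE id=5\n"
    "/*!*/;\n"
    "# at 12345760\n"
    "#190101 10:00:02 server id 1  end_log_pos 12345850 CRC32 0x0a0b0c0d "
    "\tQuery\tthread_id=100\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1546336802/*!*/;\n"
    "DELETE FROM audit_log WHERE user_id=5\n"
    "/*!*/;\n"
    "# at 12345850\n"
    "#190101 11:30:00 server id 1  end_log_pos 12345940 CRC32 0x11223344 "
    "\tQuery\tthread_id=77\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1546336790/*!*/;\n"
    "INSERT INTO users (id, name) VALUES (9, 'x')\n"
    "/*!*/;\n"
)

AT_RE = re.compile(r"^# at (?P<pos>\d+)$")
HEADER_RE = re.compile(
    r"^#(?P<date>\d{6})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+server id (?P<server_id>\d+)"
    r"\s+end_log_pos (?P<end_pos>\d+).*\tQuery\tthread_id=(?P<thread_id>\d+)"
)
SET_TS_RE = re.compile(r"^SET TIMESTAMP=(?P<epoch>\d+)")


def parse_events(text):
    """Return one dict per Query event: positions, header time, epoch, thread id, statement."""
    events, current, start_pos, stmt_lines = [], None, None, []
    for line in text.splitlines():
        m = AT_RE.match(line)
        if m:
            start_pos = int(m.group("pos"))
            continue
        m = HEADER_RE.match(line)
        if m:
            # mysqlbinlog pads a single-digit hour with a space; strptime copes with both.
            header_local = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%y%m%d %H:%M:%S")
            current = {"start_pos": start_pos, "end_pos": int(m.group("end_pos")),
                       "server_id": int(m.group("server_id")), "thread_id": int(m.group("thread_id")),
                       "header_time": header_local, "epoch": None, "statement": None}
            stmt_lines = []
            continue
        if current is None:
            continue
        if line == "/*!*/;":                      # end of the statement body
            current["statement"] = "\n".join(stmt_lines).strip()
            events.append(current)
            current = None
            continue
        m = SET_TS_RE.match(line)
        if m:
            current["epoch"] = int(m.group("epoch"))
            continue
        if line.startswith(("SET ", "/*!", "#")):  # other session settings and comments
            continue
        stmt_lines.append(line)
    return events


def event_utc_time(event):
    """The authoritative event time: SET TIMESTAMP is epoch seconds, timezone-free."""
    return datetime.fromtimestamp(event["epoch"], tz=timezone.utc)


def header_skew_seconds(event):
    """Seconds by which the rendered header leads the epoch. For a genuine export this is
    the viewer's UTC offset, i.e. a multiple of 15 minutes (0 when run under UTC)."""
    header_as_utc = event["header_time"].replace(tzinfo=timezone.utc)
    return int((header_as_utc - event_utc_time(event)).total_seconds())


def inconsistent_events(events):
    """Events whose header time and epoch cannot both be true: edited or damaged export."""
    return [e for e in events if e["epoch"] is None or header_skew_seconds(e) % 900 != 0]


def position_gaps(events):
    """(end_log_pos, next '# at') pairs that do not chain: events missing from the export."""
    return [(p["end_pos"], n["start_pos"]) for p, n in zip(events, events[1:])
            if p["end_pos"] != n["start_pos"]]


def timeline(events):
    """Chronological (by epoch) rows of (UTC time, thread_id, statement)."""
    return [(event_utc_time(e).isoformat(), e["thread_id"], e["statement"])
            for e in sorted(events, key=lambda e: e["epoch"])]


def deletes_for_thread(events, thread_id):
    """DELETE statements issued on one connection, in file order."""
    return [e["statement"] for e in events
            if e["thread_id"] == thread_id and e["statement"].upper().startswith("DELETE")]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_BINLOG_TEXT)
    for when, tid, stmt in timeline(evs):
        print(when, tid, stmt)
    print("inconsistent events at:", [e["start_pos"] for e in inconsistent_events(evs)])
    print("position gaps:", position_gaps(evs))
```

Run it against `mysqlbinlog --base64-output=decode-rows -v binlog.000012 > binlog.txt` output from a working copy of the log, never the original. Row-based events print as `### DELETE FROM ...` pseudo-SQL rather than Query events and need a small extension to the header pattern; the timestamp and position checks apply unchanged.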

You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?

During a database forensic investigation, an analyst finds that the SQL Server transaction log contains gaps. Which TWO actions should the analyst take to preserve evidence integrity and recover missing transactions?

Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?

Exhibit

```
SQL> SELECT * FROM v$transaction;

ADDR           XIDUSN XIDSLOT XIDSQN  UBAFIL  UBABLK  UBASQN  UBAOFF  STATUS   START_SCNBAS START_SCNWRP
-------------- ------ ------- ------  ------  ------  ------  ------  -------- ------------ ------------
00000000C0F8  10     12      123456  4       5678    890     0       ACTIVE   1234567890   1

SQL> SELECT COUNT(*) FROM v$transaction WHERE status='ACTIVE';

  COUNT(*)
----------
         1
```

You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?

During a database forensic investigation, an analyst recovers a MySQL binary log file (binlog.000012) from a compromised server. Which command should the analyst use to extract the actual SQL statements from this binary log in a human-readable format?

Refer to the exhibit. A database administrator finds the above error log entries when attempting to start the MySQL service. The server was working fine yesterday. What is the most likely cause of this issue?

Exhibit
```
MySQL Error Log Entry:
[ERROR] Plugin 'InnoDB' init function returned error.
[ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
[ERROR] Unknown/unsupported storage engine: InnoDB
[ERROR] Aborting
```

A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?


Drag and drop the steps to perform a forensic examination of a mobile device (Android) using Cellebrite UFED into the correct order.


Match each file carving technique to its description.


  • Uses file signatures to find start and end
  • Uses internal file structure metadata
  • Reassembles fragmented files
  • Uses statistical models to identify file types
  • Handles files split into two fragments


Frequently asked questions

What does the CHFI exam test about Database and Application Forensics?
Database and Application Forensics questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Database and Application Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the Database and Application Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.