
Evidence Acquisition and Duplication practice questions

Practise Computer Hacking Forensic Investigator CHFI Evidence Acquisition and Duplication practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Evidence Acquisition and Duplication

What the exam tests

What to know about Evidence Acquisition and Duplication

Evidence Acquisition and Duplication questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Evidence Acquisition and Duplication exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Evidence Acquisition and Duplication questions

20 questions · select your answer, then reveal the explanation

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

You are imaging a suspect's hard drive using a write blocker and the dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

During a forensic acquisition, you notice that the target drive has bad sectors. What is the best approach to acquire the drive?

Which TWO of the following are valid methods for acquiring volatile data from a live Windows system? (Choose two.)

Which THREE of the following are acceptable best practices when acquiring evidence from a mobile device? (Choose three.)

The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

Exhibit

Refer to the exhibit.

[root@forensics ~]# dc3dd if=/dev/sda of=/evidence/sda.img hash=sha256 log=/evidence/log.txt

Output:

Fatal error: Input/output error while reading /dev/sda

Based on the acquisition log, what can be concluded about the integrity of the acquired image?

Exhibit

Refer to the exhibit.

Forensic Acquisition Log:

Source: /dev/sdb
Image: /mnt/evidence/case001.dd
Hash (MD5): Source= a1b2c3d4e5f6... Image= a1b2c3d4e5f6...
Hash (SHA1): Source= 1234567890ab... Image= 1234567890ab...

Verification: Passed

You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 that may contain evidence of unauthorized access. The server is running and logged in with administrative privileges. The server has 32 GB of RAM, a 1 TB SSD (BitLocker encrypted, but unlocked), and is connected to the corporate network. The server is running several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available:

A. Immediately pull the power cord to perform a cold acquisition of the hard drive.
B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging.
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running.
D. Use the built-in Windows backup to create a system image to an external drive.

Which action is the most appropriate first step in this scenario?

During acquisition of a live Linux server, the forensic examiner runs the following command:

# dd if=/dev/sda of=/mnt/evidence/disk.dd conv=noerror,sync bs=4k

Which TWO statements are true about this acquisition?

Refer to the exhibit. An investigator runs fsstat and dstat on a captured image. What is the total capacity of the volume?

Exhibit

Refer to the exhibit.

# fsstat /dev/sdb1
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 1234ABCD5678EF90
Volume Name: Evidence
Number of MFT Records: 1024
MFT Record Size: 1024 bytes

# dstat /dev/sdb1
DETAILS OF DISK STATISTICS
--------------------------------------------
Total Sectors: 2097152
Sector Size: 512 bytes
Cluster Size: 4096 bytes
Free Clusters: 524288

You are a forensic investigator responding to a data breach at a financial institution. The compromised server is a Windows Server 2019 running a custom trading application. The server is still powered on and connected to the production network. The incident response team has instructed you to acquire forensic evidence while minimizing downtime. The server has 2 TB of storage with 500 GB used. You have a forensic workstation with a write-blocker and an empty 2 TB external drive. The server's RAM is 64 GB. You need to acquire both volatile data (RAM) and a forensic image of the disk. However, the legal team requires a verified bit-for-bit copy with cryptographic hash verification. Additionally, the server's performance is critical; acquiring RAM via network is not feasible due to bandwidth constraints. Which of the following is the best course of action?

Drag and drop the steps to conduct a memory acquisition using DumpIt on a Windows system into the correct order.


Match each network protocol to its well-known port number (TCP/UDP).

Port numbers to match: 21, 23, 161, 389, 3389


Frequently asked questions

What does the CHFI exam test about Evidence Acquisition and Duplication?
Evidence Acquisition and Duplication questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Evidence Acquisition and Duplication questions in a focused session?
Yes — the session launcher on this page draws every question from the Evidence Acquisition and Duplication domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.