CHFI · topic practice

Computer Forensics Investigation Process practice questions

Practise Computer Hacking Forensic Investigator (CHFI) questions on the Computer Forensics Investigation Process: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
10 questions · Domain: Computer Forensics Investigation Process

What the exam tests

What to know about Computer Forensics Investigation Process

Computer Forensics Investigation Process questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Computer Forensics Investigation Process exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Computer Forensics Investigation Process questions

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?

A CHFI analyst is called to investigate a suspected data breach. The IT team has already shut down the server. Which of the following is the most appropriate order of actions to preserve evidence?

An incident responder has acquired a forensic image of a Linux server suspected of being compromised. The image was taken using 'dd' with no compression. The analyst needs to verify the integrity of the image. Which command should be used and what should be compared?

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

An analyst executed the commands shown in the exhibit on a Windows system to prepare a forensic image for analysis. What is the most likely reason for the error message from e2fsck?

Exhibit

Refer to the exhibit.

C:\> fsutil volume dismount C:

C:\> diskpart
DISKPART> select volume 1
DISKPART> attribute volume clear readonly
DISKPART> exit

C:\> e2fsck -fn image.dd

e2fsck 1.45.6 (20-Mar-2020)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
image.dd: ********** WARNING: Filesystem still has errors **********

You are a CHFI analyst responding to a security incident at a medium-sized financial firm. The IT team reports that an employee's workstation (Windows 10, single SSD) was used to access sensitive customer data without authorization. The workstation is still running, and the employee is currently logged in. The IT team has isolated the machine from the network but has not powered it off. You have been called to perform forensic acquisition. The company policy requires preservation of volatile data and a full disk image. The machine has 16 GB RAM and a 512 GB SSD. You have a forensic toolkit including FTK Imager, win32dd (for memory acquisition), and a write-blocker. Which of the following is the best course of action?

Drag and drop the steps to perform forensic imaging of a hard drive using FTK Imager into the correct order.

Drag and drop the steps to perform a forensic analysis of a PDF file for hidden data or malicious content into the correct order.

Match each forensic tool to its primary purpose.

Acquisition and preview of disk images

Forensic analysis and evidence processing

Memory forensics and analysis

Network packet capture and analysis

Open-source file system analysis

Match each email forensic artifact to its source.

Message source (RFC 5322 headers)

Microsoft Outlook personal folder

Microsoft Exchange server

Unix-based email clients

Individual email message export

Frequently asked questions

What does the CHFI exam test about Computer Forensics Investigation Process?
Computer Forensics Investigation Process questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Computer Forensics Investigation Process questions in a focused session?
Yes — the session launcher on this page draws every question from the Computer Forensics Investigation Process domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.