CHFI · topic practice

Computer Forensics Lab practice questions

Practise Computer Hacking Forensic Investigator CHFI Computer Forensics Lab practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
15 questionsDomain: Computer Forensics Lab

What the exam tests

What to know about Computer Forensics Lab

Computer Forensics Lab questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Computer Forensics Lab exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Computer Forensics Lab questions

15 questions · select your answer, then reveal the explanation

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

A forensic analyst is troubleshooting a write-blocker that is not working correctly. The analyst connected the write-blocker between the suspect drive and the forensic workstation, but the workstation still shows the drive as writable. What is the most likely cause?

A forensic lab is establishing a chain of custody procedure. Which practice is considered best according to CHFI guidelines?

Which TWO of the following are essential components of a computer forensics lab according to CHFI best practices?

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?

A forensic lab manager is setting up a new lab and must decide on the physical security measures. Which of the following is the MOST important to implement first?

Refer to the exhibit. A forensic examiner is analyzing a Windows system and sees the above NTFS file metadata. The user claims the file was last accessed at 09:15. Which of the following best explains the discrepancy?

Exhibit

Refer to the exhibit.

=== File System Analysis Report ===
Drive: /dev/sda1 (NTFS)
Inode: 2345
File: critical_data.docx
Creation Time: 2024-03-10 09:15:00 UTC
Last Modified: 2024-03-10 09:20:00 UTC
Last Access: 2024-03-10 09:25:00 UTC
$LogFile Sequence Number: 123456
$UsnJrnl: Entry 7890
=== End of Report ===

Which TWO of the following are essential requirements for a computer forensics lab according to best practices?

A forensic examiner is setting up a new lab. Which THREE of the following practices are essential for maintaining the integrity of digital evidence?

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

Exhibit

Refer to the exhibit.

FTK Imager command output:

Sector size: 512
Total sectors: 625142448
Partition start: 2048
Partition end: 625139712
Partition type: NTFS (07)

Flags: 0x80 (Bootable)

File system: NTFS
Volume label: EVIDENCE_DRIVE
Serial number: 1234-5678

$MFT mirror: cluster 2
$MFT: cluster 0
Clusters per record: 1
Bytes per cluster: 4096
Question 13easymultiple choice
Read the full NAT/PAT explanation →

You are a forensic examiner at a corporate security firm. You receive a laptop from the HR department that belonged to a terminated employee. The laptop was used for company business and is suspected of containing unauthorized file-sharing software. The laptop is running Windows 10 with BitLocker drive encryption enabled. Before shutdown, the employee was logged into the system. HR claims the laptop was shut down properly and then handed over within an hour. You are asked to acquire a forensic image of the hard drive for analysis. However, when you boot the laptop, you are prompted for the BitLocker recovery key. HR does not have the key, and the employee refuses to cooperate. The laptop also has a TPM chip. Which of the following is the most appropriate course of action to acquire the data?

Drag and drop the steps to recover deleted files using Recuva into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each Windows Registry hive to its stored information.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

User account passwords and hashes

System configuration and device drivers

Installed software and settings

Security policies and user rights

Per-user settings and preferences

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Computer Forensics Lab sessions

Start a Computer Forensics Lab only practice session

Every question in these sessions is drawn from the Computer Forensics Lab domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Computer Forensics Lab?
Computer Forensics Lab questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Computer Forensics Lab questions in a focused session?
Yes — the session launcher on this page draws every question from the Computer Forensics Lab domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.