Incident Response and First Responder Skills practice questions

Practise Computer Hacking Forensic Investigator CHFI Incident Response and First Responder Skills practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Incident Response and First Responder Skills

What the exam tests

What to know about Incident Response and First Responder Skills

Incident Response and First Responder Skills questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Incident Response and First Responder Skills exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Incident Response and First Responder Skills questions

20 questions · select your answer, then reveal the explanation

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

A first responder is called to investigate a potential insider threat. The suspect's computer is turned off. What is the BEST procedure?

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

During the initial response to a suspected data exfiltration, which THREE pieces of volatile data should be collected first? (Choose three.)

Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?

Exhibit:
C:\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     3342
  TCP    192.168.1.10:49153     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49154     192.168.1.1:53         TIME_WAIT       2016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       668
  UDP    0.0.0.0:123            *:*                                    888
  UDP    0.0.0.0:1900           *:*                                    4320

Refer to the exhibit. A first responder runs the command on a Linux server. Which process should be considered MOST suspicious and investigated immediately?

Exhibit:
$ ps aux | grep -E "bash|nc|python|perl"

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1245  0.0  0.1  21908  3420 ?        S    10:15   0:00 /bin/bash
root      1302  0.0  0.0  12368   876 ?        S    10:16   0:00 nc -lvp 4444
root      1310  0.5  0.2  30240  5678 ?        S    10:17   0:02 python /tmp/.payload.py
root      1325  0.0  0.0  12368   912 ?        S    10:18   0:00 perl /tmp/.script.pl
Question 12 · hard · multiple choice

You are a first responder for a medium-sized company with 500 employees. The incident response team has been alerted to a possible data breach involving the CEO's laptop, which is a Windows 10 system. The CEO reports that the laptop has been acting strangely, with unusual pop-ups and slow performance. The laptop is currently powered on and connected to the corporate network via Wi-Fi. The CEO is logged in and has several applications open, including email and a web browser. The security team suspects malware may be exfiltrating sensitive documents. As the first responder, you must decide the best course of action to preserve evidence and contain the threat while minimizing impact on business operations. Which action should you take FIRST?

During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?

Exhibit:

C:\> netstat -ano
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1045     203.0.113.5:4444      ESTABLISHED     1234
  TCP    192.168.1.100:1046     192.168.1.1:443        ESTABLISHED     5678
  TCP    192.168.1.100:1047     10.0.0.1:22            ESTABLISHED     9012
  TCP    192.168.1.100:1048     198.51.100.7:80        TIME_WAIT       3456

You are a first responder for a medium-sized enterprise. The Help Desk received multiple reports that users cannot access the company's internal web application (app.example.com) hosted on a Windows Server 2019 VM. The server is also running a MySQL database and an FTP service for file transfers. You remote into the server and find that the web server (IIS) is still running, but the application pool is stopped. The event logs show multiple failed logon attempts from an external IP address (198.51.100.23) for the local administrator account around the time the issues started. The FTP service log shows successful anonymous logins from the same IP minutes before the web app failure. The MySQL log shows a query 'DROP TABLE users;' executed at 03:15 AM. The current time is 04:00 AM. What immediate action should you take?

During the initial response to a suspected data breach, a first responder discovers a live system with active network connections. The responder needs to preserve evidence while minimizing alteration. Which of the following is the MOST appropriate first step?

Which TWO actions are essential for a first responder when securing an incident scene involving a compromised server? (Select exactly two.)

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

Exhibit:

C:\Users\Forensic> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.2.3.4:443           ESTABLISHED     1234
  TCP    192.168.1.10:49153     192.168.1.1:80         TIME_WAIT       0
  TCP    192.168.1.10:49154     10.2.3.4:80            ESTABLISHED     1234
  UDP    0.0.0.0:5353           *:*                                    5678

Drag and drop the steps to capture network traffic with Wireshark for forensic analysis into the correct order.

Focused Incident Response and First Responder Skills sessions

Start an Incident Response and First Responder Skills-only practice session

Every question in these sessions is drawn from the Incident Response and First Responder Skills domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Incident Response and First Responder Skills?
Incident Response and First Responder Skills questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Response and First Responder Skills questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Response and First Responder Skills domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.