CHFI · topic practice

Network and Cloud Forensics practice questions

Practise Computer Hacking Forensic Investigator CHFI Network and Cloud Forensics practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Network and Cloud Forensics

What the exam tests

What to know about Network and Cloud Forensics

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Network and Cloud Forensics exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Network and Cloud Forensics questions

20 questions · select your answer, then reveal the explanation

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

During a network forensic investigation, the analyst recovers a PCAP file. What type of information can be directly extracted from this file?

An investigator is analyzing cloud storage logs and finds an entry showing that a file was accessed using the root credentials from an IP address in a different geographic region. The organization has strict policies against root usage. What should the investigator do FIRST?

A forensic analyst is examining a network intrusion detection system (NIDS) alert that triggered on a packet with the FIN, PSH, and URG flags set. What type of scan does this indicate?

Which TWO of the following are common challenges in cloud forensics?

Which THREE of the following are essential steps in network forensic investigation?

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Based on the ARP table exhibit, what is the most likely security issue?

Network Topology
Interface:0x5Refer to the exhibit.C:\> arp -aInternet Address Physical Address Type192.168.1.1 00-1a-2b-3c-4d-5e dynamic192.168.1.101 00-1a-2b-3c-4d-5e dynamic192.168.1.102 00-1a-2b-3c-4d-5e dynamic

An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Based on the log exhibit, what type of attack is occurring?

Exhibit

Refer to the exhibit.

Nov 12 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:10 server1 sshd[1235]: Failed password for root from 10.0.0.5 port 22 ssh2
Nov 12 09:24:35 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
... (repeated every 25 seconds)
Question 16hardmultiple choice
Read the full NAT/PAT explanation →

You are a forensic investigator for a healthcare organization that uses a hybrid cloud model. Your team receives an alert that a large amount of protected health information (PHI) was exfiltrated from an AWS S3 bucket to an external IP address. The organization uses AWS CloudTrail for API logging and VPC Flow Logs for network traffic. The incident occurred between 02:00 and 03:00 UTC. Upon reviewing CloudTrail logs, you see that the bucket policy was modified at 01:55 UTC to allow public read access, and then a series of GetObject requests from an IP address in a foreign country occurred. The VPC Flow Logs show outbound traffic from the bucket's VPC to that IP. The bucket policy change was made using the root user credentials of the AWS account. The organization has multi-factor authentication (MFA) enabled for all users, including root. However, the CloudTrail log for the policy change does not indicate MFA usage. You need to determine the most likely root cause of the breach. Which of the following is the most plausible explanation?

Question 17mediummultiple choice
Read the full NAT/PAT explanation →

You are investigating a network breach at a financial institution. The organization uses a network-based intrusion detection system (NIDS) and maintains full packet capture (PCAP) for critical segments. The incident allegedly started with a spear-phishing email that delivered a remote access trojan (RAT). The security team has isolated the infected host and provided you with a disk image of the host and a PCAP file covering the network traffic from the host for the 24-hour period before isolation. In the PCAP, you see a series of TCP connections from the host to an external IP address on port 443 (HTTPS). The external IP is known to be associated with a command-and-control (C2) server. However, the disk image shows no evidence of the RAT binary or any malicious files. The host's antivirus logs are clean. Which of the following is the most likely explanation for the lack of evidence on the disk?

Question 18hardmultiple choice
Read the full NAT/PAT explanation →

During a forensic investigation of a cloud environment, a forensic analyst discovers that the virtual machine (VM) used by a suspect was terminated three days prior. The cloud provider offers snapshots, backups, and instance metadata. Which of the following is the BEST course of action to recover forensic evidence?

A forensic investigator needs to capture network traffic from a SPAN port on a switch to analyze an ongoing compromise. Which tool should the investigator use to collect the full packet capture (pcap) for later analysis?

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Network and Cloud Forensics sessions

Start a Network and Cloud Forensics only practice session

Every question in these sessions is drawn from the Network and Cloud Forensics domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Network and Cloud Forensics?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network and Cloud Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the Network and Cloud Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.