CHFI · topic practice

OS and File System Forensics practice questions

Practise Computer Hacking Forensic Investigator (CHFI) questions on OS and File System Forensics: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
10 questions · Domain: OS and File System Forensics

What the exam tests

What to know about OS and File System Forensics

OS and File System Forensics questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common OS and File System Forensics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

OS and File System Forensics questions

10 questions · select your answer, then reveal the explanation

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?
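As an added worked example (not part of the page's question set): the hash-verification discipline that the scenario's tooling (a raw dd image or an E01 with embedded hashes) relies on. The hash is taken from the bytes as they are read from the source during the copy, the finished image is then re-read and hashed on its own, and the source is re-read as well; all three must agree before the image is trusted. The "drive" here is a constructed temporary file filled with random bytes, and the file names, chunk size and demo size are assumptions. A hardware write blocker between the drive and the SATA-to-USB adapter is still what stops the source being altered; the script only shows the verification, it does not replace the blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, the granularity an imaging tool would use (assumed)


def hash_stream(fobj, algo="sha256"):
    """Hash a file object to EOF in fixed-size chunks."""
    h = hashlib.new(algo)
    for buf in iter(lambda: fobj.read(CHUNK), b""):
        h.update(buf)
    return h.hexdigest()


def image_device(src_path, img_path, algo="sha256"):
    """Bit-for-bit copy of src_path to img_path.

    The acquisition hash is computed from the bytes as they are read from
    the source, so it describes what the imager actually saw rather than a
    later re-read of the evidence.
    """
    h = hashlib.new(algo)
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            h.update(buf)
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return h.hexdigest()


def acquire_and_verify(src_path, img_path, algo="sha256"):
    """Image, then verify three ways: acquisition hash, image re-read, source re-read."""
    acquisition = image_device(src_path, img_path, algo)
    with open(img_path, "rb") as f:
        image = hash_stream(f, algo)
    with open(src_path, "rb") as f:
        source = hash_stream(f, algo)
    return {
        "algo": algo,
        "acquisition_hash": acquisition,
        "image_hash": image,
        "source_hash": source,
        "verified": acquisition == image == source,
        "image_size": os.path.getsize(img_path),
    }


def run_demo(size=3 * CHUNK + 4097):
    """Constructed stand-in for the evidence drive (random bytes, size chosen
    so the last read is a partial chunk): image it, verify, then flip one
    byte in the image and show that re-hashing catches the change."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")  # assumed name for the demo "drive"
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(size))
        good = acquire_and_verify(src, img)
        # Simulate a damaged image: invert one byte in the middle, re-hash.
        with open(img, "r+b") as f:
            f.seek(size // 2)
            b = f.read(1)
            f.seek(size // 2)
            f.write(bytes([b[0] ^ 0xFF]))
        with open(img, "rb") as f:
            corrupted_hash = hash_stream(f)
        return {"good": good, "corrupted_image_matches": corrupted_hash == good["image_hash"]}


if __name__ == "__main__":
    r = run_demo()
    print("verified:", r["good"]["verified"], "| after corruption matches:", r["corrupted_image_matches"])
```

Run directly, it reports the clean acquisition as verified and the corrupted image as not matching. Against a real drive, the source path would be the block device exposed through the write blocker (for example /dev/sdb on a Linux forensic workstation), and the three hashes belong in the acquisition notes alongside the tool, version and time.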

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?

A forensic analyst is reviewing the syslog from a compromised Linux server. Based on the exhibit, what does the 'orphan inode deleted' message indicate?

Exhibit

=== Linux log excerpt (/var/log/syslog) ===
Jan 12 10:15:32 server1 kernel: [ 1234.5678] EXT4-fs (sda1): recovery complete
Jan 12 10:15:33 server1 kernel: [ 1234.5680] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Jan 12 10:15:34 server1 sshd[2345]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2: RSA SHA256:abc...
Jan 12 10:15:35 server1 sshd[2346]: Received disconnect from 192.168.1.10 port 54321:11: disconnected by user
Jan 12 10:15:36 server1 kernel: [ 1234.5700] EXT4-fs (sda1): 1 orphan inode deleted
Jan 12 10:15:37 server1 kernel: [ 1234.5702] EXT4-fs (sda1): 1 orphan inode deleted
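The following is an added example, not part of the page: a small parser that turns the exhibit above into a timeline and extracts the two things an analyst wants from it, the ext4 messages per device (including a count of orphan inodes freed) and the SSH session that sits between them. For context, ext4 keeps an on-disk list of inodes that were unlinked or truncated while a process still had them open; when the filesystem is next mounted after an unclean shutdown the kernel frees each of those inodes and logs "orphan inode deleted" for it. The six log lines are copied from the exhibit; the year is an assumption (classic syslog timestamps carry none) and is passed in explicitly.

```python
import re
from datetime import datetime

# The six lines of the exhibit, copied verbatim into a string for the demo.
EXHIBIT = """\
Jan 12 10:15:32 server1 kernel: [ 1234.5678] EXT4-fs (sda1): recovery complete
Jan 12 10:15:33 server1 kernel: [ 1234.5680] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Jan 12 10:15:34 server1 sshd[2345]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2: RSA SHA256:abc...
Jan 12 10:15:35 server1 sshd[2346]: Received disconnect from 192.168.1.10 port 54321:11: disconnected by user
Jan 12 10:15:36 server1 kernel: [ 1234.5700] EXT4-fs (sda1): 1 orphan inode deleted
Jan 12 10:15:37 server1 kernel: [ 1234.5702] EXT4-fs (sda1): 1 orphan inode deleted
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
EXT4_RE = re.compile(r"EXT4-fs \((?P<dev>[^)]+)\): (?P<text>.*)$")
ORPHAN_RE = re.compile(r"^(?P<n>\d+) orphan inodes? deleted$")
SSH_ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
SSH_DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<src>\S+) port (?P<port>\d+)")


def parse_syslog(text, year=2025):
    """Parse classic syslog lines into dicts and tag the ones we care about.
    The year is an assumption supplied by the analyst: the timestamp has none."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "prog": m["prog"],
              "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"], "kind": "other"}
        if ev["prog"] == "kernel":
            e = EXT4_RE.search(ev["msg"])
            if e:
                ev.update(kind="ext4", dev=e["dev"], text=e["text"])
                o = ORPHAN_RE.match(e["text"])
                if o:
                    ev.update(kind="ext4_orphan", orphans=int(o["n"]))
        elif ev["prog"] == "sshd":
            a = SSH_ACCEPT_RE.match(ev["msg"])
            d = SSH_DISCONNECT_RE.match(ev["msg"])
            if a:
                ev.update(kind="ssh_login", user=a["user"], src=a["src"],
                          port=int(a["port"]), method=a["method"])
            elif d:
                ev.update(kind="ssh_disconnect", src=d["src"], port=int(d["port"]))
        events.append(ev)
    return events


def orphan_inodes_deleted(events):
    """Total orphan inodes the kernel reported freeing, per device."""
    totals = {}
    for ev in events:
        if ev["kind"] == "ext4_orphan":
            totals[ev["dev"]] = totals.get(ev["dev"], 0) + ev["orphans"]
    return totals


def ssh_sessions(events):
    """Pair each accepted login with its disconnect using (source IP, source port)."""
    open_by_key, sessions = {}, []
    for ev in events:
        if ev["kind"] == "ssh_login":
            open_by_key[(ev["src"], ev["port"])] = ev
        elif ev["kind"] == "ssh_disconnect":
            login = open_by_key.pop((ev["src"], ev["port"]), None)
            if login:
                sessions.append({"user": login["user"], "src": ev["src"], "method": login["method"],
                                 "start": login["ts"], "end": ev["ts"]})
    for login in open_by_key.values():  # no disconnect seen: still open at end of log
        sessions.append({"user": login["user"], "src": login["src"], "method": login["method"],
                         "start": login["ts"], "end": None})
    return sessions


def timeline(events):
    """Chronological one-line summaries in the form you would paste into a report."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stamp = f"{ev['ts']:%Y-%m-%d %H:%M:%S}"
        if ev["kind"] in ("ext4", "ext4_orphan"):
            out.append(f"{stamp} ext4 {ev['dev']}: {ev['text']}")
        elif ev["kind"] == "ssh_login":
            out.append(f"{stamp} ssh login {ev['user']}@{ev['src']} ({ev['method']})")
        elif ev["kind"] == "ssh_disconnect":
            out.append(f"{stamp} ssh disconnect {ev['src']}:{ev['port']}")
        else:
            out.append(f"{stamp} {ev['prog']}: {ev['msg']}")
    return out


if __name__ == "__main__":
    evs = parse_syslog(EXHIBIT)
    print("\n".join(timeline(evs)))
    print("orphan inodes deleted:", orphan_inodes_deleted(evs))
    print("ssh sessions:", ssh_sessions(evs))
```

Pairing logins to disconnects by source address and port, rather than by sshd PID, is deliberate: sshd logs the accept and the disconnect from different child processes (2345 and 2346 in the exhibit), so the PID alone would not link them.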

You are a forensic investigator responding to an incident on a Windows 10 workstation used by a finance manager. The user reports that a critical spreadsheet containing quarterly budget data was accidentally deleted from the Desktop yesterday at approximately 3:00 PM. The system has been used normally since then, and the user has not emptied the Recycle Bin. You have created a forensic image of the drive using FTK Imager. The Recycle Bin contains a file named 'Quarterly_Budget.xlsx', but it appears to be a shortcut (size 1 KB). The user insists the original file was several megabytes. You need to recover the original file. Which action should you take next?
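An added example (not part of the page): parsing the Recycle Bin metadata this scenario turns on. Since Windows Vista, each deleted item under C:\$Recycle.Bin\<SID>\ is stored as a pair of files with the same suffix: a small $I file holding the original path, original size and deletion time, and a $R file holding the content. Windows 10 writes version 2 records (an explicit path length followed by the path); Vista through 8.1 wrote version 1 (a fixed 520-byte path field). The parser below handles both; the record IDs, path, size and deletion time it is fed are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE characters, fixed, in version 1 records


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Parse one $I record (version 1 or 2) into its original path, size and deletion time."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # includes the terminating NUL
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path, size, deleted_utc, version=2):
    """Build a $I record for testing; the inverse of parse_dollar_i."""
    ft = datetime_to_filetime(deleted_utc)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


def r_file_name(i_file_name):
    """$I<id>.<ext> -> $R<id>.<ext>; the $R file is the one that holds the content."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def triage(i_entries):
    """Given {name: bytes} for the $I files in one user's Recycle Bin folder,
    return each parsed record together with the $R file to recover."""
    out = []
    for name, data in i_entries.items():
        rec = parse_dollar_i(data)
        rec["i_file"] = name
        rec["r_file"] = r_file_name(name)
        out.append(rec)
    return out


def run_demo():
    """Constructed sample: one Windows 10 (v2) record and one v1 record for the same path."""
    deleted = datetime(2024, 6, 4, 15, 2, 11, tzinfo=timezone.utc)   # assumed
    path = r"C:\Users\fm\Desktop\Quarterly_Budget.xlsx"                # assumed
    entries = {
        "$IQ7K2P1.xlsx": build_dollar_i(path, 4_718_592, deleted, version=2),
        "$IA1B2C3.xlsx": build_dollar_i(path, 4_718_592, deleted, version=1),
    }
    return triage(entries)


if __name__ == "__main__":
    for rec in run_demo():
        print(f"{rec['i_file']} -> recover {rec['r_file']}: {rec['original_path']} "
              f"({rec['original_size']} bytes, deleted {rec['deleted_utc']:%Y-%m-%d %H:%M:%S} UTC)")
```

The deletion time is stored in UTC; converting it to the workstation's local zone is what lets you check it against the time the user reports. The original size recorded in $I is also the number to compare against the $R file on disk: a $R file that is smaller than that, or absent, means the content has to be sought elsewhere (unallocated space, shadow copies, backups).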

Drag and drop the steps to perform a forensic analysis of a Windows registry using RegRipper into the correct order.


Match each forensic acquisition method to its description.


  • Collecting data from a running system
  • Collecting data from powered-off media
  • Copying only active files and metadata
  • Bit-for-bit copy of entire storage device
  • Collecting only fragments of unallocated space


Focused OS and File System Forensics sessions

Start an OS and File System Forensics-only practice session

Every question in these sessions is drawn from the OS and File System Forensics domain, nothing else.


Frequently asked questions

What does the CHFI exam test about OS and File System Forensics?
They test whether you can apply the concept in a scenario (which artifact to examine, which acquisition method fits the situation, what a log message means), not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just OS and File System Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the OS and File System Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Go back to the CHFI question bank to see all topics and pick the next domain.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.