Computer Hacking Forensic Investigator (CHFI) Exam

530 Questions and Answers

Computer Hacking Forensic Investigator (CHFI) practice exam – digital forensics tools, cybercrime investigation, and exam preparation materials

What is the CHFI 312-49 Exam?

The 312-49: Computer Hacking Forensic Investigator (CHFI) exam is a globally recognized certification offered by EC-Council, designed for cybersecurity professionals who specialize in digital forensics and cybercrime investigation. The CHFI certification validates your expertise in identifying hacking attacks, properly extracting evidence, conducting thorough investigations, and preserving data for legal purposes. It is an essential credential for anyone pursuing a career in digital forensics, incident response, or law enforcement cybersecurity roles.


What You Will Learn

With this CHFI practice exam from Exam Sage, you will gain the knowledge and confidence needed to pass the real exam on your first attempt. Each question is designed to reflect real-world forensics scenarios, tools, and concepts. Our practice questions are thoroughly researched and carefully crafted to meet the current CHFI exam objectives.

By preparing with this resource, you will learn how to:

  • Conduct computer and mobile forensic investigations

  • Identify digital evidence in compliance with legal standards

  • Recover deleted or encrypted files from various operating systems

  • Utilize forensic tools like FTK, EnCase, Autopsy, and more

  • Analyze logs, file systems, memory dumps, and network traffic

  • Document findings and maintain the chain of custody

  • Understand the legal and ethical aspects of digital forensics


Topics Covered

This practice exam is fully aligned with the latest CHFI exam blueprint and includes detailed explanations for every question. Topics include, but are not limited to:

  • Computer Forensics Fundamentals

  • Digital Evidence Collection and Preservation

  • Anti-Forensics Techniques and Countermeasures

  • Operating System Forensics (Windows, Linux, macOS)

  • File System Forensics (NTFS, FAT, ext3/ext4)

  • Steganography and Image File Forensics

  • Network Forensics and Packet Analysis

  • Email and Social Media Forensics

  • Malware Forensics and Memory Analysis

  • Mobile Device Forensics

  • Cloud Forensics and Virtual Environments

  • Incident Response and Legal Considerations

  • Tools such as FTK, Autopsy, EnCase, X-Ways, and more


Why Choose Exam Sage for Your CHFI Preparation?

At Exam Sage, we understand that passing cybersecurity certification exams requires more than just reading a textbook. Our CHFI practice test offers:

  • Over 500 expertly written multiple-choice questions

  • Detailed explanations for every correct answer

  • Real-world scenarios that mimic the actual exam format

  • Plenty of revision and reinforcement opportunities

  • Updated content that reflects the latest version of the 312-49 exam

  • Easy digital download format for flexible learning

Whether you’re a digital forensics analyst, law enforcement professional, or an IT security specialist, our practice exam is your most reliable study tool.


Who Should Use This Practice Exam?

This CHFI practice exam is ideal for:

  • Digital Forensics Professionals

  • Cybersecurity Analysts

  • IT Auditors and Security Officers

  • Law Enforcement Investigators

  • Incident Response Teams

  • Ethical Hackers expanding their expertise

  • Anyone preparing for the EC-Council CHFI 312-49 exam


Prepare Smarter. Succeed Faster.

Elevate your cybersecurity career by earning your CHFI certification. Use Exam Sage’s high-quality practice exam to prepare thoroughly, identify knowledge gaps, and build the confidence you need to succeed. Start your forensic investigation journey today with Exam Sage — where your exam success begins.

Sample Questions and Answers

1. What is the primary purpose of computer forensics in incident response?

A) To recover deleted files only
B) To analyze network traffic for optimization
C) To preserve, identify, extract, and document digital evidence
D) To enhance computer performance

Answer: C
Explanation: The core goal of computer forensics is to preserve the integrity of digital evidence while identifying, extracting, and documenting it to support legal proceedings or incident response.


2. Which of the following best describes the chain of custody?

A) Process of encrypting data
B) Documentation of evidence handling from collection to presentation
C) Technique for recovering deleted data
D) Software used to scan networks

Answer: B
Explanation: Chain of custody is a detailed and documented process that tracks who collected, handled, and analyzed evidence to ensure it remains admissible in court.


3. What is the first step in the forensic investigation process?

A) Evidence analysis
B) Securing the scene
C) Reporting findings
D) Presentation of evidence

Answer: B
Explanation: Securing the scene is critical to prevent contamination or alteration of evidence before beginning collection or analysis.


4. Which tool is commonly used for disk imaging during a forensic investigation?

A) Wireshark
B) FTK Imager
C) Nmap
D) Metasploit

Answer: B
Explanation: FTK Imager is widely used to create exact forensic images (bit-by-bit copies) of hard drives, preserving data for analysis.


5. What does hashing a file help ensure in forensic analysis?

A) Improves file transfer speed
B) Compresses the file size
C) Verifies file integrity
D) Encrypts the file for security

Answer: C
Explanation: Hashing produces a unique digital fingerprint for a file, ensuring it hasn’t been altered during investigation.


6. What is the primary file system used by Windows operating systems for storing file metadata?

A) FAT32
B) NTFS
C) ext4
D) HFS+

Answer: B
Explanation: NTFS stores detailed file metadata such as timestamps, permissions, and file attributes, which are crucial for forensic investigations.


7. Which of the following is NOT a volatile data source?

A) RAM contents
B) CPU cache
C) Hard disk drive contents
D) Network connections

Answer: C
Explanation: Hard drives contain non-volatile data, while RAM, CPU cache, and network connections are volatile and lost when powered off.


8. What type of attack involves intercepting communication between two parties without their knowledge?

A) Phishing
B) Man-in-the-middle
C) Denial-of-service
D) SQL injection

Answer: B
Explanation: A man-in-the-middle attack secretly intercepts, and possibly alters, communication between two parties who believe they are talking directly to each other.


9. Which of the following is NOT an appropriate method for preserving volatile data?

A) Taking a memory dump
B) Documenting active network connections
C) Powering off the system immediately
D) Capturing system processes

Answer: C
Explanation: Powering off the system causes loss of volatile data like RAM content, so investigators aim to capture volatile data before shutdown.


10. What is the primary purpose of steganography detection in forensic analysis?

A) Detecting hidden data within files
B) Encrypting sensitive files
C) Recovering deleted files
D) Scanning for malware

Answer: A
Explanation: Steganography involves hiding data within other files, and forensic analysts aim to detect and extract such concealed information.


11. Which Linux command is commonly used to view active network connections?

A) ls
B) netstat
C) ps
D) chmod

Answer: B
Explanation: The netstat command lists active network connections and listening ports, which is helpful for forensic network analysis.


12. When collecting evidence, why is it important to make a forensic image instead of working on the original device?

A) To avoid legal issues
B) To increase investigation speed
C) To preserve the original evidence’s integrity
D) To compress the data

Answer: C
Explanation: Working on a copy ensures the original evidence remains untouched and admissible in court.


13. Which of the following is a key characteristic of metadata in forensic investigations?

A) Only file size
B) Data about data, such as timestamps and ownership
C) Encryption keys
D) User passwords

Answer: B
Explanation: Metadata provides contextual information about data, including creation/modification times, permissions, and ownership.


14. What is the role of a write-blocker device in forensic imaging?

A) Speeds up imaging
B) Prevents any write operations to the original storage media
C) Erases hidden partitions
D) Encrypts the disk image

Answer: B
Explanation: Write-blockers allow read-only access to storage devices, preventing accidental modification during evidence collection.


15. Which of the following is an example of a file signature (magic number) used in forensic analysis?

A) 0x89504E47 for PNG files
B) SHA-256 hash
C) File extension .exe
D) Last modified date

Answer: A
Explanation: File signatures identify file types regardless of extensions by their unique hexadecimal patterns.


16. What does the term “slack space” refer to in computer forensics?

A) Unallocated space on a hard drive
B) The difference between allocated file size and cluster size
C) Memory used by running processes
D) Temporary files created by the OS

Answer: B
Explanation: Slack space is leftover space in a cluster after the end of a file, which may contain remnants of previous data.


17. Which phase in the forensic process involves interpreting data to determine what happened?

A) Collection
B) Analysis
C) Identification
D) Presentation

Answer: B
Explanation: Analysis involves examining the collected evidence to understand the sequence of events and identify relevant facts.


18. Which tool is commonly used for password cracking during forensic investigations?

A) EnCase
B) John the Ripper
C) Wireshark
D) Netcat

Answer: B
Explanation: John the Ripper is a widely used password cracking tool for testing password strength or recovering passwords.


19. What is the difference between static and live forensics?

A) Static deals with powered-off systems; live deals with powered-on systems
B) Static is faster than live forensics
C) Live forensics involves only network traffic analysis
D) Static uses encryption, live uses decryption

Answer: A
Explanation: Static forensics analyzes offline (powered-off) systems, while live forensics captures data from running systems.


20. In file recovery, what is the purpose of carving?

A) Encrypting files for security
B) Extracting files from unallocated disk space without file system metadata
C) Compressing recovered files
D) Deleting malicious files

Answer: B
Explanation: Carving recovers files based on file signatures from raw disk data, bypassing the file system structures.


21. Which artifact is commonly examined to trace user web activity?

A) Registry entries
B) DNS cache
C) Browser history files
D) All of the above

Answer: D
Explanation: All these artifacts can provide insight into user web activity during forensic analysis.


22. Which of the following is a key consideration when presenting digital evidence in court?

A) The evidence must be encrypted
B) The evidence must be reproducible and authentic
C) The evidence must be publicly accessible
D) The evidence must be deleted after trial

Answer: B
Explanation: For digital evidence to be admissible, it must be shown to be authentic and its collection reproducible without tampering.


23. What is the function of a forensic workstation?

A) A standard PC for daily tasks
B) A dedicated system for forensic data acquisition and analysis
C) A server hosting websites
D) A tool for creating virtual machines

Answer: B
Explanation: Forensic workstations are specially configured computers with write-blockers, forensic software, and hardware for evidence processing.


24. What is a volatile data source that must be captured immediately during live forensics?

A) Files on the hard drive
B) Network connections and processes in RAM
C) Email archives
D) User manuals

Answer: B
Explanation: Volatile data like active processes, network connections, and memory contents disappear when the system powers down.


25. What kind of attack exploits vulnerabilities in SQL databases?

A) SQL Injection
B) Cross-site scripting
C) Brute force attack
D) Phishing

Answer: A
Explanation: SQL Injection attacks exploit vulnerabilities in database queries to manipulate or retrieve unauthorized data.


26. What is the typical format of a forensic image?

A) ISO
B) RAW (dd)
C) ZIP
D) EXE

Answer: B
Explanation: RAW format creates an exact sector-by-sector copy of a disk, preserving all data including deleted and slack space.


27. What does the term “data carving” specifically target?

A) Encrypted files only
B) Extracting files without file system metadata
C) Deleting unused files
D) Compressing large files

Answer: B
Explanation: Data carving recovers files by searching for file signatures directly in raw data, useful when metadata is missing.


28. Which Windows artifact records recently accessed files and folders?

A) Prefetch files
B) MFT (Master File Table)
C) Event logs
D) Recycle Bin

Answer: A
Explanation: Prefetch files are Windows artifacts that log frequently accessed applications and files, useful in forensic timelines.


29. What is the main advantage of using write-blockers?

A) Speed up file copying
B) Prevent changes to evidence storage media
C) Enhance network security
D) Automate evidence analysis

Answer: B
Explanation: Write-blockers prevent accidental writes to the original media, preserving the original evidence integrity.


30. In forensic analysis, what is meant by “memory dump”?

A) Transferring data to external storage
B) Capturing the entire contents of system RAM at a point in time
C) Removing malware from memory
D) Backing up hard drive contents

Answer: B
Explanation: A memory dump captures all data in RAM, which can contain valuable forensic artifacts such as running processes, passwords, and encryption keys.

31. What is the primary function of the Master File Table (MFT) in NTFS?

A) To store user credentials
B) To keep metadata about every file and directory on the volume
C) To manage network connections
D) To encrypt files on the system

Answer: B
Explanation: The MFT stores detailed metadata for all files and directories on NTFS, including size, timestamps, and location.


32. Which forensic technique is used to detect rootkits on a system?

A) Memory analysis
B) Network sniffing
C) Disk defragmentation
D) File hashing

Answer: A
Explanation: Rootkits often hide in memory; memory analysis can uncover hidden processes or modules injected into the system.


33. What type of forensic evidence can be obtained from swap or page files?

A) Deleted files
B) Encrypted emails
C) Data fragments from RAM swapped to disk
D) System logs

Answer: C
Explanation: Swap/page files may contain parts of memory swapped to disk, which can reveal volatile data not directly accessible.


34. What is a typical indicator of a compromised Windows Registry during a forensic examination?

A) Presence of unknown startup entries
B) Missing desktop background
C) Large file sizes on disk
D) Slow internet connection

Answer: A
Explanation: Unknown or suspicious startup entries in the Registry may indicate malware or persistent threats.


35. During evidence acquisition, what is the recommended file format to store hash values?

A) Plain text file
B) Proprietary encrypted format
C) Standard hash dump file like MD5 or SHA1
D) Compressed archive

Answer: C
Explanation: Hash values should be stored in a standardized format for verification and reproducibility.


36. Which type of attack targets a user’s credentials by capturing keystrokes?

A) Man-in-the-middle
B) Keylogger attack
C) SQL Injection
D) Denial-of-service

Answer: B
Explanation: Keyloggers record keystrokes, allowing attackers to capture passwords and sensitive data.


37. What is the primary purpose of timeline analysis in digital forensics?

A) To create a chronological sequence of system and user activities
B) To recover deleted files
C) To encrypt sensitive data
D) To compress forensic images

Answer: A
Explanation: Timeline analysis reconstructs the sequence of events to help investigators understand what happened and when.


38. Which tool is often used for live memory analysis during an incident?

A) Autopsy
B) Volatility Framework
C) EnCase
D) Wireshark

Answer: B
Explanation: Volatility is a powerful open-source tool designed for analyzing memory dumps and extracting forensic artifacts.


39. When analyzing network traffic, what is the purpose of a packet sniffer?

A) Encrypt data packets
B) Capture and analyze network packets in real time
C) Delete malicious packets
D) Compress network traffic

Answer: B
Explanation: Packet sniffers like Wireshark capture and analyze live or recorded network packets for forensic analysis.


40. What does the term Triage mean in digital forensics?

A) The process of encrypting data
B) Prioritizing evidence collection based on importance and volatility
C) Deleting unnecessary files
D) Creating disk images

Answer: B
Explanation: Triage prioritizes evidence to focus on the most critical and perishable data first.


41. Which forensic artifact can reveal the list of recently connected USB devices?

A) Prefetch files
B) Windows Registry USBStor key
C) Event logs
D) Pagefile.sys

Answer: B
Explanation: The Registry key USBStor logs USB device connections, useful for tracking external device usage.


42. What is the significance of the “pagefile.sys” in Windows forensics?

A) It stores the system boot logs
B) It is a swap file that can contain fragments of memory, including passwords and running processes
C) It contains user documents
D) It is a backup file for the Registry

Answer: B
Explanation: Pagefile.sys acts as virtual memory, storing swapped-out RAM pages, and can therefore contain valuable forensic data.


43. What is the first thing an investigator should do when arriving at a live system during an incident?

A) Shut down the system immediately
B) Document system state and capture volatile data
C) Disconnect the system from the network
D) Remove the hard disk for imaging

Answer: B
Explanation: The investigator must document and capture volatile data before shutting down or disconnecting to prevent loss of evidence.


44. What is the function of slack space in forensic investigations?

A) It stores the operating system kernel
B) It may contain residual data from previous files that can be recovered
C) It holds temporary internet files only
D) It is used exclusively for system backups

Answer: B
Explanation: Slack space is the unused portion of a disk cluster beyond the end of the file stored in it; it may contain remnants of old data and is often overlooked but important.


45. What does “artifact” mean in computer forensics?

A) A deleted file
B) Any piece of data or metadata that provides evidence
C) The encrypted portion of a hard drive
D) The backup file

Answer: B
Explanation: An artifact can be any data, metadata, log entry, or file that provides information about system activity.


46. In a forensic investigation, what is meant by “data carving”?

A) Encrypting data on a disk
B) Recovering files from unallocated space based on file signatures
C) Copying files to another system
D) Scanning for malware

Answer: B
Explanation: Data carving reconstructs files from raw data segments, often without metadata or file tables.


47. What type of evidence is typically most fragile and requires immediate collection?

A) Network logs
B) Hard disk contents
C) Volatile memory (RAM)
D) Backups

Answer: C
Explanation: RAM is volatile and lost when the system is powered off, so it must be captured promptly.


48. What is the difference between hashing and encryption?

A) Hashing is reversible, encryption is not
B) Hashing produces a fixed-size digest; encryption scrambles data that can be reversed with a key
C) Both are reversible
D) Both are irreversible

Answer: B
Explanation: Hashing creates a fixed-size, irreversible digest for integrity checking, while encryption scrambles data but can be decrypted with the proper key.


49. What is a volatile artifact that can help identify running processes during a live forensic capture?

A) MFT entries
B) RAM contents
C) File slack space
D) Browser cookies

Answer: B
Explanation: RAM contains active process information, running services, and other transient data useful in live analysis.


50. What type of malware typically attempts to hide itself by gaining administrative privileges and embedding deep into the operating system?

A) Virus
B) Trojan
C) Rootkit
D) Worm

Answer: C
Explanation: Rootkits operate at a low level to conceal malware and activities, often gaining admin privileges to evade detection.


51. What is the primary purpose of digital signature verification in forensic evidence?

A) To encrypt evidence files
B) To verify that data has not been altered since signing
C) To recover deleted files
D) To speed up data transmission

Answer: B
Explanation: Digital signatures ensure evidence integrity by confirming that files haven’t been changed since they were signed.


52. Which file format is commonly used to store system event logs in Windows?

A) .evt or .evtx
B) .log only
C) .txt
D) .xml

Answer: A
Explanation: Windows event logs use .evt (older) and .evtx (newer) formats to record system, security, and application events.


53. Why is documentation critical during forensic investigations?

A) To provide a record for courtroom testimony and preserve evidence authenticity
B) To increase investigation speed
C) To delete irrelevant files
D) To automate report writing

Answer: A
Explanation: Proper documentation ensures all steps are traceable and defensible in legal contexts.


54. In forensic investigations, what is meant by “data wiping”?

A) Recovering deleted files
B) Securely erasing data to prevent recovery
C) Copying data to a backup location
D) Encrypting files

Answer: B
Explanation: Data wiping securely deletes data so it cannot be recovered by forensic methods.


55. What kind of attack uses social engineering to gain user credentials?

A) Phishing
B) Brute force
C) Malware injection
D) Man-in-the-middle

Answer: A
Explanation: Phishing tricks users into revealing credentials by impersonating legitimate services.


56. Which artifact can help determine the last login time of a Windows user?

A) Security event log
B) System restore points
C) Recycle Bin
D) Prefetch files

Answer: A
Explanation: Security event logs record user logins and logouts, helping determine user activity timelines.


57. Which of these is an example of a live data source?

A) Hard disk image
B) RAM
C) Backup tapes
D) Archived emails

Answer: B
Explanation: RAM is volatile and exists only while the system is powered on, making it a live data source.


58. What does “write-blocking” prevent?

A) Reading data from a disk
B) Modifying or writing data to a disk during acquisition
C) Encrypting evidence
D) Transferring data over the network

Answer: B
Explanation: Write-blockers protect evidence by preventing any write operations to the original disk.


59. What is the purpose of forensic hashing algorithms like MD5 and SHA-1?

A) Encrypt evidence files
B) Verify data integrity by generating unique digital fingerprints
C) Compress files
D) Backup data

Answer: B
Explanation: These algorithms generate hash values that uniquely represent the data, used to verify integrity.


60. Which forensic artifact contains information about installed programs and Windows OS settings?

A) NTUSER.DAT
B) Pagefile.sys
C) Registry hives
D) Event logs

Answer: C
Explanation: The Windows Registry stores configuration settings, installed programs, and system information relevant in investigations.