CERTIFIED HACKING FORENSIC
INVESTIGATOR (CHFI) NEWEST 2026 EXAM
PREP WITH QUESTIONS AND CORRECT
ANSWERS GRADED A+
What are two types of gathering information from an executable
file? Correct Answer Static analysis and Dynamic analysis
Static analysis involves collecting information about and from the
executable without launching it.
Dynamic analysis involves running the executable in a monitored
environment.
In Linux every file has nine permission bits, choose all that apply.
Correct Answer Setuid, Sticky bit, Setgid
(Setuid bits have an octal value of 4000
Setgid bits have an octal value of 2000
Sticky bits have an octal value of 1000 however, Linux silently
ignores this type. Sticky bits were important as a modifier for
executable files on early UNIX systems)
What is true about the PE Header? Correct Answer 64-byte
structure called IMAGE_DOS_HEADER
First DWORD value refers to address of the new EXE file
,Value is defined in ntimage.h header file
What best defines a Portable Executable (PE)? Correct Answer
Data structure for Windows OS loader to manage wrapped
executable code
Format for executables, object code and DLLs used in 32- and
64-bit versions of Windows
What is the table of functions called that DLLs maintain? Correct
Answer Export
What is true about MAC times? Correct Answer MAC times are
time stamps referring to the time at which the file was last
modified in some way and MAC stands for modified, accessed
and created
What statements reflect how time stamps are displayed or
changed in the NTFS file system? Correct Answer When a file is
moved from one folder to another on the same file system, the file
keeps the same modification and creation dates
When a file is copied from one folder to another on the same file
system, the file keeps the same modification date, but the
creation date is updated to the current date and time
What tools can be used to view metadata? Correct Answer
Metaviewer, Metadata Analyzer and iScrub
,Some events are recorded by default. Others are recorded based
on the audit configuration in the PolAdEvt registry key. Other
aspects are maintained in what registry key? Correct Answer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Eventlog\Event Log
What is the ELF_LOG_SIGNATURE? Correct Answer Signature
of the Windows event log
(The event log header is the first 48 bytes and the magic number
appears as eLfL in ASCII.)
What format does Vista use for event logs? Correct Answer XML
What command displays a list of the available event logs in Vista?
Correct Answer wevtutil el
HKEY_LOCAL_MACHINE\SAM supports what? Correct Answer
Sam, Sam.log, Sam.sav
(SAM stands for Security Accounts Manager. It contains Windows
passwords)
Where are IIS Web server logs most often maintained? Correct
Answer %WinDir%\System32\LogFiles directory
, DHCP Service Activity Logs are stored where? Correct Answer
%SystemRoot%\System32\DHCP
Windows Firewall logs are stored where? Correct Answer
%SystemRoot%\pfirewall.log
LogParser.exe -o:DATAGRID "select * from system" is what type
of command? Correct Answer Microsoft Log Parsing
(Microsoft Log Parser accepts three arguments:
i - input
o - output
query similar to SQL)
What is Event ID 624? Correct Answer recorded when an account
is created
What is Event ID 642 Correct Answer gives information about
changes to an account
What is Event ID 632 Correct Answer member added to global
security group
What is Event ID 633 Correct Answer member removed from
global security group
INVESTIGATOR (CHFI) NEWEST 2026 EXAM
PREP WITH QUESTIONS AND CORRECT
ANSWERS GRADED A+
What are two types of gathering information from an executable
file? Correct Answer Static analysis and Dynamic analysis
Static analysis involves collecting information about and from the
executable without launching it.
Dynamic analysis involves running the executable in a monitored
environment.
In Linux every file has nine permission bits, choose all that apply.
Correct Answer Setuid, Sticky bit, Setgid
(Setuid bits have an octal value of 4000
Setgid bits have an octal value of 2000
Sticky bits have an octal value of 1000 however, Linux silently
ignores this type. Sticky bits were important as a modifier for
executable files on early UNIX systems)
What is true about the PE Header? Correct Answer 64-byte
structure called IMAGE_DOS_HEADER
First DWORD value refers to address of the new EXE file
,Value is defined in ntimage.h header file
What best defines a Portable Executable (PE)? Correct Answer
Data structure for Windows OS loader to manage wrapped
executable code
Format for executables, object code and DLLs used in 32- and
64-bit versions of Windows
What is the table of functions called that DLLs maintain? Correct
Answer Export
What is true about MAC times? Correct Answer MAC times are
time stamps referring to the time at which the file was last
modified in some way and MAC stands for modified, accessed
and created
What statements reflect how time stamps are displayed or
changed in the NTFS file system? Correct Answer When a file is
moved from one folder to another on the same file system, the file
keeps the same modification and creation dates
When a file is copied from one folder to another on the same file
system, the file keeps the same modification date, but the
creation date is updated to the current date and time
What tools can be used to view metadata? Correct Answer
Metaviewer, Metadata Analyzer and iScrub
,Some events are recorded by default. Others are recorded based
on the audit configuration in the PolAdEvt registry key. Other
aspects are maintained in what registry key? Correct Answer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Eventlog\Event Log
What is the ELF_LOG_SIGNATURE? Correct Answer Signature
of the Windows event log
(The event log header is the first 48 bytes and the magic number
appears as eLfL in ASCII.)
What format does Vista use for event logs? Correct Answer XML
What command displays a list of the available event logs in Vista?
Correct Answer wevtutil el
HKEY_LOCAL_MACHINE\SAM supports what? Correct Answer
Sam, Sam.log, Sam.sav
(SAM stands for Security Accounts Manager. It contains Windows
passwords)
Where are IIS Web server logs most often maintained? Correct
Answer %WinDir%\System32\LogFiles directory
, DHCP Service Activity Logs are stored where? Correct Answer
%SystemRoot%\System32\DHCP
Windows Firewall logs are stored where? Correct Answer
%SystemRoot%\pfirewall.log
LogParser.exe -o:DATAGRID "select * from system" is what type
of command? Correct Answer Microsoft Log Parsing
(Microsoft Log Parser accepts three arguments:
i - input
o - output
query similar to SQL)
What is Event ID 624? Correct Answer recorded when an account
is created
What is Event ID 642 Correct Answer gives information about
changes to an account
What is Event ID 632 Correct Answer member added to global
security group
What is Event ID 633 Correct Answer member removed from
global security group
