CHFI || Questions and Correct Detailed Answers
What is the First Step required in preparing a computer for forensics investigation?
A. Do not turn the computer off or on, run any programs, or attempt to access data on a computer
B. Secure any relevant media
C. Suspend automated document destruction and recycling policies that may pertain to any
relevant media or users at Issue
D. Identify the type of data you are seeking, the Information you are looking for, and the urgency
level of the examination correct answers a
Network forensics can be defined as the sniffing, recording, acquisition and analysis of the
network traffic and event logs in order to investigate a network security incident
A. True
B. False correct answers a
Which of the following commands shows you the names of all open shared files on a server and
number of file locks on each file?
A. Net sessions
B. Net file
C. Netconfig
D. Net share correct answers b
The Recycle Bin exists as a metaphor for throwing files away, but it also allows user to retrieve
and restore files. Once the file is moved to the recycle bin, a record is added to the log file that
exists in the Recycle Bin.
,Which of the following files contains records that correspond to each deleted file in the Recycle
Bin?
A. INFO2 file
B. INFO1 file
C. LOGINFO2 file
D. LOGINFO1 file correct answers a
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be accessed fast at a later date. There are two main archive types, namely Local Archive
and Server Storage Archive. Which of the following statements is correct while dealing with
local archives?
A. It is difficult to deal with the webmail as there is no offline archive in most cases. So consult
your counsel on the case as to the best way to approach and gain access to the required data on
servers
B. Local archives do not have evidentiary value as the email client may alter the message data
C. Local archives should be stored together with the server storage archives in order to be
admissible in a court of law
D. Server storage archives are the server information and settings stored on a local system
whereas the local archives are the local email client information stored on the mail server correct
answers a
Which of the following email headers specifies an address for mailer-generated errors, like "no
such user" bounce messages, to go to (instead of the sender's address)?
A. Errors-To header
B. Content-Transfer-Encoding header
C. Mime-Version header
D. Content-Type header correct answers a
,Which of the following commands shows you all of the network services running on Windows-
based servers?
A. Net start
B. Net use
C. Net Session
D. Net share correct answers a
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can tie easily accessed at a later date.
A. True
B. False correct answers a
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a
hashed format.
SAM file in Windows is located at:
A. C:\windows\system32\config\SAM
B. C:\windows\system32\con\SAM
C. C:\windows\system32\Boot\SAM
D. C:\windows\system32\drivers\SAM correct answers a
FAT32 is a 32-bit version of FAT file system using smaller clusters and results in efficient storage
capacity. What is the maximum drive size supported?
, A. 1 terabytes
B. 2 terabytes
C. 3 terabytes
D. 4 terabytes correct answers b
In which step of the computer forensics investigation methodology would you run MD5
checksum on the evidence?
A. Obtain search warrant
B. Evaluate and secure the scene
C. Collect the evidence
D. Acquire the data correct answers d
Network forensics allows Investigators 10 inspect network traffic and logs to identify and locate
the attack system
Network forensics can reveal: (Select three answers)
A. Source of security incidents' and network attacks
B. Path of the attack
C. Intrusion techniques used by attackers
D. Hardware configuration of the attacker's system correct answers a b c
TCP/IP (Transmission Control Protocol/Internet Protocol) is a communication protocol used to
connect different hosts in the Internet. It contains four layers, namely the network interface layer.
Internet layer, transport layer, and application layer.
Which of the following protocols works under the transport layer of TCP/IP?
What is the First Step required in preparing a computer for forensics investigation?
A. Do not turn the computer off or on, run any programs, or attempt to access data on a computer
B. Secure any relevant media
C. Suspend automated document destruction and recycling policies that may pertain to any
relevant media or users at Issue
D. Identify the type of data you are seeking, the Information you are looking for, and the urgency
level of the examination correct answers a
Network forensics can be defined as the sniffing, recording, acquisition and analysis of the
network traffic and event logs in order to investigate a network security incident
A. True
B. False correct answers a
Which of the following commands shows you the names of all open shared files on a server and
number of file locks on each file?
A. Net sessions
B. Net file
C. Netconfig
D. Net share correct answers b
The Recycle Bin exists as a metaphor for throwing files away, but it also allows user to retrieve
and restore files. Once the file is moved to the recycle bin, a record is added to the log file that
exists in the Recycle Bin.
,Which of the following files contains records that correspond to each deleted file in the Recycle
Bin?
A. INFO2 file
B. INFO1 file
C. LOGINFO2 file
D. LOGINFO1 file correct answers a
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be accessed fast at a later date. There are two main archive types, namely Local Archive
and Server Storage Archive. Which of the following statements is correct while dealing with
local archives?
A. It is difficult to deal with the webmail as there is no offline archive in most cases. So consult
your counsel on the case as to the best way to approach and gain access to the required data on
servers
B. Local archives do not have evidentiary value as the email client may alter the message data
C. Local archives should be stored together with the server storage archives in order to be
admissible in a court of law
D. Server storage archives are the server information and settings stored on a local system
whereas the local archives are the local email client information stored on the mail server correct
answers a
Which of the following email headers specifies an address for mailer-generated errors, like "no
such user" bounce messages, to go to (instead of the sender's address)?
A. Errors-To header
B. Content-Transfer-Encoding header
C. Mime-Version header
D. Content-Type header correct answers a
,Which of the following commands shows you all of the network services running on Windows-
based servers?
A. Net start
B. Net use
C. Net Session
D. Net share correct answers a
Email archiving is a systematic approach to save and protect the data contained in emails so that
it can tie easily accessed at a later date.
A. True
B. False correct answers a
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a
hashed format.
SAM file in Windows is located at:
A. C:\windows\system32\config\SAM
B. C:\windows\system32\con\SAM
C. C:\windows\system32\Boot\SAM
D. C:\windows\system32\drivers\SAM correct answers a
FAT32 is a 32-bit version of FAT file system using smaller clusters and results in efficient storage
capacity. What is the maximum drive size supported?
, A. 1 terabytes
B. 2 terabytes
C. 3 terabytes
D. 4 terabytes correct answers b
In which step of the computer forensics investigation methodology would you run MD5
checksum on the evidence?
A. Obtain search warrant
B. Evaluate and secure the scene
C. Collect the evidence
D. Acquire the data correct answers d
Network forensics allows Investigators 10 inspect network traffic and logs to identify and locate
the attack system
Network forensics can reveal: (Select three answers)
A. Source of security incidents' and network attacks
B. Path of the attack
C. Intrusion techniques used by attackers
D. Hardware configuration of the attacker's system correct answers a b c
TCP/IP (Transmission Control Protocol/Internet Protocol) is a communication protocol used to
connect different hosts in the Internet. It contains four layers, namely the network interface layer.
Internet layer, transport layer, and application layer.
Which of the following protocols works under the transport layer of TCP/IP?
