8/17/25, 4:08
PM
chfi book questions and Answers 2025/2026
What must an investigator do in Investigators need to document all the forensics processes
order to offer a good report to a applied to identify, gather, analyze, preserve, and report the
court of law and ease the evidence in order to offer a good report to a court of law and
prosecution? ease the prosecution.
Which answer best describes flash Flash memory is a non-volatile electronically erasable and re
memory? programmable storage medium that is capable of retaining data
even in the absence of power.
Which of the following is the A reserved area of 32,768 bytes at the beginning of the disk is
correct number of bytes reserved present for use in booting CD-ROM on a computer (system
at the beginning of a CD-ROM area).
for booting a computer?
Number 0: boot
record Number 1:
Field Type volume descriptors? primary
Number 2:
supplementary
Number 3: volume
partition Number 255:
set terminator
Which field is the standard The second field is the standard identifier and is set to CD001 for a
identifier set to CD001 for a CD- CD-ROM compliant to the ISO 9660 standard.
ROM compliant to the ISO 9660
standard?
Which of the following is a data BIOS Parameter Block (BPB) is data structure situated at sector 1
structure situated at sector 1 in in the volume boot record of a hard disk and explains the
the volume boot record of a hard physical layout of a disk volume.
disk to explain the physical layout
of a disk volume?
MBR almost always refers to the master partition table
partition sector of a disk, also
known as:
What is the last addressable the negative addressing of the logical blocks starts from the end of the
block where negative addressing volume with
of the logical blocks starts from -1 as the last addressable block
the end of the volume in GPT?
1/
12
, 8/17/25, 4:08
PM
LBA 0: protective
Logical Block Addresses (LBA) MBR LBA 1: GPT
common slots: header
LBA 2: partition entry
array LBA 34: first
usable sector
a command that can help the investigator parse GPTs of both
Get-BootSector
types of hard disks including the ones formatted with either
UEFI or MBR.
analyzes the GUID partition table to find the exact type of boot
Get-PartitionTable
sector (Master Boot Record or GUID PartitionTable) and displays
the partition object
Windows:
GPT disk access partitioning tools, DiskPart MAC:
per OS: Disk Utility
Linux: GNU
Parted
On Macintosh computers, On Intel-based Macintosh computers, EFI initializes the rest of the
which architecture utilizes EFI hardware interfaces.
to initialize the hardware
interfaces after the Boot ROM
performs POST?
The first reserved sector is the Volume Boot Record or VBR,
FAT File System Layout
which comprises the BIOS Parameter Block (BPB) containing basic
file system information, such as type of file system and pointers to
-Reserved Area-
the position of the other sections as well as the operating system's
boot loader code.
Holds two duplicates of the File Allocation Table to help the
FAT File System Layout system check for the empty or idle spaces. Contains detailed
information about clusters and their contents including files and
-FAT Area- directories. Extra copies contained in this file system are in perfect
sync with writes and read, and will replace when the first or main
FAT seems to include mistakes or damages.
occupies the largest part of a partition, stores the actual file and
FAT File System Layout
directory data. The FAT file system fills the unused parts or spaces
with a filler estimation of 0xF6 based on the INT 1Eh's Disk
-Data Area-
Parameter Table (DPT). The FAT supports read-only, hidden,
system, and archive attributes.
consists of data that the document framework uses to get to the volume
FAT Partition Boot Sector
*in UNIX this is called the super block
How many bytes does a Directory entry is a data structure (32 bytes) allotted for each file and
Directory Entry have allotted for directory
each file and directory in the FAT
file system?
2/
12
PM
chfi book questions and Answers 2025/2026
What must an investigator do in Investigators need to document all the forensics processes
order to offer a good report to a applied to identify, gather, analyze, preserve, and report the
court of law and ease the evidence in order to offer a good report to a court of law and
prosecution? ease the prosecution.
Which answer best describes flash Flash memory is a non-volatile electronically erasable and re
memory? programmable storage medium that is capable of retaining data
even in the absence of power.
Which of the following is the A reserved area of 32,768 bytes at the beginning of the disk is
correct number of bytes reserved present for use in booting CD-ROM on a computer (system
at the beginning of a CD-ROM area).
for booting a computer?
Number 0: boot
record Number 1:
Field Type volume descriptors? primary
Number 2:
supplementary
Number 3: volume
partition Number 255:
set terminator
Which field is the standard The second field is the standard identifier and is set to CD001 for a
identifier set to CD001 for a CD- CD-ROM compliant to the ISO 9660 standard.
ROM compliant to the ISO 9660
standard?
Which of the following is a data BIOS Parameter Block (BPB) is data structure situated at sector 1
structure situated at sector 1 in in the volume boot record of a hard disk and explains the
the volume boot record of a hard physical layout of a disk volume.
disk to explain the physical layout
of a disk volume?
MBR almost always refers to the master partition table
partition sector of a disk, also
known as:
What is the last addressable the negative addressing of the logical blocks starts from the end of the
block where negative addressing volume with
of the logical blocks starts from -1 as the last addressable block
the end of the volume in GPT?
1/
12
, 8/17/25, 4:08
PM
LBA 0: protective
Logical Block Addresses (LBA) MBR LBA 1: GPT
common slots: header
LBA 2: partition entry
array LBA 34: first
usable sector
a command that can help the investigator parse GPTs of both
Get-BootSector
types of hard disks including the ones formatted with either
UEFI or MBR.
analyzes the GUID partition table to find the exact type of boot
Get-PartitionTable
sector (Master Boot Record or GUID PartitionTable) and displays
the partition object
Windows:
GPT disk access partitioning tools, DiskPart MAC:
per OS: Disk Utility
Linux: GNU
Parted
On Macintosh computers, On Intel-based Macintosh computers, EFI initializes the rest of the
which architecture utilizes EFI hardware interfaces.
to initialize the hardware
interfaces after the Boot ROM
performs POST?
The first reserved sector is the Volume Boot Record or VBR,
FAT File System Layout
which comprises the BIOS Parameter Block (BPB) containing basic
file system information, such as type of file system and pointers to
-Reserved Area-
the position of the other sections as well as the operating system's
boot loader code.
Holds two duplicates of the File Allocation Table to help the
FAT File System Layout system check for the empty or idle spaces. Contains detailed
information about clusters and their contents including files and
-FAT Area- directories. Extra copies contained in this file system are in perfect
sync with writes and read, and will replace when the first or main
FAT seems to include mistakes or damages.
occupies the largest part of a partition, stores the actual file and
FAT File System Layout
directory data. The FAT file system fills the unused parts or spaces
with a filler estimation of 0xF6 based on the INT 1Eh's Disk
-Data Area-
Parameter Table (DPT). The FAT supports read-only, hidden,
system, and archive attributes.
consists of data that the document framework uses to get to the volume
FAT Partition Boot Sector
*in UNIX this is called the super block
How many bytes does a Directory entry is a data structure (32 bytes) allotted for each file and
Directory Entry have allotted for directory
each file and directory in the FAT
file system?
2/
12
