CHFI
CHFI Exam Questions and Answers
Question 1
What is the First Step required in preparing a computer for forensics investigation?
A. Do not turn the computer off or on, run any programs, or attempt to access data
on a computer
B. Secure any relevant media
C. Suspend automated document destruction and recycling policies that may pertain
to any relevant media or users at Issue
D. Identify the type of data you are seeking, the Information you are looking for, and
the urgency level of the examination
Correct Answer
a
Question 2
Network forensics can be defined as the sniffing, recording, acquisition and analysis
of the network traffic and event logs in order to investigate a network security
incident
A. True
B. False
Correct Answer
a
Question 3
Which of the following commands shows you the names of all open shared files on a
server and number of file locks on each file?
A. Net sessions
B. Net file
C. Netconfig
D. Net share
Correct Answer
b
Page 1 of 65
, CHFI
Question 4
The Recycle Bin exists as a metaphor for throwing files away, but it also allows user to
retrieve and restore files. Once the file is moved to the recycle bin, a record is added
to the log file that exists in the Recycle Bin.
Which of the following files contains records that correspond to each deleted file in
the Recycle Bin?
A. INFO2 file
B. INFO1 file
C. LOGINFO2 file
D. LOGINFO1 file
Correct Answer
a
Question 5
Email archiving is a systematic approach to save and protect the data contained in
emails so that it can be accessed fast at a later date. There are two main archive types,
namely Local Archive and Server Storage Archive. Which of the following statements
is correct while dealing with local archives?
A. It is difficult to deal with the webmail as there is no offline archive in most cases. So
consult your counsel on the case as to the best way to approach and gain access to
the required data on servers
B. Local archives do not have evidentiary value as the email client may alter the
message data
C. Local archives should be stored together with the server storage archives in order
to be admissible in a court of law
D. Server storage archives are the server information and settings stored on a local
system whereas the local archives are the local email client information stored on the
mail server
Correct Answer
a
Page 2 of 65
, CHFI
Question 6
Which of the following email headers specifies an address for mailer-generated
errors, like "no such user" bounce messages, to go to (instead of the sender's
address)?
A. Errors-To header
B. Content-Transfer-Encoding header
C. Mime-Version header
D. Content-Type header
Correct Answer
a
Question 7
Which of the following commands shows you all of the network services running on
Windows- based servers?
A. Net start
B. Net use
C. Net Session
D. Net share
Correct Answer
a
Question 8
Email archiving is a systematic approach to save and protect the data contained in
emails so that it can tie easily accessed at a later date.
A. True
B. False
Correct Answer
a
Page 3 of 65
, CHFI
Question 9
Windows Security Accounts Manager (SAM) is a registry file which stores passwords
in a hashed format.
SAM file in Windows is located at:
A. C:\windows\system32\config\SAM
B. C:\windows\system32\con\SAM
C. C:\windows\system32\Boot\SAM
D. C:\windows\system32\drivers\SAM
Correct Answer
a
Question 10
FAT32 is a 32-bit version of FAT file system using smaller clusters and results in
efficient storage capacity. What is the maximum drive size supported?
A. 1 terabytes
B. 2 terabytes
C. 3 terabytes
D. 4 terabytes
Correct Answer
b
Question 11
In which step of the computer forensics investigation methodology would you run
MD5 checksum on the evidence?
A. Obtain search warrant
B. Evaluate and secure the scene
C. Collect the evidence
D. Acquire the data
Correct Answer
d
Page 4 of 65
CHFI Exam Questions and Answers
Question 1
What is the First Step required in preparing a computer for forensics investigation?
A. Do not turn the computer off or on, run any programs, or attempt to access data
on a computer
B. Secure any relevant media
C. Suspend automated document destruction and recycling policies that may pertain
to any relevant media or users at Issue
D. Identify the type of data you are seeking, the Information you are looking for, and
the urgency level of the examination
Correct Answer
a
Question 2
Network forensics can be defined as the sniffing, recording, acquisition and analysis
of the network traffic and event logs in order to investigate a network security
incident
A. True
B. False
Correct Answer
a
Question 3
Which of the following commands shows you the names of all open shared files on a
server and number of file locks on each file?
A. Net sessions
B. Net file
C. Netconfig
D. Net share
Correct Answer
b
Page 1 of 65
, CHFI
Question 4
The Recycle Bin exists as a metaphor for throwing files away, but it also allows user to
retrieve and restore files. Once the file is moved to the recycle bin, a record is added
to the log file that exists in the Recycle Bin.
Which of the following files contains records that correspond to each deleted file in
the Recycle Bin?
A. INFO2 file
B. INFO1 file
C. LOGINFO2 file
D. LOGINFO1 file
Correct Answer
a
Question 5
Email archiving is a systematic approach to save and protect the data contained in
emails so that it can be accessed fast at a later date. There are two main archive types,
namely Local Archive and Server Storage Archive. Which of the following statements
is correct while dealing with local archives?
A. It is difficult to deal with the webmail as there is no offline archive in most cases. So
consult your counsel on the case as to the best way to approach and gain access to
the required data on servers
B. Local archives do not have evidentiary value as the email client may alter the
message data
C. Local archives should be stored together with the server storage archives in order
to be admissible in a court of law
D. Server storage archives are the server information and settings stored on a local
system whereas the local archives are the local email client information stored on the
mail server
Correct Answer
a
Page 2 of 65
, CHFI
Question 6
Which of the following email headers specifies an address for mailer-generated
errors, like "no such user" bounce messages, to go to (instead of the sender's
address)?
A. Errors-To header
B. Content-Transfer-Encoding header
C. Mime-Version header
D. Content-Type header
Correct Answer
a
Question 7
Which of the following commands shows you all of the network services running on
Windows- based servers?
A. Net start
B. Net use
C. Net Session
D. Net share
Correct Answer
a
Question 8
Email archiving is a systematic approach to save and protect the data contained in
emails so that it can tie easily accessed at a later date.
A. True
B. False
Correct Answer
a
Page 3 of 65
, CHFI
Question 9
Windows Security Accounts Manager (SAM) is a registry file which stores passwords
in a hashed format.
SAM file in Windows is located at:
A. C:\windows\system32\config\SAM
B. C:\windows\system32\con\SAM
C. C:\windows\system32\Boot\SAM
D. C:\windows\system32\drivers\SAM
Correct Answer
a
Question 10
FAT32 is a 32-bit version of FAT file system using smaller clusters and results in
efficient storage capacity. What is the maximum drive size supported?
A. 1 terabytes
B. 2 terabytes
C. 3 terabytes
D. 4 terabytes
Correct Answer
b
Question 11
In which step of the computer forensics investigation methodology would you run
MD5 checksum on the evidence?
A. Obtain search warrant
B. Evaluate and secure the scene
C. Collect the evidence
D. Acquire the data
Correct Answer
d
Page 4 of 65
