C702 - CHFI Final Exam Preparation
C702 - CHFI FINAL EXAM PREPARATION FOR 2025/2026
COMPLETE 200 QUESTIONS AND CORRECT ANSWERS |ALREADY
GRADED A+||BRAND NEW!!
Identify the following project, which was launched by the National Institute of
Standards and Technology (NIST), that establishes a "methodology for testing
computer forensics software tools by development of general tool specifications,
test procedures, test criteria, test sets, and test hardware."
A. Computer Forensic Investigation Project (CFIP)
B. Computer Forensic Hardware Project (CFHP)
C. Enterprise Theory of Investigation (ETI)
D. Computer Forensic Tool Testing Project (CFTTP)
D. Computer Forensic Tool Testing Project (CFTTP)
Ref: Module 2, page 126
First responders can collect or recover data from any computer system or device
that holds electronic information.
A. False
B. True
A. False
Ref: Module 2, page 129
What is not one of the measures a system or network administrator should take
when responding to an incident.
A. Immediately power down the computer if an ongoing attack is detected.
B. Document every detail relevant to the incident.
C. Transfer copies of system logs onto a clean media.
D. Record what is on the screen if the computer is switched on.
A. Immediately power down the computer if an ongoing attack is detected.
Ref: Module 2, page 131
1|Page
, C702 - CHFI Final Exam Preparation
Written consent from the authority is sufficient to commence search and seizure
activity.
A. True
B. False
A. True
Ref: Module 2, page 140
When obtaining evidence, what action should a forensic investigator take if a
computer is switched on and the screen is viewable?
A. Photograph the screen.
B. Unplug the cable from the wall.
C. Remove the battery.
D. Move the mouse slowly.
A. Photograph the screen.
Ref: Module 2, page 154
Data duplication includes bit-by-bit copying of original data using a software or
hardware tool.
A. False
B. True
B. True
Ref: Module 2, page 177
Which of the following is not a digital data storage type?
A. Optical storage devices
B. Magnetic storage devices
C. Quantum storage devices
D. Flash memory devices
C. Quantum storage devices
Ref: Module 3, page 358
What is not a Windows file system?
A. NTFS
2|Page
, C702 - CHFI Final Exam Preparation
B. FAT32
C. FAT
D. EXT3
D. EXT3
Ref: Module 3, page 256
Which field type refers to the volume descriptor as a primary?
A. Number 2
B. Number 0
C. Number 1
D. Number 3
C. Number 1
Ref: Module 3, page 316
Which logical drive holds the information regarding the data and files that are
stored in the disk?
A. Tertiary partition
B. Extended partition
C. Primary partition
D. Secondary partition
B. Extended partition
Ref: Module 3, page 230
How large is the partition table structure that stores information about the
partitions present on the hard disk?
A. 32-byte
B. 64-bit
C. 32-bit
D. 64-byte
D. 64-byte
Ref: Module 3, page 227
3|Page
, C702 - CHFI Final Exam Preparation
How many bytes are used for the disk signature in the structure of a master boot
record (MBR)?
A. 24
B. 8
C. 2
D. 64
C. 2
Ref: Module 3, page 229
In the GUID Partition Table, which Logical Block Address contains the Partition
Entry Array?
A. LBA 1
B. LBA 2
C. LBA 3
D. LBA 0
B. LBA 2
Ref: Module 3, page 235
Which of the following describes when the user restarts the system via the
operating system?
A. Warm booting
B. Hot booting
C. Cold booting
D. Hard booting
A. Warm booting
Ref: Module 3, page 238
Which Windows operating system powers on and starts up using either the
traditional BIOS-MBR method or the newer UEFI-GPT method?
A. Windows 8
B. Windows 7
C. Windows Vista
D. Windows XP
4|Page
C702 - CHFI FINAL EXAM PREPARATION FOR 2025/2026
COMPLETE 200 QUESTIONS AND CORRECT ANSWERS |ALREADY
GRADED A+||BRAND NEW!!
Identify the following project, which was launched by the National Institute of
Standards and Technology (NIST), that establishes a "methodology for testing
computer forensics software tools by development of general tool specifications,
test procedures, test criteria, test sets, and test hardware."
A. Computer Forensic Investigation Project (CFIP)
B. Computer Forensic Hardware Project (CFHP)
C. Enterprise Theory of Investigation (ETI)
D. Computer Forensic Tool Testing Project (CFTTP)
D. Computer Forensic Tool Testing Project (CFTTP)
Ref: Module 2, page 126
First responders can collect or recover data from any computer system or device
that holds electronic information.
A. False
B. True
A. False
Ref: Module 2, page 129
What is not one of the measures a system or network administrator should take
when responding to an incident.
A. Immediately power down the computer if an ongoing attack is detected.
B. Document every detail relevant to the incident.
C. Transfer copies of system logs onto a clean media.
D. Record what is on the screen if the computer is switched on.
A. Immediately power down the computer if an ongoing attack is detected.
Ref: Module 2, page 131
1|Page
, C702 - CHFI Final Exam Preparation
Written consent from the authority is sufficient to commence search and seizure
activity.
A. True
B. False
A. True
Ref: Module 2, page 140
When obtaining evidence, what action should a forensic investigator take if a
computer is switched on and the screen is viewable?
A. Photograph the screen.
B. Unplug the cable from the wall.
C. Remove the battery.
D. Move the mouse slowly.
A. Photograph the screen.
Ref: Module 2, page 154
Data duplication includes bit-by-bit copying of original data using a software or
hardware tool.
A. False
B. True
B. True
Ref: Module 2, page 177
Which of the following is not a digital data storage type?
A. Optical storage devices
B. Magnetic storage devices
C. Quantum storage devices
D. Flash memory devices
C. Quantum storage devices
Ref: Module 3, page 358
What is not a Windows file system?
A. NTFS
2|Page
, C702 - CHFI Final Exam Preparation
B. FAT32
C. FAT
D. EXT3
D. EXT3
Ref: Module 3, page 256
Which field type refers to the volume descriptor as a primary?
A. Number 2
B. Number 0
C. Number 1
D. Number 3
C. Number 1
Ref: Module 3, page 316
Which logical drive holds the information regarding the data and files that are
stored in the disk?
A. Tertiary partition
B. Extended partition
C. Primary partition
D. Secondary partition
B. Extended partition
Ref: Module 3, page 230
How large is the partition table structure that stores information about the
partitions present on the hard disk?
A. 32-byte
B. 64-bit
C. 32-bit
D. 64-byte
D. 64-byte
Ref: Module 3, page 227
3|Page
, C702 - CHFI Final Exam Preparation
How many bytes are used for the disk signature in the structure of a master boot
record (MBR)?
A. 24
B. 8
C. 2
D. 64
C. 2
Ref: Module 3, page 229
In the GUID Partition Table, which Logical Block Address contains the Partition
Entry Array?
A. LBA 1
B. LBA 2
C. LBA 3
D. LBA 0
B. LBA 2
Ref: Module 3, page 235
Which of the following describes when the user restarts the system via the
operating system?
A. Warm booting
B. Hot booting
C. Cold booting
D. Hard booting
A. Warm booting
Ref: Module 3, page 238
Which Windows operating system powers on and starts up using either the
traditional BIOS-MBR method or the newer UEFI-GPT method?
A. Windows 8
B. Windows 7
C. Windows Vista
D. Windows XP
4|Page
