National Polytechnic Institute CHFI Practice Test

Approved & Edited by ProProfs Editorial Team

The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.

Learn about Our Editorial Process

| By Dale

Dale

Community Contributor

Quizzes Created: 6 | Total Attempts: 4,200

Questions: 150 | Attempts: 890 | Updated: Mar 15, 2023

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

National Polytechnic Institute CHFI Practice Test - Quiz

Questions and Answers

1.

Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensic investigation case?
- A.
  
  Secure the evidence
- B.
  
  First response
- C.
  
  Data collection
- D.
  
  Data analysis
Correct Answer
B. First response

Explanation
The following are the Computer Forensics Investigation Methodology:

First Response

Search and Seizure

Collect the Evidence

Secure the Evidence

Data Acquisition

Data Analysis

Evidence Assessment

Documentation and Reporting

Testify as an Expert Witness

Rate this question:
2.

Which of the following is a record of the: characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map, and usage information, and the size of the block groups?
- A.
  
  Inode table
- B.
  
  Superblock
- C.
  
  Mount Count
- D.
  
  Master Boot Record (MBR)
Correct Answer
B. Superblock

Explanation
The superblock is a record that contains important information about a file system, including its size, block size, empty and filled blocks, inode table size and location, disk block map, usage information, and the size of block groups. It serves as a key data structure in a file system and is typically located at the beginning of the file system. The superblock provides essential metadata that allows the operating system to manage the file system effectively and efficiently.

Rate this question:
3.

Which of the following tool captures and allows you to interactively browse the traffic on a network?
- A.
  
  RegScanner
- B.
  
  ThumbsDisplay
- C.
  
  Wireshark
- D.
  
  Security Task Manager
Correct Answer
C. Wireshark

Explanation
Wireshark is a tool that captures and allows users to interactively browse network traffic. It is a popular network protocol analyzer that can be used to monitor and analyze network packets in real-time. Wireshark provides detailed information about network protocols, packet headers, and data payload, allowing users to troubleshoot network issues, detect network attacks, and analyze network performance. It is widely used by network administrators and security professionals to gain insights into network traffic and identify potential security vulnerabilities.

Rate this question:
4.

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?
- A.
  
  OpenGL/ES and SGL
- B.
  
  WebKit
- C.
  
  Surface Manager
- D.
  
  Media framework
Correct Answer
A. OpenGL/ES and SGL

Explanation
The correct answer is OpenGL/ES and SGL. These two Android libraries are used to render 2D or 3D graphics content to the screen. OpenGL/ES is a widely used graphics API that allows developers to create high-performance 2D and 3D graphics on Android devices. SGL (Software Graphics Library) is a software-based graphics library that provides a simplified interface for rendering 2D graphics. Both libraries are essential for creating visually appealing and interactive graphics applications on Android.

Rate this question:
5.

Which of the following built-in Linux commands can be used by forensic investigators to copy data from a disk drive?
- A.
  
  Expr
- B.
  
  Diff
- C.
  
  Lprm
- D.
  
  Dd and dcfldd
Correct Answer
D. Dd and dcfldd

Explanation
The correct answer is "dd and dcfldd". These are built-in Linux commands that can be used by forensic investigators to copy data from a disk drive. The "dd" command is commonly used for creating disk images or copying data from one location to another, while "dcfldd" is an enhanced version of "dd" with additional features for forensic purposes. These commands are essential tools for investigators to preserve and analyze data without altering the original source.

Rate this question:
6.

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack?
- A.
  
  Email spamming
- B.
  
  Phishing
- C.
  
  Mail bombing
- D.
  
  Email spoofing
Correct Answer
C. Mail bombing

Explanation
Mail bombing refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted, causing a denial-of-service attack. This attack can disrupt the normal functioning of the email server, making it difficult for legitimate users to access their emails. It is a form of cyber attack that aims to disrupt the communication channels and cause inconvenience or damage to the targeted individual or organization.

Rate this question:
7.

Which tool does the investigator use to extract artifacts left by Google Drive on the system?
- A.
  
  VirusTotal
- B.
  
  RAM Capturer
- C.
  
  WebBrowserPassView
- D.
  
  Deep Log Analyzer
Correct Answer
B. RAM Capturer

Explanation
RAM Capturer is the tool used by investigators to extract artifacts left by Google Drive on the system. RAM Capturer is a forensic tool that allows the investigator to capture the contents of a computer's RAM (Random Access Memory) in order to analyze and extract valuable information. By analyzing the captured RAM, investigators can potentially find evidence of Google Drive usage, such as file uploads, downloads, or other activities that may be relevant to the investigation.

Rate this question:
8.

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?
- A.
  
  MS-office Word Document
- B.
  
  Portable Document Format
- C.
  
  MS-office Word PowerPoint
- D.
  
  MS-office Word OneNote
Correct Answer
B. Portable Document Format

Explanation
The Portable Document Format (PDF) does not use Object Linking and Embedding (OLE) technology to embed and link to other objects. While MS-office Word Document, MS-office Word PowerPoint, and MS-office Word OneNote all use OLE technology to embed and link to other objects, PDF files do not have this functionality. PDF files are designed to be platform-independent and retain their formatting regardless of the software or hardware used to view them, which is why they do not rely on OLE technology.

Rate this question:
9.

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company's domain controller goes down. From which system would you begin your investigation?
- A.
  
  IDS
- B.
  
  SIEM
- C.
  
  Domain Controller
- D.
  
  Firewall
Correct Answer
C. Domain Controller

Explanation
If the domain controller goes down, it is logical to begin the investigation from the domain controller itself. The domain controller is a critical component in managing and authenticating user accounts, permissions, and network resources within a Windows domain. Its failure can have a significant impact on the overall network functionality. By investigating the domain controller, one can identify the root cause of the issue and take appropriate actions to restore its functionality, ensuring the smooth operation of the network.

Rate this question:
10.

Which code does the FAT file system use to mark the file as deleted?
- A.
  
  H5e
- B.
  
  ESh
- C.
  
  5Eh
- D.
  
  E5h
Correct Answer
D. E5h

Explanation
In the FAT file system, the OS replaces the first letter of a deleted file name with a hex byte code, E5h. E5h is a special tag that indicates the deleted file.

Rate this question:
11.

Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password?
- A.
  
  Hybrid attack
- B.
  
  Brute force attack
- C.
  
  Syllable attack
- D.
  
  Rule-based attack
Correct Answer
A. Hybrid attack

Explanation
A hybrid attack would be the optimal password cracking technique in this scenario because it combines different methods to increase the chances of success. Since it is known that Jacky uses her daughter's year of birth as part of the password, a hybrid attack can combine a dictionary attack with a brute force attack. It can first try common passwords based on dictionary words, including her daughter's year of birth, and then systematically try all possible combinations of characters if the dictionary attack fails. This approach maximizes the efficiency of the password cracking process.

Rate this question:
12.

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One of the evidence that Ron possesses is a mobile phone from Nokia that was left in ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?
- A.
  
  *IMEI#
- B.
  
  #*06*#
- C.
  
  #06#*
- D.
  
  *#06#
Correct Answer
D. *#06#

Explanation
Ron can use the key combination *#06# to recover the IMEI number of the Nokia mobile phone.

Rate this question:
13.

A computer used in an alleged software piracy ring has been taken to a forensics lab for investigation. After searching for three days, the investigators have found no trace of illegal activity. As a last effort, the investigators decide to examine the slack space of the computer’s hard drive. What information will this produce for the investigators?
- A.
  
  Data contained in the BIOS
- B.
  
  Recently deleted files
- C.
  
  Data contained in the master boot record (MBR)
- D.
  
  Data from the sectors of the disk
Correct Answer
B. Recently deleted files

Explanation
Examining the slack space of a computer's hard drive can provide information about recently deleted files. When files are deleted, they are not immediately erased from the hard drive but rather marked as available space. By examining the slack space, investigators may be able to recover fragments or remnants of these deleted files, which could potentially provide evidence of illegal activity in the alleged software piracy ring.

Rate this question:
14.

Report writing is a crucial stage in the outcome of an investigation. Which information should NOT be included in the report section?
- A.
  
  Purpose of the report
- B.
  
  Author of the report
- C.
  
  Incident summary
- D.
  
  Speculation or opinion as to the cause of the incident
Correct Answer
D. Speculation or opinion as to the cause of the incident

Explanation
In a report section, it is important to provide factual information based on evidence rather than speculation or personal opinions. Including speculation or opinions as to the cause of the incident can undermine the credibility and objectivity of the report. The purpose of the report, the author, and an incident summary are all relevant and necessary information to include in a report.

Rate this question:
15.

Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?
- A.
  
  BIOS Stage
- B.
  
  Kernel Stage
- C.
  
  BootROM Stage
- D.
  
  Bootloader Stage
Correct Answer
B. Kernel Stage

Explanation
The bootloaders become active in the Kernel Stage of the booting process. At this stage, the BIOS has already completed its tasks and handed over control to the bootloader. The bootloader's main function is to load the operating system kernel into memory and initialize it. It allows the user to choose which operating system to boot if there are multiple options available. Once the kernel is loaded, it takes over the control and continues the booting process.

Rate this question:
16.

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?
- A.
  
  What's Running
- B.
  
  RAM Capturer
- C.
  
  TRIPWIRE
- D.
  
  Regshot
Correct Answer
D. Regshot

Explanation
Regshot is an open-source (LGPL) registry compare utility that allows you to take a snapshot of your registry quickly and then compare it with a second one - done after doing system changes or installing a new software product.

Rate this question:
17.

Which among the following U.S. laws requires financial institutions – companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – to protect their customers’ information against security threats?
- A.
  
  GLBA
- B.
  
  FISMA
- C.
  
  SOX
- D.
  
  HIPAA
Correct Answer
A. GLBA

Explanation
The correct answer is GLBA. The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires financial institutions to protect their customers' information against security threats. This law applies to companies that offer financial products or services such as loans, financial or investment advice, or insurance. GLBA mandates that these institutions implement safeguards to ensure the security and confidentiality of customer information, as well as protect against unauthorized access to or use of this information.

Rate this question:
18.

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as: FF D8 FF E1 What is the file type of the image?
- A.
  
  GIF
- B.
  
  JPEG
- C.
  
  PNG
- D.
  
  BMP
Correct Answer
B. JPEG

Explanation
GIF [Hex: 47 49 46]
JPEG [Hex: ff d8 ff]
PNG [Hex: 89 50 4e]
BMP [Hex: 42 4d]

Rate this question:
19.

Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?
- A.
  
  Citizen Informant Search Warrant
- B.
  
  Electronic Storage Device Search Warrant
- C.
  
  IT Bench Search Warrant
- D.
  
  Service Provider Search Warrant
Correct Answer
B. Electronic Storage Device Search Warrant

Explanation
An Electronic Storage Device Search Warrant allows the first responder to search and seize the victim’s computer components such as:
• Hardware
• Software
• Storage devices
• Documentation

If the crime involves the Internet, the first responder needs information about the victim’s computer from the service provider end. A Service Provider Search Warrant allows first responders or investigators to consult the service provider and obtain the available victim’s computer information.
First responders can obtain the following information from the service provider:
• Service records
• Billing records
• Subscriber information

Rate this question:
20.

Which of the following standard represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?
- A.
  
  Daubert
- B.
  
  Frye
- C.
  
  IOCE
- D.
  
  SWGDE & SWGIT
Correct Answer
A. Daubert

Explanation
The Daubert Standard, a legal act established in 1993 by the Supreme Court of the United States, explains about the rule of evidence regarding the admissibility of the expert witnesses’ testimony during the federal legal proceedings. Under this act, the plaintiff or defendant can raise a motion to exclude the unqualified evidence at a jury trial.
In Daubert Standard Act, the Supreme Court passed a rule for federal trial judges to act as “gatekeepers” of scientific evidence. The trial judges should analyze the proffered expert witnesses to decide whether their testimony is both “relevant” and “reliable”. The relevance of a testimony decides whether the expert’s evidence applies to the facts of the case or not. The counsel can opt for Daubert motion before or during the trial to stop the presentation of ineffectual evidence to the jury. The expert’s testimony should be based on the evidence and facts of the case. An expert witness uses the scientific method of investigation to describe that the evidence is reliable and relevant to the case.

Rate this question:
21.

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside of the web server's root directory?
- A.
  
  Unvalidated input
- B.
  
  Directory traversal
- C.
  
  Security misconfiguration
- D.
  
  Parameter/form tampering
Correct Answer
B. Directory traversal

Explanation
Directory traversal is an attack that allows an attacker to access restricted directories and execute commands outside of the web server's root directory. This attack takes advantage of vulnerabilities in the application's input validation and file path handling. By manipulating file paths, the attacker can bypass security measures and gain unauthorized access to sensitive files, such as application source code, configuration files, and critical system files. This can lead to further exploitation and compromise of the system's integrity and confidentiality.

Rate this question:
22.

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, information header, and image data. Which of the following element specifies the dimensions, compression type, and color format for the bitmap?
- A.
  
  The RGBQUAD array
- B.
  
  Information header
- C.
  
  Header
- D.
  
  Image data
Correct Answer
B. Information header

Explanation
BMP File Structure:
Every bitmap file contains the following data structure:
-- File header: The first part of the header that includes the data about the type, size, and layout of a file.
-- Information header: A header component that contains the dimensions, compression type, and color format for the bitmap.
-- The RGBQUAD array: A color table that comprises the array of elements equal to the colors present in the bitmap; this color
table does not support bitmaps with 24 color bits, as each pixel is represented by24-bit RGB values in the actual bitmap.
-- Image data: The array of bytes that contains bitmap image data; image data comprises color and shading information for
each pixel. A bitmap file always has 42 4D as the first characters in a hexadecimal representation. These characters translate
to BM in the ASCII code.

Rate this question:
23.

Which of the following is NOT an anti-forensics technique?
- A.
  
  Data Deduplication
- B.
  
  Password Protection
- C.
  
  Encryption
- D.
  
  Steganography
Correct Answer
A. Data Deduplication

Explanation
⦿ Data/File Deletion
⦿ Password Protection
⦿ Steganography
⦿ Steganalysis
⦿ Data Hiding in File System Structures
⦿ Trail Obfuscation
⦿ Artifact Wiping
⦿ Overwriting Data/Metadata
⦿ Encryption
⦿ Encrypted Network Protocols
⦿ Program Packers
⦿ Rootkits
⦿ Minimize Footprint
⦿ Exploiting Forensics Tools Bugs
⦿ Detecting Forensics Tool Activities

Rate this question:
24.

Which of the following techniques creates a replica of an evidence media?
- A.
  
  Data Extraction
- B.
  
  Data Deduplication
- C.
  
  Bit Stream Imaging
- D.
  
  Backup
Correct Answer
C. Bit Stream Imaging

Explanation
Bit Stream Imaging is a technique that creates a replica of an evidence media. It involves creating a bit-by-bit copy of the entire storage device, including both allocated and unallocated space. This process ensures that all data, including deleted or hidden files, is preserved in its original form. By creating a replica, investigators can analyze the evidence without altering or damaging the original media, maintaining its integrity for legal purposes.

Rate this question:
25.

Wireless access control attacks aim to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls. Which of the following wireless access control attacks allow the attacker to set up a rogue access point outside the corporate perimeter and then lure the employees of the organization to connect to it?
- A.
  
  Client mis-association
- B.
  
  Ad-hoc associations
- C.
  
  Rogue access points
- D.
  
  MAC spoofing
Correct Answer
A. Client mis-association

Explanation
Client mis-association is a wireless access control attack where the attacker sets up a rogue access point outside the corporate perimeter and tricks employees into connecting to it. This attack takes advantage of the fact that clients will automatically connect to a familiar network, even if it is a malicious one. By impersonating a legitimate network, the attacker can intercept sensitive information or launch further attacks on the connected devices. This attack bypasses WLAN access control measures such as AP MAC filters and Wi-Fi port access controls, allowing the attacker to gain unauthorized access to the network.

Rate this question:
26.

Where does the Windows 10 system store the metadata of the deleted files?
- A.
  
  INFO file
- B.
  
  INFO2 file
- C.
  
  Recycle Bin
- D.
  
  Deletes it permanently
Correct Answer
B. INFO2 file

Explanation
In Windows versions newer than Vista and XP, the OS stores the complete path and file or folder name in a hidden file called INFO2. This file remains inside the Recycled or Recycler folder and stores information about the deleted file. It is a master database file and very crucial for the recovery of data. INFO2 contains various details of deleted files such as original file name, original file size, the date and time of deletion, unique identifying number, and the drive number that the file came from.

Rate this question:
27.

Rusty, a computer forensics apprentice, uses the command “nbtstat -c” while analyzing the network information in a suspect system. What information is he looking for?
- A.
  
  Contents of the NetBIOS name cache
- B.
  
  Contents of the network routing table
- C.
  
  Network connections
- D.
  
  Status of the network carrier
Correct Answer
A. Contents of the NetBIOS name cache

Explanation
nbtstat -c: This option shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings.

Rate this question:

1
0
28.

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?
- A.
  
  Netstat –s
- B.
  
  Netstat –r
- C.
  
  Netstat –b
- D.
  
  Netstat –ano
Correct Answer
D. Netstat –ano

Explanation
Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

-a..............Displays all connections and listening ports.
-b..............Displays the executable involved in creating each connection or listening
.................port. In some cases well-known executables host multiple independent
.................components, and in these cases the sequence of components involved in
.................creating the connection or listening port is displayed. In this case the
.................executable name is in [ ] at the bottom, on top is the component it called,
.................and so forth until TCP/IP was reached. Note that this option can be time-
.................consuming and will fail unless you have sufficient permissions.
-e..............Displays Ethernet statistics. This may be combined with the -s option.
-f...............Displays Fully Qualified Domain Names (FQDN) for foreign addresses.
-n..............Displays addresses and port numbers in numerical form.
-o..............Displays the owning process ID associated with each connection.
-p proto....Shows connections for the protocol specified by proto; proto may be any
.................of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-
.................protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP,
.................TCPv6, UDP, or UDPv6.
-q..............Displays all connections, listening ports, and bound non-listening TCP
.................ports. Bound non-listening ports may or may not be associated with an
.................active connection.
-r...............Displays the routing table.
-s..............Displays per-protocol statistics. By default, statistics are shown for IP,
.................IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be
.................used to specify a subset of the default.
-t...............Displays the current connection offload state.
-x..............Displays NetworkDirect connections, listeners, and shared endpoints.
-y..............Displays the TCP connection template for all connections. Cannot be
.................combined with the other options.
interval....Redisplays selected statistics, pausing interval seconds between each
.................display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat
.................will print the current configuration information once.

Rate this question:
29.

Which password cracking technique uses every possible combination of character sets?
- A.
  
  Rainbow table attack
- B.
  
  Dictionary attack
- C.
  
  Brute force attack
- D.
  
  Rule-based attack
Correct Answer
C. Brute force attack

Explanation
A brute force attack is a password cracking technique that uses every possible combination of character sets to guess the correct password. It systematically tries all possible combinations until it finds the correct one. This method is time-consuming and resource-intensive, but it is effective against weak passwords that lack complexity or length. Unlike other techniques like dictionary attacks or rule-based attacks, which rely on pre-existing databases or patterns, a brute force attack does not make any assumptions and tries all possibilities.

Rate this question:
30.

Raw data acquisition format creates _________ of a data set or suspect drive.
- A.
  
  Compressed image files
- B.
  
  Simple sequential flat files
- C.
  
  Segmented image files
- D.
  
  Segmented files
Correct Answer
B. Simple sequential flat files

Explanation
Simple sequential flat files are created by the raw data acquisition format. These files store data in a sequential manner, where each record is stored one after the other. This format is simple and easy to understand, making it useful for analyzing and processing data sets or suspect drives. Unlike compressed or segmented files, simple sequential flat files do not involve any complex compression or segmentation techniques, making them a straightforward choice for raw data acquisition.

Rate this question:
31.

An executive had leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?
- A.
  
  Malware Analysis
- B.
  
  Real-Time Analysis
- C.
  
  Postmortem Analysis
- D.
  
  Packet Analysis
Correct Answer
C. Postmortem Analysis

Explanation
Postmortem analysis refers to the investigation and analysis of an incident after it has occurred. In this scenario, the investigation team should conduct a postmortem analysis of the executive's system to gather evidence and understand the extent of the trade secret leak. This process involves examining the system's logs, files, and any other relevant data to determine how the leak occurred, identify any vulnerabilities or security breaches, and develop strategies to prevent similar incidents in the future.

Rate this question:
32.

Ivanovich, a forensic investigator, is trying to extract the complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?
- A.
  
  Slack space
- B.
  
  Files and documents
- C.
  
  Application data
- D.
  
  Swap space
Correct Answer
D. Swap space

Explanation
Swap space is an area of the hard drive that is used as virtual memory when the RAM is full. It is a part of the operating system's memory management system. By looking into the swap space, Ivanovich can find information about the running processes that are currently stored there. This can provide him with additional details and insights about the system's activity and resource usage, complementing the information he can gather from the RAM and virtual memory.

Rate this question:
33.

A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect’s available information but without any success. Which of the following tool can help the investigator to solve this issue?
- A.
  
  Cain & Abel
- B.
  
  Colasoft’s Capsa
- C.
  
  Xplico
- D.
  
  Recuva
Correct Answer
A. Cain & Abel

Explanation
Cain & Abel is a tool commonly used by forensic investigators to recover passwords. It can perform various password cracking techniques, such as dictionary attacks and brute-force attacks, to attempt to guess the password of a protected file. This tool would be helpful in this scenario as the forensic examiner can use it to try different password combinations and potentially gain access to the suspect file.

Rate this question:
34.

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.
- A.
  
  8-bit
- B.
  
  24-bit
- C.
  
  32-bit
- D.
  
  16-bit
Correct Answer
A. 8-bit

Explanation
GIF is a bitmap image format that supports up to 256 distinct colors per frame. The term "8-bit" refers to the color depth of the image, indicating that each pixel in the GIF can be represented by 8 bits, allowing for a maximum of 256 different colors. This limitation in color range makes GIF suitable for simple graphics and animations, but not ideal for displaying complex images with a wide range of colors.

Rate this question:
35.

What does the 63.78.199.4(161) denote in a Cisco router log? Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet
- A.
  
  Login IP address
- B.
  
  Destination IP address
- C.
  
  Source IP address
- D.
  
  None of the above
Correct Answer
B. Destination IP address

Explanation
The given Cisco router log entry shows that a packet was denied from the source IP address 66.56.16.77 on UDP port 1029 to the destination IP address 63.78.199.4 on port 161. Therefore, the 63.78.199.4(161) in the log denotes the destination IP address and port number.

Rate this question:
36.

An expert witness is a ____________ who is normally appointed by a party to assist the formulation and preparation of a party’s claim or defense.
- A.
  
  Expert advisor
- B.
  
  Crime scene spectator
- C.
  
  Ex-criminal
- D.
  
  Government officer
Correct Answer
A. Expert advisor

Explanation
An expert witness is someone who is appointed by a party to assist in the formulation and preparation of their claim or defense. They provide specialized knowledge and expertise in a particular field relevant to the case. They are not a crime scene spectator or an ex-criminal, and while a government officer may sometimes serve as an expert witness, the term "expert advisor" more accurately describes the role and responsibilities of an expert witness.

Rate this question:
37.

Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?
- A.
  
  Cross-Examination
- B.
  
  Direct-Examination
- C.
  
  Witness Examination
- D.
  
  Indirect Examination
Correct Answer
A. Cross-Examination

Explanation
Cross-Examination refers to the process in a trial where the opposing side is given the opportunity to question a witness. During cross-examination, the opposing attorney aims to challenge the credibility, accuracy, or consistency of the witness's testimony. This is done by asking leading questions and attempting to elicit information that may undermine the witness's account or support the opposing party's case. The purpose of cross-examination is to test the witness's testimony and expose any weaknesses or inconsistencies in their statements.

Rate this question:
38.

POP3 (Post Office Protocol 3) is a standard protocol for receiving an email that deletes mail on the server as soon as the user downloads it. When a message arrives, the POP3 server appends it to the bottom of the recipient's account file, which can be retrieved by the email client at any preferred time. Email client connects to the POP3 server at __________ by default to fetch emails.
- A.
  
  Port 123
- B.
  
  Port 110
- C.
  
  Port 115
- D.
  
  Port 109
Correct Answer
B. Port 110

Explanation
The correct answer is Port 110. POP3 uses Port 110 by default for the email client to connect to the POP3 server and fetch emails. This port allows the email client to establish a connection with the server and retrieve the emails from the recipient's account file.

Rate this question:
39.

Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and the number of the session for the process?
- A.
  
  Tasklist /u
- B.
  
  Tasklist /p
- C.
  
  Tasklist /s
- D.
  
  Tasklist /v
Correct Answer
D. Tasklist /v

Explanation
The tasklist command with the /v option provides information about the listed processes, including the image name, PID, name, and the number of the session for the process. This option is used to display verbose information about each process, giving a more detailed view of the listed tasks.

Rate this question:
40.

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?
- A.
  
  Network
- B.
  
  Session
- C.
  
  Transport
- D.
  
  Physical
Correct Answer
D. Physical

Explanation
Sniffers that place NICs in promiscuous mode work at the Physical layer of the OSI model. The Physical layer is responsible for the transmission and reception of raw bit streams over a physical medium. By operating at this layer, sniffers can capture all network traffic passing through the network interface card (NIC) without being restricted to specific protocols or ports. This allows them to monitor and analyze network packets regardless of the higher-layer protocols being used.

Rate this question:
41.

Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization’s DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information?
- A.
  
  RunMRU key
- B.
  
  MountedDevices key
- C.
  
  TypedURLs key
- D.
  
  UserAssist Key
Correct Answer
A. RunMRU key

Explanation
Smith, as a forensic investigator, is looking for values typed into the Run box in the Start menu on a laptop suspected of being involved in hacking. To find this information, Smith will check the "RunMRU" key in the registry. The RunMRU key stores a list of the most recently used programs and commands that have been executed using the Run box. By examining this key, Smith can identify the values that have been typed into the Run box and gather evidence related to the hacking incident.

Rate this question:
42.

A state department site was recently attacked, and all the servers had their hard disks erased. The incident response team sealed the area and commenced an investigation. During evidence collection, they came across a USB flash drive that did not have the standard labeling on it. The incident team inserted the flash drive into an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong?
- A.
  
  They tampered with the evidence by using it
- B.
  
  They called in the FBI without correlating with the fingerprint data
- C.
  
  They examined the actual evidence on an unrelated system
- D.
  
  They attempted to implicate personnel without proof
Correct Answer
A. They tampered with the evidence by using it

Explanation
The incident team went wrong by tampering with the evidence by using the USB flash drive. By inserting the flash drive into an isolated system, they unintentionally erased the system disk, which could potentially compromise the integrity of the evidence. It is crucial to handle and preserve evidence carefully to ensure its admissibility and maintain the chain of custody.

Rate this question:
43.

Which MySQL log file contains information on server start and stop?
- A.
  
  General query log file
- B.
  
  Error log file
- C.
  
  Slow query log file
- D.
  
  Binary log
Correct Answer
B. Error log file

Explanation
Status and log files stored in data directory include:
1. Process ID file (HOSTNAME.pid), contains the process ID created when the
server starts
2. Error log (HOSTNAME.err), contains the information associated with the
startup and shutdown events, and errors
3. General query log (HOSTNAME.log), logs the client connections and activities
4. Binary log (HOSTNAME-bin.nnnnnn), contains the events that describe the
changes occurred in the database
5. Binary log index (HOSTNAME-bin.index), contains the list of all the binary log
files currently available in the data directory
6. Relay log (HOSTNAMErelay-bin.n), contains the events that describe the
changes occurred in the database
7. Relay log index (HOSTNAMErelay-bin.index), contains the list of all the relay
log files currently available in the data directory
8. Master info file (master.info) created by a replication slave server, that contains
the essential parameters used for
connecting to the master slave
9. Relay log info file (relay-log.info) created by a replication slave server, that
contains the status of relay log processing
10. Slow query log (HOSTNAMEslow.log), a text file that contains statements
which take longer processing time

Rate this question:
44.

Which rule requires an original recording to be provided to prove the content of a recording?
- A.
  
  1004
- B.
  
  1002
- C.
  
  1005
- D.
  
  1003
Correct Answer
B. 1002

Explanation
Rule 1002: Requirement of Original To prove the content of a writing, recording, or photograph, the original writing , recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.

Rate this question:
45.

Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?
- A.
  
  TCPView
- B.
  
  Process Monitor
- C.
  
  Tokenmon
- D.
  
  PSLoggedon
Correct Answer
D. PSLoggedon

Explanation
PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.

Rate this question:
46.

Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?
- A.
  
  Cookies
- B.
  
  Open files
- C.
  
  Web Browser Cache
- D.
  
  Temporary Files
Correct Answer
A. Cookies

Explanation
Cookies are small pieces of data that are sent from a website and stored on the user's computer by the user's web browser. They are used to track, validate, and maintain specific user information. Cookies enable websites to remember user preferences, track user behavior, and provide personalized experiences. They are commonly used for authentication, session management, and storing user-specific settings.

Rate this question:
47.

What value of the "Boot Record Signature" is used to indicate that the bootloader exists?
- A.
  
  A100
- B.
  
  AA55
- C.
  
  AA00
- D.
  
  00AA
Correct Answer
B. AA55

Explanation
The value "AA55" is used as the "Boot Record Signature" to indicate the presence of the bootloader. This value acts as a unique identifier for the bootloader, allowing the system to recognize its existence during the booting process.

Rate this question:
48.

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use?
- A.
  
  Windows 8.1
- B.
  
  Linux
- C.
  
  Windows XP
- D.
  
  Windows 98
Correct Answer
A. Windows 8.1

Explanation
The presence of the $Recycle.Bin folder in the root directory of the disk indicates that the operating system in use is Windows. This folder is used by Windows operating systems to store deleted files before they are permanently removed. Since the question does not provide any specific details about the version of Windows, we can infer that the operating system is Windows 8.1 based on the available options.

Rate this question:
49.

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.
- A.
  
  Hard disk block
- B.
  
  Logical block
- C.
  
  Operating system block
- D.
  
  Physical block
Correct Answer
D. Physical block

Explanation
In hard disk data addressing, addresses are allotted to each physical block of data on a hard disk. This means that the data on the hard disk is divided into physical blocks, and each block is assigned a specific address. This allows the operating system to locate and access the data stored on the hard disk efficiently.

Rate this question:
50.

Adam, a forensic investigator, is investigating an attack on Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine?
- A.
  
  PUB.EDB
- B.
  
  Gwcheck.db
- C.
  
  PRIV.STM
- D.
  
  PRIV.EDB
Correct Answer
C. PRIV.STM

Explanation
Adam, the forensic investigator, is investigating an attack on the Microsoft Exchange Server. After examining the PRIV.EDB file, he was able to determine the source of the email and the name of the file that disappeared upon execution. Now, he needs to examine the MIME stream content. To do this, he will examine the PRIV.STM file.

Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Mar 15, 2023

Quiz Edited by
ProProfs Editorial Team
May 29, 2019

Quiz Created by
Dale

National Polytechnic Institute CHFI Practice Test

Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensic investigation case?

Which of the following is a record of the: characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map, and usage information, and the size of the block groups?

Which of the following tool captures and allows you to interactively browse the traffic on a network?

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?

Which of the following built-in Linux commands can be used by forensic investigators to copy data from a disk drive?

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack?

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company's domain controller goes down. From which system would you begin your investigation?

Which code does the FAT file system use to mark the file as deleted?

Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password?

Report writing is a crucial stage in the outcome of an investigation. Which information should NOT be included in the report section?

Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?

Which among the following U.S. laws requires financial institutions – companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – to protect their customers’ information against security threats?

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as: FF D8 FF E1 What is the file type of the image?

Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?

Which of the following standard represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside of the web server's root directory?

Which of the following is NOT an anti-forensics technique?

Which of the following techniques creates a replica of an evidence media?

Where does the Windows 10 system store the metadata of the deleted files?

Rusty, a computer forensics apprentice, uses the command “nbtstat -c” while analyzing the network information in a suspect system. What information is he looking for?

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

Which password cracking technique uses every possible combination of character sets?

Raw data acquisition format creates _________ of a data set or suspect drive.

An executive had leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

Ivanovich, a forensic investigator, is trying to extract the complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

What does the 63.78.199.4(161) denote in a Cisco router log? Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

An expert witness is a ____________ who is normally appointed by a party to assist the formulation and preparation of a party’s claim or defense.

Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

Which MySQL log file contains information on server start and stop?

Which rule requires an original recording to be provided to prove the content of a recording?

Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?

Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?

What value of the "Boot Record Signature" is used to indicate that the bootloader exists?

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use?

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.