CHFI Missed Questions and Answers | Latest update
100% Pass
When searching through file headers for picture file formats, what should be searched to find
a JPEG file in hexadecimal format?
A. FF D8 FF E0 00 10
B. FF FF FF FF FF FF
C. FF 00 FF 00 FF 00
D. EF 00 EF 00 EF 00 - ✔✔A. FF D8 FF E0 00 10
What type of file is represented by a colon (:) with a name following it in the Master
FileTable (MFT) of an NTFS disk?
A. Compressed file
B. Data stream file
C. Encrypted file
D. Reserved file - ✔✔B. Data stream file
When carrying out a forensics investigation, why should you never delete a partition on a
dynamic disk?
,A. All virtual memory will be deleted
B. The wrong partition may be set to active
C. This action can corrupt the disk
D. The computer will be set in a constant reboot state - ✔✔C. This action can corrupt the disk
Jacob is a computer forensics investigator with over 10 years experience in investigations and
has written over 50 articles on computer forensics. He has been called upon as a qualified
witness to testify the accuracy and integrity of the technical log files gathered in an
investigation into computer fraud. What is the term used for Jacob testimony in this
case?computer fraud. What is the term used for Jacob? testimony in this case?
A. Justification
B. Authentication
C. Reiteration
D. Certification - ✔✔B. Authentication
What is the slave device connected to the secondary IDE controller on a Linux OS referred to?
A. hda
B. hdd
C. hdb
D. hdc - ✔✔B. hdd
,During an investigation, an employee was found to have deleted harassing emails that were sent
to someone else. The company was using Microsoft Exchange and had message tracking
enabled. Where could the investigator search to find the message tracking log file on the
Exchange server?
A. C:\Program Files\Exchsrvr\servername.log
B. D:\Exchsrvr\Message Tracking\servername.log
C. C:\Exchsrvr\Message Tracking\servername.log
D. C:\Program Files\Microsoft Exchange\srvr\servername.log - ✔✔A.
C:\Program Files\Exchsrvr\servername.log
What file is processed at the end of a Windows XP boot to initialize the logon dialog box?
A. NTOSKRNL.EXE
B. NTLDR
C. LSASS.EXE
D. NTDETECT.COM - ✔✔C. LSASS.EXE
Paraben Lockdown device uses which operating system to write hard drive
data?Paraben?Lockdown device uses which operating system to write hard drive data?
A. Mac OS
B. Red Hat
, C. Unix
D. Windows - ✔✔D. Windows
A picture file is recovered from a computer under investigation. During the investigation
process, the file is enlarged 500% to get a better view of its contents. The picture quality is not
degraded at all from this process. What kind of picture is this file?its contents. The picture?
quality is not degraded at all from this process. What kind of picture is this file?
A. Raster image
B. Vector image
C. Metafile image
D. Catalog image - ✔✔B. Vector image
What advantage does the tool Evidor have over the built-in Windows search?
A. It can find deleted files even after they have been physically removed
B. It can find bad sectors on the hard drive
C. It can search slack space
D. It can find files hidden within ADS - ✔✔C. It can search slack space
In the context of file deletion process, which of the following statement holds true?
A. When files are deleted, the data is overwritten and the cluster marked as available
100% Pass
When searching through file headers for picture file formats, what should be searched to find
a JPEG file in hexadecimal format?
A. FF D8 FF E0 00 10
B. FF FF FF FF FF FF
C. FF 00 FF 00 FF 00
D. EF 00 EF 00 EF 00 - ✔✔A. FF D8 FF E0 00 10
What type of file is represented by a colon (:) with a name following it in the Master
FileTable (MFT) of an NTFS disk?
A. Compressed file
B. Data stream file
C. Encrypted file
D. Reserved file - ✔✔B. Data stream file
When carrying out a forensics investigation, why should you never delete a partition on a
dynamic disk?
,A. All virtual memory will be deleted
B. The wrong partition may be set to active
C. This action can corrupt the disk
D. The computer will be set in a constant reboot state - ✔✔C. This action can corrupt the disk
Jacob is a computer forensics investigator with over 10 years experience in investigations and
has written over 50 articles on computer forensics. He has been called upon as a qualified
witness to testify the accuracy and integrity of the technical log files gathered in an
investigation into computer fraud. What is the term used for Jacob testimony in this
case?computer fraud. What is the term used for Jacob? testimony in this case?
A. Justification
B. Authentication
C. Reiteration
D. Certification - ✔✔B. Authentication
What is the slave device connected to the secondary IDE controller on a Linux OS referred to?
A. hda
B. hdd
C. hdb
D. hdc - ✔✔B. hdd
,During an investigation, an employee was found to have deleted harassing emails that were sent
to someone else. The company was using Microsoft Exchange and had message tracking
enabled. Where could the investigator search to find the message tracking log file on the
Exchange server?
A. C:\Program Files\Exchsrvr\servername.log
B. D:\Exchsrvr\Message Tracking\servername.log
C. C:\Exchsrvr\Message Tracking\servername.log
D. C:\Program Files\Microsoft Exchange\srvr\servername.log - ✔✔A.
C:\Program Files\Exchsrvr\servername.log
What file is processed at the end of a Windows XP boot to initialize the logon dialog box?
A. NTOSKRNL.EXE
B. NTLDR
C. LSASS.EXE
D. NTDETECT.COM - ✔✔C. LSASS.EXE
Paraben Lockdown device uses which operating system to write hard drive
data?Paraben?Lockdown device uses which operating system to write hard drive data?
A. Mac OS
B. Red Hat
, C. Unix
D. Windows - ✔✔D. Windows
A picture file is recovered from a computer under investigation. During the investigation
process, the file is enlarged 500% to get a better view of its contents. The picture quality is not
degraded at all from this process. What kind of picture is this file?its contents. The picture?
quality is not degraded at all from this process. What kind of picture is this file?
A. Raster image
B. Vector image
C. Metafile image
D. Catalog image - ✔✔B. Vector image
What advantage does the tool Evidor have over the built-in Windows search?
A. It can find deleted files even after they have been physically removed
B. It can find bad sectors on the hard drive
C. It can search slack space
D. It can find files hidden within ADS - ✔✔C. It can search slack space
In the context of file deletion process, which of the following statement holds true?
A. When files are deleted, the data is overwritten and the cluster marked as available
