FORENSIC INVESTIGATOR (CHFI) REVIEW WITH 100 CORRECT ANSWERS FOR EXAM RETAKE PREP (2025) WITH MOST TESTED QUESTIONS

This resource provides a targeted review of missed questions from the EC-Council CHFI (Computer Hacking Forensic Investigator) exam. It focuses on digital evidence handling, incident response techniques, data recovery, and system forensics. Ideal for candidates preparing for a CHFI retake or looking to strengthen their knowledge in key forensic areas for the 2025 certification exam.
What technique used by EnCase makes it virtually impossible to tamper with evidence once it has been acquired?
A. Every byte of the file(s) is given an MD5 hash to match against a master file
B. Every byte of the file(s) is verified using 32-bit CRC
C. Every byte of the file(s) is copied to three different hard drives
D. Every byte of the file(s) is encrypted using three different methods
CORRECT ANSWER - B. Every byte of the file(s) is verified using 32-bit CRC
What will the following command accomplish?
dd if=/dev/xxx of=mbr.backup bs=512 count=1
A. Back up the master boot record
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive
CORRECT ANSWER - A. Back up the master boot record
A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?
A. He should search in the C:\Windows\System32\RECYCLED folder
B. The Recycle Bin does not exist on the hard drive
C. The files are hidden and he must use the ? switch to view them
D. Only the FAT file system contains a RECYCLED folder, not NTFS
CORRECT ANSWER - C. The files are hidden and he must use the ? switch to view them
You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?
A. Enumerate domain user accounts and built-in groups
B. Enumerate MX and A records from DNS
C. Establish a remote connection to the Domain Controller
D. Poison the DNS records with false records
CORRECT ANSWER - A. Enumerate domain user accounts and built-in groups
Printing under a Windows computer normally requires which one of the following file types to be created?
A. EME
B. MEM
C. EMF
D. CME
CORRECT ANSWER - C. EMF
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 0

CORRECT ANSWER - A. The attacker has conducted a network sweep on port 111
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?
A. Evidence must be handled in the same way regardless of the type of case
B. Evidence procedures are not important unless you work for a law enforcement agency
C. Evidence in a criminal case must be secured more tightly than in a civil case
D. Evidence in a civil case must be secured more tightly than in a criminal case
CORRECT ANSWER - C. Evidence in a criminal case must be secured more tightly than in a civil case
When an investigator contacts by telephone the domain administrator or controller listed by a whois lookup to request that all e-mails sent and received for a user account be preserved, what U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
A. Title 18, Section 1030
B. Title 18, Section 2703(d)
C. Title 18, Section Chapter 90
D. Title 18, Section 2703(f)
CORRECT ANSWER - D
Explanation:
18 U.S.C. 1029 Fraud and Related Activity in Connection with Access Devices
18 U.S.C. 1030 Fraud and Related Activity in Connection with Computers
18 U.S.C. 2703 Required Disclosure of Customer Communications Records
18 U.S.C. 2703(d) Requirements for Court Order
18 U.S.C. 2703(f) Requirement to Preserve Evidence
What is considered a grant of a property right given to an individual who discovers or invents a new machine, process, useful composition of matter or manufacture?
A. Copyright
B. Design patent
C. Trademark
D. Utility patent
CORRECT ANSWER - D. Utility patent
When you carve an image, recovering the image depends on which of the following skills?
A. Recognizing the pattern of the header content
B. Recovering the image from a tape backup
C. Recognizing the pattern of a corrupt file
D. Recovering the image from the tape backup
CORRECT ANSWER - A. Recognizing the pattern of the header content
A packet is sent to a router that does not have the packet destination address in its route table. How will the packet get to its proper destination?