CHFI
CHFI Study Guide Exam Questions and
Answers
Question 1
What is a swap file?
Correct Answer
Space on a hard disk used as virtual memory expansion for RAM
Question 2
System time is one example of volatile information that forensic investigators should
collect. What are types of time that should be recorded?
Correct Answer
System time, wall time, time system has been running
(Date /t and Time /t can be typed in a command prompt in Windows to retrieve the
system date and time)
Question 3
Choose the list of tools and commands used to determine logged-on users:
Correct Answer
PsLoggedOn, Net Sessions, LogonSession
Question 4
What tools can be used to see which files are open?
Correct Answer
Net file, PsFile, Openfiles
(Net file reveals the names of all open shared files and the number of file locks,
PsFile shows a list of files opened remotely, and Openfiles can be used to list or
disconnect all open files and folders)
Page 1 of 98
Question 5
True or False: When connections are made to other systems using NetBIOS
communications, the system will maintain a list of other systems connected. By
viewing the contents of the name table cache, an investigator might be able to find
other systems affected.
Correct Answer
True
(A cache is duplicate data stored in a temporary location so a computer can rapidly
access that data. In this case, the NetBIOS Remote Cache Name Table may contain a
list of systems that a computer has connected to.
nbtstat -c can be used to view the cache of NetBIOS names on the host operating
system)
Question 6
It appears the suspect's computer is connected to a network. What is one thing an
investigator should look for?
Correct Answer
Network connections
(Information about network connections can expire over time so an investigator
must collect evidence as soon as possible after an incident.)
Question 7
What are two commands to obtain network information?
Correct Answer
netstat -ano & netstat -r
(netstat -ano shows active connections including protocol, local address,
foreign address, state and PID.
netstat -r shows the routing table.
netstat -b displays the executable involved in creating the connection.
netstat -v is used in conjunction with -b to show the sequence of components
involved.)
Question 8
What are two ways to view running processes on Windows?
Correct Answer
TaskManager & Tasklist command
Question 9
When there is an open network connection, some process must be responsible for
using that connection. What commands can be used to view the port?
Correct Answer
netstat -o & fport
(netstat -o shows process-to-port mappings.
netstat -b shows the executable involved in creating each connection (Windows XP).
fport shows process-to-port mappings but must be executed with administrator
privileges.)
Question 10
What command can be used to view command history?
Correct Answer
doskey /history & scroll up in the command window
(If a command window is open, the investigator can scroll up to see the command
history. However, the attacker may have typed cls to clear the screen; in that case
the investigator can use the doskey /history command to see the history.)
Question 11
What are two registry settings that could impact a forensic analysis and investigation?
Correct Answer
ClearPageFileAtShutdown & DisableLastAccess
(ClearPageFileAtShutdown - tells the OS to clear the page file when the
system is shut down. This will clear the virtual memory held in the swap file.
DisableLastAccess - disables updating of the last access times on files, so the
timestamp might not be accurate.)
Question 12
What is the Index.dat file used for?
Correct Answer
AutoComplete & Redundant information such as visited URLs, search queries,
recently opened files
(Index.dat is used for redundant information such as AutoComplete
information. Index.dat can be found in the History folder for Internet Explorer.)
Question 13
Which of the following is true about the swap file?
Correct Answer
Hidden file in the root directory called pagefile.sys & Registry path is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
(The swap file can be organized as a contiguous space so fewer I/O operations are
required to read and write. It is a hidden file in the root directory called
pagefile.sys.)
Question 14
Each process of Windows is represented as an _______.
Correct Answer
Executive process
(Each process on a Windows system is represented as an executive process, or
EProcess. The EProcess block is a data structure containing the attributes of the
process and pointers to its threads and process environment block.)
Question 15
What command is used to view EProcess block?
Correct Answer
dt -a -b -v _EPROCESS
Question 16
What is the most important element of EProcess?
Correct Answer
PEB - Process Environment Block