Forensics and Network Intrusion
Comprehensive Exam Bank — 200 Questions
Covering All CHFI Examination Domains
Digital Forensics Fundamentals | Legal Framework | Data Acquisition
File Systems & OS Forensics | Network Forensics | Malware Analysis
Mobile Device Forensics | Web & Email Forensics | Cloud Forensics
Incident Response | Steganography & Anti-Forensics | Case Scenarios
Prepared for WGU C702 Course Assessment
2026 Edition
,Section 1: Digital Forensics Fundamentals (Q1–Q25)
Q1: A financial institution discovers that an employee has been transferring customer funds to offshore accounts over a
six-month period. Management wants to pursue criminal charges. Which type of cybercrime investigation best describes
this scenario?
A. Civil cybercrime investigation
B. Criminal cybercrime investigation [CORRECT]
C. Administrative cybercrime investigation
D. Regulatory compliance audit
Correct Answer: B
Rationale: This is a criminal cybercrime investigation because the employee committed theft and fraud, which are violations of criminal
law punishable by imprisonment. Civil investigations deal with disputes between private parties, while administrative investigations focus
on policy or regulatory violations.
Q2: What is the primary definition of computer forensics as established in the CHFI body of knowledge?
A. The study of computer hardware components for manufacturing defects
B. The process of collecting, preserving, analyzing, and presenting digital evidence in a manner that is legally
acceptable [CORRECT]
C. The practice of penetration testing to identify network vulnerabilities
D. The discipline of designing secure computer networks and firewalls
Correct Answer: B
Rationale: Computer forensics is defined as the scientific process of collecting, preserving, analyzing, and presenting digital evidence in
a court of law. It is not penetration testing, hardware study, or network design.
Q3: During a corporate investigation, a forensic examiner is asked to determine whether an employee violated the
company's acceptable use policy by accessing social media on a work computer. This type of investigation falls under
which category?
A. Criminal investigation
B. Civil litigation support
C. Administrative investigation [CORRECT]
D. Military tribunal investigation
Correct Answer: C
Rationale: An administrative investigation deals with violations of organizational policies, rules, or regulations. Criminal investigations
involve violations of criminal statutes, and civil litigation supports legal disputes between parties.
Q4: According to CHFI methodology, which of the following is the Enterprise Theory of Investigation (ETI)?
A. A theory that focuses only on individual criminal acts in isolation
B. An approach that examines the entire enterprise structure, including its operations, personnel, and financial
flows, to understand criminal activity [CORRECT]
C. A method limited to analyzing only the technical infrastructure of an organization
D. A framework exclusively used for investigating government agencies
Correct Answer: B
Rationale: The Enterprise Theory of Investigation (ETI) looks at the entire organization as a whole, examining its structure, personnel,
finances, and operations to understand the full scope of criminal activity. It goes beyond examining isolated incidents.
Q5: A forensic investigator arrives at a scene where a computer is still running and displaying an active chat session. The
suspect is nearby. What should be the investigator's first action according to forensic methodology?
A. Immediately pull the power cord from the computer
B. Photograph the screen and document the active session before shutting down [CORRECT]
2
, C. Begin making a forensic image of the hard drive immediately
D. Interrogate the suspect about the chat session content
Correct Answer: B
Rationale: The first step in forensic methodology is to identify and document the current state of evidence. Photographing the screen
captures volatile data before it is lost. Pulling the power cord without documentation would destroy volatile evidence.
Q6: Which of the following is NOT one of the primary objectives of computer forensics?
A. To recover, analyze, and present computer-based evidence in court
B. To identify the perpetrator of a digital crime
C. To prevent all future cyber attacks through network hardening [CORRECT]
D. To preserve the integrity of digital evidence throughout the investigation
Correct Answer: C
Rationale: Preventing future cyber attacks through network hardening is the goal of cybersecurity and information assurance, not
computer forensics. The primary forensic objectives are evidence recovery, analysis, court presentation, perpetrator identification, and
evidence integrity preservation.
Q7: An investigator is following the cybercrime investigation methodology and has completed the identification phase.
The next step involves legally obtaining and documenting digital evidence. Which methodology step is this?
A. Preparation
B. Preservation [CORRECT]
C. Analysis
D. Presentation
Correct Answer: B
Rationale: After identification, the preservation phase involves legally obtaining evidence through proper authorization, ensuring the
chain of custody, and documenting the evidence in its current state. Preparation comes before identification, and analysis follows
preservation.
Q8: In the CHFI investigation methodology, what is the correct sequence of phases?
A. Analysis, Identification, Preservation, Presentation, Reporting
B. Identification, Preservation, Collection, Analysis, Presentation, Reporting [CORRECT]
C. Collection, Analysis, Preservation, Identification, Reporting
D. Preparation, Analysis, Collection, Presentation, Reporting
Correct Answer: B
Rationale: The standard CHFI investigation methodology follows: Identification, Preservation, Collection, Analysis, Presentation, and
Reporting. This sequence ensures evidence is properly identified before being preserved and collected.
Q9: A company suspects that a former employee stole trade secrets before resigning. The company's legal team wants to
use forensic findings in a civil lawsuit against the former employee. Which objective of computer forensics is most
relevant here?
A. Identifying how the breach occurred to prevent future incidents
B. Presenting legally admissible digital evidence to support the civil claim [CORRECT]
C. Prosecuting the individual under criminal statutes
D. Conducting a penetration test to find remaining vulnerabilities
Correct Answer: B
Rationale: When forensic findings are intended for use in litigation, the key objective is presenting legally admissible evidence. Criminal
prosecution would require law enforcement involvement, and penetration testing serves a different purpose entirely.
Q10: Which type of cybercrime involves a dispute between two private parties where one party seeks damages or
injunctive relief from the other?
A. Criminal cybercrime
B. Civil cybercrime [CORRECT]
3
, C. Administrative cybercrime
D. Military cybercrime
Correct Answer: B
Rationale: Civil cybercrime involves disputes between private entities or individuals where the remedy is typically monetary damages or
court orders. Criminal cybercrime involves prosecution by the state for offenses against society.
Q11: A forensic examiner is hired to investigate whether a competitor stole proprietary software code. The evidence will
be presented in a civil court. How does this differ from a criminal forensic investigation?
A. Civil cases require proof beyond a reasonable doubt
B. Civil cases require a lower burden of proof (preponderance of evidence) compared to criminal cases
[CORRECT]
C. Civil cases do not require any digital evidence
D. Civil cases cannot use forensic reports as evidence
Correct Answer: B
Rationale: Civil cases require a preponderance of evidence (more likely than not), while criminal cases require proof beyond a
reasonable doubt. Both can use digital evidence and forensic reports, but the standard of proof differs significantly.
Q12: What distinguishes administrative cybercrime investigations from criminal investigations?
A. Administrative investigations can result in imprisonment of the suspect
B. Administrative investigations focus on policy violations and may result in sanctions like termination or
suspension [CORRECT]
C. Administrative investigations are conducted exclusively by law enforcement
D. Administrative investigations require a court order to begin
Correct Answer: B
Rationale: Administrative investigations focus on violations of organizational policies or regulations, with outcomes such as termination,
suspension, or policy changes. They do not result in criminal penalties like imprisonment and are typically conducted internally.
Q13: An investigator using the Enterprise Theory of Investigation discovers that a company's accounting department has
been systematically falsifying records. The investigation reveals that multiple employees, including supervisors, are
involved. What is the key advantage of using ETI in this case?
A. It allows the investigator to focus only on the lowest-level employee
B. It provides a comprehensive understanding of the criminal enterprise, including all participants and their roles
[CORRECT]
C. It eliminates the need for digital evidence collection
D. It replaces the need for search warrants
Correct Answer: B
Rationale: ETI provides a holistic view of criminal activity within an organization, identifying all participants, their roles, and the full
scope of the enterprise. It does not eliminate the need for evidence collection or warrants.
Q14: Which phase of the cybercrime investigation methodology involves creating a bit-by-bit copy of the original
evidence?
A. Identification
B. Preservation
C. Collection [CORRECT]
D. Analysis
Correct Answer: C
Rationale: The collection phase involves creating forensic duplicates (bit-by-bit copies) of evidence. Preservation focuses on protecting
evidence integrity, identification involves recognizing potential evidence, and analysis involves examining the collected data.
Q15: A law enforcement officer responds to a report of child exploitation material on a suspect's computer. The officer
seizes the computer and requests a forensic examination. Which category of cybercrime investigation does this
4