CHFI - Computer Hacking Forensic Investigator Investigating Web Attacks Questions and Answers

Question 1

An investigator analyzing Apache access logs discovers the following entry: `89.163.146.13 - - [10/Mar/2026:14:32:54 +0000] "GET /products.php?id=105' OR '1'='1' -- HTTP/1.1" 500 294 "-" "SQLMap/1.5.11"`. Which type of web attack is most strongly indicated by this log entry?

Accepted Answer

SQL Injection (SQLi)

Answer

This log entry is a classic example of a SQL Injection attack. The string `' OR '1'='1' --` is a common SQLi payload designed to create a universally true condition in a WHERE clause, potentially bypassing authentication or retrieving all records. The `500` status code often indicates the server failed to process the malformed query, and the User-Agent `SQLMap` points to a well-known automated SQL injection tool.

Question 2

A forensic analyst is investigating a compromised web server where the attacker is suspected of having uploaded a web shell. Which of the following is the MOST reliable indicator of a web shell's presence?

Accepted Answer

A script file in an uploads directory containing functions like `exec()`, `passthru()`, or `system()`.

Answer

Web shells are scripts that allow attackers to execute system commands on a server. The most reliable indicator among the choices is finding a script file containing PHP, ASP, or other server-side language functions specifically designed to execute operating system commands, such as `exec()`, `passthru()`, `system()`, or `shell_exec`. The other options are less specific and can be caused by benign activities.

Question 3

An investigator is reviewing IIS logs and finds multiple suspicious entries similar to this: `GET /pages/..%255c..%255c..%255cwindows/system32/cmd.exe?/c+dir`. This log entry is a clear indicator of which type of web attack?

Accepted Answer

Directory Traversal

Answer

This log entry indicates a Directory Traversal (or Path Traversal) attack. The sequence `..%255c` is a double-URL-encoded version of `..\`. Attackers use this technique to move up the directory tree to access restricted files outside of the web root, in this case attempting to execute `cmd.exe`.

Question 4

A forensic investigator is analyzing web server access logs to profile an attacker's activity. What critical piece of information does the User-Agent string provide in a log entry?

Accepted Answer

The client software, browser, and operating system used to make the request.

Answer

The User-Agent string is an HTTP header that identifies the client software originating the request. For an investigator, this can reveal the attacker's browser, browser version, and operating system. It can also indicate the use of automated attack tools (like scanners or SQLMap), which often have unique User-Agent strings.

Question 5

A company website that hosts a public comment forum has been compromised. An attacker posted a comment containing malicious JavaScript, which is now executing in the browsers of legitimate users who view the forum page, stealing their session cookies. This is a classic example of a Stored XSS attack. Where would an investigator most likely find the original malicious script payload?

Accepted Answer

Within the web application's database, stored as part of the attacker's forum comment.

Answer

In a Stored (or Persistent) Cross-Site Scripting (XSS) attack, the malicious script is submitted to the web application and saved in a persistent data store, such as a database. When other users request the page containing the malicious data (e.g., a forum post), the server retrieves the script from the database and includes it in the response, causing it to execute in the victim's browser. Therefore, the primary evidence is the payload stored in the database.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Investigating Web Attacks Questions and Answers