CHFI Cheat Sheet 2026

The 30 highest-yield CHFI facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
240 min time limit
70% to pass
  1. Which Oracle database view provides information about all currently connected sessions and can help identify unauthorized access? V$SESSION
  2. Which open-source full disk encryption tool is considered a major challenge for digital forensic investigators due to its strong encryption? VeraCrypt
  3. What disk regions, not normally reported by the OS, can be used to hide data as an advanced anti-forensics technique? Host Protected Area (HPA) and Device Configuration Overlay (DCO)
  4. Which SQL Server system database stores metadata about all other databases on the SQL Server instance? master
  5. Which of the following actions would be performed during the Analysis phase of a digital forensic investigation? Searching for keywords, recovering deleted files, and building a timeline of events.
  6. What is the primary goal of anti-forensics techniques? To prevent, destroy, or obfuscate digital evidence
  7. During an email forensics investigation, what does a missing or broken DMARC alignment indicate? The email may be a phishing attempt or spoofed to impersonate a legitimate domain
  8. In which location does Microsoft Outlook store emails, contacts, and calendar data in a local file format? .pst or .ost file
  9. What does the term 'database carving' refer to in forensic investigations? Recovering database records from raw disk images without a live database
  10. In a hexadecimal code, the offset is: The Ox at the beginning of the code
  11. Which tool is commonly used by CHFI investigators to analyze email headers and trace email origins? MXToolbox Email Header Analyzer
  12. Which of the following is the central and most critical metadata file in an NTFS file system, containing records for every file and directory on the volume? $MFT (Master File Table)
  13. A forensic analyst acquires the `hiberfil.sys` file from a Windows 10 laptop. What type of information can the analyst expect to recover by analyzing this file? A compressed copy of the system's RAM at the time of the last hibernation.
  14. In email forensics, what does the 'X-Originating-IP' header reveal? The IP address of the client that originally submitted the email
  15. In social media forensics, what is the significance of metadata embedded in images posted on social platforms? It may contain GPS coordinates, device model, and timestamp revealing the photo's origin
  16. What does 'timestomping' refer to in anti-forensics? Modifying file metadata timestamps to mislead timeline analysis
  17. In database forensics, what information can be extracted from the MySQL ibdata1 file? InnoDB tablespace data including deleted records not yet purged
  18. What is the anti-forensics purpose of exploiting Alternate Data Streams (ADS) in NTFS? To hide data within NTFS file metadata, invisible to standard directory listings
  19. In investigating a Twitter/X account for evidence, which API does law enforcement reference for legal data requests to the platform? Twitter's Legal Request Submission portal under the Stored Communications Act
  20. How many bytes do hard disk sectors normally contain? 512
  21. In a PostgreSQL forensic investigation, which directory contains the server log files by default? $PGDATA/log
  22. Which email header field is most important for tracing the originating IP address of an email message? Received
  23. Which anti-forensics technique involves modifying or deleting system log files to erase evidence of an attacker's activities? Log tampering (log sanitization)
  24. Which anti-forensics technique involves routing network traffic through multiple anonymizing proxies or Tor to conceal an attacker's true IP address? Trail obfuscation
  25. What are the following? cloud computing services that deliver hardware, operating systems, and virtual machines. Which a service API may be used to govern. Infrastructure-as-a-Service (IaaS)
  26. In database forensics, which log file type records every transaction and database modification for SQL Server? Transaction log (.ldf)
  27. If a crime is committed in a cloud environment, identify the specific offense that was committed there. Cloud as a subject
  28. Which anti-forensics technique involves an attacker deliberately planting false digital evidence to mislead forensic investigators? Evidence fabrication (anti-forensic deception)
  29. Which CHFI-relevant tool is specifically designed to recover and analyze SQLite database files commonly found on mobile devices and applications? DB Browser for SQLite
  30. Which hashing algorithm is recommended by NIST for generating forensic integrity hashes of email evidence files such as PST archives? SHA-256 or SHA-3
Turn these facts into recall: