The CHFI (Computer Hacking Forensic Investigator) certification from EC-Council is a globally recognized credential for digital forensics professionals. It validates your ability to investigate cybercrime, collect and preserve digital evidence, and present findings in a legally defensible manner. This free printable PDF gives you practice questions drawn from all major CHFI exam domains, from evidence acquisition and chain of custody to memory forensics and cloud investigations.
Use this PDF alongside our online CHFI practice test to test your knowledge in both offline and timed online environments before sitting the real exam.
The CHFI exam tests practical knowledge across the full digital forensics investigation lifecycle. Each domain demands both conceptual understanding and hands-on tool familiarity; examiners expect you to recognize the correct procedure for a real-world scenario, not just the definition.
The investigation process begins at the first response: securing the scene, documenting the environment, and establishing chain of custody before touching any device. You must know the order of volatility (RFC 3227): CPU registers and cache first, then RAM (which is where running processes and network connection state live), swap space and temporary files, disk, and finally archival media such as optical discs and tape. Evidence seizure procedures differ for powered-on vs. powered-off systems: a running machine has its volatile data captured before it is shut down, while a powered-off machine is never booted from its own disk.
Disk imaging is core to the exam. Know FTK Imager and the dd command syntax, why hardware write blockers are mandatory, and how hashing both the source device and the image (MD5 and SHA-256, ideally both) proves the image is a bit-for-bit copy. For live systems, RAM acquisition tools such as Magnet RAM Capture and WinPmem capture volatile data including running processes, open network connections, and encryption keys. Mobile acquisition methods range from logical extraction (backup or API-level exports of files) through file system and physical extraction to chip-off (desoldering the NAND flash and reading it directly).
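The imaging and verification workflow above, as an added worked example (this code is not from the guide or from any EC-Council material): it reproduces what `dd conv=noerror,sync` followed by `md5sum`/`sha256sum` do, on an in-memory stand-in for a block device so it runs offline. Everything here (the `SectorSource` class, the 2048-byte "disk", the sector numbers marked bad) is constructed for the example.

```python
"""Sector-level acquisition with zero-fill on unreadable sectors, plus MD5 and
SHA-256 verification of the resulting image. Added example, not page code."""
import hashlib

SECTOR = 512  # bytes per sector, as on most spinning disks


class SectorSource:
    """Constructed stand-in for a raw block device; listed sectors raise I/O errors."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self.sectors = (len(data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of a buffer, as a post-acquisition verification computes them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire_image(src: SectorSource):
    """Copy every sector; an unreadable sector becomes 512 zero bytes, which is the
    conv=noerror,sync behaviour. Hashes are computed on the stream as it is written.
    Returns (image_bytes, acquisition_record)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    out = bytearray()
    bad = []
    for n in range(src.sectors):
        try:
            chunk = src.read_sector(n)
        except OSError:
            chunk = b""
            bad.append(n)
        chunk = chunk.ljust(SECTOR, b"\x00")  # sync: pad short/unreadable sectors
        out += chunk
        md5.update(chunk)
        sha.update(chunk)
    record = {"sectors": src.sectors, "bad_sectors": bad,
              "md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    return bytes(out), record


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the stored image and compare with the acquisition record."""
    h = hash_bytes(image)
    return h["md5"] == record["md5"] and h["sha256"] == record["sha256"]


if __name__ == "__main__":
    disk = bytes(range(256)) * 8  # constructed 2048-byte "disk" (4 sectors)
    img, rec = acquire_image(SectorSource(disk, bad_sectors=[2]))
    print("bad sectors:", rec["bad_sectors"], "image verifies:", verify_image(img, rec))
```

The point to take into the exam room: when a source has unreadable sectors, the image hash can never equal the source hash, so the acquisition log that records which sectors were zero-filled is what makes the hash mismatch explainable and the image still defensible. With no bad sectors the image and source hashes agree, which is the normal verification outcome.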
NTFS internals are heavily tested: the Master File Table (MFT), $LogFile (transaction log), $UsnJrnl (change journal), file slack space, and unallocated-cluster recovery. Know MAC times (Modified, Accessed, Created) and how NTFS timestamps differ from FAT32: NTFS stores 64-bit FILETIME values in UTC with 100-nanosecond resolution, in both the $STANDARD_INFORMATION and $FILE_NAME attributes of each MFT entry, while FAT32 stores local time with only two-second resolution for the modified time and a date only for last access. Linux ext2/ext3/ext4 forensics covers inode structure and journal analysis.
The Windows registry is a goldmine of forensic artifacts. HKLM holds system-wide settings and is backed by the SAM, SECURITY, SOFTWARE and SYSTEM hive files; HKCU holds user-specific settings and is backed by each user's NTUSER.DAT and UsrClass.dat. High-value keys include recently accessed files (RecentDocs in NTUSER.DAT), USB device history (USBSTOR in the SYSTEM hive), and user account information (the SAM hive). Windows Event Logs (Security, System, Application) provide logon events, account changes, and service activity. Prefetch files and LNK (shortcut) files reveal program execution and file access, and the Recycle Bin's $I/$R file pairs reveal deleted-file history: the $I file records the original path, size and deletion time, and the matching $R file holds the content.
Wireshark packet capture analysis includes reading IP header fields (TTL, protocol, source/destination addresses), reassembling TCP streams, and identifying protocol anomalies. IDS/IPS, firewall, and router logs must be interpreted and correlated. Email header analysis, tracing the X-Originating-IP header and walking the Received headers from the bottom (the hop nearest the sender) upward, is a common scenario question. VoIP forensics covers SIP signaling and RTP media stream analysis.
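The Received-header walk described above, as an added worked example (not code from the guide or from EC-Council): it unfolds each Received header, lists the hops in delivery order with the sending IP, and then checks that every hop's receiving server is the next hop's sending server, which is the consistency test that exposes a forged Received line spliced in at the bottom. The message, hosts and addresses are constructed (example domains, RFC 5737 test ranges); `trace_hops`, `originating_ip` and `chain_gaps` are this example's own names.

```python
"""Walk an email's Received chain from the originating hop upward and check it
for splice points. Added example, not page code; sample message is constructed."""
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.10])
        by mail.corp.example (Postfix) with ESMTPS id 4F2A1C0D
        for <bob@corp.example>; Tue, 05 Mar 2024 14:31:02 +0000
Received: from relay.bulkmail.example (relay.bulkmail.example [198.51.100.7])
        by mx2.example.net with ESMTP; Tue, 05 Mar 2024 14:30:58 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
        by relay.bulkmail.example with SMTP; Tue, 05 Mar 2024 14:30:55 +0000
X-Originating-IP: [192.0.2.25]
From: "Accounts" <accounts@bulkmail.example>
To: bob@corp.example
Subject: Invoice attached

(body omitted)
"""

# Same message with a forged bottom Received line that blames an innocent host.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    "X-Originating-IP:",
    "Received: from innocent.example ([192.0.2.200])\n"
    "        by smtp.bigmail.example with ESMTP; Tue, 05 Mar 2024 14:30:50 +0000\n"
    "X-Originating-IP:", 1)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_hops(raw_message: str) -> list:
    """Hops in delivery order: index 0 is the hop closest to the sender.
    Received headers are prepended by each relay, so the bottom one is earliest."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        line = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            hops.append({"raw": line, "helo": None, "ip": None, "by": None, "date": None})
            continue
        ip = IP_RE.search(line[:m.start("by")])  # IP recorded for the *sending* side
        hops.append({"raw": line, "helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "date": line.rsplit(";", 1)[1].strip() if ";" in line else None})
    return hops


def originating_ip(raw_message: str):
    """X-Originating-IP is set by some webmail providers; it is informational only."""
    v = message_from_string(raw_message).get("X-Originating-IP")
    m = IP_RE.search(v) if v else None
    return m.group(1) if m else None


def chain_gaps(hops: list) -> list:
    """Indices i where hop i's 'by' server is not hop i+1's 'from' server.
    A forged line at the bottom of the chain cannot know the real next hop."""
    return [i for i in range(len(hops) - 1)
            if (hops[i]["by"] or "").lower() != (hops[i + 1]["helo"] or "").lower()]


if __name__ == "__main__":
    for h in trace_hops(FORGED_MESSAGE):
        print(h["ip"], h["helo"], "->", h["by"], h["date"])
    print("splice points:", chain_gaps(trace_hops(FORGED_MESSAGE)))
```

Only the Received line written by your own mail server is fully trustworthy; everything below it was supplied by the sender's side and can be fabricated, which is exactly why the hop-to-hop consistency check, and the timestamps running monotonically upward, matter more than any single header.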
Examiners test your ability to detect anti-forensics: file signature analysis (comparing a file's magic bytes with its claimed extension) catches renamed files, steganalysis tools identify data hidden in images, and timestamp manipulation leaves artifacts: $UsnJrnl records of the change, and a $STANDARD_INFORMATION timestamp that is older than the $FILE_NAME timestamp or has zeroed sub-second digits. Know disk wiping patterns (the three-pass DoD 5220.22-M method and the 35-pass Gutmann method) and what remnants survive after each.
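The signature check described above, as an added worked example (not code from the guide or from EC-Council): a small magic-byte table, a detector that returns every type whose signature matches, and a check that flags a file whose extension has a known signature that the content does not match. The signature table is deliberately a subset of what tools like `file` know, and the sample files are constructed byte strings, not real evidence.

```python
"""File signature analysis: magic bytes versus claimed extension. Added example,
not page code. Signature table is a small subset; sample files are constructed."""

SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},  # OOXML and Java are ZIP containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "msg"},  # OLE2 / CFB
    b"MZ": {"exe", "dll", "sys", "scr"},  # PE (and DOS) executables
    b"\x7fELF": {"elf", "so"},
    b"Rar!\x1a\x07": {"rar"},
}
KNOWN_EXTENSIONS = set().union(*SIGNATURES.values())
EXECUTABLE_TYPES = {"exe", "dll", "sys", "scr", "elf", "so"}


def detect_types(data: bytes) -> set:
    """Every extension whose signature matches the leading bytes of the content."""
    found = set()
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            found |= exts
    return found


def check_file(name: str, data: bytes) -> dict:
    """Flag a mismatch when the extension has a known signature that the content
    lacks; also flag executable content hiding behind any non-executable name."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    detected = detect_types(data)
    mismatch = ext in KNOWN_EXTENSIONS and ext not in detected
    hidden_exe = bool(detected & EXECUTABLE_TYPES) and ext not in EXECUTABLE_TYPES
    return {"name": name, "extension": ext, "detected": sorted(detected),
            "mismatch": mismatch, "hidden_executable": hidden_exe}


def suspicious_files(files: dict) -> list:
    """Names of files that fail either check, sorted for stable reporting."""
    return sorted(n for n, d in files.items()
                  if check_file(n, d)["mismatch"] or check_file(n, d)["hidden_executable"])


# Constructed sample "files": name -> leading bytes.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # PE file renamed to .pdf
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24,
    "readme.txt": b"Just text, no signature\n",
    "archive.zip": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,            # PNG renamed to .zip
    "update.dat": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24,       # ELF behind a generic name
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data))
    print("suspicious:", suspicious_files(SAMPLE_FILES))
```

Two caveats a practitioner keeps in mind: a matching signature is not proof of type (a .docx and a plain .zip share the same PK header, so distinguishing them means looking inside the container), and plain-text formats have no signature at all, so `readme.txt` is neither confirmed nor flagged by this check alone.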
Memory forensics covers process list analysis, network connection artifacts, and malware indicators in RAM dumps. Cloud forensics challenges (jurisdiction ambiguity, data commingling, multi-tenancy) and how to obtain cloud provider logs and issue legal holds in cloud environments are increasingly common exam topics.
The downloadable PDF is ideal for offline review, but our interactive online CHFI practice test delivers immediate scoring, per-question explanations, and domain-level performance breakdowns. Use both formats together to build the speed and accuracy the 4-hour, 150-question CHFI exam demands.