EC0-349 ECCouncil Computer Hacking Forensic Investigator Exam

405 Questions and Answers

$19.99

EC0-349 EC-Council CHFI Exam – Practice Test for Mastering Digital Forensics & Cybercrime Investigation

Strengthen your digital forensics expertise and get certified with confidence using this EC0-349 EC-Council Computer Hacking Forensic Investigator (CHFI) Exam Practice Test, exclusively available on StudyLance.org. Designed for forensic analysts, cybersecurity professionals, and law enforcement IT specialists, this prep tool prepares you for one of EC-Council’s most respected certifications in cybercrime investigation and incident response.

This practice exam closely follows the official CHFI v8/v9 exam blueprint and covers core areas of investigation, analysis, and legal procedures related to cyber forensics:

  • Incident response and investigation processes

  • Forensic acquisition and imaging techniques

  • File system forensics (FAT, NTFS, Linux/Unix)

  • Email, mobile device, and cloud forensics

  • Log file analysis and memory forensics

  • Steganography, password recovery, and malware detection

  • Legal considerations, chain of custody, and evidence handling

Each question is paired with clear, detailed explanations to help you not only identify the correct answer but also understand its forensic context and application. This resource is perfect for CHFI candidates seeking a realistic, exam-style study experience.


🔍 Why Choose StudyLance for CHFI Exam Preparation?

At StudyLance.org, we help cybersecurity and digital investigation professionals like you build confidence and technical expertise. Here’s why this practice test is trusted:

  • Mapped to the EC0-349 CHFI Exam Blueprint – Up-to-date and certification-ready

  • Realistic Case-Based Questions – Simulate real-world forensics scenarios

  • Detailed Answer Explanations – Learn investigative logic and methodology

  • Lifetime Access – Study at your own pace, from any device

  • Instant Download – Get immediate access to start preparing today

Whether you’re working in law enforcement, IT security, or private investigation, this EC-Council CHFI Exam Practice Test provides the training and insight needed to analyze digital evidence, respond to incidents, and earn your CHFI certification.

Sample Questions and Answers

What forensic artifact can reveal the recently executed programs on Windows?

A. Prefetch files
B. Event logs
C. Pagefile.sys
D. Registry hives

Answer: A
Explanation: Prefetch files store information about recently executed programs to speed up startup.

What is the role of “Volatility” in forensic investigations?

A. Disk imaging
B. Memory analysis framework for analyzing RAM dumps
C. Network sniffing
D. Encrypting data

Answer: B
Explanation: Volatility is an open-source tool for analyzing volatile memory dumps.

What does the “Registry” in Windows store?

A. File contents
B. System and user configuration settings and options
C. Network packets
D. Temporary files

Answer: B
Explanation: The Registry stores hierarchical configuration data for the OS and applications.

Which tool can extract deleted emails from Outlook PST files?

A. FTK Imager
B. EnCase
C. MailXaminer
D. Wireshark

Answer: C
Explanation: MailXaminer specializes in email forensics, including recovering deleted emails.

What is “file slack”?

A. Unused disk space at the end of allocated clusters, possibly containing residual data
B. Free space on the disk
C. Encrypted data
D. Fragmented files

Answer: A
Explanation: File slack contains residual data in cluster slack space, which can serve as forensic evidence.

Which hashing algorithm is considered secure and widely used in forensics?

A. MD5
B. SHA-1
C. SHA-256
D. CRC32

Answer: C
Explanation: SHA-256 is secure and collision-resistant, preferred over MD5 and SHA-1.

Which of the following is NOT a volatile memory artifact?

A. Running processes
B. Network connections
C. Hard drive files
D. Encryption keys stored in RAM

Answer: C
Explanation: Hard drive files are non-volatile.

What does “chain of custody” documentation NOT typically include?

A. Who collected the evidence
B. When and where the evidence was collected
C. How evidence was analyzed
D. The weather conditions during collection

Answer: D
Explanation: Weather conditions are generally irrelevant to chain of custody.

Which Windows tool can be used to export the Registry for forensic analysis?

A. regedit
B. msconfig
C. taskmgr
D. eventvwr

Answer: A
Explanation: regedit allows exporting registry keys to files.

Which type of malware hides its presence by modifying system components?

A. Rootkit
B. Virus
C. Worm
D. Trojan

Answer: A
Explanation: Rootkits hide by modifying OS components to evade detection.

What is a common source of forensic evidence on mobile devices?

A. Call logs and SMS messages
B. Network router logs
C. Printer logs
D. Hard disk partitions

Answer: A
Explanation: Call logs and SMS data are stored locally on mobile devices and are common forensic artifacts.

What is the primary purpose of “file carving” in digital forensics?

A. Encrypt files
B. Recover files from unallocated space without file system metadata
C. Format disks
D. Analyze network traffic

Answer: B
Explanation: File carving recovers files by identifying file signatures in raw data, even when file system metadata is missing.

Which Windows registry hive contains system-wide settings?

A. NTUSER.DAT
B. SYSTEM
C. SOFTWARE
D. SECURITY

Answer: B
Explanation: The SYSTEM hive contains system-wide configuration settings, including hardware info.

Which forensic artifact can help determine the time a file was last accessed?

A. Creation timestamp
B. Access timestamp
C. Modification timestamp
D. Backup timestamp

Answer: B
Explanation: The access timestamp logs the last time a file was opened or read.

What forensic tool is known for its ability to analyze smartphone data?

A. FTK Imager
B. Cellebrite UFED
C. Wireshark
D. Autopsy

Answer: B
Explanation: Cellebrite UFED specializes in extracting and analyzing data from mobile devices.

In the context of forensics, what is “data wiping”?

A. Encrypting data
B. Securely deleting data to prevent recovery
C. Compressing files
D. Making data read-only

Answer: B
Explanation: Data wiping uses overwriting methods to make deleted data unrecoverable.

What does the “Registry key LastWrite time” indicate?

A. When the key was created
B. When the key was last modified
C. When the system was last rebooted
D. When the user last logged in

Answer: B
Explanation: LastWrite time shows the last modification timestamp of a registry key.

Which of the following is NOT typically found in a Windows Event Log?

A. User logon events
B. Application crashes
C. File contents
D. System errors

Answer: C
Explanation: Event logs record system and application events but not file contents.

What is the function of “Prefetch” files in Windows forensics?

A. Store encrypted user data
B. Help speed up application launch and record execution history
C. Record deleted files
D. Store registry backups

Answer: B
Explanation: Prefetch files improve performance and indicate which applications were run.

What is the primary focus of “memory forensics”?

A. Analysis of hard disk data
B. Analysis of RAM to uncover running processes, malware, and artifacts
C. Analysis of network traffic
D. Analysis of emails

Answer: B
Explanation: Memory forensics analyzes volatile memory contents to detect live data.

What is “TIMESTAMP” analysis used for in digital forensics?

A. Decrypting files
B. Establishing a timeline of events based on file and system metadata
C. Modifying logs
D. Encrypting evidence

Answer: B
Explanation: Timestamp analysis helps reconstruct event sequences during an investigation.

Which forensic process involves duplicating data without altering the original source?

A. Hashing
B. Imaging
C. Encryption
D. Deletion

Answer: B
Explanation: Imaging creates a bit-for-bit copy preserving the original data.

In mobile forensics, what is the purpose of a “JTAG” extraction?

A. Wireless data capture
B. Physical extraction of data by accessing the device’s hardware
C. Cloud backup recovery
D. Password cracking

Answer: B
Explanation: JTAG involves connecting directly to hardware to extract data.

What is the “$LogFile” in NTFS?

A. A file system log that records all changes to the volume
B. A user file
C. A malware file
D. An event log

Answer: A
Explanation: $LogFile records transactional metadata to maintain file system integrity.

What is the primary use of “Volatile Data Collection”?

A. To collect data stored on hard drives
B. To capture RAM, running processes, and network connections before shutdown
C. To analyze backup files
D. To retrieve deleted files

Answer: B
Explanation: Volatile data must be collected quickly because it is lost when the system powers off.

What does the “Registry key Run” commonly indicate?

A. Programs configured to run at system startup
B. User login history
C. File deletion events
D. Network connections

Answer: A
Explanation: The Run key lists programs that start automatically when Windows boots.

Which of the following is an example of a non-volatile data source?

A. RAM
B. Pagefile
C. Hard disk drive
D. CPU registers

Answer: C
Explanation: Hard disks store data persistently, unlike volatile sources such as RAM.

What does “artifact” mean in digital forensics?

A. A piece of data or metadata left behind during system or user activities
B. A tool used for encryption
C. A type of malware
D. Backup files

Answer: A
Explanation: Artifacts provide evidence of user actions or system processes.

What forensic technique is used to analyze partially overwritten files?

A. File carving
B. Timeline analysis
C. Keyword searching
D. Disk wiping

Answer: A
Explanation: File carving recovers file fragments even if the file system metadata is damaged.

In Windows forensics, what does the “UserAssist” registry key track?

A. User-initiated program execution history
B. File download history
C. Internet browsing history
D. System errors

Answer: A
Explanation: UserAssist tracks programs launched by the user via Windows Explorer.

Which file contains the configuration for system services and device drivers in Windows?

A. SYSTEM registry hive
B. NTUSER.DAT
C. SOFTWARE registry hive
D. SAM file

Answer: A
Explanation: The SYSTEM hive stores configurations for services and drivers.

What is the function of the “Event Tracing for Windows” (ETW)?

A. Logs network packets
B. Provides a mechanism for logging system and application events
C. Monitors disk usage
D. Encrypts logs

Answer: B
Explanation: ETW is a framework for tracing and logging Windows events.

What does “keyword searching” help forensic investigators do?

A. Locate files on a disk
B. Identify relevant evidence by searching for specific terms in data sets
C. Format drives
D. Encrypt files

Answer: B
Explanation: Keyword searching helps find data related to the investigation focus.

Which of the following is NOT a benefit of using a write blocker?

A. Prevent accidental writes to evidence media
B. Maintain evidence integrity
C. Allow modifying evidence during imaging
D. Ensure court admissibility of evidence

Answer: C
Explanation: Write blockers prevent all writes to the evidence media; they do not allow modifications.

What is the primary use of the “Prefetch” directory in Windows?

A. Store temporary internet files
B. Keep data about recently executed programs to speed up loading times
C. Store system logs
D. Hold backup files

Answer: B
Explanation: Prefetch helps Windows optimize program startup by caching information.

What is the significance of “MAC times” in file metadata?

A. Media Access Control addresses
B. Modified, Accessed, and Created timestamps useful for timeline reconstruction
C. Malware artifact codes
D. Memory allocation codes

Answer: B
Explanation: MAC times provide key timestamps for forensic timeline analysis.
