100+ Free CHFI Practice Questions

Pass your Computer Hacking Forensic Investigator (CHFI v11, 312-49) exam on the first try — instant access, no signup required.

Pass rate: not published
2026 Statistics

Key Facts: CHFI Exam

  • Exam questions: 150 (EC-Council CHFI Blueprint v4)
  • Exam duration: 4 hours (EC-Council CHFI Blueprint v4)
  • Cut score range: 60-85% (EC-Council)
  • Exam voucher: $550 (EC-Council)
  • Content domains: 6 (CHFI v11 / Blueprint v4.0)
  • Certification validity: 3 years (ECE 120 credits required)

The CHFI v11 exam (312-49) has 150 multiple-choice questions in 4 hours with a variable 60-85% cut score. The v4 blueprint covers six domains: Forensic Science (15%), Regulations/Policies/Ethics (10%), Digital Evidence (18%), Procedures and Methodology (17%), Digital Forensics (29%), and Tools/Systems/Programs (11%). v11 adds dark web, IoT, OT, fileless malware, and AI-assisted forensics.

Sample CHFI Practice Questions

Try these sample questions to test your CHFI exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which type of cybercrime involves an attacker using a compromised system as a stepping stone to attack other systems while making attribution difficult?
A. Insider threat
B. Pivoting attack
C. Phishing
D. Denial of service
Explanation: A pivoting attack uses an already-compromised host as a launchpad for further attacks against internal targets. This makes attribution challenging because forensic investigators must trace activity back through multiple intermediate systems, often crossing jurisdictional and logging boundaries. Cyber attribution is a key learning objective in the CHFI Forensic Science domain.

2. What is the primary purpose of forensic readiness in an organization?
A. To prevent all cyberattacks from succeeding
B. To maximize an organization's potential to use digital evidence while minimizing the cost of an investigation
C. To replace the incident response team with automated tools
D. To eliminate the need for chain of custody documentation
Explanation: Forensic readiness is the ability of an organization to maximize its potential to collect and use digital evidence while minimizing the cost of investigation. It involves pre-incident planning such as log retention policies, evidence-handling procedures, and trained responders so that when an incident occurs, evidence is already preserved in a forensically sound manner.

3. According to the order of volatility, which data should an investigator collect FIRST during live acquisition?
A. Files on the local hard disk
B. Archived backup tapes
C. CPU registers and cache
D. Routing table on a router
Explanation: Per RFC 3227 and CHFI guidance, the order of volatility lists CPU registers and cache as the most volatile data, followed by routing tables/ARP cache/process tables, then RAM, temporary files, disk, remote logging, and finally archival media. Registers and cache are lost the instant power state changes, so they must be captured first if at all.

4. Which of the following BEST describes anti-forensics?
A. A defensive control that blocks malware from executing
B. Techniques used to conceal, alter, or destroy evidence to obstruct forensic analysis
C. A government regulation requiring evidence preservation
D. The process of validating forensic tools before use
Explanation: Anti-forensics refers to any technique that hampers forensic investigation, including data wiping, encryption, steganography, log tampering, timestamp manipulation, alternate data streams, and exploits targeting forensic tools themselves. Recognizing and countering these techniques is a core CHFI competency in the Digital Forensics domain.

5. Which network is commonly accessed through TOR relays and is frequently a target of forensic dark web investigations?
A. Surface Web indexed by Google
B. Deep Web databases requiring authentication
C. Dark Web (.onion services accessible only via anonymizing networks)
D. ARPANET
Explanation: The Dark Web consists of overlay networks that require specific software (such as the TOR Browser) and use .onion addresses. Investigators perform dark web forensics by examining TOR Browser artifacts in the Windows registry, prefetch files, memory dumps, and command-prompt history, since the network itself does not log routes.

6. An IoC (Indicator of Compromise) for a malware infection is MOST likely to be which of the following?
A. A signed software license agreement
B. A specific file hash, IP address, or registry key associated with the threat
C. The job title of the user who reported the issue
D. The vendor support contract number
Explanation: Indicators of Compromise are forensic artifacts that signal malicious activity — examples include file hashes (MD5/SHA-256), C2 IP addresses or domains, mutex names, registry keys, and YARA-matchable byte patterns. They are shared via STIX/TAXII or threat-intel feeds and used to detect or pivot during investigation.

7. Which type of malware operates entirely in memory without writing executable artifacts to disk?
A. Boot sector virus
B. Fileless malware
C. Macro virus
D. Worm
Explanation: Fileless malware lives in RAM and uses legitimate processes (PowerShell, WMI, mshta, regsvr32) for execution. Because nothing executable is written to disk, traditional signature-based AV often misses it. CHFI v11 expanded coverage of fileless malware including memfd_create() on Linux, GOOTLOADER, and .NET memory injection — investigators must capture RAM to find these artifacts.

8. Which of the following is the FaaS (Forensics-as-a-Service) model BEST described as?
A. Outsourcing forensic capabilities to a cloud-delivered service provider
B. A free version of EnCase distributed by EC-Council
C. A type of fileless malware that masquerades as a forensic tool
D. A peer-to-peer evidence-sharing protocol
Explanation: Forensics-as-a-Service (FaaS) delivers forensic acquisition, analysis, and reporting capabilities through a cloud or managed-service model. It allows organizations without in-house forensic teams to access expert tooling and analysts on demand, often integrated with their cloud incident response workflows.

9. Which dark-web component allows clients to connect to a TOR network without revealing that they are using TOR?
A. Exit relay
B. Guard relay
C. TOR bridge node
D. Hidden service descriptor
Explanation: TOR bridge nodes are non-published TOR relays used as entry points to the network. Because their IPs are not in the public TOR consensus, network observers (such as ISPs in censored regions) cannot easily identify users connecting to TOR through bridges. Forensic investigators must understand bridges when analyzing alleged TOR traffic.

10. OWASP lists which of the following as a Top 10 IoT vulnerability category?
A. Quantum-resistant encryption
B. Weak, Guessable, or Hardcoded Passwords
C. Mandatory two-factor authentication
D. Strong supply-chain attestation
Explanation: Weak, guessable, or hardcoded passwords sits at the top of the OWASP IoT Top 10. Many IoT devices ship with default credentials baked into firmware (e.g., admin/admin), enabling botnets such as Mirai. CHFI v11 includes IoT forensics, so investigators must understand attack-surface fundamentals like this.

About the CHFI Exam

The Computer Hacking Forensic Investigator (CHFI v11, exam 312-49) validates skills in digital forensic investigation, evidence handling, file-system and OS artifact analysis, network and web-attack forensics, memory and malware analysis, mobile and cloud forensics, and the use of leading forensic tools. CHFI is ANSI-accredited and listed on the U.S. DoD 8140/8570 baseline.

  • Questions: 150 scored questions
  • Time limit: 4 hours
  • Passing score: 60-85% (cut score)
  • Exam fee: $550 (exam voucher) (EC-Council / Pearson VUE)

CHFI Exam Content Outline

  • Forensic Science (15%): Cybercrime types, IoCs, anti-forensics overview, data acquisition concepts, dark web and TOR, fileless malware, IoT and OT fundamentals
  • Regulations, Policies, and Ethics (10%): Federal Rules of Evidence, ACPO principles, search and seizure, chain of custody, eDiscovery, ISO/IEC 27037, ENFSI, and CAN-SPAM
  • Digital Evidence (18%): Disks, RAID, file systems (NTFS, FAT, APFS, ext4, HFS+), boot processes, mobile evidence, Windows event logs, IIS/Apache logs, file signatures, and MySQL forensics
  • Procedures and Methodology (17%): Forensic investigation lifecycle, lab setup, first response, data acquisition methodology, EDRM eDiscovery, image examination, event correlation, and dark-web/malware forensics
  • Digital Forensics (29%): Anti-forensics defeat, Windows/Linux/Android artifact analysis, network forensics, web-attack investigation, database/dark-web/email/cloud/IoT forensics, and Python forensics
  • Tools, Systems, and Programs (11%): FTK Imager, EnCase, Autopsy/TSK, Volatility, Wireshark, hashcat, Cellebrite, Sysinternals, Eric Zimmerman tools, SIEMs, and AWS/Azure/IoT forensic tools

How to Pass the CHFI Exam

What You Need to Know

  • Passing score: 60-85% (cut score)
  • Exam length: 150 questions
  • Time limit: 4 hours
  • Exam fee: $550 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CHFI Study Tips from Top Performers

1. Memorize the order of volatility (registers/cache, RAM, network state, disk, archives); it appears in many acquisition questions
2. Know NTFS internals: $MFT, $LogFile, $Bitmap, alternate data streams, and $STANDARD_INFORMATION vs $FILE_NAME for timestomping detection
3. Master Windows event log IDs: 4624 (logon), 4625 (failed logon), 4634 (logoff), 4688 (process creation), 4663 (object access)
4. Practice with Volatility 3 plugins (pslist, pstree, malfind, netstat, cmdscan) on sample memory dumps from public CFReDS images
5. Learn key registry forensic keys: NTUSER.DAT (ShellBags, RunMRU, RecentDocs), USBSTOR, AmCache, and Run/RunOnce for persistence
6. Study cloud-specific logging: AWS CloudTrail, VPC Flow Logs, S3 access logs; Azure Activity Log; GCP Cloud Audit Logs
7. Memorize file signatures (magic bytes): JPEG FF D8 FF, PNG 89 50 4E 47, PDF 25 50 44 46, ZIP 50 4B 03 04
8. Get hands-on with Autopsy, FTK Imager, and Wireshark on sample images; CHFI is heavy on tool-recognition questions

Frequently Asked Questions

What is the CHFI exam format?

The CHFI v11 exam (312-49) has 150 multiple-choice questions and a 4-hour time limit. The passing score is a variable cut score between 60% and 85%, depending on the exam form. The exam is delivered through ECC Exam Center (Pearson VUE) or via EC-Council's Remote Proctoring Service (RPS), so you can test from home.

How much does the CHFI certification cost?

The CHFI exam voucher costs approximately $550. Self-study candidates must additionally submit an eligibility application with a $100 non-refundable fee. Official iLearn, iWeek, or MasterClass training packages typically range from $1,500 to $3,500 and include the exam voucher.

What are the CHFI eligibility requirements?

Candidates must either complete official EC-Council CHFI training, OR demonstrate at least 2 years of information security work experience and submit an approved eligibility application. The training route waives the experience requirement. ANSI accreditation requires this gating to ensure baseline qualification.

What is new in CHFI v11 compared to earlier versions?

CHFI v11 (blueprint v4.0) adds expanded coverage of dark web and TOR forensics, IoT and OT (operational technology) forensics, fileless malware analysis (memfd_create, GOOTLOADER, .NET malware), AI-assisted forensics (ChatGPT in evidence processing), Python-based forensic scripting, and modern cloud platforms (AWS, Azure, GCP, Google Workspace).

What jobs can I get with a CHFI certification?

CHFI is mapped to NICE 2.0 and is a U.S. DoD 8140/8570 baseline certification. Common roles include Digital Forensics Analyst, Computer Forensics Investigator, Incident Response Analyst, Cyber Crime Investigator, Forensic Examiner (corporate or law enforcement), and DFIR Consultant. Median U.S. salaries typically range from $77,000 to $123,000.