
100+ Free eCDFP Practice Questions

Certified Digital Forensics Professional (eCDFP) practice questions are available now; exam metadata is being verified.

Interactive quiz, question 1 of 100:

Which Windows registry hive file is stored in each user's profile directory and contains user-specific settings such as desktop preferences, application MRU lists, and user-specific startup entries?

Key Facts: eCDFP Exam (2026 statistics; source: INE Security)

Minimum passing score: 76.7%
Exam length: 30 questions
Exam window: 24 hours
Certification validity: 3 years
Exam content areas: 4 domains
Retake policy: free retake within 14 days of failure

The eCDFP is INE Security's practical digital forensics certification designed for senior-level professionals including forensic analysts, forensic examiners, and MSSPs. The 24-hour exam consists of 30 questions (15 theory, 15 practical) inside a browser-based forensic lab with Windows and Linux workstations. Candidates must score 76.7% or above. The exam covers: Fundamentals of Digital Forensics (33%), Digital Forensics Tools and Techniques (27%), Preservation of Evidence (20%), and Storage Device Fundamentals (20%). This practice exam tests the theoretical and technical knowledge that underpins every eCDFP scenario.

Sample eCDFP Practice Questions

Try these sample questions to test your eCDFP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which principle states that every contact between a forensic examiner and evidence leaves a trace, forming the foundation of digital forensics?
A. Chain of custody
B. Frye standard
C. Best evidence rule
D. Locard's Exchange Principle
Explanation: Locard's Exchange Principle states that every contact leaves a trace, meaning that any interaction with a crime scene or digital evidence results in an exchange of material. In digital forensics this underpins the idea that actions on a system leave artifacts. Chain of custody is the documentation of evidence handling, while the best evidence rule and Frye standard are legal standards.

2. In digital forensics, what is the correct order of evidence collection according to the Order of Volatility (most volatile first)?
A. Hard disk, RAM, swap space, CPU registers
B. RAM, hard disk, CPU registers, swap space
C. CPU registers, RAM, swap space, hard disk
D. Swap space, RAM, CPU registers, hard disk
Explanation: RFC 3227 defines the Order of Volatility from most to least volatile: CPU registers and cache, RAM, swap/pagefile, network state, running processes, hard disk data, removable media, and finally backups/logs. CPU registers are lost the moment power is cut, while hard disk contents persist. Collecting in this order ensures the most perishable evidence is secured first.

3. Which hashing algorithm is most commonly used to verify the integrity of a forensic disk image and is required by many law enforcement standards?
A. MD5
B. SHA-1
C. SHA-256
D. CRC32
Explanation: SHA-256 is the current standard for forensic image integrity verification. While MD5 and SHA-1 are still used in legacy workflows, known collision attacks against both make SHA-256 the preferred choice for court-admissible evidence. CRC32 is a checksum for error detection, not a cryptographic hash suitable for evidentiary purposes.

4. FTK Imager is used to create a forensic image of a suspect drive. Which image format preserves metadata, allows compression, and is natively segmented, making it the de-facto standard?
A. E01 (Expert Witness Format)
B. dd (raw)
C. AFF (Advanced Forensic Format)
D. ISO 9660
Explanation: E01 (EnCase Expert Witness Format) is the de-facto standard forensic image format. It stores the bit-for-bit copy along with metadata (case info, examiner, acquisition hash), supports compression and segmentation into multiple files, and includes built-in MD5/SHA1 integrity hashes. FTK Imager, Autopsy, and most forensic suites natively support E01.

5. When acquiring a live system's RAM, which tool is commonly used on Windows to capture a full physical memory dump for later analysis?
A. Wireshark
B. RegRipper
C. DumpIt
D. WinHex
Explanation: DumpIt (now part of Magnet RAM Capture / Comae Toolkit) is a single-executable tool for capturing a full physical memory image on Windows without installation. The resulting dump can be analyzed with Volatility or Rekall. Wireshark captures network traffic, RegRipper extracts registry data, and WinHex is a hex editor/disk forensics tool.

6. A forensic examiner finds a file whose name appears in the directory but whose clusters are marked free in the FAT. What best describes this condition?
A. Deleted file recoverable by carving
B. Slack space
C. Alternate data stream
D. Bad sector cluster
Explanation: When a file is deleted in FAT-based file systems, the directory entry's first character is changed to 0xE5 (sigma) and the cluster chain in the FAT is zeroed (marked free), but the actual data may still reside in those clusters until overwritten. This deleted-but-recoverable state is the basis of file carving and undelete operations. Slack space is the unused space at the end of a cluster; ADS is an NTFS feature.

7. Which NTFS metadata file records the location of every file and directory on the volume and is the first target in NTFS forensic analysis?
A. $LogFile
B. $Bitmap
C. $MFT (Master File Table)
D. $UsnJrnl
Explanation: The $MFT (Master File Table) is NTFS's central index, containing a record for every file and directory including attributes, timestamps (MACE), size, and data run locations. It is the primary target in NTFS forensics because parsing it reveals the complete volume structure. $LogFile logs metadata transactions, $Bitmap tracks cluster allocation, and $UsnJrnl records change journal entries.

8. An examiner finds data hidden after the logical end of a file but within the same cluster allocation on an NTFS volume. What is this forensic artifact called?
A. File slack (cluster slack)
B. Volume slack
C. Unallocated space
D. Alternate data stream
Explanation: File slack (also called cluster slack) is the unused space between the logical end of a file and the end of its last allocated cluster. Since NTFS allocates in cluster-sized units, a 300-byte file in a 4096-byte cluster leaves 3796 bytes of slack that may contain remnants of previously deleted data. Volume slack is space after the last partition; unallocated space is free clusters; ADS is a named secondary stream.

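The following Python is an added illustration of the slack calculation above; it is not part of the original page or of INE's material. It generalizes the 300-byte example to files spanning several clusters, extracts the slack region of a file's last cluster, and runs a minimal `strings`-style scan over it. The 4096-byte cluster, the 300-byte live file and the "confidential-draft-v1.txt" remnant are constructed sample data, not real evidence.

```python
import math

# Constructed sample: a 4096-byte cluster holding a 300-byte live file,
# with remnants of an earlier, deleted file left behind in the slack area.
CLUSTER_SIZE = 4096
LOGICAL_SIZE = 300
_live_data = b"A" * LOGICAL_SIZE
_old_remnant = b"\x00" * 100 + b"confidential-draft-v1.txt" + b"\x00" * 50
SAMPLE_CLUSTER = (_live_data + _old_remnant).ljust(CLUSTER_SIZE, b"\x00")


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes between the logical end of the file and the end of its last cluster.

    Works for multi-cluster files: a 5000-byte file in 4096-byte clusters
    occupies two clusters (8192 bytes) and leaves 3192 bytes of slack.
    """
    if file_size == 0:
        return 0  # nothing allocated, so there is no slack to examine
    clusters = math.ceil(file_size / cluster_size)
    return clusters * cluster_size - file_size


def extract_slack(last_cluster: bytes, file_size: int, cluster_size: int) -> bytes:
    """Return the slack region of the file's last cluster (empty if none)."""
    offset = file_size % cluster_size
    if file_size > 0 and offset == 0:
        return b""  # file ends exactly on a cluster boundary
    return last_cluster[offset:cluster_size]


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Like `strings`: runs of printable ASCII at least min_len characters long."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


if __name__ == "__main__":
    print("slack bytes:", slack_bytes(LOGICAL_SIZE, CLUSTER_SIZE))
    slack = extract_slack(SAMPLE_CLUSTER, LOGICAL_SIZE, CLUSTER_SIZE)
    print("strings found in slack:", printable_runs(slack))
```

On a real volume the cluster size comes from the NTFS boot sector and the logical file size from the $MFT record's $DATA attribute; the functions above take those two numbers as inputs so they can be applied to any file's last cluster.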
9. Which structure at the start of a traditional partitioned disk contains the partition table and bootloader code, and is a key target when reconstructing a damaged disk layout?
A. Volume Boot Record (VBR)
B. GUID Partition Table (GPT)
C. Master Boot Record (MBR)
D. Partition Table Entry (PTE)
Explanation: The Master Boot Record (MBR) occupies the first 512 bytes of a disk (sector 0) and contains the bootstrap code (446 bytes), the partition table (64 bytes supporting up to 4 primary partitions), and the MBR signature (0x55AA). When a disk's MBR is damaged or overwritten, forensic tools like WinHex can carve and rebuild the partition table. VBR is the first sector of a volume/partition, not the disk.

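As an added example (not code from the original page or from INE), the following Python builds a constructed 512-byte sector 0 and parses it using the 446/64/2 layout described above. It checks the 0x55AA signature (stored on disk as the bytes 55 AA), walks the four 16-byte partition entries, and reports where each volume's first sector (its VBR) sits on the disk. The single NTFS-type partition starting at LBA 2048 and the bootstrap bytes are constructed sample values; the partition-type names are a small assumed lookup table, not an exhaustive list.

```python
import struct

# One 16-byte partition entry: status, CHS start (3), type, CHS end (3),
# LBA start (4, little-endian), sector count (4, little-endian).
ENTRY_FMT = "<B3sB3sII"
SECTOR = 512

# Assumed lookup for a few common type IDs (not exhaustive).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed sector 0: dummy bootstrap code, one NTFS entry, 0x55AA signature."""
    bootstrap = b"\xEB\xFE" + b"\x90" * 444          # 446 bytes: jmp $ plus NOP padding
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                         b"\x00\x00\x00", 2048, 204800)
    table = entry1 + b"\x00" * 48                      # three empty 16-byte slots
    return bootstrap + table + b"\x55\xAA"            # 446 + 64 + 2 = 512 bytes


def parse_mbr(sector0: bytes) -> dict:
    """Parse an MBR; raise ValueError if the signature is missing (damaged MBR)."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least 512 bytes of sector 0")
    sig = sector0[510:512]
    if sig != b"\x55\xAA":
        raise ValueError(f"bad MBR signature {sig.hex()}: expected 55aa; MBR damaged or not an MBR")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,           # first sector of the volume: where its VBR lives
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
            "size_bytes": sectors * SECTOR,
        })
    return {"bootstrap": sector0[:446], "partitions": partitions}


if __name__ == "__main__":
    layout = parse_mbr(build_sample_mbr())
    for p in layout["partitions"]:
        print(f"partition {p['index']}: {p['type_name']} boot={p['bootable']} "
              f"VBR at byte {p['byte_offset']} size {p['size_bytes']} bytes")
```

When the signature check fails on a real image, the rest of sector 0 cannot be trusted, which is exactly the situation in which an examiner falls back to carving VBR signatures from the disk to rebuild the table.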
10. During NTFS analysis, an examiner notices that a file's $STANDARD_INFORMATION timestamps differ significantly from its $FILE_NAME timestamps. What does this most likely indicate?
A. The file was compressed by NTFS
B. The file was encrypted with EFS
C. The file system is corrupt
D. The $SI timestamps were manipulated (timestomping)
Explanation: Timestomping is the act of modifying a file's $STANDARD_INFORMATION (SI) timestamps to hide malicious activity. Tools like Metasploit's timestomp module alter $SI timestamps, but the $FILE_NAME (FN) timestamps stored in the MFT parent directory index are much harder to modify and often retain the original values. A significant discrepancy between $SI and $FN timestamps is a strong indicator of anti-forensic tampering.

About the eCDFP Practice Questions

Verified exam format metadata for Certified Digital Forensics Professional (eCDFP) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.