100+ Free CFCE Practice Questions

IACIS Certified Forensic Computer Examiner (CFCE) practice questions are available now; exam metadata is being verified.

Question 1

Windows stores a record of files opened by each application type in the Recent Items MRU. Where is the RecentDocs MRU list stored in the registry for user-accessed files?


Key Facts: CFCE Exam

Minimum Pass Score: 80% (IACIS)
Knowledge Test Questions: 100 (IACIS)
Hard Drive Practical Window: 30 days (IACIS)
External Candidate Fee: $800 (IACIS)
Recertification Cycle: 3 years (IACIS)
Core Competency Domains: 7 (IACIS BCFE/CFCE)

The CFCE is the gold-standard law-enforcement digital forensics credential, accredited by the FSAB and issued by IACIS. It requires 72 hours of qualifying training, four peer-review practical problems, a 30-day hard drive practical exam, and a 100-question knowledge test — all at an 80% passing threshold. IACIS's tool-neutral philosophy means the exam tests forensic principles deeply: FAT/NTFS structures, Windows registry forensics, evidence law, and expert reporting. The BCFE course ($0 exam fee included) is the primary pathway.

Sample CFCE Practice Questions

Try these sample questions to test your CFCE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which legal standard governs the admissibility of scientific expert testimony in U.S. federal courts and requires that methods be tested, peer-reviewed, have known error rates, and be generally accepted?
A. Daubert standard
B. Kumho standard
C. Federal Rules of Evidence 901
D. Frye standard
Explanation: The Daubert standard, established by the Supreme Court in Daubert v. Merrell Dow Pharmaceuticals (1993), governs expert testimony in federal courts. Under Daubert, the trial judge acts as a gatekeeper and must ensure that the expert's methods are scientifically reliable: tested, peer-reviewed, have a known error rate, and are generally accepted. Many states have adopted Daubert, replacing the older Frye 'general acceptance' standard.

2. A forensic examiner receives a hard drive seized under a search warrant. Before imaging, the examiner attaches the drive to a forensic workstation. What device should be used to prevent any write operations to the evidence drive?
A. A write blocker
B. A forensic bridge with read-only firmware
C. A software-based disk cloner
D. A hardware hash validator
Explanation: A write blocker (hardware or software) intercepts all write commands directed to the evidence drive and blocks them, ensuring the original media is not altered during acquisition. Hardware write blockers such as Tableau or WiebeTech devices are preferred in court-admissible forensics because they operate at the hardware layer and function independently of the host operating system.

3. Which document records every person who has had custody of a piece of digital evidence from the moment of seizure through trial?
A. Evidence seizure log
B. Forensic examination report
C. Chain of custody form
D. Digital evidence bag label
Explanation: The chain of custody form records each person who possessed the evidence, the date and time of transfer, the reason for transfer, and the condition of the evidence at each handoff. A properly maintained chain of custody is essential to demonstrating that evidence has not been tampered with and that it is the same item collected at the scene.

4. Under the Fourth Amendment, a warrantless search of a private citizen's computer is generally unconstitutional UNLESS which of the following applies?
A. The suspect is on parole or probation with a search condition
B. The investigator believes evidence will be destroyed within 24 hours
C. The computer is connected to the internet
D. The employer has a written acceptable use policy
Explanation: Parolees and probationers who have search conditions attached to their supervision can have their computers searched without a warrant because they have reduced Fourth Amendment expectations as a condition of release. Other recognized exceptions include consent, exigent circumstances (imminent destruction of evidence), plain view, and border search — but mere belief that evidence will be destroyed is not automatic authority without meeting the full exigent circumstances test.

5. What is the primary purpose of hashing a forensic image immediately after acquisition?
A. To compress the image for storage efficiency
B. To encrypt the image to prevent unauthorized access
C. To verify that the image is a bit-for-bit copy of the original
D. To index the contents for faster searching
Explanation: Hashing (typically MD5 and/or SHA-256) immediately after acquisition creates a cryptographic fingerprint of the forensic image. If the hash of the image matches the hash of the source drive, the examiner can testify that the image is an exact, bit-for-bit duplicate. If the hash later matches after processing, it proves the image has not been altered. This integrity verification is fundamental to court-admissible digital forensics.

6. Which of the following best describes a 'forensically sterile' acquisition medium?
A. A drive that has been wiped with a DOD-approved overwrite pattern and verified to contain no user data
B. A drive that is brand new and has never been used
C. A drive formatted with NTFS using full format
D. A drive that has been physically cleaned and inspected for hardware defects
Explanation: A forensically sterile medium is one that has been wiped (zeroed or overwritten with a known pattern) and verified to contain no data from prior use. Simply being 'new' is not sufficient because drives can contain manufacturing test data. Full NTFS formatting does not overwrite all sectors. The sterility must be validated by hashing or sector-level inspection before use.

7. When seizing a running computer at a crime scene, the first responder should:
A. Photograph the screen, document running processes, and then capture volatile RAM before powering down
B. Log into the system to copy important files to an external drive
C. Insert a bootable USB to run a forensic live image of the running system
D. Immediately unplug the power cord to preserve the state of the hard drive
Explanation: Volatile data — RAM contents, running processes, network connections, and logged-in users — is lost the moment power is cut. Best practice is to photograph the screen, document visible information, capture a RAM dump if tools and authority are available, and only then power down. This preserves the maximum evidence while acknowledging that the drive state will be preserved on shutdown.

8. What does the hexadecimal value 0x55AA at the end of the Master Boot Record (MBR) indicate?
A. The MBR signature, indicating the sector is a valid bootable record
B. The start of the first partition
C. The end-of-file marker for the boot sector
D. The MBR is encrypted
Explanation: The two-byte signature 0x55AA (stored at byte offsets 510–511 of the sector) is the MBR boot signature or magic number. The BIOS checks for this value to confirm that the sector is a valid bootable MBR. Without this signature, the BIOS will not attempt to execute the boot code in that sector.

9. How many bytes are in a single sector on a traditional hard drive?
A. 512 bytes
B. 1024 bytes
C. 4096 bytes
D. 256 bytes
Explanation: Traditional hard drives use 512-byte sectors, which has been the standard for decades. Modern drives increasingly use 4096-byte (4K) Advanced Format sectors, but legacy drives and most forensic tool references default to 512 bytes per sector unless otherwise specified. The distinction is important when calculating offsets and partition boundaries.

10. In binary, the value 10110110 equals which decimal number?
A. 182
B. 178
C. 186
D. 166
Explanation: Converting 10110110 binary to decimal: 1×128 + 0×64 + 1×32 + 1×16 + 0×8 + 1×4 + 1×2 + 0×1 = 128 + 32 + 16 + 4 + 2 = 182. Digital forensics examiners must be fluent in binary, hexadecimal, and decimal conversions to interpret raw disk data and file headers.

About the CFCE Practice Questions

Verified exam format metadata for IACIS Certified Forensic Computer Examiner (CFCE) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.