CHFI v3 Sample Test Questions

1. Who made the first recorded study of fingerprints?

A. Francis Galton *
B. Hans Gross
C. Benjamin Franklin
D. Francis Eghart

2. Computer Forensics focuses on which three categories of data? (Select 3)

A. Latent Data *
B. Archival Data *
C. Active Data *
D. Passive Data
E. Inactive Data

3. When is it appropriate to use computer forensics?

A. If copyright and intellectual property theft/misuse has occurred *
B. If employees do not care for their boss’ management techniques
C. If sales drop off for no apparent reason for an extended period of time
D. If a financial institution is burglarized by robbers

4. In corporate investigations, what is the most common type of crime found?

A. Industrial espionage *
B. Copyright infringement
C. Physical theft
D. Denial of Service attacks

5. Which Amendment in the US Constitution protects every person from unreasonable
searches and seizures by government officials?

A. The 4th Amendment *
B. The 5th Amendment
C. The 1st Amendment
D. The 10th Amendment

6. Under United States Penal Code 18 U.S.C. 1831 for Economic Espionage, what is the
maximum fine allowed by law?

A. $10,000,000 USD *
B. $1,000,000 USD
C. $100,000 USD
D. $5,000,000 USD

7. What prompted the US Patriot Act to be created?

A. World Trade Center attack in 2001 *
B. Oklahoma City bombing in 1995
C. World Trade Center attack in 1993
D. Iraqi invasion of Kuwait in 1990

8. For computer crimes in the United States, which two agencies share jurisdiction for
computer crimes that cross state lines? (Select 2)

A. FBI *
B. Secret Service *

9. What must be obtained before an investigation is carried out at a location?

A. Search warrant *
B. Subpoena
C. Habeas corpus
D. Modus operandi

10. What command can be used to view the current network connections on a computer?

A. Netstat *
B. Arp
C. Dir /p
D. Finger

11. What method of copying should always be performed first before carrying out an

A. Bit-stream copy *
B. Parity-bit copy
C. Parity-stream copy
D. Xcopy

12. Why should you never power on a computer that you need to acquire digital evidence

A. When the computer boots up, files are written to the computer rendering the data
“unclean” *
B. When the computer boots up, the system cache is cleared which could destroy
C. When the computer boots up, data in the memory’s buffer is cleared which could
destroy evidence
D. Powering on a computer has no effect when needing to acquire digital evidence from

13. Why would a company issue a dongle with the software they sell?

A. To provide copyright protection *
B. To provide wireless functionality with the software
C. To provide source code protection
D. To ensure that keyloggers cannot be used

14. What is the first step taken in an investigation for laboratory forensic staff members?

A. Securing and evaluating the electronic crime scene *
B. Packaging the electronic evidence
C. Conducting preliminary interviews
D. Transporting the electronic evidence

15. When marking evidence that has been collected with the “aaa/ddmmyy/nnnn/zz”
format, what does the “nnnn” denote?

A. The sequential number of the exhibits seized *
B. The sequence number for the parts of the same exhibit
C. The initials of the forensics analyst
D. The year the evidence was taken

16. When discussing the chain of custody in an investigation, what does a “link” refer to?

A. Someone that takes possession of a piece of evidence *
B. Evidence that links one piece of evidence to another, like a USB cable
C. The most critical piece of evidence in an investigation
D. The transportation used when moving evidence

17. What is one method of detecting a computer-related incident?

A. Gaps in the firewall log with no activity, when there is normally activity *
B. Numerous successful login attempts
C. Seeing spikes in network activity throughout the workday
D. Hard drive failure on a SQL server machine

18. In handling computer-related incidents, which IT role should be responsible for
recovery, containment, and prevention to constituents?

A. Network Administrator *
B. Security Administrator
C. Director of Information Technology
D. Director of Administration

19. What stage of the incident handling process involves reporting events?

A. Identification *
B. Follow-up
C. Containment
D. Recovery

20. Which category of incidents can be handled within one working day?

A. Low level incident *
B. Mid level incident
C. High level incident
D. All incidents should be handled immediately after their detection

21. How many entrances are recommended for a computer forensics lab?

A. One *
B. Three
C. Two
D. Four

22. What is stored in a StrongHold bag?

A. Wireless cards *
B. Backup tapes
C. Hard drives
D. PDAs

23. Paraben’s Lockdown device uses which operating system to write hard drive data?

A. Windows *
B. Red Hat
C. Unix
D. Mac OS

24. Why does Computer Forensic Labs, Inc. not recommend that companies search for
evidence themselves?

A. Searching can change date/time stamps *
B. Searching could possibly crash the machine or device
C. Searching creates cache files which would hinder the investigation
D. Computer Forensic Labs, Inc. does not make this recommendation

25. What is the smallest physical storage unit on a hard drive?

A. Sector *
B. Cluster
C. Track
D. Platter

26. When operating systems mark a cluster as used but not allocated, the cluster is
considered what?

A. Lost *
B. Bad
C. Corrupt
D. Unallocated

27. Given the drive dimensions as follows and assuming a sector has 512 bytes, what is
the capacity of the described hard drive?

22,164 cylinders/disk
80 heads/cylinder
63 sectors/track

A. 53.26 GB *
B. 57.19 GB
C. 11.17 GB
D. 0.10 GB

28. What will the following command accomplish?

dd if=/dev/xxx of=mbr.backup bs=512 count=1

A. Back up the master boot record *
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive

29. A standard 120 mm CD-ROM will hold up to how much data?

A. 700 MB *
B. 850 MB
C. 1.44 GB
D. 550 MB

30. What is the maximum capacity of a dual-layer Blu-ray disc?

A. 50 GB *
B. 27 GB
C. 40 GB
D. 75 GB

31. What hashing method is used to password protect BlackBerry devices?

A. SHA-1 *
B. RC5
C. MD5

32. When preparing an investigative report, what sources provide examples of expert
witnesses’ previous testimonies?

A. Deposition banks *
B. Testimony banks
C. Subpoena banks
D. Court docket banks

33. For forensic investigative reports, what electronic format should reports be sent in?

A. PDF *

34. Which type of witness is not considered an expert in a particular field?

A. Lay witness *
B. Material witness
C. Clerk-appointed witness
D. Bonded witness

35. What type of numbering system in an investigative report is used in pleadings?

A. Legal-sequential numbering *
B. Decimal numbering structure
C. Forensic-sequential numbering
D. Binary-sequential numbering

36. In a court of law, who is qualified by the court to address the behavior of the
defendant or characteristics of a crime?

A. Victim advocate *
B. Legal counsel for defendant
C. Legal counsel for prosecution
D. No one is qualified

37. This type of testimony is presented by someone who does the actual fieldwork and
does not offer a view in court.

A. Technical testimony *
B. Expert testimony
C. Victim advocate testimony
D. Civil litigation testimony

38. When should an MD5 hash check be performed when processing evidence?

A. Before and after evidence examination *
B. On an hourly basis during the evidence examination
C. After the evidence examination has been completed
D. Before the evidence examination has been completed

39. When is it appropriate to use a formal checklist in a final report of an investigation?

A. It is never appropriate to use a formal checklist in a final report *
B. It is only appropriate to use a formal checklist in a final report in felony cases
C. It is only appropriate to use a formal checklist in a final report in misdemeanor cases
D. It is always suggested to use a formal checklist in a final report