EC-Council · CHFI
Validates the ability to detect hacking attacks, extract and preserve digital evidence, and conduct forensic investigations, covering digital forensics methodology, evidence acquisition, chain-of-custody procedures, dark web forensics, IoT forensics, and malware forensics.
Questions
589
Duration
240 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Prepare for the Computer Hacking Forensic Investigator certification with CHFI practice exam questions covering evidence handling, digital forensics methods, file systems, malware investigation, network evidence, mobile artifacts, and incident response reporting. The questions are scenario-based so you can practice choosing the next forensic step.
As you review, focus on chain of custody, artifact locations, acquisition methods, and tool limitations. Those details are easy to confuse under time pressure, and repeated practice with explanations helps turn forensic terminology into exam-ready judgment.
The Computer Hacking Forensic Investigator (CHFI) certification, offered by EC-Council under exam code 312-49, validates a practitioner's ability to detect hacking attacks, conduct thorough digital forensic investigations, and extract and preserve evidence in a manner admissible in legal proceedings. The program covers the full forensic investigation lifecycle — from searching and seizing digital assets through chain-of-custody procedures, data acquisition and duplication, defeating anti-forensic techniques, and final reporting. CHFI v11 is the current version of the program and introduced new modules on Dark Web Forensics and IoT Forensics, alongside enhanced coverage of malware forensics (including Emotet and EternalBlue), cloud forensics across AWS, Azure, and GCP, and RAM and Tor forensics.
Accredited under ISO/IEC 17024 (ANAB) and approved under U.S. DoD Directive 8140, CHFI carries formal government recognition as an intermediate-level qualification for three critical DFIR (Digital Forensics and Incident Response) work roles defined by the DoD Cyber Workforce Framework (DCWF). The certification is vendor-neutral in scope but technically deep, with more than 600 forensic tools covered across 68+ hands-on labs, making it one of the most lab-intensive digital forensics programs available.
CHFI is designed for cybersecurity and IT professionals who investigate, respond to, or prosecute cybercrime. Primary job roles include forensic computer analysts, cyber defense forensic analysts, malware analysts, incident responders, information security professionals, and IT auditors. It is also well-suited for law enforcement personnel, military and defense professionals, legal professionals who need to understand digital evidence, and banking or insurance professionals dealing with fraud investigations.
Candidates typically have a background in information technology or cybersecurity and are looking to specialize in digital forensics. The program is appropriate for both practitioners aiming to formalize existing skills and professionals transitioning into a DFIR-focused role. While there is no strict experience prerequisite if attending official training, those applying via the self-study eligibility path should have at least two years of information security experience.
There are no mandatory prerequisites for candidates who enroll in an official EC-Council authorized training program (via Training Partner, iLearn self-study, or iWeek live online). Attending the official CHFI course grants automatic eligibility to sit the exam upon completion.
Candidates who wish to challenge the exam without attending official training must submit an EC-Council Exam Eligibility Application, pay a non-refundable $100 eligibility fee, and demonstrate a minimum of two years of professional experience in the information security field. Practically, EC-Council recommends that candidates possess foundational knowledge of networking concepts, operating systems (Windows, Linux, macOS), cybersecurity fundamentals, and basic incident response procedures before undertaking CHFI study. Prior exposure to ethical hacking concepts (such as through CEH) is beneficial but not required.
The CHFI exam (312-49) consists of 150 multiple-choice questions and must be completed within 240 minutes (4 hours). The exam is delivered through EC-Council's ECC Exam Centers worldwide or via remote proctoring. The exam cost is $650 USD.
To maintain exam integrity, EC-Council administers the test in multiple forms with different question banks. Cut scores are set on a per-form basis, meaning the passing threshold can range from 60% to 85% depending on the specific form delivered. EC-Council publishes a 70% passing score as the benchmark figure. Scores are reported immediately upon completion at test centers. The certification is valid for three years, after which holders must earn 120 EC-Council Education Credits (ECE) to renew.
CHFI-certified professionals qualify for roles including Forensic Computer Analyst, Cyber Defense Forensic Analyst, Malware Analyst, Incident Responder, Cybercrime Investigator, and Information Systems Security Professional. The certification carries particular weight in government and defense sectors: under DoD Directive 8140 (the successor to DoD 8570), CHFI is formally recognized as an intermediate-level qualification for three DFIR-related DCWF work roles, making it a required or preferred credential for cybersecurity positions across U.S. federal agencies and defense contractors. The certification is also valued in finance, healthcare, legal, and insurance sectors where digital evidence and regulatory compliance intersect.
According to PayScale, CHFI-certified professionals earn an average salary of approximately $97,000, with ranges from $72,000 to $118,000 depending on role, location, and experience. Salary.com data places the average forensic analyst salary at $115,175 annually in the U.S. EC-Council reports that CHFI is the only forensics-focused certification program whose holders average a six-figure salary, according to its Salary Survey Report 75. Compared to alternatives such as GCFE (GIAC) or the AccessData ACE, CHFI's broader scope — spanning cloud, IoT, dark web, and mobile forensics — and its DoD recognition give it a stronger positioning for professionals targeting both private-sector and government DFIR roles.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 589 questions.
Preview — answers shown1. An investigator is analyzing file system activity on a Windows system and examines the $UsnJrnl (Update Sequence Number Journal) to identify file modifications. Which reason code in the $J data stream indicates that a file's data content was extended? (Select one!)
Explanation
The DATA_EXTEND reason code (0x00000002) in the $UsnJrnl indicates that a file's data content was extended. The Update Sequence Number Journal tracks file changes with specific reason codes: FILE_CREATE indicates new file creation, RENAME_NEW_NAME indicates the new name in a rename operation, and SECURITY_CHANGE indicates modifications to file security descriptors. The $UsnJrnl provides detailed change tracking that reveals file system activity even when traditional logs are unavailable, and can retain several days or weeks of history depending on system activity.
2. A digital forensics lab receives an SSD with TRIM enabled for analysis. The drive was powered on for 48 hours after the suspect deleted incriminating files. What is the expected recovery rate for the deleted files? (Select one!)
Explanation
TRIM commands notify SSDs which blocks are no longer in use after file deletion. Garbage collection runs as a background process when SSDs are powered on, permanently destroying data marked by TRIM. Testing shows 0 percent recovery rate on TRIM-enabled systems after sufficient time for garbage collection versus 100 percent recovery on TRIM-disabled systems. The 48-hour powered-on period allowed garbage collection to complete. Standard file carving cannot recover data after physical erasure. Over-provisioned areas may contain remnants but require chip-off or controller bypass techniques, not standard logical acquisition.
3. During database forensics of a SQL Server instance, an investigator needs to analyze historical transactions to determine which user deleted specific records at what time. Which SQL Server component and tool should be used? (Select one!)
Explanation
Transaction log (.LDF file) analyzed with ApexSQL Log is the correct approach for historical transaction analysis. The .LDF transaction log records all database modifications including DELETE statements with transaction name, timestamp, login name, affected table, and actual SQL statement. ApexSQL Log and similar tools parse the transaction log to present this information in human-readable format. The .MDF primary database file contains current data state but not historical transaction details. Backup files show point-in-time state but lack transaction-level detail about who made changes. Tempdb contains temporary objects and is cleared on restart, making it unsuitable for historical analysis. Only the transaction log provides the complete audit trail needed for forensic investigation.
4. A forensic analyst uses The Sleuth Kit to create a timeline of file activity from a suspected compromised system. Which command sequence correctly generates a timeline from an NTFS image? (Select one!)
Explanation
The correct timeline workflow uses fls with the -r flag to recursively walk directories, -m flag to output body file format, and -o to specify partition offset, piping to a body file. Then mactime reads the body file with -b flag and generates the human-readable ASCII timeline. The mmls command only displays partition layout and cannot generate timeline data. The icat command outputs file contents, not timeline information. The tsk_recover command extracts deleted files but does not create timeline data; mactime also does not have a -d flag for directory input.
5. During malware analysis, a reverse engineer examines a suspicious PE executable and observes that the entry point is located in the .rsrc section rather than the .text section, and the binary shows an entropy value of 7.8. What do these characteristics most likely indicate? (Select one!)
Explanation
An entry point outside the standard .text section combined with high entropy (greater than 6.5) are strong indicators of packed or encrypted malware. Legitimate executables typically have entry points in the .text section and lower entropy values. Entropy above 7.0 suggests encryption or compression, as randomized data has higher entropy than normal code. Packers often place unpacking stubs in non-standard sections like .rsrc. Digitally-signed applications follow standard PE structure. Corrupted files would not have valid PE headers. Standard compiler optimizations do not produce these anomalies.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam