Cyber Forensics: Volatility Order, Hashing and Write Blockers Basics
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
25 May 2026
About this mock
UGC-NET Forensic Science Unit VII drill on the foundational concepts of cyber forensics. Covers the order of volatility as defined in RFC 3227, from CPU registers and cache at the most volatile end through RAM, network state, running processes, and disk storage to archival media at the least volatile end. Write-blockers are examined as the first defensive tool an examiner deploys, with hardware devices such as Tableau and WiebeTech contrasted against software-based solutions. Hash functions tested include MD5 (128-bit digest), SHA-1 (160-bit), and SHA-256 (256-bit), with emphasis on their role in verifying digital evidence integrity before and after bit-stream imaging using FTK Imager, dd, and EnCase. Chain of custody requirements for digital evidence, the distinction between live and dead acquisition, and the basics of BSA 2023 Section 63 (formerly IEA Section 65B) electronic evidence certificates are all assessed.
The Indian statutory and judicial dimension covers IT Act 2000 Sections 65 (tampering with source code) and 66 (computer-related offences), cyber-crime taxonomy including hacking, phishing, and identity theft, and the landmark Supreme Court rulings Anvar P.V. v P.K. Basheer (2014) 10 SCC 473 and Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020) 7 SCC 1 on admissibility of electronic records. The CFSL Hyderabad Cyber Crime Digital Repository (CCDR) and CERT-In are referenced as the primary Indian institutional pillars. Standards consulted include NIST SP 800-86 and ISO/IEC 27037, alongside Casey (Digital Evidence and Computer Crime, 3rd ed) and Nelson Phillips Steuart (Guide to Computer Forensics, 6th ed).
Topics covered:
- RFC 3227 volatility order from CPU registers to archival media
- Hardware vs software write-blockers (Tableau, WiebeTech)
- MD5, SHA-1, and SHA-256 hash function basics
- Hash verification before and after imaging for integrity
- Chain of custody for digital evidence
- BSA 2023 Section 63 / IEA Section 65B electronic certificate
- Live vs dead acquisition distinction
- IT Act 2000 Sections 65 and 66; cyber-crime taxonomy basics
Calibrated for first-pass UGC-NET Forensic Science Paper II Unit VII preparation and NFSU MSc Digital Forensics entrance revision. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 7 questions
Nelson, Bill; Phillips, Amelia; Steuart, Christopher — Guide to Computer Forensics and Investigations, 6th Edition, Cengage, 2019
Chapter 3: Data Acquisition — hardware write-blockers: Tableau and WiebeTech
- cited in 6 questions
Casey, Eoghan — Digital Evidence and Computer Crime, 3rd Edition, Academic Press, 2011
Chapter 4: Conducting Digital Investigations — order of volatility and live acquisition
- cited in 3 questions
NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response, 2006
Section 4.1: Basic Forensic Techniques — live vs static acquisition decision criteria
- cited in 2 questions
ISO/IEC 27037:2012 — Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence
Section 7: Acquisition — recommended hash algorithms for evidence integrity
- cited in 2 questions
RFC 3227 — Guidelines for Evidence Collection and Archiving (IETF, 2002)
Section 2.1: Order of Volatility
- cited in 1 question
Bharatiya Sakshya Adhiniyam (BSA) 2023 — Section 63; Indian Evidence Act 1872 — Section 65B
Section 63 BSA 2023 / Section 65B IEA 1872: Admissibility of Electronic Records
- cited in 1 question
Information Technology Act 2000 — Sections 43, 66, 66C
Section 66: Computer-Related Offences — hacking as unauthorised access under Indian cyber law
- cited in 1 question
Information Technology Act 2000 — Sections 43 and 66
Section 43: Penalty for Damage to Computer System; Section 66: Computer Related Offences
- cited in 1 question
Information Technology Act 2000 — Section 65
Section 65: Tampering with Computer Source Documents
- cited in 1 question
Anvar P.V. v P.K. Basheer (2014) 10 SCC 473 — Supreme Court of India
Judgment: Section 65B IEA — mandatory certificate for admissibility of electronic records
- cited in 1 question
FIPS PUB 180-4 — Secure Hash Standard, NIST, 2015
Section 1: Hash function specifications — SHA-1, SHA-256, SHA-512 output lengths
- cited in 1 question
Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020) 7 SCC 1 — Supreme Court of India
Judgment: Section 65B IEA — mandatory certificate, court power to summon certifying official
- cited in 1 question
Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020) 7 SCC 1
Judgment: Section 65B IEA — mandatory certificate from responsible official of originating system
- cited in 1 question
Information Technology Act 2000 — Section 66C (as amended 2008)
Section 66C: Punishment for Identity Theft
- cited in 1 question
Carrier, Brian — File System Forensic Analysis, Addison-Wesley, 2005
Chapter 2: Computer Foundations — disk imaging with dd and forensic soundness
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Cyber Forensics: Volatility Order, Hashing and Write Blockers Basics mock cover?+
UGC-NET Forensic Science Unit VII drill on the foundational concepts of cyber forensics. Covers the order of volatility as defined in RFC 3227, from CPU registers and cache at the most volatile end through RAM, network state, running processes, and disk storage to archival media at the least volatile end. Write-blockers are examined as the first defensive tool an examiner deploys, with hardware devices such as Tableau and WiebeTech contrasted against software-based solutions. Hash functions test
How many questions and how long is the test?+
30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Free.
Who is this mock for?+
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Cyber Forensics, NET. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?+
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?+
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.