Digital Forensics · easy · Free

Computer Forensics: Foundations

Published:

Questions: 30

Duration: 30 min

Faculty-reviewed: 30

Updated: 03 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This mock covers the foundations of Computer Forensics as set out in the FACT exam syllabus (Section B, Elective III, sub-section 1 — Computer Forensics). Thirty questions across the nine pillars a first-year MSc Cyber Forensics student must lock in before tackling case law, Windows-internals deep-dives, malware analysis, and reconstruction: computer hardware seen through a forensic lens (motherboard chipset, RAM volatility, HDD vs SSD, the CPU at the top of the order of volatility), the modern boot process (BIOS vs UEFI, MBR vs GPT, systemd as PID 1 on Linux), file-system fundamentals (NTFS journaling, FAT32's 4 GiB cap, ext4 extents and crtime), first-responder principles (RFC 3227 order of volatility, write blockers, volatile vs non-volatile classification), imaging and hashing (E01 vs raw dd, MD5 collisions vs SHA-256, hex digest lengths), search-and-seizure under post-2024 Indian law (BNSS replacing CrPC, IT Act 2000 sections 65/66/66A/66B with the Shreya Singhal strike-down), Windows artefacts (Registry hives and USBSTOR, Prefetch, the $I/$R Recycle Bin pair, the USN Journal), Linux artefacts (~/.bash_history, /var/log/, dot-file convention), and recovery techniques for deleted, hidden, and altered files (carving, slack space, NTFS Alternate Data Streams, what "delete" actually does).

It is pitched at BSc and first-year MSc cyber forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT and UGC-NET aspirants who need the Computer-Forensics foundations locked in. This sits at the introductory tier — vocabulary, definitions, and the most-asked concepts that anchor every later paper. It is **not** a duplicate of Mock #1 (which covers digital-forensics vocabulary across the whole field) — this mock drills specifically into Computer Forensics as a sub-discipline.

Topics covered:

  • Computer hardware from a forensic angle: motherboard chipset, RAM volatility, HDD vs SSD with TRIM, the CPU at the top of the order of volatility
  • Boot process and firmware: BIOS vs UEFI, MBR vs GPT, Linux systemd as PID 1
  • File-system fundamentals: NTFS journaling, FAT32 4 GiB cap, ext4 extents and crtime
  • First-responder principles: RFC 3227 order of volatility, hardware write blockers, volatile vs non-volatile
  • Imaging and hashing: E01 vs raw dd, MD5 vs SHA-256, hex digest lengths
  • Search and seizure under Indian law: BNSS 2023 (replacing CrPC), IT Act sections 65 / 66 / 66A / 66B with the 2015 Shreya Singhal strike-down
  • Windows artefacts: Registry hives, Prefetch, $I/$R Recycle Bin pair, USN Journal
  • Linux artefacts: ~/.bash_history, /var/log/, the dot-file hidden convention
  • Recovery of deleted/hidden/altered files: file carving, slack space, NTFS Alternate Data Streams

Each question carries a detailed 220+ word explanation citing standard references (Carrier's File System Forensic Analysis, Casey's Digital Evidence and Computer Crime, Carvey on Windows Registry forensics, RFC 3227, NIST SP 800-86 and 800-88, NIST FIPS PUB 180-4, the IT Act 2000, the BNSS 2023, the Shreya Singhal judgment, and Microsoft / Linux kernel documentation). Allow 30 minutes; the explanations are long enough to use as study notes by themselves. If you can pass this mock comfortably, you have the Computer-Forensics vocabulary that the application-level mocks (#3 Windows artefacts, #4 mobile acquisition, #5 email forensics) build on.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Carrier, Brian — File System Forensic Analysis

    Chapter 8: File System Analysis (slack space discussion)

    cited in 5 questions
  • RFC 3227 — Guidelines for Evidence Collection and Archiving

    Section 2.1: Order of Volatility (CPU registers and cache)

    Open source
    cited in 4 questions
  • NIST FIPS PUB 180-4 — Secure Hash Standard

    Section 1: Introduction (hash function output sizes)

    Open source
    cited in 2 questions
  • Kerrisk, Michael — The Linux Programming Interface

    Chapter 18: Directories and Links (filename conventions, dot-files)

    cited in 2 questions
  • Nelson, Phillips, Steuart — Guide to Computer Forensics and Investigations

    Chapter 4: Data Acquisition (write blocker section)

    cited in 1 question
  • libewf — Expert Witness Format Specification

    EWF format reference (header, sections, and chunk integrity)

    Open source
    cited in 1 question
  • Information Technology Act, 2000

    Section 65: Tampering with Computer Source Documents

    cited in 1 question
  • Microsoft Documentation — Change Journals

    USN Journal structure and the USN_RECORD reason flags

    Open source
    cited in 1 question
  • Shreya Singhal v. Union of India

    (2015) 5 SCC 1, Supreme Court of India — strike-down of Section 66A IT Act

    cited in 1 question
  • Carvey, Harlan — Windows Registry Forensics

    Chapter 3: Registry Analysis (HKLM hives and USBSTOR)

    cited in 1 question
  • Bharatiya Nagarik Suraksha Sanhita, 2023

    Provisions on Search and Seizure (Chapter on Searches by Police Officers)

    cited in 1 question
  • Filesystem Hierarchy Standard, version 3.0

    Section 5.10: /var/log : Log files and directories

    Open source
    cited in 1 question
  • Carvey, Harlan — Windows Forensic Analysis Toolkit

    Chapter on Recycle Bin Artefacts ($I and $R structure)

    cited in 1 question
  • NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization

    Section 2.5: Considerations for Solid-State Drives (TRIM and garbage collection)

    Open source
    cited in 1 question
  • Patterson, David A. & Hennessy, John L. — Computer Organization and Design: The Hardware/Software Interface

    Chapter 1: Computer Abstractions and Technology (motherboard and chipset overview)

    cited in 1 question
  • UEFI Specification, version 2.10

    Chapter 3: Boot Manager, and Chapter 5: GUID Partition Table

    Open source
    cited in 1 question
  • SANS DFIR Poster — Windows Forensic Analysis

    Prefetch artefact details (Windows 7 vs Windows 8/10)

    Open source
    cited in 1 question
  • Bash Reference Manual

    Section 9.1: Bash History Facilities (HISTFILE, HISTSIZE)

    Open source
    cited in 1 question
  • Linux Kernel Documentation — ext4 Filesystem

    Documentation/filesystems/ext4.rst (extents and on-disk format)

    Open source
    cited in 1 question
  • Microsoft Documentation — FAT, HPFS, and NTFS File Systems

    FAT32 file size and volume size limits

    cited in 1 question
  • Microsoft Documentation — File Streams (NTFS)

    Multiple data streams and the :streamname syntax

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Computer Forensics: Foundations mock cover?

This mock covers the foundations of Computer Forensics as set out in the FACT exam syllabus (Section B, Elective III, sub-section 1 — Computer Forensics). Thirty questions across the nine pillars a first-year MSc Cyber Forensics student must lock in before tackling case law, Windows-internals deep-dives, malware analysis, and reconstruction: computer hardware seen through a forensic lens (motherboard chipset, RAM volatility, HDD vs SSD, the CPU at the top of the order of volatility), the modern

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Free.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Yes — 30 of 30 questions are faculty-reviewed. Each question carries a verified source citation.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
