Digital Forensics: Computer Hardware and File Systems Applied Scenarios
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
Applied-scenario drill on computer hardware and file systems for the FACT digital forensics paper, pitched at the medium difficulty band where the question describes a real-world seizure or lab situation and the candidate must pick the technique, structure, or statute that fits. Coverage spans long-mode x86-64 instruction execution, DDR4 ECC behaviour, virtual memory and page-table translation during RAM acquisition, HDD zoned bit recording and LBA, SSD flash translation layer (FTL) and TRIM with garbage collection, MBR extended partitions and hybrid MBR alongside GPT, GPT backup-header recovery, NTFS resident versus non-resident $DATA, ext4 extents versus ext3 indirect blocks, ext4 journal modes (writeback, ordered, journal), APFS clones, $STANDARD_INFORMATION versus $FILE_NAME timestomp detection, NTFS $LogFile versus USN journal, exFAT versus FAT32 for large files, HFS+ versus APFS macOS timeline, pagefile.sys and hiberfil.sys as RAM residue, UEFI Secure Boot with EFI System Partition, the POST boot stage, NIC checksum offload artefacts in PCAP, PMTUD black holes from MTU mismatch, NVMe-direct-to-CPU versus SATA-through-PCH topology, ECC scrubbing in cold-boot key recovery, and 4Kn versus 512e imaging offset issues.
The pack is meant for FACT aspirants who have cleared an easy-band hardware mock and now want scenario-style questions that force them to choose between near-neighbour techniques and adjacent structures, the same calibration the FACT digital forensics paper applies. It is also useful for NFSU MSc cyber forensics entrance candidates, CDAC PG-DCSF students, and SI-to-Inspector cyber-cell promotion aspirants in state CIDs.
Topics covered:
- Long mode and page-table translation in live acquisition
- DDR4 ECC, scrubbing, and cold-boot key recovery windows
- HDD zoned recording, SSD FTL, and TRIM-driven garbage collection
- MBR extended partitions, GPT backup header, hybrid MBR scenarios
- NTFS MFT resident attributes, USN journal, $LogFile timeline
- ext4 extents and journal modes (writeback, ordered, journal)
- APFS clones, HFS+ to APFS macOS file-system timeline
- UEFI Secure Boot, EFI System Partition, NVMe versus SATA topology
Use this mock after the easy-band hardware pack and before attempting the digital-forensics mixed full-length.
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Carrier, Brian, File System Forensic Analysis, Addison-Wesley 2005. Chapter 13: NTFS Concepts, Standard Information and File Name Attributes. Cited in 4 questions.
- UEFI Forum, Unified Extensible Firmware Interface Specification. UEFI Specification 2.10, Section 5.3 GPT Header, Backup GPT at LBA-1. Cited in 3 questions. Open source.
- Russinovich, Solomon, Ionescu, Yosifovich, Windows Internals 7th Edition Part 1. Chapter 5: Memory Management, Virtual Address Translation. Cited in 2 questions.
- Linux kernel documentation, Filesystems ext4. Documentation/filesystems/ext4.rst, Journal Modes journal, ordered, writeback. Cited in 2 questions. Open source.
- Apple Inc., Apple File System Reference. Apple File System Reference, Introduction and Adoption Timeline. Cited in 2 questions. Open source.
- T13 Technical Committee, ATA Command Set Standard. INCITS 529 (ACS-4), Section on Drive Geometry Reporting and LBA. Cited in 1 question.
- IEEE Standards Association, IEEE 802.3 Ethernet Standard. IEEE Std 802.3, Section on Hardware Checksum Offload and NIC Capture Path. Cited in 1 question. Open source.
- Microsoft Corporation, How NTFS Works. Microsoft Docs, NTFS Master File Table, Resident and Non-Resident Attributes. Cited in 1 question. Open source.
- International Disk Drive Equipment and Materials Association (IDEMA), Advanced Format Specification. IDEMA Document AF-005, 4K Sector Implementation Guide, 4Kn versus 512e. Cited in 1 question.
- ECMA International, ECMA-167 Volume and File Structure for Read-Only and Write-Once Media. ECMA-167 Part 3, Multi-session Recording and Volume Recognition. Cited in 1 question. Open source.
- JEDEC Solid State Technology Association, DDR4 SDRAM Standard. JESD79-4C, Section on Registered ECC DIMMs and Error Reporting. Cited in 1 question. Open source.
- UEFI Forum, Unified Extensible Firmware Interface Platform Initialization Specification. UEFI PI Specification 1.7, Volume 1: Pre-EFI Initialization (PEI) and Driver Execution Environment (DXE). Cited in 1 question. Open source.
- National Institute of Standards and Technology, Computer Forensics Tool Testing Program. NIST CFTT, Hardware Write Blocker Specification Version 2.0. Cited in 1 question. Open source.
- NIST Special Publication 800-86. Guide to Integrating Forensic Techniques into Incident Response, Solid State Storage Acquisition. Cited in 1 question. Open source.
- Microsoft Corporation, FAT32 File System Specification. Microsoft FAT32 File System Specification 1.03, Section on Directory Entry Format. Cited in 1 question. Open source.
- Microsoft Corporation, exFAT File System Specification. Microsoft exFAT File System Specification, Revision 1.00. Cited in 1 question. Open source.
- Microsoft Corporation, NTFS Technical Reference. Microsoft Docs, NTFS Log File and Change Journal. Cited in 1 question. Open source.
- Halderman, J. Alex et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University 2008. Cold-Boot RAM Persistence and ECC Scrubbing Behaviour. Cited in 1 question. Open source.
- Intel Corporation, Intel 64 and IA-32 Architectures Software Developer's Manual. Volume 3A, Chapter 3: Protected-Mode Memory Management and IA-32e Long Mode. Cited in 1 question. Open source.
- NVM Express Inc., NVM Express Base Specification. NVMe Specification 2.0, Section on Namespace and Address Reporting. Cited in 1 question. Open source.
- Intel Corporation, Platform Controller Hub Datasheet. Intel 600 Series Chipset Family PCH Datasheet, Volume 1, DMI Link and PCIe Lane Topology. Cited in 1 question. Open source.
- IETF RFC 8201 Path MTU Discovery for IP version 6 and RFC 1191 for IPv4. RFC 1191 Section 3: Host Specification and RFC 8201 on Path MTU Discovery. Cited in 1 question. Open source.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.