Skip to content
Digital Forensicsmedium Premium

Digital Forensics: Computer Hardware and File Systems Applied Scenarios

Published:

Questions

30

Duration

30 min

Faculty-reviewed

0

Updated

20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Applied-scenario drill on computer hardware and file systems for the FACT digital forensics paper, pitched at the medium difficulty band where the question describes a real-world seizure or lab situation and the candidate must pick the technique, structure, or statute that fits. Coverage spans long-mode x86-64 instruction execution, DDR4 ECC behaviour, virtual memory and page-table translation during RAM acquisition, HDD zoned bit recording and LBA, SSD flash translation layer (FTL) and TRIM with garbage collection, MBR extended partitions and hybrid MBR alongside GPT, GPT backup-header recovery, NTFS resident versus non-resident $DATA, ext4 extents versus ext3 indirect blocks, ext4 journal modes (writeback, ordered, journal), APFS clones, $STANDARD_INFORMATION versus $FILE_NAME timestomp detection, NTFS $LogFile versus USN journal, exFAT versus FAT32 for large files, HFS+ versus APFS macOS timeline, pagefile.sys and hiberfil.sys as RAM residue, UEFI Secure Boot with EFI System Partition, the POST boot stage, NIC checksum offload artefacts in PCAP, PMTUD black holes from MTU mismatch, NVMe-direct-to-CPU versus SATA-through-PCH topology, ECC scrubbing in cold-boot key recovery, and 4Kn versus 512e imaging offset issues.

The pack is meant for FACT aspirants who have cleared an easy-band hardware mock and now want scenario-style questions that force them to choose between near-neighbour techniques and adjacent structures, the same calibration the FACT digital forensics paper applies. It is also useful for NFSU MSc cyber forensics entrance candidates, CDAC PG-DCSF students, and SI-to-Inspector cyber-cell promotion aspirants in state CIDs.

Topics covered:

  • Long mode and page-table translation in live acquisition
  • DDR4 ECC, scrubbing, and cold-boot key recovery windows
  • HDD zoned recording, SSD FTL, and TRIM-driven garbage collection
  • MBR extended partitions, GPT backup header, hybrid MBR scenarios
  • NTFS MFT resident attributes, USN journal, $LogFile timeline
  • ext4 extents and journal modes (writeback, ordered, journal)
  • APFS clones, HFS+ to APFS macOS file-system timeline
  • UEFI Secure Boot, EFI System Partition, NVMe versus SATA topology

Use this mock after the easy-band hardware pack and before attempting the digital-forensics mixed full-length.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Carrier, Brian, File System Forensic Analysis, Addison-Wesley 2005

    Chapter 13: NTFS Concepts, Standard Information and File Name Attributes

    cited in 4 questions
  • UEFI Forum, Unified Extensible Firmware Interface Specification

    UEFI Specification 2.10, Section 5.3 GPT Header, Backup GPT at LBA-1

    Open source
    cited in 3 questions
  • Russinovich, Solomon, Ionescu, Yosifovich, Windows Internals 7th Edition Part 1

    Chapter 5: Memory Management, Virtual Address Translation

    cited in 2 questions
  • Linux kernel documentation, Filesystems ext4

    Documentation/filesystems/ext4.rst, Journal Modes journal, ordered, writeback

    Open source
    cited in 2 questions
  • Apple Inc., Apple File System Reference

    Apple File System Reference, Introduction and Adoption Timeline

    Open source
    cited in 2 questions
  • T13 Technical Committee, ATA Command Set Standard

    INCITS 529 (ACS-4), Section on Drive Geometry Reporting and LBA

    cited in 1 question
  • IEEE Standards Association, IEEE 802.3 Ethernet Standard

    IEEE Std 802.3, Section on Hardware Checksum Offload and NIC Capture Path

    Open source
    cited in 1 question
  • Microsoft Corporation, How NTFS Works

    Microsoft Docs, NTFS Master File Table, Resident and Non-Resident Attributes

    Open source
    cited in 1 question
  • International Disk Drive Equipment and Materials Association (IDEMA), Advanced Format Specification

    IDEMA Document AF-005, 4K Sector Implementation Guide, 4Kn versus 512e

    cited in 1 question
  • ECMA International, ECMA-167 Volume and File Structure for Read-Only and Write-Once Media

    ECMA-167 Part 3, Multi-session Recording and Volume Recognition

    Open source
    cited in 1 question
  • JEDEC Solid State Technology Association, DDR4 SDRAM Standard

    JESD79-4C, Section on Registered ECC DIMMs and Error Reporting

    Open source
    cited in 1 question
  • UEFI Forum, Unified Extensible Firmware Interface Platform Initialization Specification

    UEFI PI Specification 1.7, Volume 1: Pre-EFI Initialization (PEI) and Driver Execution Environment (DXE)

    Open source
    cited in 1 question
  • National Institute of Standards and Technology, Computer Forensics Tool Testing Program

    NIST CFTT, Hardware Write Blocker Specification Version 2.0

    Open source
    cited in 1 question
  • NIST Special Publication 800-86

    Guide to Integrating Forensic Techniques into Incident Response, Solid State Storage Acquisition

    Open source
    cited in 1 question
  • Microsoft Corporation, FAT32 File System Specification

    Microsoft FAT32 File System Specification 1.03, Section on Directory Entry Format

    Open source
    cited in 1 question
  • Microsoft Corporation, exFAT File System Specification

    Microsoft exFAT File System Specification, Revision 1.00

    Open source
    cited in 1 question
  • Microsoft Corporation, NTFS Technical Reference

    Microsoft Docs, NTFS Log File and Change Journal

    Open source
    cited in 1 question
  • Halderman, J. Alex et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University 2008

    Cold-Boot RAM Persistence and ECC Scrubbing Behaviour

    Open source
    cited in 1 question
  • Intel Corporation, Intel 64 and IA-32 Architectures Software Developer's Manual

    Volume 3A, Chapter 3: Protected-Mode Memory Management and IA-32e Long Mode

    Open source
    cited in 1 question
  • NVM Express Inc., NVM Express Base Specification

    NVMe Specification 2.0, Section on Namespace and Address Reporting

    Open source
    cited in 1 question
  • Intel Corporation, Platform Controller Hub Datasheet

    Intel 600 Series Chipset Family PCH Datasheet, Volume 1, DMI Link and PCIe Lane Topology

    Open source
    cited in 1 question
  • IETF RFC 8201 Path MTU Discovery for IP version 6 and RFC 1191 for IPv4

    RFC 1191 Section 3: Host Specification and RFC 8201 on Path MTU Discovery

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Computer Hardware and File Systems Applied Scenarios mock cover?+

Applied-scenario drill on computer hardware and file systems for the FACT digital forensics paper, pitched at the medium difficulty band where the question describes a real-world seizure or lab situation and the candidate must pick the technique, structure, or statute that fits. Coverage spans long-mode x86-64 instruction execution, DDR4 ECC behaviour, virtual memory and page-table translation during RAM acquisition, HDD zoned bit recording and LBA, SSD flash translation layer (FTL) and TRIM wit

How many questions and how long is the test?+

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?+

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?+

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?+

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.