Digital Forensics: First Responder and Digital Evidence Advanced
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
About this mock
Hard-band FACT digital forensics drill on first responder doctrine and digital evidence admissibility in 2026 India. Synthesis-level questions span Section 65B IEA 1872 and Section 63 BSA 2023 with sub-clause precision, the Anvar P.V. (2014), Shafhi Mohammad (2018, overruled), Arjun Panditrao Khotkar (2020), and Tomaso Bruno (2015, per incuriam) line, the new BNSS 2023 search and production framework (Sections 94, 103, 105, 185, 186), the IT Act 2000 (Sections 69, 79A, 80, 84A), NIST SP 800-88 Revision 1 sanitization categories with media-type boundaries, RFC 3227 seven-layer volatility, hash deprecation (MD5 Wang-Yu 2005, SHA-1 SHAttered 2017, Shambles 2020), memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) with smear analysis, imaging formats (raw dd, E01, Ex01, AFF4, L01) with integrity-tag granularity, write blockers (Tableau T35689iu, T356887iu, T7u, T8u NVMe), encryption recovery scenarios (LUKS2 Argon2id, BitLocker TPM, FileVault 2, APFS), iOS BFU vs AFU state, checkm8 boundary (A5 to A11), and chain-of-custody curable-versus-fatal-break doctrine. Distractor design uses one-parameter swaps across statute subsections, vendor model numbers, RFC layer ordering, and judgment names so that surface familiarity is insufficient.
Calibrated for candidates targeting the top decile in the FACT digital forensics paper, NFSU MSc digital forensics entrance, and the cyber-crime modules of the UGC-NET Forensic Science Paper II. Useful as a final-stretch verification drill for examinees who have cleared the easy and applied-scenarios sets and need to test edge cases. Aim for 30 to 40 percent accuracy; hard-band distractors differ from the correct answer on one specific parameter (one statute subsection, one model number, one RFC layer, one judgment name) and a single misread will pull you onto the wrong option.
Topics covered:
- Section 65B IEA 1872 and Section 63 BSA 2023 sub-clause precision
- Anvar, Shafhi, Arjun Panditrao, Tomaso Bruno case line
- BNSS 94, 103, 105, 185, 186 with CrPC counterparts
- IT Act 69, 79A, 80, 84A interception and expert-evidence powers
- NIST SP 800-88 Rev 1 Clear, Purge, Destroy by media type
- RFC 3227 seven-layer order of volatility
- Hash deprecation timeline MD5, SHA-1, SHAttered, Shambles
- Memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) and smear
Written by ForensicSpot Editorial. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 3 questions
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal
(2020) 7 SCC 1, Supreme Court of India, three-judge bench, paras 59 to 73 on Shafhi Mohammad
- cited in 2 questions
Information Technology Act 2000
Section 79A IT Act 2000, Examiner of Electronic Evidence; read with Section 45A IEA and Section 39(2) BSA
Open source - cited in 2 questions
Kissel, R., Regenscheid, A., Scholl, M., Stine, K. — NIST SP 800-88 Revision 1
Guidelines for Media Sanitization, Appendix A, flash media sanitization matrix
Open source - cited in 2 questions
Indian Evidence Act 1872 and Bharatiya Sakshya Adhiniyam 2023
Section 65B(4) IEA and Section 63(4) BSA, person occupying a responsible official position
Open source - cited in 2 questions
Bharatiya Nagarik Suraksha Sanhita 2023
Section 105 BNSS, audio-video recording of search and seizure, forwarding to magistrate
Open source - cited in 2 questions
Ligh, M.H., Case, A., Levy, J., Walters, A.
The Art of Memory Forensics, Wiley 2014, memory smear and acquisition-tool limitations
- cited in 1 question
Apple Platform Security Guide
Data protection classes, Before-First-Unlock and After-First-Unlock state semantics on iOS
Open source - cited in 1 question
Microsoft Learn — File System Internals
NTFS USN journal, $UsnJrnl:$J and $UsnJrnl:$Max alternate data streams; Carrier, FSFA
Open source - cited in 1 question
Microsoft Learn — BitLocker Recovery Guide
BitLocker recovery key escrow in Active Directory Domain Services and Microsoft Entra ID; msFVE-RecoveryInformation attribute
Open source - cited in 1 question
Cellebrite — Mobile Forensic Solutions
Checkm8 Acquisition documentation for Apple A5 to A11 devices; comparison with Advanced Logical and FFS profiles
Open source - cited in 1 question
Carrier, Brian
File System Forensic Analysis, Addison-Wesley, NTFS FILETIME timestamps and nanosecond-component analysis
- cited in 1 question
Cohen, M., Garfinkel, S., Schatz, B.
Extending the Advanced Forensic Format to accommodate multiple data sources, DFRWS 2009; libewf documentation
Open source - cited in 1 question
axi0mX — checkm8 disclosure
Boot ROM exploit affecting Apple A5 to A11 chips, September 2019; checkra1n implementation
Open source - cited in 1 question
Bureau of Police Research and Development
Cyber Crime Investigation Manual, chain-of-custody procedures and remedial documentation
Open source - cited in 1 question
Wang, X., Yu, H. — CRYPTO 2005
How to Break MD5 and Other Hash Functions; Sotirov, Stevens et al. (2008) MD5 considered harmful today, chosen-prefix collision on X.509
Open source - cited in 1 question
OpenText Tableau — Forensic Bridges
Tableau T8u Forensic USB 3.1 Bridge for NVMe; product specification and NIST CFTT validation
Open source - cited in 1 question
Kent, K., Chevalier, S., Grance, T., Dang, H. — NIST SP 800-86
Guide to Integrating Forensic Techniques into Incident Response, Section 3, live and dead acquisition strategies
Open source - cited in 1 question
Brezinski, D., Killalea, T. — RFC 3227
Guidelines for Evidence Collection and Archiving, IETF, February 2002, Section 2.1 Order of Volatility
Open source - cited in 1 question
Fruhwirth, C., Broz, M.
LUKS2 on-disk format specification, Argon2id key derivation parameters; cryptsetup manual
Open source - cited in 1 question
Selvi v. State of Karnataka
(2010) 7 SCC 263, paras 222 to 225; Section 27 IEA 1872 and Section 23 BSA 2023
Open source - cited in 1 question
Leurent, G., Peyrin, T. — SHA-1 is a Shambles
USENIX Security 2020; Stevens, Bursztein, Karpman, Albertini, Markov, The first collision for full SHA-1, CRYPTO 2017
Open source - cited in 1 question
Bharatiya Nagarik Suraksha Sanhita 2023 and Code of Criminal Procedure 1973
Section 94 BNSS corresponding to Section 91 CrPC, production of documents
Open source - cited in 1 question
OpenText EnCase — User Guide
EnCase Evidence File formats EWF v1 (E01) and EWF v2 (Ex01); libewf documentation
Open source
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: First Responder and Digital Evidence Advanced mock cover?+
Hard-band FACT digital forensics drill on first responder doctrine and digital evidence admissibility in 2026 India. Synthesis-level questions span Section 65B IEA 1872 and Section 63 BSA 2023 with sub-clause precision, the Anvar P.V. (2014), Shafhi Mohammad (2018, overruled), Arjun Panditrao Khotkar (2020), and Tomaso Bruno (2015, per incuriam) line, the new BNSS 2023 search and production framework (Sections 94, 103, 105, 185, 186), the IT Act 2000 (Sections 69, 79A, 80, 84A), NIST SP 800-88 R
How many questions and how long is the test?+
30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.
Who is this mock for?+
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?+
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?+
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.