Digital Forensics: First Responder and Digital Evidence Applied Scenarios
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
Scenario-driven FACT entrance drill on first-responder decisions and digital evidence handling. Every question is set in a working investigation: encrypted volumes that have to be imaged before the keys leave RAM, NVMe drives that the spare SATA write blocker cannot touch, E01 versus AFF4 versus raw dd format choices that turn on case-data and compression needs, chain-of-custody gaps that the prosecution has to repair with contemporaneous records, and Section 65B IEA / Section 63 BSA certificates signed by the wrong person. The questions test which procedure or provision actually applies to the facts, not what the textbook definition is in isolation.
Built for FACT aspirants and NFSU MSc digital forensics entrance candidates who have finished the easy-band material and now want medium-band scenarios. CHFI, GCFA, and BPRD digital-evidence trainees will find the same cases. Coverage cross-cites the new Indian criminal codes (BNSS 2023, BSA 2023) against their CrPC 1973 and Indian Evidence Act 1872 ancestors, with the Supreme Court rulings in Anvar P.V. v. P.K. Basheer (2014) and Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) running through the certificate questions.
Topics covered:
- Live vs dead acquisition under encrypted-volume facts
- Order of volatility on hybrid disk, RAM, and remote-log scenes
- Write blocker selection: SATA vs NVMe vs software USB hooks
- Imaging formats: raw dd, E01, AFF4 chosen by case requirements
- Hash collision handling and SHA-1/MD5 deprecation timing
- Chain of custody breach scenarios and their statutory remedies
- BNSS 2023 search and seizure, audio-video recording under Section 105
- FileVault, BitLocker, LUKS key handling and recovery-key custody
- NTFS vs FAT32 quick-format recovery, MFT-wipe carving constraints
- Timestomp detection via $STANDARD_INFORMATION vs $FILE_NAME attributes
- Mobile seizure: BFU, Faraday bag failure, airplane mode trade-offs
- Panch witness role in panchnama under BNSS Section 103
Aim for 50 to 60 percent accuracy: medium-band distractors share most attributes with the right answer and a single misread will pull you onto the wrong one. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 3 questions
Brezinski, D. and Killalea, T. — RFC 3227
Guidelines for Evidence Collection and Archiving, IETF, Section 2.1 Order of Volatility
Open source - cited in 3 questions
Bharatiya Nagarik Suraksha Sanhita 2023
Section 103, independent and respectable inhabitants of the locality
Open source - cited in 3 questions
Ayers, R., Brothers, S., Jansen, W. — NIST SP 800-101 Rev 1
Guidelines on Mobile Device Forensics, Faraday isolation and seal failure
Open source - cited in 3 questions
Carrier, Brian
File System Forensic Analysis, Addison-Wesley, NTFS metadata and file carving
- cited in 2 questions
Lyle, J. — NIST Computer Forensics Tool Testing Program
Software Write Block Tool Specification and Test Plan
Open source - cited in 2 questions
Bureau of Police Research and Development
Cyber Crime Investigation Manual, Annex on Chain of Custody Form
Open source - cited in 1 question
Apple Platform Security Guide
FileVault personal recovery key, volume encryption with the T2 / Apple silicon Secure Enclave
Open source - cited in 1 question
Bharatiya Nagarik Suraksha Sanhita 2023 and Code of Criminal Procedure 1973
Sections 103, 105, 185 BNSS corresponding to Sections 100, 165 CrPC
Open source - cited in 1 question
Garfinkel, S.
Expert Witness Format (EWF/E01) verification semantics and libewf documentation
Open source - cited in 1 question
Garfinkel, S. — Digital Forensics Research Conference
Evolving forensic image formats from raw to EWF and AFF, comparative analysis
Open source - cited in 1 question
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal
(2020) 7 SCC 1, Supreme Court of India, three-judge bench on Section 65B(4) certificate
- cited in 1 question
- cited in 1 question
Indian Evidence Act 1872 and Bharatiya Sakshya Adhiniyam 2023
Section 65B(4) IEA and Section 63(4) BSA, certificate of person responsible
Open source - cited in 1 question
Cohen, M., Garfinkel, S., Schatz, B.
Extending the Advanced Forensic Format to accommodate multiple data sources, DFRWS 2009
Open source - cited in 1 question
Kent, K., Chevalier, S., Grance, T., Dang, H. — NIST SP 800-86
Guide to Integrating Forensic Techniques into Incident Response, Section 3, encrypted volume handling
Open source - cited in 1 question
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.
The first collision for full SHA-1 (SHAttered), CRYPTO 2017; NIST SP 800-131A
Open source - cited in 1 question
Garfinkel, S., Malan, D., Dubec, K.A., Stevens, C.C., Pham, C.
Disk imaging with the dc3dd patched version of GNU dd, DFRWS 2007
Open source - cited in 1 question
Wang, X., Yu, H., Yin, Y.L.
Efficient Collision Search Attacks on MD5, CRYPTO 2005; NIST hash function policy
Open source - cited in 1 question
NVM Express Inc. — NVMe Base Specification
Revision 2.0, NVMe Admin and I/O command sets, Write Zeroes and Sanitize
Open source - cited in 1 question
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.