Digital Forensics · Difficulty: easy · Tier: Premium

Digital Forensics: Malware Forensics and Reverse Engineering Foundations

Reviewed by Sourabh · 20 May 2026

  • Questions: 30
  • Duration: 30 min
  • Faculty-reviewed: 0
  • Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

A FACT Digital Forensics paper drill on malware forensics from the analyst's bench. It covers the classical taxonomy of viruses, worms, and Trojans; the ransomware family with its locker and crypto classes and the worm-style propagation behind WannaCry (2017) and NotPetya (2017) through the EternalBlue SMBv1 exploit; the spyware versus adware distinction; user-mode and kernel-mode rootkits and hardware keyloggers; and fileless malware that lives in memory through PowerShell and WMI. On the static side it covers the Windows Portable Executable (PE) format with its DOS header, NT headers, and Import Address Table (IAT), the Linux Executable and Linkable Format (ELF) defined in the System V ABI, the strings utility for fast triage, YARA pattern matching, the Mandiant imphash, and packer recognition through UPX section names and high entropy. Dynamic analysis is covered through the Cuckoo and CAPE sandboxes, Sysinternals Process Monitor on Windows, Wireshark for command-and-control traffic capture inside the sandbox, and anti-VM checks through CPUID and MAC OUI inspection; reverse engineering through Ghidra (NSA, 2019) and x64dbg. Threat intelligence topics include the IoC taxonomy spanning hashes, IP addresses, domains, registry keys, and mutexes, OASIS STIX and TAXII for sharing, David Bianco's Pyramid of Pain (2013), and the MITRE ATT&CK tactics and techniques matrix.

For FACT aspirants and MSc digital forensics students working through malware analysis and incident response modules, and useful as a revision pass before NFSU MSc, GREM, GCFA, and CHFI exams. Questions emphasise definitions, tooling, and the registry and file system artefacts an incident responder hunts for, with explicit references to NIST SP 800-83, NIST SP 800-86, and the standard textbooks by Sikorski and Honig, Ligh and colleagues, and Casey.

Topics covered:

  • Malware taxonomy: virus, worm, Trojan, ransomware, spyware, adware
  • Rootkits, keyloggers (hardware and software), and fileless malware
  • Static analysis: PE format, ELF format, strings, YARA, imphash, packers
  • Dynamic analysis: Cuckoo and CAPE sandboxes, Process Monitor, Wireshark, anti-VM
  • Reverse engineering: Ghidra and x64dbg user-mode debugging
  • Indicators of Compromise, STIX and TAXII, Pyramid of Pain, MITRE ATT&CK
  • Persistence: Windows Run keys, Scheduled Tasks, Linux cron and systemd
  • Memory forensics with Volatility and the order of volatility (RFC 3227, NIST 800-86)

Useful for revision and self-testing before the FACT Digital Forensics paper.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Sikorski, Michael; Honig, Andrew. Practical Malware Analysis (No Starch Press, 2012), and MITRE ATT&CK references on script-based execution. Open source. Cited in 7 questions.
  • Microsoft. Windows Registry Run and RunOnce Keys documentation; MITRE ATT&CK Boot or Logon Autostart Execution. Open source. Cited in 3 questions.
  • Casey, Eoghan. Digital Evidence and Computer Crime, 3rd Edition (Academic Press, 2011), chapter on Indicators and Incident Response. Cited in 2 questions.
  • MITRE ATT&CK. MITRE ATT&CK framework documentation, Enterprise matrix. Open source. Cited in 2 questions.
  • NIST Special Publication 800-83. Guide to Malware Incident Prevention and Handling for Desktops and Laptops, Section 2: Malware Categories. Open source. Cited in 2 questions.
  • Bianco, David. The Pyramid of Pain, blog post 2013, later expanded in SANS reading-room material. Open source. Cited in 1 question.
  • National Security Agency. Ghidra Software Reverse Engineering Framework, open-source release 2019. Open source. Cited in 1 question.
  • NIST Special Publication 800-86. Guide to Integrating Forensic Techniques into Incident Response, section on Order of Volatility; aligned with IETF RFC 3227. Open source. Cited in 1 question.
  • YARA Documentation. The YARA project, originally developed by VirusTotal, rule writing and conditions. Open source. Cited in 1 question.
  • Microsoft Sysinternals. Process Monitor documentation, originally by Mark Russinovich and Bryce Cogswell. Open source. Cited in 1 question.
  • x64dbg. x64dbg open-source user-mode debugger for Windows, official documentation. Open source. Cited in 1 question.
  • OASIS Cyber Threat Intelligence Technical Committee. STIX 2.1 and TAXII 2.1 specifications. Open source. Cited in 1 question.
  • Nelson, Bill; Phillips, Amelia; Steuart, Christopher. Guide to Computer Forensics and Investigations, 6th Edition (Cengage), chapter on Malware Categories. Cited in 1 question.
  • System V Application Binary Interface. Chapter on the Executable and Linkable Format (ELF), Linux Foundation reference. Open source. Cited in 1 question.
  • CERT-In. Advisory on NotPetya ransomware and EternalBlue propagation (2017). Open source. Cited in 1 question.
  • Ligh, Michael Hale; Case, Andrew; Levy, Jamie; Walters, AAron. The Art of Memory Forensics (Wiley, 2014); Volatility Foundation documentation. Open source. Cited in 1 question.
  • Mandiant. Tracking Malware with Import Hashing (imphash), Mandiant blog and pefile documentation, 2014. Open source. Cited in 1 question.
  • CAPE Sandbox Documentation. CAPE Sandbox project documentation, successor to the Cuckoo Sandbox lineage. Open source. Cited in 1 question.
  • Ligh, Michael Hale; Adair, Steven; Hartstein, Blake; Richard, Matthew. Malware Analyst's Cookbook (Wiley, 2011), chapter on Rootkits and System Call Hooking. Cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Malware Forensics and Reverse Engineering Foundations mock cover?

See the "About this mock" section above for the full list of topics.

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
