Digital Forensics: Malware Analysis Advanced
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. The mock walks through the following areas.
PE internals and packing: PE Optional Header internals (Magic 0x10B for PE32 versus 0x20B for PE32+, IMAGE_FILE_HEADER Characteristics, DataDirectory[9] TLS callbacks, DataDirectory[6] debug, DataDirectory[10] load config), plus section flag combinations and entropy thresholds for packer detection.
Process injection technique discrimination: classic CreateRemoteThread, APC injection, SetWindowsHookEx, reflective DLL, process hollowing, process doppelganging via Transactional NTFS, Atom Bombing, and Module Stomping.
Memory forensics: Volatility 3 plugin selection (malfind versus hollowfind versus ldrmodules versus threads) and VAD tag interpretation (VadS plus PAGE_EXECUTE_READWRITE plus CommitCharge).
Detection and classification: Sysmon event ID one-parameter swaps (1, 3, 7, 8, 11, 12, 13, 14, 22, 25), YARA condition semantics (any/all-of, pe.imports, math.entropy), and MITRE ATT&CK technique ID precision (T1547.001, T1053.005, T1543.003, T1055.012, T1218.011, T1027, T1059.001).
Anti-analysis and C2: anti-debug primitive discrimination (IsDebuggerPresent versus NtQueryInformationProcess ProcessDebugPort 0x07, PEB.BeingDebugged versus PEB.NtGlobalFlag at PEB+0xBC), Cobalt Strike Malleable C2 sleep-and-jitter, and JA3 TLS fingerprint construction order.
Similarity hashing and cryptography: imphash collision provenance, ssdeep versus sdhash versus TLSH score-scale interpretation, ransomware hybrid cryptography (Curve25519 plus ChaCha20-Poly1305 versus RSA-2048 plus AES-256-CBC), and CTR mode IV reuse failure.
Persistence, rootkits and timestamps: _EPROCESS ActiveProcessLinks DKOM unlinking, Run versus RunOnce versus IFEO registry persistence, HKLM versus HKCU scope, and the NTFS timestomp nanosecond signal in $STANDARD_INFORMATION versus $FILE_NAME.
Law: IT Act 2000 sections 65, 66, 66B, 66C.
Target audience: NFSU MSc Forensic Science / Cyber Security students, FACT digital forensics aspirants who have completed the easy and medium bands of this topic, candidates revising for GREM, GCFA, CHFI, or CISSP examinations, and SOC analysts pivoting into reverse engineering and memory forensics work.
Topics covered:
Calibrated for ~30 to 40 percent accuracy across the hard band. Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and sourced from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations are shown only after you submit, so the test stays a real test.