Digital Forensics | hard | Premium

Digital Forensics: Malware Analysis Advanced

Published:

Questions: 30

Duration: 30 min

Faculty-reviewed: 0

Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. Static PE questions cover Optional Header internals (Magic 0x10B for PE32 versus 0x20B for PE32+, IMAGE_FILE_HEADER Characteristics, DataDirectory[9] TLS callbacks, DataDirectory[6] debug, DataDirectory[10] load config) together with section flag combinations and entropy thresholds for packer detection. Injection and memory-forensics questions discriminate between techniques (classic CreateRemoteThread, APC injection, SetWindowsHookEx, reflective DLL, process hollowing, process doppelganging via Transactional NTFS, AtomBombing, and Module Stomping), test Volatility 3 plugin selection (malfind versus hollowfind versus ldrmodules versus threads), VAD tag interpretation (VadS plus PAGE_EXECUTE_READWRITE plus CommitCharge), and _EPROCESS ActiveProcessLinks DKOM unlinking. Detection questions swap one parameter of a Sysmon event ID (1, 3, 7, 8, 11, 12, 13, 14, 22, 25), probe YARA condition semantics (any/all-of, pe.imports, math.entropy), and demand MITRE ATT&CK technique ID precision (T1547.001, T1053.005, T1543.003, T1055.012, T1218.011, T1027, T1059.001). Anti-analysis and C2 questions separate anti-debug primitives (IsDebuggerPresent versus NtQueryInformationProcess with ProcessDebugPort 0x07; PEB.BeingDebugged versus PEB.NtGlobalFlag, which sits at PEB+0xBC in the 64-bit PEB and PEB+0x68 in the 32-bit PEB) and cover Cobalt Strike Malleable C2 sleep-and-jitter, JA3 TLS fingerprint construction order, imphash collision provenance, and ssdeep versus sdhash versus TLSH score-scale interpretation. The remaining questions cover ransomware hybrid cryptography (Curve25519 plus ChaCha20-Poly1305 versus RSA-2048 plus AES-256-CBC), CTR mode IV reuse failure, Run versus RunOnce versus IFEO registry persistence, HKLM versus HKCU scope, the NTFS timestomp nanosecond signal in $STANDARD_INFORMATION versus $FILE_NAME, and IT Act 2000 sections 65, 66, 66B, 66C.
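A worked check of the first topic above (Optional Header Magic, IMAGE_FILE_HEADER Characteristics, DataDirectory[6]/[9]/[10], section flags and per-section entropy). This is an added example written for this page, not material from the mock or from any cited source. The PE32+ image it parses is constructed inline as a stand-in for a real sample (a uniform-byte section stands in for packed data), and the 7.0 bits-per-byte threshold and the "writable+executable plus high entropy" rule are assumptions the example uses, not values the mock asserts.

```python
import math
import struct

# winnt.h constants used below
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000     # IMAGE_SECTION_HEADER.Characteristics
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32, PE32PLUS = 0x10B, 0x20B          # IMAGE_OPTIONAL_HEADER.Magic
DIR_DEBUG, DIR_TLS, DIR_LOAD_CONFIG = 6, 9, 10   # DataDirectory indices
PACKED_ENTROPY = 7.0                   # assumed threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Walk DOS header -> NT signature -> file/optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (machine, nsections, _ts, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32:                      # NumberOfRvaAndSizes / DataDirectory offsets
        nrva_off, dd_off, fmt = opt + 92, opt + 96, "PE32"
    elif magic == PE32PLUS:
        nrva_off, dd_off, fmt = opt + 108, opt + 112, "PE32+"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", buf, nrva_off)[0]
    dirs = {}
    for name, idx in (("debug", DIR_DEBUG), ("tls", DIR_TLS),
                      ("load_config", DIR_LOAD_CONFIG)):
        rva, size = (struct.unpack_from("<II", buf, dd_off + 8 * idx)
                     if idx < nrva else (0, 0))
        dirs[name] = {"rva": rva, "size": size}
    sections = []
    for i in range(nsections):             # each IMAGE_SECTION_HEADER is 40 bytes
        off = opt + opt_size + 40 * i
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, off + 8)
        flags = struct.unpack_from("<I", buf, off + 36)[0]
        ent = shannon_entropy(buf[raw_ptr:raw_ptr + raw_size])
        wx = bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE)
        sections.append({"name": name, "va": vaddr, "flags": flags,
                         "entropy": round(ent, 2), "wx": wx,
                         "suspicious": wx and ent > PACKED_ENTROPY})
    return {"machine": machine, "format": fmt, "characteristics": chars,
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "is_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
            "dirs": dirs, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32+ image (headers plus two sections); not a real binary."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 2, 0, 0, 0, 240,
                     IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)    # x64, 2 sections, EXE
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32PLUS)
    struct.pack_into("<I", img, opt + 108, 16)              # NumberOfRvaAndSizes
    dd = opt + 112
    struct.pack_into("<II", img, dd + 8 * DIR_TLS, 0x3000, 0x28)          # TLS present
    struct.pack_into("<II", img, dd + 8 * DIR_LOAD_CONFIG, 0x3100, 0x140)  # debug left empty
    sec = opt + 240
    for i, (name, vaddr, raw_ptr, raw_size, flags) in enumerate([
            (b".text", 0x1000, 0x200, 0x200, 0x60000020),   # CODE|EXECUTE|READ
            (b"UPX1", 0x2000, 0x400, 0x400, 0xE0000040)]):  # IDATA|EXECUTE|READ|WRITE
        off = sec + 40 * i
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, raw_size, vaddr, raw_size, raw_ptr)
        struct.pack_into("<I", img, off + 36, flags)
    img[0x200:0x400] = b"\x48\x89\x5c\x24\x08" * 102 + b"\xc3\xc3"   # low-entropy "code"
    img[0x400:0x800] = bytes(range(256)) * 4                          # uniform: packed stand-in
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["format"], "DLL" if info["is_dll"] else "EXE")
    for k, d in info["dirs"].items():
        print(f"  DataDirectory {k:<11} rva={d['rva']:#x} size={d['size']:#x}")
    for s in info["sections"]:
        flag = "RWX + high entropy" if s["suspicious"] else ""
        print(f"  {s['name']:<8} flags={s['flags']:#010x} entropy={s['entropy']:.2f} {flag}")
```

On a real sample, pass the file bytes to `parse_pe` instead of `build_sample_pe()`; the same walk applies to PE32 images, where the DataDirectory starts 16 bytes earlier in the optional header.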

Target audience: NFSU MSc Forensic Science / Cyber Security students, FACT digital forensics aspirants who have completed the easy and medium bands of this topic, candidates revising for GREM, GCFA, CHFI, or CISSP examinations, and SOC analysts pivoting into reverse engineering and memory forensics work.

Topics covered:

  • PE Optional Header Magic, IMAGE_FILE_HEADER, DataDirectory entries
  • Section flag combinations and entropy thresholds for packing
  • Process injection technique discrimination on one symptom
  • Volatility 3 plugins and VAD interpretation
  • Sysmon event IDs and YARA condition semantics
  • MITRE ATT&CK technique-ID precision and anti-debug primitives
  • Cobalt Strike, JA3, imphash, ssdeep, sdhash, TLSH
  • Ransomware cryptography, persistence registry paths, timestomp, IT Act sections

Calibrated for ~30 to 40 percent accuracy across the hard band. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Microsoft

    Run and RunOnce Registry Keys, system-wide and per-user persistence semantics

    Open source
    cited in 6 questions
  • MITRE ATT&CK

    Techniques T1547.001, T1053.005, T1543.003 sub-technique pages

    Open source
    cited in 4 questions
  • Microsoft Sysinternals

    Sysmon documentation: RegistryEvent Event IDs 12, 13, and 14

    Open source
    cited in 3 questions
  • Ligh, Michael Hale; Case, Andrew; Levy, Jamie; Walters, AAron

    The Art of Memory Forensics (Wiley, 2014), VAD tags and malfind detection logic

    cited in 2 questions
  • YARA Documentation

    YARA pe and math modules: pe.imports and math.entropy functions

    Open source
    cited in 2 questions
  • Sikorski, Michael; Honig, Andrew

    Practical Malware Analysis (No Starch Press, 2012), Chapter 16: Anti-Debugging, PEB fields

    cited in 1 question
  • Information Technology Act, 2000 (as amended by Information Technology (Amendment) Act, 2008)

    Sections 65, 66, 66B, 66C, IT Act 2000

    Open source
    cited in 1 question
  • Mandiant

    Tracking Malware with Import Hashing (imphash), Mandiant blog and pefile documentation, 2014

    Open source
    cited in 1 question
  • Fewer, Stephen

    Reflective DLL Injection (2008) and MITRE ATT&CK Sub-technique T1055.001

    Open source
    cited in 1 question
  • Althouse, John; Atkinson, Jeff; Atkins, Josh

    JA3 - A method for profiling SSL/TLS clients, Salesforce Engineering Research, 2017

    Open source
    cited in 1 question
  • Cobalt Strike Documentation

    Beacon sleep and jitter parameters in the Cobalt Strike User Guide

    Open source
    cited in 1 question
  • Eilam, Eldad

    Reversing: Secrets of Reverse Engineering (Wiley, 2005), Chapter on Anti-Reverse Engineering

    cited in 1 question
  • Oliver, Jonathan; Cheng, Chun; Chen, Yanggui

    TLSH - A Locality Sensitive Hash, 4th Cybercrime and Trustworthy Computing Workshop, 2013

    Open source
    cited in 1 question
  • NIST Special Publication 800-38A

    Recommendation for Block Cipher Modes of Operation: Methods and Techniques, CTR mode

    Open source
    cited in 1 question
  • enSilo Research (Liberman, Tal)

    AtomBombing: A Code Injection that Bypasses Current Security Solutions, 2016, and Module Stomping references

    Open source
    cited in 1 question
  • NIST Special Publication 800-83

    Guide to Malware Incident Prevention and Handling, hybrid cryptographic schemes in ransomware

    Open source
    cited in 1 question
  • Carrier, Brian

    File System Forensic Analysis (Addison-Wesley, 2005), NTFS $STANDARD_INFORMATION and $FILE_NAME attributes

    cited in 1 question
  • Volatility Foundation

    Volatility 3 documentation: windows.hollowfind, windows.malfind, windows.ldrmodules, windows.threads plugins

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Malware Analysis Advanced mock cover?

Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. The full topic list (PE Optional Header internals, packer detection, process injection discrimination, Volatility 3 and VAD interpretation, Sysmon and YARA, MITRE ATT&CK IDs and anti-debug primitives, C2 and similarity hashing, ransomware cryptography, persistence, timestomping and IT Act sections) is given under "About this mock" above.

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
