Digital Forensics: Malware Analysis Advanced
Questions: 30 | Duration: 30 min | Faculty-reviewed: 0 | Updated: 20 May 2026
About this mock
Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. The mock walks through PE Optional Header internals (Magic 0x10B PE32 versus 0x20B PE32+, IMAGE_FILE_HEADER Characteristics, DataDirectory[9] TLS callbacks, DataDirectory[6] debug, DataDirectory[10] load config), section flag combinations and entropy thresholds for packer detection, process injection technique discrimination (classic CreateRemoteThread, APC injection, SetWindowsHookEx, reflective DLL, process hollowing, process doppelganging via Transactional NTFS, Atom Bombing, and Module Stomping), Volatility 3 plugin selection (malfind versus hollowfind versus ldrmodules versus threads), VAD tag interpretation (VadS plus PAGE_EXECUTE_READWRITE plus CommitCharge), Sysmon event ID one-parameter swaps (1, 3, 7, 8, 11, 12, 13, 14, 22, 25), YARA condition semantics (any/all-of, pe.imports, math.entropy), MITRE ATT&CK technique ID precision (T1547.001, T1053.005, T1543.003, T1055.012, T1218.011, T1027, T1059.001), anti-debug primitive discrimination (IsDebuggerPresent versus NtQueryInformationProcess ProcessDebugPort 0x07, PEB.BeingDebugged versus PEB.NtGlobalFlag at PEB+0xBC), Cobalt Strike Malleable C2 sleep-and-jitter, JA3 TLS fingerprint construction order, imphash collision provenance, ssdeep versus sdhash versus TLSH score-scale interpretation, ransomware hybrid cryptography (Curve25519 plus ChaCha20-Poly1305 versus RSA-2048 plus AES-256-CBC), CTR mode IV reuse failure, _EPROCESS ActiveProcessLinks DKOM unlinking, Run versus RunOnce versus IFEO registry persistence, HKLM versus HKCU scope, NTFS timestomp nanosecond signal in $STANDARD_INFORMATION versus $FILE_NAME, and IT Act 2000 sections 65, 66, 66B, 66C.
Target audience: NFSU MSc Forensic Science / Cyber Security students, FACT digital forensics aspirants who have completed the easy and medium bands of this topic, candidates revising for GREM, GCFA, CHFI, or CISSP examinations, and SOC analysts pivoting into reverse engineering and memory forensics work.
Topics covered:
- PE Optional Header Magic, IMAGE_FILE_HEADER, DataDirectory entries
- Section flag combinations and entropy thresholds for packing
- Process injection technique discrimination on one symptom
- Volatility 3 plugins and VAD interpretation
- Sysmon event IDs and YARA condition semantics
- MITRE ATT&CK technique-ID precision and anti-debug primitives
- Cobalt Strike, JA3, imphash, ssdeep, sdhash, TLSH
- Ransomware cryptography, persistence registry paths, timestomp, IT Act sections
Calibrated for ~30 to 40 percent accuracy across the hard band. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Ligh, Michael Hale; Case, Andrew; Levy, Jamie; Walters, AAron. The Art of Memory Forensics (Wiley, 2014), VAD tags and malfind detection logic. Cited in 2 questions.
- Sikorski, Michael; Honig, Andrew. Practical Malware Analysis (No Starch Press, 2012), Chapter 16: Anti-Debugging, PEB fields. Cited in 1 question.
- Information Technology Act, 2000 (as amended by Information Technology (Amendment) Act, 2008). Sections 65, 66, 66B, 66C, IT Act 2000. Open source; cited in 1 question.
- Mandiant. Tracking Malware with Import Hashing (imphash), Mandiant blog and pefile documentation, 2014. Open source; cited in 1 question.
- Althouse, John; Atkinson, Jeff; Atkins, Josh. JA3 - A method for profiling SSL/TLS clients, Salesforce Engineering Research, 2017. Open source; cited in 1 question.
- Cobalt Strike Documentation. Beacon sleep and jitter parameters in the Cobalt Strike User Guide. Open source; cited in 1 question.
- Eilam, Eldad. Reversing: Secrets of Reverse Engineering (Wiley, 2005), Chapter on Anti-Reverse Engineering. Cited in 1 question.
- Oliver, Jonathan; Cheng, Chun; Chen, Yanggui. TLSH - A Locality Sensitive Hash, 4th Cybercrime and Trustworthy Computing Workshop, 2013. Open source; cited in 1 question.
- NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation: Methods and Techniques, CTR mode. Open source; cited in 1 question.
- enSilo Research (Liberman, Tal). AtomBombing: A Code Injection that Bypasses Current Security Solutions, 2016, and Module Stomping references. Open source; cited in 1 question.
- NIST Special Publication 800-83. Guide to Malware Incident Prevention and Handling, hybrid cryptographic schemes in ransomware. Open source; cited in 1 question.
- Carrier, Brian. File System Forensic Analysis (Addison-Wesley, 2005), NTFS $STANDARD_INFORMATION and $FILE_NAME attributes. Cited in 1 question.
- Volatility Foundation. Volatility 3 documentation: windows.hollowfind, windows.malfind, windows.ldrmodules, windows.threads plugins. Open source.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Malware Analysis Advanced mock cover?
See the "About this mock" section above for the full list of topics.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.