Digital Forensics: Malware Analysis Applied Scenarios
Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
FACT digital forensics drill pitched at applied scenarios in malware analysis: triage decisions, PE static reads, dynamic detonation, memory forensics, persistence mapping, and the legal frame in India. Each question hands the candidate a piece of evidence drawn from a real workflow (a section entropy reading, an Import Address Table excerpt, a YARA fragment, a Sysmon event line, an ld.so.preload artefact, a launchd plist, an MFT timestamp pair) and asks which technique, tool, or statute fits.
Calibrated for B.Sc and M.Sc forensic-science aspirants preparing for FACT, NFSU MSc Digital Forensics entrance, and the SANS GREM and EC-Council CHFI tracks. The medium band sits between vocabulary recall and full reverse-engineering case work: the candidate must connect two ideas in a single question (entropy plus section name, command-line plus parent process, registry path plus ATT&CK technique) rather than restate a single definition.
Topics covered:
- Static triage: packers, section entropy, imphash and import tables
- Dynamic detonation: Cuckoo and CAPE for fileless PowerShell loaders
- Process injection signatures: VirtualAllocEx, process hollowing, doppelganging
- Memory forensics: Volatility malfind and unbacked RWX regions
- Persistence across Windows, Linux, and macOS with ATT&CK mapping
- Behaviour patterns: C2 beaconing, DGA, ssdeep similarity, Pyramid of Pain
- NTFS anti-forensics: timestomp and partial USN journal recovery
- Indian cyber law: IT Act Sections 43, 66, and 70 selection
Answers, options, and detailed explanations are revealed only after submission on the results page. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- [source name not recovered on this page] - cited in 9 questions
- [source name not recovered on this page] - cited in 7 questions
- Sikorski, Michael; Honig, Andrew. Practical Malware Analysis (No Starch Press, 2012), Chapter 1: Basic Static Techniques - cited in 2 questions
- Carrier, Brian. File System Forensic Analysis (Addison-Wesley, 2005), Chapter on NTFS Log Files - cited in 2 questions
- Microsoft Sysinternals (Russinovich and Cogswell). Process Monitor filters for ransomware behaviour - open source, cited in 1 question
- Antonakakis, Manos et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, USENIX Security 2012 - open source, cited in 1 question
- Kornblum, Jesse. Identifying almost identical files using context triggered piecewise hashing, Digital Investigation, 2006 - open source, cited in 1 question
- Ligh, Michael Hale; Case, Andrew; Levy, Jamie; Walters, AAron. The Art of Memory Forensics (Wiley, 2014), Chapter on Code Injection and malfind - cited in 1 question
- [source name not recovered on this page] - cited in 1 question
- NIST Special Publication 800-86. Guide to Integrating Forensic Techniques into Incident Response, Section on Volatile Data Collection - open source, cited in 1 question
- [source name not recovered on this page] - cited in 1 question
- Apple Developer Documentation. launchd.plist man page and Daemons and Services Programming Guide - open source, cited in 1 question
- YARA Documentation. Writing YARA rules: string sets, the of expression, and the at operator - open source, cited in 1 question
- Information Technology Act, 2000. Sections 43 and 66, computer-related contraventions and offences - open source, cited in 1 question
- Mandiant. Tracking Malware with Import Hashing (imphash), Mandiant research blog and PEfile docs, 2014 - open source
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Malware Analysis Applied Scenarios mock cover?
See "About this mock" above for the full scope: triage decisions, PE static reads, dynamic detonation, memory forensics, persistence mapping, and the legal frame in India, each question built around a piece of evidence from a real workflow.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.