Digital Forensics | medium | Premium

Digital Forensics: Malware Analysis Applied Scenarios

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

FACT digital forensics drill pitched at applied scenarios in malware analysis: triage decisions, PE static reads, dynamic detonation, memory forensics, persistence mapping, and the legal frame in India. Each question hands the candidate a piece of evidence drawn from a real workflow (a section entropy reading, an Import Address Table excerpt, a YARA fragment, a Sysmon event line, an ld.so.preload artefact, a launchd plist, an MFT timestamp pair) and asks which technique, tool, or statute fits.

Calibrated for B.Sc and M.Sc forensic-science aspirants preparing for FACT, NFSU MSc Digital Forensics entrance, and the SANS GREM and EC-Council CHFI tracks. The medium band sits between vocabulary recall and full reverse-engineering case work: the candidate must connect two ideas in a single question (entropy plus section name, command-line plus parent process, registry path plus ATT&CK technique) rather than restate a single definition.

Topics covered:

  • Static triage: packers, section entropy, imphash and import tables
  • Dynamic detonation: Cuckoo and CAPE for fileless PowerShell loaders
  • Process injection signatures: VirtualAllocEx, process hollowing, doppelganging
  • Memory forensics: Volatility malfind and unbacked RWX regions
  • Persistence across Windows, Linux, and macOS with ATT&CK mapping
  • Behaviour patterns: C2 beaconing, DGA, ssdeep similarity, Pyramid of Pain
  • NTFS anti-forensics: timestomp and partial USN journal recovery
  • Indian cyber law: IT Act Sections 43, 66, and 70 selection

Answers, options, and detailed explanations are revealed only after submission on the results page. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • MITRE ATT&CK

    Technique T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

    Open source
    cited in 9 questions
  • Sikorski, Michael; Honig, Andrew

    Practical Malware Analysis (No Starch Press, 2012), Chapter 1: Basic Static Techniques

    cited in 7 questions
  • Carrier, Brian

    File System Forensic Analysis (Addison-Wesley, 2005), Chapter on NTFS Log Files

    cited in 2 questions
  • Microsoft Sysinternals

    Process Monitor filters for ransomware behaviour, Russinovich and Cogswell

    Open source
    cited in 2 questions
  • Antonakakis, Manos et al.

    From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, USENIX Security 2012

    Open source
    cited in 1 question
  • Kornblum, Jesse

    Identifying almost identical files using context triggered piecewise hashing, Digital Investigation, 2006

    Open source
    cited in 1 question
  • Ligh, Michael Hale; Case, Andrew; Levy, Jamie; Walters, AAron

    The Art of Memory Forensics (Wiley, 2014), Chapter on Code Injection and malfind

    cited in 1 question
  • Volatility Foundation

    Volatility Framework documentation: malfind plugin behaviour

    Open source
    cited in 1 question
  • NIST Special Publication 800-86

    Guide to Integrating Forensic Techniques into Incident Response, Section on Volatile Data Collection

    Open source
    cited in 1 question
  • Bianco, David J.

    The Pyramid of Pain, Enterprise Detection and Response blog, 2013

    Open source
    cited in 1 question
  • Apple Developer Documentation

    launchd.plist man page and Daemons and Services Programming Guide

    Open source
    cited in 1 question
  • YARA Documentation

    Writing YARA rules: string sets, the of expression, and the at operator

    Open source
    cited in 1 question
  • Information Technology Act, 2000

    Sections 43 and 66, computer-related contraventions and offences

    Open source
    cited in 1 question
  • Mandiant

    Tracking Malware with Import Hashing (imphash), Mandiant research blog and PEfile docs, 2014

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Malware Analysis Applied Scenarios mock cover?

See "About this mock" above: applied malware-analysis scenarios covering triage decisions, PE static reads, dynamic detonation, memory forensics, persistence mapping, and the legal frame in India.

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
