Digital Forensics: Network Forensics and Investigation Advanced
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. Subnet arithmetic on 192.168.10.83/27 is checked at both ends (broadcast and first usable host), aggregation of four contiguous /24s into a single /22 is asked as a CIDR exercise, and longest-prefix match resolves a deliberate overlap between a parent /16 and a child /18 in a routing table. IPv4 header byte offsets (counting from zero) pin TTL at byte 8, Protocol at byte 9, Source IP at bytes 12 to 15, and Destination IP at bytes 16 to 19. The TCP control byte is unpacked in URG-ACK-PSH-RST-SYN-FIN order (bit 5 down to bit 0), the MSS option (Kind 2, Length 4) sits next to SACK-Permitted (Kind 4, Length 2) and SACK ranges (Kind 5), and the JA3 fingerprint field order is fixed as SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat.

Other questions hold WPA2 message 3 as the GTK delivery vehicle, place the PMKID in WPA2 message 1, contrast IKEv2 IKE_SA_INIT with IKE_AUTH payloads, and read Cisco administrative distances, show ip route codes, OSPF E1 versus E2 externals, and Zeek conn.log field order.

The paper is calibrated for the FACT entrance exam at the advanced band and is equally useful for the MSc Digital Forensics network elective at NFSU, GIAC GCIA and GNFA candidates, and SANS FOR572 students who want a tight precision test of the byte-level fluency that every network forensics tool assumes.

Topics covered:
- Subnet math, CIDR aggregation, route table overlap and longest-prefix match
- IPv4 and IPv6 header byte offsets, TCP control bit ordering, TCP options (MSS, SACK)
- TLS 1.2 vs TLS 1.3 cipher suite identifiers and the JA3 client fingerprint construction
- BGP path attributes, OSPF Hello and Dead intervals, OSPF external Type 1 vs Type 2, Cisco administrative distance
- IEEE 802.1Q tag layout (TPID, PCP, DEI, VID) and the QinQ outer tag TPID 0x88A8
- WPA2 4-way handshake GTK delivery and the PMKID attack, WPA3 SAE forward secrecy
- IKEv2 IKE_SA_INIT vs IKE_AUTH payloads, ESP and AH integrity scope, ICMP type 11 codes and type 3 code 4 PMTUD
- Wireshark retransmission classifications, tcpdump BPF flag-mask filters, Zeek conn.log schema, Snort/Suricata rule semantics, IPFIX element IDs

Use this as a precision drill on the byte-level network forensics knowledge that every advanced FACT paper assumes. Allow 30 minutes.
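As an added worked example (not ForensicSpot's code and not a question from the mock), the Python below does by hand the arithmetic the paper drills: the two ends of 192.168.10.83/27, the /22 covering four contiguous /24s, longest-prefix match over an overlapping /16 and /18, and IPv4/TCP decoding at the quoted byte offsets, including the 6-bit control field read URG to FIN and the Kind/Length option walk for MSS and SACK-Permitted. The routing table, the next hops and the SYN packet are constructed sample data, and the checksum is left at zero because the parser never validates it.

```python
"""Byte-level drill: subnet ends, CIDR aggregation, longest-prefix match and
IPv4/TCP header decoding by raw byte offset. Added example for this mock's
topic list; not ForensicSpot's code. All inputs below are constructed."""
import ipaddress
import struct

# TCP control bits in the order the 6-bit field is read, high bit first:
# bit 5 URG, bit 4 ACK, bit 3 PSH, bit 2 RST, bit 1 SYN, bit 0 FIN.
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed routing table with a deliberate parent/child overlap; next hops are assumed.
ROUTE_TABLE = {
    "10.0.0.0/16": "via 10.0.255.1",
    "10.0.0.0/18": "via 10.0.63.1",
    "0.0.0.0/0": "via 192.168.10.65",
}


def subnet_ends(cidr: str) -> tuple[str, str]:
    """Return (first usable host, broadcast) for a host/prefix such as 192.168.10.83/27."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False masks off the host bits
    first = net.network_address + 1 if net.prefixlen < 31 else net.network_address
    return str(first), str(net.broadcast_address)


def aggregate(cidrs: list[str]) -> list[str]:
    """Collapse contiguous, aligned prefixes into the smallest covering set."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def longest_prefix_match(table: dict[str, str], dst: str):
    """Pick the most specific matching prefix: a child /18 beats its parent /16."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the option list: Kind 0 is EOL, Kind 1 is a 1-byte NOP, everything else is Kind/Length/Data."""
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP padding has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option kind %d length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:        # MSS
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4 and length == 2:      # SACK-Permitted carries no data
            out["sack_permitted"] = True
        elif kind == 5:                      # SACK blocks: 8 bytes per (left edge, right edge)
            out["sack"] = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)]
        else:
            out.setdefault("other_kinds", []).append(kind)
        i += length
    return out


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields the mock asks for, at the byte offsets the mock quotes."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length in bytes
    ttl, proto = pkt[8], pkt[9]                      # TTL at byte 8, Protocol at byte 9
    src = str(ipaddress.IPv4Address(pkt[12:16]))     # bytes 12-15
    dst = str(ipaddress.IPv4Address(pkt[16:20]))     # bytes 16-19
    if proto != 6:
        raise ValueError("protocol %d is not TCP" % proto)
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    ctrl = tcp[13] & 0x3F                            # the byte tcpdump masks as tcp[13] / tcp[tcpflags]
    flags = [n for i, n in enumerate(FLAG_NAMES) if ctrl & (1 << (5 - i))]
    return {"ttl": ttl, "protocol": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags,
            "options": parse_tcp_options(tcp[20:data_off])}


def build_sample_syn() -> bytes:
    """Constructed SYN 192.168.10.83:51515 -> 10.0.10.1:443 with MSS, SACK-Permitted and two NOPs."""
    options = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01\x01"   # MSS 1460, SACK-OK, NOP, NOP
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 51515, 443, 1000, 0,
                      (tcp_len // 4) << 4, 0x02, 65535, 0, 0) + options   # 0x02 = SYN only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("192.168.10.83").packed,
                     ipaddress.IPv4Address("10.0.10.1").packed)            # checksum left at zero
    return ip + tcp


if __name__ == "__main__":
    print(subnet_ends("192.168.10.83/27"))
    print(aggregate(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
    print(longest_prefix_match(ROUTE_TABLE, "10.0.10.1"), longest_prefix_match(ROUTE_TABLE, "10.0.200.1"))
    print(parse_ipv4_tcp(build_sample_syn()))
```

The `ctrl = tcp[13] & 0x3F` line is the same mask a capture filter applies: `tcp[13] & 0x3f == 0x02` and `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` both select a bare SYN, which is the kind of equivalence the tcpdump questions test. The option walk is where real captures bite: NOP has no length byte, so a parser that always reads Kind/Length will misalign on the `01 01` padding most stacks insert before the window-scale and timestamp options.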
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- RFC 4632, Classless Inter-Domain Routing (Fuller and Li, 2006), section on subnet arithmetic
- tcpdump man page and Berkeley Packet Filter syntax: pcap-filter(7), symbolic flag constants and raw byte masks
- RFC 4271, A Border Gateway Protocol 4 (Rekhter, Li and Hares, 2006), Section 5, Path Attributes
- RFC 5681, TCP Congestion Control (Allman, Paxson and Blanton, 2009), section on Fast Retransmit
- RFC 5681 and the Wireshark documentation: TCP Congestion Control, Fast Retransmit and Fast Recovery, and Wireshark TCP analysis
- RFC 8200, Internet Protocol, Version 6 (IPv6) Specification (Deering and Hinden, 2017), Section 3, IPv6 Header Format
- RFC 1191, Path MTU Discovery (Mogul and Deering, 1990), and RFC 792, ICMP Destination Unreachable codes
- Cisco IOS Configuration Guide: administrative distance values for connected, static, EIGRP, OSPF, RIP and BGP routes
- RFC 4303 and RFC 4302, IP Encapsulating Security Payload (ESP) and IP Authentication Header (AH) (Kent, 2005)
- Cisco IOS Command Reference: show ip route output codes including O, IA, E1, E2 and B
- RFC 7011 and the IANA IPFIX Information Element Registry: Specification of the IP Flow Information Export Protocol; sourceIPv4Address (8) and destinationIPv4Address (12)
- RFC 793 and RFC 2018: Transmission Control Protocol, Section 3.1, Options; and TCP Selective Acknowledgement Options
- Salesforce JA3 specification: Althouse, Atkinson and Atkins, TLS Fingerprinting with JA3 and JA3S
- Steube, J. (Hashcat), PMKID attack disclosure: attack on WPA2-PSK via the PMKID in the first EAPOL frame, 2018
- RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3 (Rescorla, 2018), Appendix B.4, Cipher Suites
- Wi-Fi Alliance WPA3 Specification and IEEE 802.11-2020: Simultaneous Authentication of Equals (SAE) key establishment
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Network Forensics and Investigation Advanced mock cover?
This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. The full topic list is in the About this mock section above.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics for FACT. Useful for postgraduate entrance preparation and for BSc and MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt; this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.