Digital Forensics | hard | Premium

Digital Forensics: Network Forensics and Investigation Advanced

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. Subnet arithmetic on 192.168.10.83/27 is checked at both ends (broadcast and first usable host), aggregation of four contiguous /24s into a single /22 is asked as a CIDR exercise, and longest-prefix match resolves a deliberate overlap between a parent /16 and a child /18 in a routing table. IPv4 header byte offsets pin TTL at byte 8, Protocol at byte 9, Source IP at bytes 12 to 15, and Destination IP at bytes 16 to 19. The TCP control byte is unpacked in URG-ACK-PSH-RST-SYN-FIN order, MSS option Kind 2 Length 4 sits next to SACK-Permitted Kind 4 Length 2 and SACK ranges Kind 5, and the JA3 fingerprint field order is fixed as SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat. Other questions hold WPA2 message 3 as the GTK delivery vehicle, place the PMKID in WPA2 message 1, contrast IKEv2 SA_INIT with IKE_AUTH payloads, and read Cisco administrative distances, show ip route codes, OSPF E1 versus E2 externals, and Zeek conn.log field order.

The paper is calibrated for the FACT entrance exam at the advanced band and is equally useful for the MSc Digital Forensics network elective at NFSU, GIAC GCIA and GNFA candidates, and SANS FOR572 students who want a tight precision-test on the byte-level fluency that every network forensics tool assumes.

Topics covered:
- Subnet math, CIDR aggregation, route table overlap and longest-prefix match
- IPv4 and IPv6 header byte offsets, TCP control bit ordering, TCP options (MSS, SACK)
- TLS 1.2 vs TLS 1.3 cipher suite identifiers and the JA3 client fingerprint construction
- BGP path attributes, OSPF Hello and Dead intervals, OSPF external Type 1 vs Type 2, Cisco administrative distance
- IEEE 802.1Q tag layout (TPID, PCP, DEI, VID) and QinQ outer tag 0x88A8
- WPA2 4-way handshake GTK delivery and the PMKID attack, WPA3 SAE forward secrecy
- IKEv2 SA_INIT vs AUTH payloads, ESP and AH integrity scope, ICMP type 11 codes and type 3 code 4 PMTUD
- Wireshark retransmission classifications, tcpdump BPF flag-mask filters, Zeek conn.log schema, Snort/Suricata rule semantics, IPFIX element IDs

Use this as a precision drill on the byte-level network forensics knowledge that every advanced FACT paper assumes. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • RFC 4632: Classless Inter-Domain Routing (Fuller and Li, 2006), Section on Subnet Arithmetic. Open source; cited in 3 questions.
  • tcpdump Man Page and Berkeley Packet Filter Syntax: pcap-filter(7), Symbolic Flag Constants and Raw Byte Masks. Open source; cited in 2 questions.
  • RFC 4271: A Border Gateway Protocol 4 (Rekhter, Li, Hares, 2006), Section 5 Path Attributes. Open source; cited in 1 question.
  • RFC 791: Internet Protocol (Postel, 1981), Section 3.1 Internet Header Format. Open source; cited in 1 question.
  • RFC 5681: TCP Congestion Control (Allman, Paxson, Blanton, 2009), Section on Fast Retransmit. Open source; cited in 1 question.
  • RFC 5681 and Wireshark Documentation: TCP Congestion Control: Fast Retransmit and Fast Recovery, and Wireshark TCP Analysis. Open source; cited in 1 question.
  • RFC 8200: Internet Protocol, Version 6 (IPv6) Specification (Deering and Hinden, 2017), Section 3 IPv6 Header Format. Open source; cited in 1 question.
  • RFC 1812: Requirements for IP Version 4 Routers (Baker, 1995), Section on Route Lookup. Open source; cited in 1 question.
  • RFC 1191: Path MTU Discovery (Mogul and Deering, 1990), and RFC 792 ICMP Destination Unreachable Codes. Open source; cited in 1 question.
  • Cisco IOS Configuration Guide: Administrative Distance values for connected, static, EIGRP, OSPF, RIP, BGP. Cited in 1 question.
  • RFC 2018: TCP Selective Acknowledgement Options (Mathis, Mahdavi, Floyd, Romanow, 1996). Open source; cited in 1 question.
  • RFC 793: Transmission Control Protocol (Postel, 1981), Section 3.1 Header Format. Open source; cited in 1 question.
  • Suricata User Guide: Rule Keyword Reference: flow keyword and stateless modifier. Open source; cited in 1 question.
  • IEEE 802.1Q: Bridges and Bridged Networks: VLAN Tag Format including PCP, DEI, and VID. Open source; cited in 1 question.
  • RFC 4303 and RFC 4302: IP Encapsulating Security Payload (ESP) and IP Authentication Header (AH) (Kent, 2005). Open source; cited in 1 question.
  • IEEE 802.11-2020: Robust Security Network (RSN) 4-Way Handshake and Group Key Distribution. Open source; cited in 1 question.
  • Cisco IOS Command Reference: show ip route output codes including O, IA, E1, E2, B. Cited in 1 question.
  • RFC 7011 and IANA IPFIX Information Element Registry: Specification of the IP Flow Information Export Protocol; sourceIPv4Address (8) and destinationIPv4Address (12). Open source; cited in 1 question.
  • RFC 792: Internet Control Message Protocol (Postel, 1981), Time Exceeded Message Codes. Open source; cited in 1 question.
  • RFC 793 and RFC 2018: Transmission Control Protocol, Section 3.1 Options; and TCP Selective Acknowledgement Options. Open source; cited in 1 question.
  • Zeek Documentation: Zeek Log Reference: conn.log Field Definitions and Schema. Open source; cited in 1 question.
  • RFC 2328: OSPF Version 2 (Moy, 1998), Sections on Hello Protocol and Designated Router. Open source; cited in 1 question.
  • RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) (Kaufman et al., 2014). Open source; cited in 1 question.
  • Salesforce JA3 Specification: Althouse, Atkinson and Atkins, TLS Fingerprinting with JA3 and JA3S. Open source; cited in 1 question.
  • Steube, J. (Hashcat), PMKID Attack Disclosure: Attack on WPA2 PSK via PMKID in the first EAPOL frame, 2018. Cited in 1 question.
  • RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 (Rescorla, 2018), Appendix B.4 Cipher Suites. Open source; cited in 1 question.
  • Wi-Fi Alliance WPA3 Specification and IEEE 802.11-2020: Simultaneous Authentication of Equals (SAE) Key Establishment. Cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
