Digital Forensics: Network Forensics and Investigation Advanced
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Score, per-question explanations and topic breakdown shown right after you submit.
Free ForensicSpot account required to save your progress — you’ll sign in when you start.
This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. Subnet arithmetic on 192.168.10.83/27 is checked at both ends (broadcast and first usable host), aggregation of four contiguous /24s into a single /22 is asked as a CIDR exercise, and longest-prefix match resolves a deliberate overlap between a parent /16 and a child /18 in a routing table. IPv4 header byte offsets pin TTL at byte 8, Protocol at byte 9, Source IP at bytes 12 to 15, and Destination IP at bytes 16 to 19. The TCP control byte is unpacked in URG-ACK-PSH-RST-SYN-FIN order, MSS option Kind 2 Length 4 sits next to SACK-Permitted Kind 4 Length 2 and SACK ranges Kind 5, and the JA3 fingerprint field order is fixed as SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat. 
Other questions hold WPA2 message 3 as the GTK delivery vehicle, place the PMKID in WPA2 message 1, contrast IKEv2 SA_INIT with IKE_AUTH payloads, and read Cisco administrative distances, show ip route codes, OSPF E1 versus E2 externals, and Zeek conn.log field order.

The paper is calibrated for the FACT entrance exam at the advanced band and is equally useful for the MSc Digital Forensics network elective at NFSU, GIAC GCIA and GNFA candidates, and SANS FOR572 students who want a tight precision-test on the byte-level fluency that every network forensics tool assumes.

Topics covered:
- Subnet math, CIDR aggregation, route table overlap and longest-prefix match
- IPv4 and IPv6 header byte offsets, TCP control bit ordering, TCP options (MSS, SACK)
- TLS 1.2 vs TLS 1.3 cipher suite identifiers and the JA3 client fingerprint construction
- BGP path attributes, OSPF Hello and Dead intervals, OSPF external Type 1 vs Type 2, Cisco administrative distance
- IEEE 802.1Q tag layout (TPID, PCP, DEI, VID) and QinQ outer tag 0x88A8
- WPA2 4-way handshake GTK delivery and the PMKID attack, WPA3 SAE forward secrecy
- IKEv2 SA_INIT vs AUTH payloads, ESP and AH integrity scope, ICMP type 11 codes and type 3 code 4 PMTUD
- Wireshark retransmission classifications, tcpdump BPF flag-mask filters, Zeek conn.log schema, Snort/Suricata rule semantics, IPFIX element IDs

Use this as a precision drill on the byte-level network forensics knowledge that every advanced FACT paper assumes. Allow 30 minutes.
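The subnet, aggregation, longest-prefix and byte-offset skills the description lists can be checked mechanically. The script below is an added worked example, not part of the ForensicSpot mock or its answer key: it works the /27 arithmetic, collapses four contiguous /24s, resolves the parent /16 versus child /18 overlap, reads TTL, Protocol, Source and Destination straight from their IPv4 header offsets, unpacks the TCP control byte in URG-ACK-PSH-RST-SYN-FIN order, and walks the MSS / SACK-Permitted / SACK option TLVs. The raw header and option bytes are constructed here for the example; the routing table entries and next-hop names are assumptions.

```python
import ipaddress

def subnet_ends(host_cidr):
    """Return (network, first usable host, broadcast) for a host/prefix string.
    strict=False lets ipaddress derive the network from a host address."""
    net = ipaddress.ip_network(host_cidr, strict=False)
    first_host = next(net.hosts())
    return str(net.network_address), str(first_host), str(net.broadcast_address)

def aggregate(cidrs):
    """Collapse contiguous prefixes into the smallest covering set (CIDR summarisation)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def longest_prefix_match(table, dst):
    """table: list of (prefix, next_hop). The most specific matching prefix wins,
    regardless of the order entries appear in."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

def parse_ipv4_header(raw):
    """Read the fixed-offset fields from a 20-byte (or longer) IPv4 header.
    Offsets follow the header layout: TTL at byte 8, Protocol at 9,
    Source at 12..15, Destination at 16..19."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ihl_bytes = (raw[0] & 0x0F) * 4          # low nibble of byte 0 is IHL in 32-bit words
    return {
        "version": raw[0] >> 4,
        "ihl": ihl_bytes,
        "ttl": raw[8],
        "protocol": raw[9],
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
    }

def tcp_flags(control_byte):
    """Names of the set bits, in URG-ACK-PSH-RST-SYN-FIN order (0x20 down to 0x01)."""
    names = ["URG", "ACK", "PSH", "RST", "SYN", "FIN"]
    return [name for i, name in enumerate(names) if (control_byte >> (5 - i)) & 1]

def parse_tcp_options(opts):
    """Walk TCP option TLVs: Kind 0 ends the list, Kind 1 is a one-byte NOP,
    everything else is Kind, Length, Data. Stops on a malformed length."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP padding
            out.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                             # malformed length; do not run off the buffer
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2:                         # MSS, Kind 2 Length 4
            out.append(("MSS", int.from_bytes(data, "big")))
        elif kind == 4:                       # SACK-Permitted, Kind 4 Length 2
            out.append(("SACK-Permitted", None))
        elif kind == 5:                       # SACK, Kind 5, 8-byte left/right edge pairs
            blocks = [(int.from_bytes(data[j:j + 4], "big"),
                       int.from_bytes(data[j + 4:j + 8], "big"))
                      for j in range(0, len(data), 8)]
            out.append(("SACK", blocks))
        else:
            out.append((f"Kind{kind}", bytes(data)))
        i += length
    return out

# Constructed sample data (assumption, not captured traffic):
# IPv4 header: v4/IHL5, total length 40, TTL 64, proto 6 (TCP), 192.168.10.83 -> 10.0.0.1
SAMPLE_IPV4 = bytes([0x45, 0x00, 0x00, 0x28, 0x1c, 0x46, 0x40, 0x00,
                     0x40, 0x06, 0x00, 0x00,
                     192, 168, 10, 83,
                     10, 0, 0, 1])
# TCP options: MSS 1460, SACK-Permitted, NOP, NOP
SAMPLE_OPTS = bytes([0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x01, 0x01])
# Assumed routing table with a parent /16 and a child /18 overlap
SAMPLE_TABLE = [("10.20.0.0/16", "R1"), ("10.20.128.0/18", "R2")]

if __name__ == "__main__":
    print(subnet_ends("192.168.10.83/27"))
    print(aggregate(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
    print(longest_prefix_match(SAMPLE_TABLE, "10.20.130.5"))
    print(parse_ipv4_header(SAMPLE_IPV4))
    print(tcp_flags(0x12), parse_tcp_options(SAMPLE_OPTS))
```

Each function mirrors one class of question on the paper; running it against your own hand-worked answers is the quickest way to catch an off-by-one in the broadcast address or a swapped ACK/SYN bit.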
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.