Digital Forensics · Easy · Premium

Digital Forensics: Network Monitoring, Packet Capture and Network Investigation

Published:

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This thirty-question FACT-style mock walks the network-monitoring and network-investigation unit of the digital forensics paper end to end. It covers live packet capture with Wireshark and tcpdump including the Berkeley Packet Filter capture-filter grammar and the dotted display-filter grammar, the PCAP and PCAPng file formats, the difference between promiscuous mode on wired Ethernet and monitor mode on 802.11 wireless interfaces, and the role of Tshark as the command-line sibling of Wireshark. It steps through the OSCAR methodology of Davidoff and Ham, the catch-it-as-you-can versus stop-look-and-listen acquisition strategies, NetFlow and IPFIX metadata records, and the placement of SPAN mirror ports and inline TAP appliances for sensor visibility on switched networks.
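The PCAP versus PCAPng distinction listed above is easiest to see at the byte level. The following Python is an added example written for this page, not code from the mock, from Wireshark or from libpcap: it reads the first bytes of a capture, decides which of the two formats it is, works out byte order and timestamp resolution from the magic number (classic pcap) or the byte-order magic of the Section Header Block (pcapng), and walks the record headers of a classic pcap. The two sample files are constructed inline for the demonstration and are not real captures; the field layouts follow the pcap and PCAPng specifications, and the 0x0FFFFFFF mask on the pcap link-type field is the newer pcap draft's FCS bits being stripped.

```python
import struct

# Classic pcap: the first four bytes, read big-endian, tell us the byte order
# and the timestamp unit of every record header that follows.
PCAP_MAGIC = {
    0xA1B2C3D4: (">", "big", 1_000_000),         # big-endian, microseconds
    0xD4C3B2A1: ("<", "little", 1_000_000),      # little-endian, microseconds
    0xA1B23C4D: (">", "big", 1_000_000_000),     # big-endian, nanoseconds
    0x4D3CB2A1: ("<", "little", 1_000_000_000),  # little-endian, nanoseconds
}
PCAPNG_SHB_TYPE = 0x0A0D0D0A  # Section Header Block type; same bytes in either byte order
PCAPNG_BOM = 0x1A2B3C4D       # byte-order magic stored inside the SHB
PCAPNG_IDB_TYPE = 0x00000001  # Interface Description Block


def identify_capture(data: bytes) -> dict:
    """Return format, byte order and link-layer metadata for a pcap or pcapng blob."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header or a pcapng SHB")
    magic = struct.unpack(">I", data[:4])[0]

    if magic in PCAP_MAGIC:
        fmt, endian, res = PCAP_MAGIC[magic]
        vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(fmt + "HHiIII", data[4:24])
        return {
            "format": "pcap", "endian": endian, "ts_per_second": res,
            "version": (vmaj, vmin), "snaplen": snaplen,
            # the newer pcap draft uses the top bits of this field for FCS information
            "linktype": linktype & 0x0FFFFFFF,
        }

    if magic == PCAPNG_SHB_TYPE:
        # The block type is a palindrome, so only the byte-order magic decides endianness.
        if struct.unpack("<I", data[8:12])[0] == PCAPNG_BOM:
            fmt, endian = "<", "little"
        elif struct.unpack(">I", data[8:12])[0] == PCAPNG_BOM:
            fmt, endian = ">", "big"
        else:
            raise ValueError("pcapng SHB without a valid byte-order magic")
        shb_len = struct.unpack(fmt + "I", data[4:8])[0]
        vmaj, vmin, section_len = struct.unpack(fmt + "HHq", data[12:24])
        info = {
            "format": "pcapng", "endian": endian, "version": (vmaj, vmin),
            "section_len": section_len,  # -1 means "not specified"
        }
        # Link type and snaplen are per interface in pcapng: read the first IDB.
        pos = shb_len
        while pos + 8 <= len(data):
            btype, blen = struct.unpack(fmt + "II", data[pos:pos + 8])
            if blen < 12:
                raise ValueError("malformed pcapng block length")
            if btype == PCAPNG_IDB_TYPE:
                linktype, _rsv, snaplen = struct.unpack(fmt + "HHI", data[pos + 8:pos + 16])
                info.update({"linktype": linktype, "snaplen": snaplen})
                break
            pos += blen
        return info

    raise ValueError("not a pcap or pcapng file (magic 0x%08x)" % magic)


def pcap_records(data: bytes):
    """Yield (timestamp, caplen, origlen, payload) for each record of a classic pcap."""
    info = identify_capture(data)
    if info["format"] != "pcap":
        raise ValueError("pcap_records only walks classic pcap files")
    fmt = ">" if info["endian"] == "big" else "<"
    res = info["ts_per_second"]
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(fmt + "IIII", data[pos:pos + 16])
        payload = data[pos + 16:pos + 16 + caplen]
        if len(payload) < caplen:
            break  # truncated final record, typical of a capture that was cut short
        yield ts_sec + ts_frac / res, caplen, origlen, payload
        pos += 16 + caplen


# Constructed sample files (not real captures): a little-endian microsecond pcap
# holding one snapped Ethernet frame, and a big-endian pcapng with an SHB and an IDB.
_ETH_HDR = bytes.fromhex("ffffffffffff0000000000010800")  # constructed 14-byte header
SAMPLE_PCAP_LE = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    + struct.pack("<IIII", 1700000000, 500000, len(_ETH_HDR), 60) + _ETH_HDR
)
SAMPLE_PCAPNG_BE = (
    struct.pack(">IIIHHqI", PCAPNG_SHB_TYPE, 28, PCAPNG_BOM, 1, 0, -1, 28)
    + struct.pack(">IIHHII", PCAPNG_IDB_TYPE, 20, 1, 0, 65535, 20)
)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP_LE))
    print(identify_capture(SAMPLE_PCAPNG_BE))
    for ts, caplen, origlen, _ in pcap_records(SAMPLE_PCAP_LE):
        print(f"{ts:.6f} caplen={caplen} origlen={origlen}")
```

Two practical caveats the example makes visible: a classic pcap carries one link type and one snaplen for the whole file, while pcapng carries them per interface, so a multi-interface pcapng needs every IDB read, not just the first; and pcapng timestamp resolution comes from the optional if_tsresol option on the IDB (microseconds when absent), which this example does not parse.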

The mock then turns to network intrusion detection with Snort, Suricata, and Zeek, contrasting signature-based and anomaly-based detection. Event-log analysis covers Windows Security channel logon events 4624 and 4625, Linux journald and rsyslog, and SQL-injection patterns visible from web access logs. Router and switch evidence covers Cisco IOS show logging, show ip route, show running-config, and the switch CAM or MAC address-table. Traffic analysis covers top-talkers, Deep Packet Inspection, JA3 and JA3S TLS fingerprinting, honeypots and honeynets including Cowrie and The Honeynet Project, NTP-disciplined log correlation, 802.11 frame types for wireless forensics, and what a passive observer can see in an encrypted VPN tunnel.
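JA3 fingerprinting, named above, is worth seeing as actual bytes rather than as a definition. The Python below is an added example for this page, not code from the mock or from the JA3 authors' own tooling: it builds a constructed TLS ClientHello (the random is all zeros and the cipher and extension values are chosen for illustration, so no real client sends exactly this record), then parses it back and derives the JA3 string and its MD5 the way the published specification describes: handshake version, cipher suites, extension types, supported groups and EC point formats, each list joined with "-", the five fields joined with ",", GREASE values skipped throughout.

```python
import hashlib
import struct

# GREASE values (0x0A0A, 0x1A1A, ... 0xFAFA) are ignored by JA3 so that clients
# randomising them still produce a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Build a minimal TLS ClientHello record. Constructed test input only."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"  # version, zero random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", etype, len(edata)) + edata for etype, edata in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # TLS record header


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                                   # skip client random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", body[pos:pos + cs_len])]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods

    ext_types, groups, formats = [], [], []
    if pos < len(body):                             # extensions block is optional
        ext_len = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                         # supported_groups (elliptic curves)
                n = struct.unpack_from(">H", edata, 0)[0]
                groups = [g for (g,) in struct.iter_unpack(">H", edata[2:2 + n]) if g not in GREASE]
            elif etype == 11:                       # ec_point_formats
                formats = list(edata[1:1 + edata[0]])

    ja3 = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if c not in GREASE),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode("ascii")).hexdigest()


# Constructed ClientHello resembling a TLS 1.3-capable client that GREASEs its
# cipher list, extension list and group list. Values and order are invented.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,                                          # legacy_version TLS 1.2, so JA3 reports 771
    [0x2A2A, 0x1301, 0x1302, 0xC02B],                # GREASE, two TLS 1.3 suites, one ECDHE suite
    [
        (0x2A2A, b"\x00"),                                   # GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),             # server_name
        (10, b"\x00\x08\x2a\x2a\x00\x1d\x00\x17\x00\x18"),   # supported_groups: GREASE, x25519, P-256, P-384
        (11, b"\x01\x00"),                                   # ec_point_formats: uncompressed
        (43, b"\x02\x03\x04"),                               # supported_versions: TLS 1.3
    ],
)


def sample_ja3():
    """JA3 string and hash of the constructed sample ClientHello."""
    return ja3_from_client_hello(SAMPLE_CLIENT_HELLO)


if __name__ == "__main__":
    s, h = sample_ja3()
    print(s)
    print(h)
```

Because a TLS 1.3 client still sends legacy_version 0x0303 in the ClientHello, JA3 reports 771 for it and the real negotiated version only shows up through the supported_versions extension type in the extension list. JA3S is computed the same way from the ServerHello, using only its version, chosen cipher and extension types, which is why the client and server hashes are matched as a pair.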

It suits MSc Cyber Forensics aspirants, NFSU MSc applicants, FACT candidates, and working SOC analysts preparing for GCIA or GCFE.

Topics covered:

  • Wireshark capture filters in BPF syntax and display filters in dotted grammar
  • tcpdump and Tshark command-line capture and analysis
  • PCAP and PCAPng file format differences
  • Promiscuous mode on wired Ethernet versus 802.11 monitor mode
  • OSCAR methodology and catch-it-as-you-can versus stop-look-and-listen
  • NetFlow and IPFIX metadata, SPAN mirror ports, and inline TAP appliances
  • Snort, Suricata, and Zeek network intrusion detection
  • Router and switch evidence, JA3 fingerprinting, honeypots, and VPN traffic visibility

Work through every question, read each explanation carefully, and revisit weak areas before reattempting. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Davidoff, Sherri and Ham, Jonathan

    Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), Chapter on Live Acquisition

    cited in 6 questions
  • Wireshark Documentation

    PCAPng File Format Specification

    Open source
    cited in 4 questions
  • The Honeynet Project

    Cowrie SSH and Telnet honeypot documentation

    Open source
    cited in 3 questions
  • IEEE 802.11-2020

    Wireless LAN Medium Access Control and Physical Layer Specifications, frame type clauses

    Open source
    cited in 2 questions
  • Cisco IOS Command Reference

    Cisco IOS Configuration Fundamentals Command Reference, show running-config and show startup-config

    Open source
    cited in 2 questions
  • Suricata Documentation

    Open Information Security Foundation, Suricata User Guide

    Open source
    cited in 1 question
  • Casey, Eoghan

    Digital Evidence and Computer Crime, 3rd Edition (Academic Press, 2011), Chapter on Network Traffic Analysis

    cited in 1 question
  • IETF RFC 5905

    Network Time Protocol Version 4 Protocol and Algorithms Specification

    Open source
    cited in 1 question
  • Microsoft Documentation

    Windows Event Logging reference, Security Audit Events 4624 and 4625

    Open source
    cited in 1 question
  • Zeek Documentation

    Zeek (formerly Bro) User Manual, Chapter on Logs and Scripting

    Open source
    cited in 1 question
  • IETF RFC 5424 and systemd documentation

    Syslog protocol specification and systemd-journald.service man page

    Open source
    cited in 1 question
  • Stallings, William

    Cryptography and Network Security: Principles and Practice, 7th Edition, Chapter on Firewalls

    cited in 1 question
  • tcpdump and libpcap project

    tcpdump(1) manual page, flags -i, -n, -nn, -w, -s

    Open source
    cited in 1 question
  • Althouse, John; Atkinson, Jeff; Atkins, Josh

    TLS Fingerprinting with JA3 and JA3S, Salesforce Engineering, open-source specification

    Open source
    cited in 1 question
  • Snort Documentation

    Snort Users Manual, Chapter on Snort Rules and Detection Engine

    Open source
    cited in 1 question
  • NIST SP 800-94

    Guide to Intrusion Detection and Prevention Systems (IDPS), Chapter on Detection Methodologies

    Open source
    cited in 1 question
  • IETF RFC 7011

    Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information

    Open source
    cited in 1 question
  • OWASP Foundation

    OWASP Web Security Testing Guide, Section on SQL Injection

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Network Monitoring, Packet Capture and Network Investigation mock cover?

This thirty-question FACT-style mock walks the network-monitoring and network-investigation unit of the digital forensics paper end to end. It covers live packet capture with Wireshark and tcpdump including the Berkeley Packet Filter capture-filter grammar and the dotted display-filter grammar, the PCAP and PCAPng file formats, the difference between promiscuous mode on wired Ethernet and monitor mode on 802.11 wireless interfaces, and the role of Tshark as the command-line sibling of Wireshark.

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
