Digital Forensics: Network Monitoring, Packet Capture and Network Investigation
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
This thirty-question FACT-style mock walks the network-monitoring and network-investigation unit of the digital forensics paper end to end. It covers live packet capture with Wireshark and tcpdump including the Berkeley Packet Filter capture-filter grammar and the dotted display-filter grammar, the PCAP and PCAPng file formats, the difference between promiscuous mode on wired Ethernet and monitor mode on 802.11 wireless interfaces, and the role of Tshark as the command-line sibling of Wireshark. It steps through the OSCAR methodology of Davidoff and Ham, the catch-it-as-you-can versus stop-look-and-listen acquisition strategies, NetFlow and IPFIX metadata records, and the placement of SPAN mirror ports and inline TAP appliances for sensor visibility on switched networks.
The mock then turns to network intrusion detection with Snort, Suricata, and Zeek, contrasting signature-based and anomaly-based detection. Event-log analysis covers Windows Security channel logon events 4624 and 4625, Linux journald and rsyslog, and SQL-injection patterns visible in web access logs. Router and switch evidence covers Cisco IOS show logging, show ip route, show running-config, and the switch CAM table (MAC address table). Traffic analysis covers top-talkers, Deep Packet Inspection, JA3 and JA3S TLS fingerprinting, honeypots and honeynets including Cowrie and The Honeynet Project, NTP-disciplined log correlation, 802.11 frame types for wireless forensics, and what a passive observer can see of an encrypted VPN tunnel.
It suits MSc Cyber Forensics aspirants, NFSU MSc applicants, FACT candidates, and working SOC analysts preparing for GCIA or GCFE.
Topics covered:
- Wireshark capture filters in BPF syntax and display filters in dotted grammar
- tcpdump and Tshark command-line capture and analysis
- PCAP and PCAPng file format differences
- Promiscuous mode on wired Ethernet versus 802.11 monitor mode
- OSCAR methodology and catch-it-as-you-can versus stop-look-and-listen
- NetFlow and IPFIX metadata, SPAN mirror ports, and inline TAP appliances
- Snort, Suricata, and Zeek network intrusion detection
- Router and switch evidence, JA3 fingerprinting, honeypots, and VPN traffic visibility
Work through every question, read each explanation carefully, and revisit weak areas before reattempting. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Davidoff, Sherri and Ham, Jonathan. Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), chapter on Live Acquisition. Cited in 4 questions.
- IEEE 802.11-2020. Wireless LAN Medium Access Control and Physical Layer Specifications, frame type clauses. Open source; cited in 2 questions.
- Cisco IOS Command Reference. Cisco IOS Configuration Fundamentals Command Reference, show running-config and show startup-config. Open source; cited in 1 question.
- Casey, Eoghan. Digital Evidence and Computer Crime, 3rd Edition (Academic Press, 2011), chapter on Network Traffic Analysis. Cited in 1 question.
- Microsoft Documentation. Windows Event Logging reference, Security Audit Events 4624 and 4625. Open source; cited in 1 question.
- IETF RFC 5424 and systemd documentation. Syslog protocol specification and systemd-journald.service man page. Open source; cited in 1 question.
- Stallings, William. Cryptography and Network Security: Principles and Practice, 7th Edition, chapter on Firewalls. Cited in 1 question.
- Althouse, John; Atkinson, Jeff; Atkins, Josh. TLS Fingerprinting with JA3 and JA3S, Salesforce Engineering, open-source specification. Open source; cited in 1 question.
- NIST SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS), chapter on Detection Methodologies. Open source; cited in 1 question.
- IETF RFC 7011. Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information. Open source; cited in 1 question.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Network Monitoring, Packet Capture and Network Investigation mock cover?
This thirty-question FACT-style mock walks the network-monitoring and network-investigation unit of the digital forensics paper end to end. It covers live packet capture with Wireshark and tcpdump including the Berkeley Packet Filter capture-filter grammar and the dotted display-filter grammar, the PCAP and PCAPng file formats, the difference between promiscuous mode on wired Ethernet and monitor mode on 802.11 wireless interfaces, and the role of Tshark as the command-line sibling of Wireshark.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.