Digital Forensics: Network Monitoring and Investigation Applied Scenarios
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
Applied-scenario drill on network monitoring and investigation for FACT Digital Forensics aspirants. Each question places the candidate inside a real incident and asks which command, flag, log field, signature, or methodology stage actually solves the problem, rather than asking for a definition. The set covers:
- Wireshark capture filter versus display filter syntax on a stored pcap
- tcpdump rotation flags (-G, -C, -W) for long-window captures
- PCAPng with nanosecond timestamp precision for high-speed links
- OSCAR methodology applied to a live incident timeline
- SPAN port versus inline network TAP under asymmetric routing
- sFlow versus NetFlow versus IPFIX selection on a retention budget
- Snort signature interpretation from a Talos or Emerging Threats alert line
- Suricata HTTP parser logs versus Snort raw pattern matches
- Zeek triage across conn.log, http.log, and dns.log
- SQL injection identification from web access logs (UNION SELECT, OR '1'='1, time-based SLEEP)
- Windows Security Event ID mapping (4624 Logon Type 10 for RDP, 4625 Sub Status codes, 4672 special privileges, 4688 process creation)
- journalctl with -u and --since for SSH brute-force triage on systemd hosts
- Cisco show ip arp plus show mac address-table correlation for ARP-spoof attribution
- Cisco ASA syslog severity selection per RFC 5424
- NetFlow top-talker drill-down
- DPI trade-offs against TLS encryption with JA3 and JA3S fingerprinting
- Cowrie versus Dionaea versus T-Pot honeypot selection
- Downstream legal exposure of operating a honeypot under the Information Technology Act 2000
- NTP time-sync as the precondition for cross-host log correlation under RFC 5905
- airodump-ng plus Kismet for rogue access point triangulation
- Traffic-analysis inference of session type from packet size and timing over encrypted VPN tunnels
This mock targets MSc Forensic Science and BSc Forensic Science students preparing for the FACT (Forensic Aptitude and Coding Test) Digital Forensics paper, NFSU MSc Cyber Security entrance candidates, and early-career SOC analysts learning the GCIA, GCFE, or SANS FOR572 syllabus through Indian academic mocks.
Topics covered:
Each item carries a three-paragraph explanation citing Wireshark, tcpdump, Snort, Suricata, Zeek, OWASP, Microsoft Learn, Cisco IOS, RFCs 5424, 5905, 7011, and Davidoff and Ham's Network Forensics text. Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test.