Digital Forensics | medium | Premium

Digital Forensics: Network Monitoring and Investigation Applied Scenarios

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Applied-scenario drill on network monitoring and investigation for FACT Digital Forensics aspirants. Each question places the candidate inside a real incident and asks which command, flag, log field, signature, or methodology stage actually solves the problem, rather than asking for a definition. The set covers:

  • Wireshark capture filter versus display filter syntax on a stored pcap
  • tcpdump rotation flags (-G, -C, -W) for long-window captures
  • PCAPng with nanosecond timestamp precision for high-speed links
  • OSCAR methodology applied to a live incident timeline
  • SPAN port versus inline network TAP under asymmetric routing
  • sFlow versus NetFlow versus IPFIX selection on a retention budget
  • Snort signature interpretation from a Talos or Emerging Threats alert line
  • Suricata HTTP parser logs versus Snort raw pattern matches
  • Zeek triage across conn.log, http.log, and dns.log
  • SQL injection identification from web access logs (UNION SELECT, OR '1'='1, time-based SLEEP)
  • Windows Security Event ID mapping (4624 Logon Type 10 for RDP, 4625 Sub Status codes, 4672 special privileges, 4688 process creation)
  • journalctl with -u and --since for SSH brute-force triage on systemd hosts
  • Cisco show ip arp plus show mac address-table correlation for ARP-spoof attribution
  • Cisco ASA syslog severity selection per RFC 5424
  • NetFlow top-talker drill-down
  • DPI trade-offs against TLS encryption with JA3 and JA3S fingerprinting
  • Cowrie versus Dionaea versus T-Pot honeypot selection
  • downstream legal exposure of operating a honeypot under the Information Technology Act 2000
  • NTP time-sync as the precondition for cross-host log correlation under RFC 5905
  • airodump-ng plus Kismet for rogue access point triangulation
  • traffic-analysis inference of session type from packet size and timing over encrypted VPN tunnels

This mock targets MSc Forensic Science and BSc Forensic Science students preparing for the FACT (Forensic Aptitude and Coding Test) Digital Forensics paper, NFSU MSc Cyber Security entrance candidates, and early-career SOC analysts learning the GCIA, GCFE, or SANS FOR572 syllabus through Indian academic mocks.

Topics covered:

  • Wireshark display filter and BPF capture filter on a stored pcap
  • tcpdump rotation with -G, -C, -W and strftime filename patterns
  • PCAPng nanosecond timestamping for high-speed link forensics
  • OSCAR methodology stages applied to a real network incident
  • SPAN versus TAP placement under asymmetric routing
  • Snort, Suricata EVE JSON, and Zeek conn-http-dns log triage
  • SQL injection signature reading from web access logs
  • Windows Event IDs 4624, 4625, 4672, 4688 in scenario context

Each item carries a three-paragraph explanation citing Wireshark, tcpdump, Snort, Suricata, Zeek, OWASP, Microsoft Learn, Cisco IOS, RFCs 5424, 5905, 7011, and Davidoff and Ham's Network Forensics text. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Davidoff, Sherri and Ham, Jonathan. Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), Statistical Flow Analysis. Cited in 5 questions.
  • Microsoft Documentation. Windows Event Logging reference, Security Audit Event 4624 and Logon Type values. Open source; cited in 4 questions.
  • OWASP Foundation. OWASP Web Security Testing Guide, Boolean-based SQL Injection and Authentication Bypass. Open source; cited in 3 questions.
  • Suricata Documentation. Open Information Security Foundation, Suricata User Guide, EVE JSON output format. Open source; cited in 2 questions.
  • Salesforce Engineering. JA3 SSL/TLS Client Fingerprinting specification and JA3S server fingerprint extension. Open source; cited in 2 questions.
  • tcpdump and libpcap project. tcpdump(1) manual page, flags -G, -C, -W and the strftime filename pattern. Open source; cited in 2 questions.
  • Cisco IOS Command Reference. Cisco IOS Configuration Fundamentals Command Reference, show ip arp and show mac address-table. Open source; cited in 1 question.
  • Wireshark Documentation and PCAPng specification. PCAPng Interface Description Block, if_tsresol option, and tcpdump --time-stamp-precision flag. Open source; cited in 1 question.
  • Wireshark Documentation. Wireshark User's Guide, Working with Captured Packets and the tshark/editcap utilities. Open source; cited in 1 question.
  • systemd documentation. journalctl(1) manual page, --unit, --since, --until, and --output flags. Open source; cited in 1 question.
  • The Honeynet Project. Know Your Enemy series, papers on Honeynet legal and operational issues. Open source; cited in 1 question.
  • IETF RFC 7011 and RFC 3954. IPFIX Protocol for the Exchange of Flow Information; Cisco NetFlow Services Export Version 9. Open source; cited in 1 question.
  • Zeek Documentation. Zeek (formerly Bro) User Manual, chapter on Logs, including conn.log, http.log, dns.log. Open source; cited in 1 question.
  • IETF RFC 5905. Network Time Protocol Version 4: Protocol and Algorithms Specification. Open source; cited in 1 question.
  • Cisco Documentation and IETF RFC 5424. Cisco ASA Series Syslog Messages, severity-level reference; The Syslog Protocol. Open source; cited in 1 question.
  • Aircrack-ng Project and Kismet documentation. airodump-ng and Kismet User Guides on rogue access point detection. Open source; cited in 1 question.
  • Snort Documentation. Snort Users Manual, chapter on Rule Options and the http_uri modifier. Open source; cited in 1 question.
  • Cowrie SSH/Telnet Honeypot Project. Cowrie documentation and source repository. Open source; cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
