Digital Forensics: Network Monitoring and Investigation Applied Scenarios
Questions: 30 | Duration: 30 min | Faculty-reviewed: 0 | Updated: 20 May 2026
About this mock
Applied-scenario drill on network monitoring and investigation for FACT Digital Forensics aspirants. Each question places the candidate inside a real incident and asks which command, flag, log field, signature, or methodology stage actually solves the problem, rather than asking for a definition. The set covers Wireshark capture filter versus display filter syntax on a stored pcap, tcpdump rotation flags (-G, -C, -W) for long-window captures, PCAPng with nanosecond timestamp precision for high-speed links, OSCAR methodology applied to a live incident timeline, SPAN port versus inline network TAP under asymmetric routing, sFlow versus NetFlow versus IPFIX selection on a retention budget, Snort signature interpretation from a Talos or Emerging Threats alert line, Suricata HTTP parser logs versus Snort raw pattern matches, Zeek triage across conn.log, http.log, and dns.log, SQL injection identification from web access logs (UNION SELECT, OR '1'='1, time-based SLEEP), Windows Security Event ID mapping (4624 Logon Type 10 for RDP, 4625 Sub Status codes, 4672 special privileges, 4688 process creation), journalctl with -u and --since for SSH brute-force triage on systemd hosts, Cisco show ip arp plus show mac address-table correlation for ARP-spoof attribution, Cisco ASA syslog severity selection per RFC 5424, NetFlow top-talker drill-down, DPI trade-offs against TLS encryption with JA3 and JA3S fingerprinting, Cowrie versus Dionaea versus T-Pot honeypot selection, downstream legal exposure of operating a honeypot under the Information Technology Act 2000, NTP time-sync as the precondition for cross-host log correlation under RFC 5905, airodump-ng plus Kismet for rogue access point triangulation, and traffic-analysis inference of session type from packet size and timing over encrypted VPN tunnels.
This mock targets MSc Forensic Science and BSc Forensic Science students preparing for the FACT (Forensic Aptitude and Coding Test) Digital Forensics paper, NFSU MSc Cyber Security entrance candidates, and early-career SOC analysts learning the GCIA, GCFE, or SANS FOR572 syllabus through Indian academic mocks.
Topics covered:
- Wireshark display filter and BPF capture filter on a stored pcap
- tcpdump rotation with -G, -C, -W and strftime filename patterns
- PCAPng nanosecond timestamping for high-speed link forensics
- OSCAR methodology stages applied to a real network incident
- SPAN versus TAP placement under asymmetric routing
- Snort alerts, Suricata EVE JSON, and Zeek conn.log / http.log / dns.log triage
- SQL injection signature reading from web access logs
- Windows Event IDs 4624, 4625, 4672, 4688 in scenario context
Each item carries a three-paragraph explanation citing Wireshark, tcpdump, Snort, Suricata, Zeek, OWASP, Microsoft Learn, Cisco IOS, RFCs 5424, 5905, 7011, and Davidoff and Ham's Network Forensics text. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- Davidoff, Sherri and Ham, Jonathan. Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), Statistical Flow Analysis. Cited in 5 questions.
- Microsoft Documentation. Windows Event Logging reference, Security Audit Event 4624 and Logon Type values. Cited in 4 questions.
- OWASP Foundation. OWASP Web Security Testing Guide, Boolean-based SQL Injection and Authentication Bypass. Cited in 3 questions.
- Suricata Documentation. Open Information Security Foundation, Suricata User Guide, EVE JSON output format. Cited in 2 questions.
- Salesforce Engineering. JA3 SSL/TLS Client Fingerprinting specification and JA3S server fingerprint extension. Cited in 2 questions.
- tcpdump and libpcap project. tcpdump(1) manual page, flags -G, -C, -W and the strftime filename pattern. Cited in 2 questions.
- Cisco IOS Command Reference. Cisco IOS Configuration Fundamentals Command Reference, show ip arp and show mac address-table. Cited in 1 question.
- Wireshark Documentation and PCAPng specification. PCAPng Interface Description Block, if_tsresol option, and tcpdump --time-stamp-precision flag. Cited in 1 question.
- Wireshark Documentation. Wireshark User's Guide, Working with Captured Packets and the tshark/editcap utilities. Cited in 1 question.
- systemd documentation. journalctl(1) manual page, --unit, --since, --until, and --output flags. Cited in 1 question.
- The Honeynet Project. Know Your Enemy series, papers on Honeynet legal and operational issues. Cited in 1 question.
- IETF RFC 7011 and RFC 3954. IPFIX Protocol for the Exchange of Flow Information; Cisco NetFlow Services Export Version 9. Cited in 1 question.
- Zeek Documentation. Zeek (formerly Bro) User Manual, Chapter on Logs, including conn.log, http.log, dns.log. Cited in 1 question.
- Cisco Documentation and IETF RFC 5424. Cisco ASA Series Syslog Messages, severity-level reference; The Syslog Protocol. Cited in 1 question.
- Aircrack-ng Project and Kismet documentation. airodump-ng and Kismet User Guides on rogue access point detection. Cited in 1 question.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.