Digital Forensics: Network Attack Identification and Response Scenarios
Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Topics covered:
Applied scenario drill on identifying common network attacks from forensic evidence. Link layer and DNS: ARP poisoning visible in arp -a; DNS hijack versus cache poisoning versus typosquatting from packet samples, and when DNSSEC would have blocked the attack. Spoofing and volumetric attacks: the choice between BCP 38 ingress filtering and unicast Reverse Path Forwarding (uRPF); recognising SYN flood versus UDP amplification from NetFlow records; reflection-versus-amplification ratios (DNS amp versus memcached amp). Transport security: distinguishing SSL stripping from HTTPS downgrade and from certificate misissuance. Wireless: KRACK versus PMKID versus WPA2 dictionary attack on a wireless capture; rogue AP versus evil twin versus karma differentiation; deauthentication-flood evidence in 802.11 management frames. Web application: SQL injection class detection from response side-channels (error-based, blind boolean, time-based); OWASP Top 10 (2021) category mapping including A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection and A07 Identification and Authentication Failures; XSS reflected versus stored versus DOM by where the payload lives; CSRF versus SSRF as confused-deputy patterns. Incident context: zero-day versus N-day timeline in responsible disclosure; lateral movement versus initial access in MITRE ATT&CK terms; and phishing-kit fingerprinting through typosquat domains and Let's Encrypt certificate patterns.
This mock targets candidates preparing for the FACT entrance examination, MSc Digital Forensics aspirants at NFSU and central forensic-science universities, and working analysts mapping live incidents against syllabus categories. The scenario format mirrors what the FACT paper actually asks: the question describes evidence (a packet dump, a NetFlow record, an arp -a output, a log line) and asks which attack class fits and which mitigation applies.
This 30-question, medium-difficulty pack is free to attempt and is reviewed against Stallings 8e, Kurose and Ross 8e, OWASP Top 10 (2021), the relevant IETF RFCs (2827, 3704, 4033, 6797, 6962), the IEEE 802.11 and 802.11w standards, the Vanhoef and Piessens KRACK paper, the Vanhoef and Ronen Dragonblood paper, NIST SP 800-115, Casey 3e, Nelson 6e, and current CERT-In advisories. Allow 30 minutes.
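Two of the evidence types above, SYN flood versus UDP amplification from NetFlow records and the reflection-versus-amplification ratio, are the kind of thing an analyst should be able to decide programmatically rather than by eye. The script below is an added example and is not ForensicSpot material or part of the mock. The flow field names, the classification thresholds (min_sources, syn_share) and the sample records are assumptions; the addresses are RFC 5737 documentation space. It looks for the SYN-flood signature (a large share of single-packet, SYN-only flows from many distinct sources to one server) and for reflection (UDP arriving from a well-known service port), and where the reflector's side also exported the spoofed requests it computes the bandwidth amplification factor as response bytes divided by request bytes, which is what separates plain reflection from amplification.

```python
"""Classify constructed NetFlow-style records into SYN flood versus UDP
reflection/amplification and compute the bandwidth amplification factor (BAF).

Added example, not ForensicSpot material. Field names, thresholds and the
sample flows are assumptions; addresses are RFC 5737 documentation space.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10            # TCP flag bits as exported in a NetFlow tcp_flags field
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    proto: str      # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int     # layer-3 bytes, as NetFlow counts them
    flags: int = 0  # cumulative TCP flags seen in the flow


def analyze(flows, victim, min_sources=50, syn_share=0.8):
    """Return a verdict dict for `victim` built from the flow records."""
    # SYN flood: many SYN-only (no ACK) flows from many distinct sources to one
    # server, i.e. half-open connections that are never completed.
    tcp_in = [f for f in flows if f.proto == "TCP" and f.dst == victim]
    syn_only = [f for f in tcp_in if f.flags & SYN and not f.flags & ACK]
    syn_srcs = {f.src for f in syn_only}
    syn_flood = (len(tcp_in) > 0
                 and len(syn_only) / len(tcp_in) >= syn_share
                 and len(syn_srcs) >= min_sources)

    # Reflection: UDP *from* a service port *to* the victim. If the spoofed
    # requests (src == victim) were also exported, BAF = response / request bytes.
    req_bytes, resp_bytes = defaultdict(int), defaultdict(int)
    resp_pkts, reflectors = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src == victim and f.dport in REFLECTOR_PORTS:
            req_bytes[REFLECTOR_PORTS[f.dport]] += f.nbytes
        elif f.dst == victim and f.sport in REFLECTOR_PORTS:
            svc = REFLECTOR_PORTS[f.sport]
            resp_bytes[svc] += f.nbytes
            resp_pkts[svc] += f.packets
            reflectors[svc].add(f.src)

    amplification = {}
    for svc, out in resp_bytes.items():
        baf = out / req_bytes[svc] if req_bytes[svc] else None
        if baf is None:
            verdict = "reflection suspected (request side not captured)"
        elif baf >= 2:
            verdict = "amplification"
        else:
            verdict = "reflection without amplification"
        amplification[svc] = {
            "reflectors": len(reflectors[svc]),
            "response_bytes": out,
            "bytes_per_packet": out / resp_pkts[svc],
            "baf": baf,
            "verdict": verdict,
        }
    return {"syn_flood": syn_flood, "syn_sources": len(syn_srcs),
            "amplification": amplification}


VICTIM = "198.51.100.10"


def sample_flows():
    """Constructed records: a SYN flood on :443 plus DNS and memcached reflection."""
    flows = [Flow("TCP", f"203.0.113.{i % 254 + 1}", 40000 + i, VICTIM, 443, 1, 60, SYN)
             for i in range(200)]
    # One legitimate completed handshake for contrast (ACK seen, many packets).
    flows.append(Flow("TCP", "192.0.2.200", 51000, VICTIM, 443, 12, 3400, SYN | ACK))
    for i in range(1, 4):                       # three open DNS resolvers
        r = f"192.0.2.{i}"
        flows.append(Flow("UDP", VICTIM, 3333, r, 53, 10, 600))      # spoofed queries
        flows.append(Flow("UDP", r, 53, VICTIM, 3333, 30, 30000))    # large responses
    for i in (10, 11):                          # two Internet-exposed memcached servers
        r = f"192.0.2.{i}"
        flows.append(Flow("UDP", VICTIM, 4444, r, 11211, 10, 150))
        flows.append(Flow("UDP", r, 11211, VICTIM, 4444, 1100, 1500000))
    return flows


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(sample_flows(), VICTIM), indent=2))
```

On the constructed data the DNS reflectors come out at a BAF of 50 and the memcached servers at 10000, which is the order-of-magnitude gap the exam expects you to recognise; the lone completed handshake is excluded from the SYN-only count because its cumulative flags include ACK. When only the victim's edge exported flows, the request side is absent and the function reports reflection as suspected rather than inventing a ratio.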
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.