Digital Forensics | medium | Premium

Digital Forensics: Network Attack Identification and Response Scenarios

Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Applied scenario drill on identifying common network attacks from forensic evidence: ARP poisoning visible in arp -a, DNS hijack versus cache poisoning versus typosquatting from packet samples, when DNSSEC would have blocked the attack, the choice between BCP 38 ingress filtering and unicast Reverse Path Forwarding (uRPF), recognising SYN flood versus UDP amplification from NetFlow records, distinguishing SSL stripping from HTTPS downgrade and from certificate misissuance, KRACK versus PMKID versus WPA2 dictionary attack on a wireless capture, rogue AP versus evil twin versus karma differentiation, reflection-versus-amplification ratios (DNS amp versus memcached amp), SQL injection class detection from response side-channels (error-based, blind boolean, time-based), OWASP Top 10 (2021) category mapping including A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection and A07 Identification and Authentication Failures, XSS reflected versus stored versus DOM by where the payload lives, CSRF versus SSRF as confused-deputy patterns, zero-day versus N-day timeline in responsible disclosure, deauthentication-flood evidence in 802.11 management frames, lateral movement versus initial access in MITRE ATT&CK terms, and phishing-kit fingerprinting through typosquat domains and Let's Encrypt certificate patterns.

This mock targets candidates preparing for the FACT entrance examination, MSc Digital Forensics aspirants at NFSU and central forensic-science universities, and working analysts mapping live incidents against syllabus categories. The scenario format mirrors what the FACT paper actually asks: the question describes evidence (a packet dump, a NetFlow record, an arp -a output, a log line) and asks which attack class fits and which mitigation applies.

Topics covered:

  • ARP poisoning evidence in arp -a dumps and dynamic ARP inspection responses
  • DNSSEC validation chain and when it would have blocked a forged answer
  • BCP 38 versus unicast Reverse Path Forwarding (uRPF) for source-address validation
  • Reflection and amplification ratios for DNS, NTP, and memcached
  • WPA2 PMKID, KRACK key reinstallation, and WPA3 SAE Dragonblood
  • OWASP Top 10 (2021) category mapping for IDOR, weak hashes, and Log4Shell
  • SQL injection side-channels: error-based, boolean-based blind, time-based blind
  • MITRE ATT&CK lateral movement, initial access, defense evasion, exfiltration

This 30-question, medium-difficulty pack is free to attempt and is reviewed against Stallings 8e, Kurose and Ross 8e, OWASP Top 10 (2021), the relevant IETF RFCs (2827, 3704, 4033, 6797, 6962), the IEEE 802.11 and 802.11w standards, the Vanhoef and Piessens KRACK paper, the Vanhoef and Ronen Dragonblood paper, NIST SP 800-115, Casey 3e, Nelson 6e, and current CERT-In advisories. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • OWASP Foundation. Cross-Site Request Forgery Prevention and Server-Side Request Forgery Prevention Cheat Sheets. Open source; cited in 5 questions.
  • CERT-In Advisory. Phishing campaigns targeting Indian banking customers and indicators of kit deployment. Open source; cited in 3 questions.
  • OWASP Web Security Testing Guide. Testing for SQL Injection: union-based extraction and sqlmap fingerprinting. Open source; cited in 3 questions.
  • US-CERT Alert TA14-017A. UDP-Based Amplification Attacks, with DNS amplification ratio guidance. Open source; cited in 2 questions.
  • RFC 4033: DNS Security Introduction and Requirements. IETF, 2005, on resolver-level integrity and authentication. Open source; cited in 1 question.
  • RFC 3704 (BCP 84): Ingress Filtering for Multihomed Networks. Baker and Savola, IETF, March 2004, on uRPF modes. Open source; cited in 1 question.
  • Cloudflare Engineering Blog. Memcrashed: Major amplification attacks from UDP port 11211, February 2018. Open source; cited in 1 question.
  • RFC 4035: Protocol Modifications for the DNS Security Extensions. IETF, 2005, on validating resolvers and the AD bit. Open source; cited in 1 question.
  • Cisco Systems. Catalyst LAN Switch Security: DHCP Snooping and Dynamic ARP Inspection configuration guide. Cited in 1 question.
  • Dai Zovi, Dino; Macaulay, Shane. Attacking Automatic Wireless Network Selection, 2005. Cited in 1 question.
  • RFC 6962: Certificate Transparency. IETF, 2013, on append-only logs of issued certificates. Open source; cited in 1 question.
  • IEEE 802.11i-2004 and 802.11-2020. WPA2 four-way handshake, MIC computation, and offline PSK recovery. Cited in 1 question.
  • MITRE ATT&CK Framework. Tactics TA0001 Initial Access and TA0008 Lateral Movement. Open source; cited in 1 question.
  • CERT/CC Vulnerability Disclosure Policy. Carnegie Mellon Software Engineering Institute, on zero-day, N-day and responsible disclosure timelines. Cited in 1 question.
  • IEEE 802.11w-2009 and 802.11-2020. Management Frame Protection (MFP) and protection of robust management frames. Cited in 1 question.
  • Akamai State of the Internet Security Report. DDoS attack-vector taxonomy, SYN flood and reflection categories. Cited in 1 question.
  • Casey, Eoghan. Digital Evidence and Computer Crime, 3rd Edition (Academic Press), chapter on Network Investigations. Cited in 1 question.
  • RFC 6797: HTTP Strict Transport Security (HSTS). IETF, 2012, on bare-hostname risk and downgrade protection. Open source; cited in 1 question.
  • Steube, Jens; Vanhoef, Mathy. PMKID attack on WPA2 Personal, hashcat advisory, August 2018. Open source; cited in 1 question.
  • RFC 2827 (BCP 38): Network Ingress Filtering. Ferguson and Senie, IETF, May 2000. Open source; cited in 1 question.
  • Vanhoef, Mathy; Ronen, Eyal. Dragonblood: Analysing the Dragonfly Handshake of WPA3, IEEE S&P 2020. Open source; cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
