Digital Forensics: Network Attack Identification and Response Scenarios
Questions: 30 | Duration: 30 min | Faculty-reviewed: 0 | Updated: 20 May 2026
About this mock
Applied scenario drill on identifying common network attacks from forensic evidence: ARP poisoning visible in arp -a, DNS hijack versus cache poisoning versus typosquatting from packet samples, when DNSSEC would have blocked the attack, the choice between BCP 38 ingress filtering and unicast Reverse Path Forwarding (uRPF), recognising SYN flood versus UDP amplification from NetFlow records, distinguishing SSL stripping from HTTPS downgrade and from certificate misissuance, KRACK versus PMKID versus WPA2 dictionary attack on a wireless capture, rogue AP versus evil twin versus karma differentiation, reflection-versus-amplification ratios (DNS amp versus memcached amp), SQL injection class detection from response side-channels (error-based, blind boolean, time-based), OWASP Top 10 (2021) category mapping including A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection and A07 Identification and Authentication Failures, XSS reflected versus stored versus DOM by where the payload lives, CSRF versus SSRF as confused-deputy patterns, zero-day versus N-day timeline in responsible disclosure, deauthentication-flood evidence in 802.11 management frames, lateral movement versus initial access in MITRE ATT&CK terms, and phishing-kit fingerprinting through typosquat domains and Let's Encrypt certificate patterns.
This mock targets candidates preparing for the FACT entrance examination, MSc Digital Forensics aspirants at NFSU and central forensic-science universities, and working analysts mapping live incidents against syllabus categories. The scenario format mirrors what the FACT paper actually asks: the question describes evidence (a packet dump, a NetFlow record, an arp -a output, a log line) and asks which attack class fits and which mitigation applies.
Topics covered:
- ARP poisoning evidence in arp -a dumps and dynamic ARP inspection responses
- DNSSEC validation chain and when it would have blocked a forged answer
- BCP 38 versus unicast Reverse Path Forwarding (uRPF) for source-address validation
- Reflection and amplification ratios for DNS, NTP, and memcached
- WPA2 PMKID, KRACK key reinstallation, and WPA3 SAE Dragonblood
- OWASP Top 10 (2021) category mapping for IDOR, weak hashes, and Log4Shell
- SQL injection side-channels: error-based, boolean-based blind, time-based blind
- MITRE ATT&CK lateral movement, initial access, defense evasion, exfiltration
This 30-question, medium-difficulty pack is free to attempt and is reviewed against Stallings 8e, Kurose and Ross 8e, OWASP Top 10 (2021), the relevant IETF RFCs (2827, 3704, 4033, 6797, 6962), the IEEE 802.11 and 802.11w standards, the Vanhoef and Piessens KRACK paper, the Vanhoef and Ronen Dragonblood paper, NIST SP 800-115, Casey 3e, Nelson 6e, and current CERT-In advisories. Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 5 questions
- OWASP Foundation. Cross-Site Request Forgery Prevention and Server-Side Request Forgery Prevention Cheat Sheets. Open source; cited in 3 questions.
- CERT-In Advisory. Phishing campaigns targeting Indian banking customers and indicators of kit deployment. Open source; cited in 3 questions.
- OWASP Web Security Testing Guide. Testing for SQL Injection: union-based extraction and sqlmap fingerprinting. Open source; cited in 2 questions.
- cited in 1 question
- RFC 4033: DNS Security Introduction and Requirements. IETF, 2005, on resolver-level integrity and authentication. Open source; cited in 1 question.
- RFC 3704 (BCP 84): Ingress Filtering for Multihomed Networks. Baker and Savola, IETF, March 2004, on uRPF modes. Open source; cited in 1 question.
- Cloudflare Engineering Blog. Memcrashed: Major amplification attacks from UDP port 11211, February 2018. Open source; cited in 1 question.
- RFC 4035: Protocol Modifications for the DNS Security Extensions. IETF, 2005, on validating resolvers and the AD bit. Open source; cited in 1 question.
- Cisco Systems. Catalyst LAN Switch Security: DHCP Snooping and Dynamic ARP Inspection configuration guide. Cited in 1 question.
- Dai Zovi, Dino; Macaulay, Shane. Attacking Automatic Wireless Network Selection, 2005. Cited in 1 question.
- cited in 1 question
- IEEE 802.11i-2004 and 802.11-2020. WPA2 four-way handshake, MIC computation, and offline PSK recovery. Cited in 1 question.
- cited in 1 question
- CERT/CC Vulnerability Disclosure Policy. Carnegie Mellon Software Engineering Institute, on zero-day, N-day and responsible disclosure timelines. Cited in 1 question.
- IEEE 802.11w-2009 and 802.11-2020. Management Frame Protection (MFP) and protection of robust management frames. Cited in 1 question.
- Akamai State of the Internet Security Report. DDoS attack-vector taxonomy, SYN flood and reflection categories. Cited in 1 question.
- Casey, Eoghan. Digital Evidence and Computer Crime, 3rd Edition (Academic Press), chapter on Network Investigations. Cited in 1 question.
- RFC 6797: HTTP Strict Transport Security (HSTS). IETF, 2012, on bare-hostname risk and downgrade protection. Open source; cited in 1 question.
- cited in 1 question
- cited in 1 question
- Vanhoef, Mathy; Ronen, Eyal. Dragonblood: Analysing the Dragonfly Handshake of WPA3, IEEE S&P 2020. Open source.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt; this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.