Digital Forensics | easy | Premium

Digital Forensics: Virtual Machine and Cloud Forensics

Questions: 30

Duration: 30 min

Faculty-reviewed: 0

Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

FACT Digital Forensics paper drill on virtual machine and cloud forensics, covering hypervisor types under the Type 1 bare-metal model with VMware ESXi, Xen, Hyper-V, and KVM, the Type 2 hosted model with VMware Workstation, VirtualBox, and Parallels, virtual disk formats including VMDK on VMware, VHD and VHDX on Microsoft Hyper-V, QCOW2 on QEMU and KVM, and VDI on VirtualBox, thin and thick provisioning, VM snapshot artefacts such as .vmsn, .vmem, delta .vmdk, and .vmss suspended-state files, the .vmx configuration file and .nvram BIOS variables, live versus cold acquisition, forensic mounting of virtual disks using FTK Imager, vmware-mount, and qemu-nbd, the VM escape attack class, and the cloud forensics framework drawn from NIST SP 800-145 service and deployment models, NIST IR 8006 forensic challenges, NIST SP 800-86 procedural guidance, the US CLOUD Act 2018, and the Indian Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, with provider-specific evidence sources including AWS CloudTrail and VPC flow logs, Azure Activity Log, Google Cloud Audit Logs, S3 object versioning, and ephemerality concerns in managed containers and serverless functions on Lambda, Azure Functions, and Cloud Functions.

For FACT aspirants and MSc digital forensics students working through virtualisation and cloud modules, and useful as a revision pass before NFSU MSc, GCFA, CCSK, CHFI, and CCSP exams. Questions emphasise definitions, vendor mapping, evidence-source identification, and the Indian and US legal framework for cross-border cloud investigations.

Topics covered:

  • Hypervisor types and disk formats: ESXi, Hyper-V, VirtualBox, KVM, VMDK, VHDX, QCOW2, VDI
  • VM snapshot, memory, and configuration artefacts: .vmsn, .vmem, .vmss, .vmx, .nvram
  • Live versus cold acquisition and forensic mounting with FTK Imager and qemu-nbd
  • NIST SP 800-145 cloud service and deployment models
  • NIST IR 8006 multi-tenancy and ephemerality challenges
  • CLOUD Act 2018 and IT (Intermediary Guidelines) Rules 2021
  • AWS, Azure, and Google Cloud evidence sources
  • Container and serverless forensic limitations

Useful for revision and self-testing before the FACT Digital Forensics paper.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • VMware, Inc. vSphere documentation: Understanding Virtual Machine Snapshots and Snapshot Files (cited in 7 questions)
  • NIST. NIST IR 8006, Cloud Computing Forensic Science Challenges (2020 draft), Multi-tenancy challenge (cited in 7 questions)
  • Amazon Web Services. Amazon VPC Flow Logs documentation, log record format and use cases (cited in 4 questions)
  • Nelson, Bill; Phillips, Amelia; Steuart, Christopher. Guide to Computer Forensics and Investigations, 6th Edition (Cengage), Chapter on Virtual Machine Forensics (cited in 2 questions)
  • Google Cloud. Google App Engine product documentation, overview of the managed runtime model (cited in 2 questions)
  • Microsoft Corporation. Microsoft Azure documentation, Azure Activity Log overview (cited in 2 questions)
  • QEMU Project. QEMU documentation: qemu-nbd man page, exporting disk images as network block devices (cited in 2 questions)
  • United States Congress. Clarifying Lawful Overseas Use of Data (CLOUD) Act, Pub. L. 115-141, Division V (2018) (cited in 1 question)
  • Ministry of Electronics and Information Technology, Government of India. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (cited in 1 question)
  • Exterro / AccessData. FTK Imager User Guide: mounting disk images including VMDK as read-only volumes (cited in 1 question)
  • Oracle Corporation. Oracle VirtualBox User Manual, Chapter on Virtual Storage and the VDI format (cited in 1 question)

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Virtual Machine and Cloud Forensics mock cover?

FACT Digital Forensics paper drill on virtual machine and cloud forensics, covering hypervisor types under the Type 1 bare-metal model with VMware ESXi, Xen, Hyper-V, and KVM, the Type 2 hosted model with VMware Workstation, VirtualBox, and Parallels, virtual disk formats including VMDK on VMware, VHD and VHDX on Microsoft Hyper-V, QCOW2 on QEMU and KVM, and VDI on VirtualBox, thin and thick provisioning, VM snapshot artefacts such as .vmsn, .vmem, delta .vmdk, and .vmss suspended-state files, t

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
