Digital Forensics | Medium | Premium

Digital Forensics: Virtual Machine and Cloud Forensic Scenarios

Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

FACT Digital Forensics paper drill on applied virtual machine and cloud forensic scenarios, sitting one level above the introductory definitions mock on the same syllabus. Questions place the candidate inside a specific case and ask which technique applies: choosing between live and offline acquisition for a fileless guest, picking the right VMware artefact (.vmem at a snapshot, .vmss at a suspend, .vmsn for metadata), mounting VMDK chains and Hyper-V .avhdx differencing disks as ordered overlays, converting QCOW2 to raw with qemu-img convert, reading vmware.log for VM escape signals, inspecting VMFS datastores through vmfs-tools, recognising MITRE ATT&CK T1497 anti-VM checks via CPUID and MAC OUI, walking the Docker OverlayFS layer stack, retaining Kubernetes emptyDir evidence by shipping logs, acquiring vSAN through the API rather than by pulling drives, and choosing in-guest tools such as LiME or AVML for live memory. The cloud half tests log-source selection between CloudTrail, VPC Flow Logs, CloudWatch Logs, and S3 access logs, the iam:CreateAccessKey to iam:AttachUserPolicy escalation chain under MITRE T1098, the volatile-first acquisition order paired with EBS snapshot copy across accounts and regions, multi-tenancy under NIST IR 8006, KMS misuse evidence (key policy, grants, last-used), least-privilege failures in IAM JSON, the interaction of CLOUD Act 2018, IT Rules 2021, and DPDP Act 2023, MLAT preservation requests, Lambda forensics through CloudWatch Logs only, Azure Diagnostic Settings for Resource Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, CloudTrail digest-chain tampering indicators, and S3 Object Lock compliance mode plus MFA Delete for legal hold.

For FACT digital-forensics aspirants and MSc students working through applied virtualisation and cloud incident-response scenarios, useful as a revision pass before NFSU MSc, GCFA, SANS FOR509, CCSP, and AWS Security Specialty exams. Questions emphasise picking the right technique under a specific scenario rather than reciting definitions, with Indian and US legal anchors for cross-border cloud cases.

Topics covered:

  • Live vs offline VM acquisition for fileless and snapshot scenarios
  • VMware .vmem, .vmss, .vmsn, .vmx, VMDK chains and ESXi VMFS datastores
  • Hyper-V .avhdx checkpoint chains and VirtualBox .vbox and .vdi files
  • QCOW2 to raw conversion with qemu-img and qemu-nbd cross-format mounting
  • Container OverlayFS layers and Kubernetes emptyDir evidence retention
  • AWS log-source selection: CloudTrail, VPC Flow Logs, CloudWatch, S3 access logs
  • IAM escalation chains, KMS audit, least-privilege failures, MITRE T1098 and T1497
  • EBS snapshot acquisition order and cross-region cross-account chain-of-custody
  • CLOUD Act 2018, IT Rules 2021, DPDP Act 2023, MLAT preservation requests
  • Lambda, Azure Resource Logs, GCP Audit Log streams, CloudTrail integrity, S3 Object Lock

Useful for revision and self-testing before the FACT Digital Forensics paper.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Amazon Web Services: AWS CloudTrail and VPC Flow Logs user guides on event records and flow record formats (open source; cited in 9 questions)
  • VMware, Inc.: VMware documentation on virtual machine file types and the vmss2core utility for memory dumps (open source; cited in 6 questions)
  • QEMU Project: QEMU documentation, qemu-img command reference and format conversion (open source; cited in 2 questions)
  • MITRE Corporation: MITRE ATT&CK Technique T1098, Account Manipulation, with AWS sub-technique mappings (open source; cited in 2 questions)
  • Microsoft Corporation: Microsoft documentation on the VHDX format, differencing disks, and Hyper-V checkpoints (open source; cited in 2 questions)
  • Microsoft: Microsoft AVML project documentation for Linux memory acquisition (open source; cited in 1 question)
  • Docker, Inc.: Docker documentation on storage drivers and the overlay2 driver internals (open source; cited in 1 question)
  • Government of India and Microsoft: Ministry of Home Affairs MLAT guidance and the Microsoft Online Services Law Enforcement Requests Portal (open source; cited in 1 question)
  • Cloud Native Computing Foundation: Kubernetes documentation on emptyDir volumes and pod lifecycle (open source; cited in 1 question)
  • Ligh, Case, Levy, Walters: The Art of Memory Forensics, chapter on acquiring memory from virtual machines (cited in 1 question)
  • Google Cloud: Google Cloud documentation on Cloud Audit Logs streams (Admin Activity, Data Access, System Event, Policy Denied) (open source; cited in 1 question)
  • NIST Interagency Report 8006: NIST Cloud Computing Forensic Science Challenges, multi-tenancy and architecture sections (open source; cited in 1 question)
  • Oracle Corporation: Oracle VirtualBox User Manual, configuration files and the .vbox XML format (open source; cited in 1 question)
  • United States Congress and Government of India: CLOUD Act 2018 (Pub. L. 115-141, Div. V), IT Rules 2021, Digital Personal Data Protection Act 2023 (open source; cited in 1 question)

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
