Skip to content
Digital Forensicseasy Premium

Digital Forensics: Web Browser and Email Forensics

Published:

Questions

30

Duration

30 min

Faculty-reviewed

0

Updated

20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

FACT Digital Forensics paper drill on web browser artefacts and email forensics, covering HTTP cookies and their lifetime, HttpOnly, Secure, and SameSite attributes under RFC 6265, the on-disk layout of Chrome (SQLite History database, Bookmarks JSON file, Login Data with Windows DPAPI, Cache directory) and Firefox (places.sqlite with moz_places, moz_historyvisits, moz_bookmarks), timestamp epochs including the Chrome 1601 UTC microsecond base and the Firefox Unix epoch microsecond base, the Chrome downloads table inside History, macOS Keychain for browser credentials, private and incognito browsing residue in DNS cache and RAM, session restore through sessionstore and Current Session files, the Hindsight cross-browser parsing tool, the email protocol family of SMTP under RFC 5321 on ports 25 and 587, POP3 under RFC 1939 on ports 110 and 995, and IMAP under RFC 3501 on ports 143 and 993, the MIME family beginning at RFC 2045 for multipart and base64 and quoted-printable encoding, the MUA, MTA, and MDA decomposition of mail delivery, Received header reading bottom-up, Message-ID uniqueness, Return-Path versus header From mismatch as a spoof indicator, DKIM under RFC 6376, DMARC under RFC 7489, the PST and OST Outlook storage formats with the local-versus-cache distinction, the MBOX concatenated-message format for Thunderbird and Apple Mail, the EML single-message export, phishing display-name and lookalike-domain indicators, and Section 66D IT Act 2000 for cheating by personation through computer resource.

For FACT aspirants and MSc digital forensics students working through browser-forensics and email-forensics modules, and useful as a revision pass before NFSU MSc, GCFA, CHFI, and Security+ exams. Questions emphasise the canonical artefact paths on Windows and macOS, the RFC numbers and well-known ports that underpin email transport, and the Indian statutory framework under the IT Act 2000 with its 2008 amendment.

Topics covered:

  • Cookies: session vs persistent, HttpOnly, Secure, SameSite
  • Chrome and Firefox profile artefacts: History, Bookmarks, places.sqlite
  • Browser timestamps: Chrome 1601 epoch vs Firefox Unix epoch microseconds
  • Saved passwords: Chrome Login Data + DPAPI, macOS Keychain
  • Cache, downloads, session restore, and private-browsing residue
  • Email protocols: SMTP (RFC 5321), POP3 (RFC 1939), IMAP (RFC 3501), MIME
  • Email headers: Received chain, Message-ID, Return-Path, DKIM, DMARC
  • Mail storage formats (PST, OST, MBOX, EML) and Section 66D IT Act 2000

Useful for revision and self-testing before the FACT Digital Forensics paper.

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • IETF RFC 6265

    HTTP State Management Mechanism, Section 5.2.6 (The HttpOnly Attribute)

    Open source
    cited in 3 questions
  • IETF RFC 5321

    Simple Mail Transfer Protocol specification, replacing RFC 2821

    Open source
    cited in 3 questions
  • Nelson, Bill; Phillips, Amelia; Steuart, Christopher

    Guide to Computer Forensics and Investigations, 6th Edition (Cengage), Chapter on Browser and Internet Forensics

    cited in 3 questions
  • Microsoft Learn

    Windows Data Protection API (DPAPI) overview and the CryptProtectData function

    Open source
    cited in 3 questions
  • Mozilla Developer Network

    Session restore and the sessionstore.jsonlz4 file format inside the Firefox profile

    Open source
    cited in 2 questions
  • Casey, Eoghan

    Digital Evidence and Computer Crime, 3rd Edition (Academic Press, 2011), Chapter on E-mail Investigations

    cited in 2 questions
  • Hindsight Project

    Hindsight Chrome internet history parser, downloads table mapping

    Open source
    cited in 2 questions
  • IETF RFC 5322

    Internet Message Format and its use as the EML single-message export representation

    Open source
    cited in 2 questions
  • CERT-In

    Advisories on phishing and display-name spoofing in Indian banking and tax fraud

    Open source
    cited in 1 question
  • IETF RFC 7489

    Domain-based Message Authentication, Reporting, and Conformance (DMARC) specification

    Open source
    cited in 1 question
  • Google Chrome Help

    Browse in private and how incognito mode handles browsing data

    Open source
    cited in 1 question
  • IETF RFC 3501

    Internet Message Access Protocol Version 4rev1 (IMAP4rev1) specification

    Open source
    cited in 1 question
  • Information Technology Act, 2000

    Section 66D: Punishment for cheating by personation by using computer resource (inserted by the 2008 amendment)

    Open source
    cited in 1 question
  • IETF RFC 6376

    DomainKeys Identified Mail (DKIM) Signatures specification

    Open source
    cited in 1 question
  • Apple Developer Documentation

    Keychain Services overview and the Security framework reference

    Open source
    cited in 1 question
  • IETF draft-ietf-httpbis-rfc6265bis

    Cookies: HTTP State Management Mechanism, the SameSite Attribute

    Open source
    cited in 1 question
  • IETF RFC 2045

    Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies

    Open source
    cited in 1 question
  • IETF RFC 1939

    Post Office Protocol Version 3 (POP3) specification

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Digital Forensics: Web Browser and Email Forensics mock cover?+

FACT Digital Forensics paper drill on web browser artefacts and email forensics, covering HTTP cookies and their lifetime, HttpOnly, Secure, and SameSite attributes under RFC 6265, the on-disk layout of Chrome (SQLite History database, Bookmarks JSON file, Login Data with Windows DPAPI, Cache directory) and Firefox (places.sqlite with moz_places, moz_historyvisits, moz_bookmarks), timestamp epochs including the Chrome 1601 UTC microsecond base and the Firefox Unix epoch microsecond base, the Chr

How many questions and how long is the test?+

30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.

Who is this mock for?+

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?+

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?+

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.