Digital Forensics: Web Browser and Email Forensics
Published:
Questions
30
Duration
30 min
Faculty-reviewed
0
Updated
20 May 2026
About this mock
FACT Digital Forensics paper drill on web browser artefacts and email forensics, covering HTTP cookies and their lifetime, HttpOnly, Secure, and SameSite attributes under RFC 6265, the on-disk layout of Chrome (SQLite History database, Bookmarks JSON file, Login Data with Windows DPAPI, Cache directory) and Firefox (places.sqlite with moz_places, moz_historyvisits, moz_bookmarks), timestamp epochs including the Chrome 1601 UTC microsecond base and the Firefox Unix epoch microsecond base, the Chrome downloads table inside History, macOS Keychain for browser credentials, private and incognito browsing residue in DNS cache and RAM, session restore through sessionstore and Current Session files, the Hindsight cross-browser parsing tool, the email protocol family of SMTP under RFC 5321 on ports 25 and 587, POP3 under RFC 1939 on ports 110 and 995, and IMAP under RFC 3501 on ports 143 and 993, the MIME family beginning at RFC 2045 for multipart and base64 and quoted-printable encoding, the MUA, MTA, and MDA decomposition of mail delivery, Received header reading bottom-up, Message-ID uniqueness, Return-Path versus header From mismatch as a spoof indicator, DKIM under RFC 6376, DMARC under RFC 7489, the PST and OST Outlook storage formats with the local-versus-cache distinction, the MBOX concatenated-message format for Thunderbird and Apple Mail, the EML single-message export, phishing display-name and lookalike-domain indicators, and Section 66D IT Act 2000 for cheating by personation through computer resource.
For FACT aspirants and MSc digital forensics students working through browser-forensics and email-forensics modules, and useful as a revision pass before NFSU MSc, GCFA, CHFI, and Security+ exams. Questions emphasise the canonical artefact paths on Windows and macOS, the RFC numbers and well-known ports that underpin email transport, and the Indian statutory framework under the IT Act 2000 with its 2008 amendment.
Topics covered:
- Cookies: session vs persistent, HttpOnly, Secure, SameSite
- Chrome and Firefox profile artefacts: History, Bookmarks, places.sqlite
- Browser timestamps: Chrome 1601 epoch vs Firefox Unix epoch microseconds
- Saved passwords: Chrome Login Data + DPAPI, macOS Keychain
- Cache, downloads, session restore, and private-browsing residue
- Email protocols: SMTP (RFC 5321), POP3 (RFC 1939), IMAP (RFC 3501), MIME
- Email headers: Received chain, Message-ID, Return-Path, DKIM, DMARC
- Mail storage formats (PST, OST, MBOX, EML) and Section 66D IT Act 2000
Useful for revision and self-testing before the FACT Digital Forensics paper.
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 3 questions
- cited in 3 questions
- cited in 3 questions
Nelson, Bill; Phillips, Amelia; Steuart, Christopher
Guide to Computer Forensics and Investigations, 6th Edition (Cengage), Chapter on Browser and Internet Forensics
- cited in 3 questions
Microsoft Learn
Windows Data Protection API (DPAPI) overview and the CryptProtectData function
Open source - cited in 2 questions
Mozilla Developer Network
Session restore and the sessionstore.jsonlz4 file format inside the Firefox profile
Open source - cited in 2 questions
Casey, Eoghan
Digital Evidence and Computer Crime, 3rd Edition (Academic Press, 2011), Chapter on E-mail Investigations
- cited in 2 questions
- cited in 2 questions
IETF RFC 5322
Internet Message Format and its use as the EML single-message export representation
Open source - cited in 1 question
- cited in 1 question
IETF RFC 7489
Domain-based Message Authentication, Reporting, and Conformance (DMARC) specification
Open source - cited in 1 question
- cited in 1 question
- cited in 1 question
Information Technology Act, 2000
Section 66D: Punishment for cheating by personation by using computer resource (inserted by the 2008 amendment)
Open source - cited in 1 question
- cited in 1 question
Apple Developer Documentation
Keychain Services overview and the Security framework reference
Open source - cited in 1 question
IETF draft-ietf-httpbis-rfc6265bis
Cookies: HTTP State Management Mechanism, the SameSite Attribute
Open source - cited in 1 question
IETF RFC 2045
Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies
Open source - cited in 1 question
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Digital Forensics: Web Browser and Email Forensics mock cover?+
FACT Digital Forensics paper drill on web browser artefacts and email forensics, covering HTTP cookies and their lifetime, HttpOnly, Secure, and SameSite attributes under RFC 6265, the on-disk layout of Chrome (SQLite History database, Bookmarks JSON file, Login Data with Windows DPAPI, Cache directory) and Firefox (places.sqlite with moz_places, moz_historyvisits, moz_bookmarks), timestamp epochs including the Chrome 1601 UTC microsecond base and the Firefox Unix epoch microsecond base, the Chr
How many questions and how long is the test?+
30 multiple-choice questions, 30 minutes total. Difficulty: easy. Tier: Premium.
Who is this mock for?+
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?+
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?+
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.