Digital Forensics: Web Browser and Email Investigation Scenarios
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
About this mock
Applied scenario drill on web-browser and email forensics for FACT aspirants, pitched one level above the introductory mock. Questions move past definitions into the kind of decisions an investigator actually makes at the bench: writing the right SQL join across Chrome's urls, visits, and visit_source tables; converting a Chrome timestamp from microseconds since 1601 UTC into a calendar date; recognising why a SameSite=None cookie without Secure was rejected; deciding whether a body-hash mismatch on a DKIM signature points to a transit footer or to a header rewrite; tracing a multi-hop Received chain bottom-up to the host that actually submitted the message; reading an OST orphan condition after Active Directory disabled the account; choosing PST, OST, MBOX, or emlx for the workstation in front of you; and applying Section 66D of the IT Act 2000 to a bank-impersonation phishing case.
The mock is calibrated for MSc Forensic Science aspirants preparing for the FACT entrance, the cyber stream of the NFSU MSc, and CHFI or GCFA candidates who want a focused drill on Chromium and Firefox artefacts, MIME parsing, SPF, DKIM, DMARC alignment failures, and standard email containers. Each question is rooted in a verifiable primary source: RFC 5321, 5322, 1939, 3501, 2045 to 2049, 6376, 7208, and 7489 for protocol behaviour; Microsoft Learn for OST, PST, DPAPI, and ESE; Apple Developer for the Keychain; the Chromium source tree and Mozilla Source Docs for browser internals; and the IT Act 2000 for the Indian statutory anchor.
Topics covered:
- Chrome History database joins and FILETIME-based timestamp arithmetic
- Firefox places.sqlite, sessionstore-backups jsonlz4 framing, and Edge WebCacheV01.dat ESE access
- Cookie attribute semantics, including the SameSite=None Secure rule, HTTP cache reconstruction, and ETag revalidation
- Browser credential stores on Windows and macOS, DPAPI and Keychain key wrapping
- Incognito leak vectors across pagefile, hiberfil, and the OS DNS resolver cache
- Multi-hop Received chain reading, X-Originating-IP reliability, and Message-ID anchoring
- MIME multipart parsing, base64 versus quoted-printable, and DKIM body-hash failure modes
- SPF, DKIM, DMARC alignment outcomes and aggregate versus forensic reporting
- PST, OST, MBOX, and emlx selection per platform, OST orphan handling, single-instance attachment recovery
- Section 66D IT Act 2000 in a phishing-impersonation case
Allow 30 minutes.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- cited in 6 questions
Microsoft Learn
Windows Data Protection API (DPAPI), master key storage under AppData Roaming Microsoft Protect
Open source - cited in 4 questions
Chromium Project Source
net/disk_cache layout, data_N block files and Cache_Data large-entry storage
Open source - cited in 4 questions
- cited in 2 questions
- cited in 2 questions
Hindsight Project
Hindsight Chrome internet history parser, downloads_url_chains schema notes
Open source - cited in 2 questions
IETF RFC 7489
Domain-based Message Authentication, Reporting, and Conformance, Section 3.1 Identifier Alignment
Open source - cited in 1 question
IETF RFC 5321
Simple Mail Transfer Protocol, Section 4.4 Trace Information and the Received header
Open source - cited in 1 question
IETF draft-ietf-httpbis-rfc6265bis
HTTP State Management Mechanism, SameSite=None and the Secure requirement
Open source - cited in 1 question
IETF RFC 2046
MIME Part Two: Media Types, multipart/related and multipart/alternative semantics
Open source - cited in 1 question
IETF RFC 7208
Sender Policy Framework, Section 2.4 Mail from Identity and what SPF authenticates
Open source - cited in 1 question
Apple Developer Documentation
Keychain Services overview and the Security framework reference
Open source - cited in 1 question
Information Technology Act 2000
Section 66D, Punishment for cheating by personation by using computer resource
Open source - cited in 1 question
- cited in 1 question
IETF RFC 6376
DomainKeys Identified Mail Signatures, Section 3.4 Canonicalisation and Section 3.7 Body Hash
Open source - cited in 1 question
- cited in 1 question
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.