Digital Forensics: Web Browser and Email Investigation Scenarios

Applied scenario drill on web-browser and email forensics for FACT aspirants, pitched one level above the introductory mock. Questions move past definitions into the kind of decisions an investigator actually makes at the bench: writing the right SQL join across Chrome's urls, visits, and visit_source tables; converting a Chrome timestamp from microseconds since 1601 UTC into a calendar date; recognising why a SameSite=None cookie without Secure was rejected; deciding whether a body-hash mismatch on a DKIM signature points to a transit footer or to a header rewrite; tracing a multi-hop Received chain bottom-up to the host that actually submitted the message; reading an OST orphan condition after Active Directory disabled the account; choosing PST, OST, MBOX, or emlx for the workstation in front of you; and applying Section 66D of the IT Act 2000 to a bank-impersonation phishing case.

The mock is calibrated for MSc Forensic Science aspirants preparing for the FACT entrance, the cyber stream of the NFSU MSc, and CHFI or GCFA candidates who want a focused drill on Chromium and Firefox artefacts, MIME parsing, SPF, DKIM, DMARC alignment failures, and standard email containers. Each question is rooted in a verifiable primary source: RFC 5321, 5322, 1939, 3501, 2045 to 2049, 6376, 7208, and 7489 for protocol behaviour; Microsoft Learn for OST, PST, DPAPI, and ESE; Apple Developer for the Keychain; the Chromium source tree and Mozilla Source Docs for browser internals; and the IT Act 2000 for the Indian statutory anchor.

Topics covered:

• Chrome History database joins and FILETIME-based timestamp arithmetic
• Firefox places.sqlite, sessionstore-backups jsonlz4 framing, and Edge WebCacheV01.dat ESE access
• Cookie attribute semantics, including the SameSite=None Secure rule, HTTP cache reconstruction, and ETag revalidation
• Browser credential stores on Windows and macOS, DPAPI and Keychain key wrapping
• Incognito leak vectors across pagefile, hiberfil, and the OS DNS resolver cache
• Multi-hop Received chain reading, X-Originating-IP reliability, and Message-ID anchoring
• MIME multipart parsing, base64 versus quoted-printable, and DKIM body-hash failure modes
• SPF, DKIM, DMARC alignment outcomes and aggregate versus forensic reporting
• PST, OST, MBOX, and emlx selection per platform, OST orphan handling, single-instance attachment recovery
• Section 66D IT Act 2000 in a phishing-impersonation case

Allow 30 minutes.