Digital Forensics | medium | Premium

Digital Forensics: Web Browser and Email Investigation Scenarios

  • Questions: 30
  • Duration: 30 min
  • Faculty-reviewed: 0
  • Updated: 20 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

Applied scenario drill on web-browser and email forensics for FACT aspirants, pitched one level above the introductory mock. Questions move past definitions into the kind of decisions an investigator actually makes at the bench: writing the right SQL join across Chrome's urls, visits, and visit_source tables; converting a Chrome timestamp from microseconds since 1601 UTC into a calendar date; recognising why a SameSite=None cookie without Secure was rejected; deciding whether a body-hash mismatch on a DKIM signature points to a transit footer or to a header rewrite; tracing a multi-hop Received chain bottom-up to the host that actually submitted the message; reading an OST orphan condition after Active Directory disabled the account; choosing PST, OST, MBOX, or emlx for the workstation in front of you; and applying Section 66D of the IT Act 2000 to a bank-impersonation phishing case.

The mock is calibrated for MSc Forensic Science aspirants preparing for the FACT entrance, the cyber stream of the NFSU MSc, and CHFI or GCFA candidates who want a focused drill on Chromium and Firefox artefacts, MIME parsing, SPF, DKIM, DMARC alignment failures, and standard email containers. Each question is rooted in a verifiable primary source: RFC 5321, 5322, 1939, 3501, 2045 to 2049, 6376, 7208, and 7489 for protocol behaviour; Microsoft Learn for OST, PST, DPAPI, and ESE; Apple Developer for the Keychain; the Chromium source tree and Mozilla Source Docs for browser internals; and the IT Act 2000 for the Indian statutory anchor.

Topics covered:

  • Chrome History database joins and FILETIME-based timestamp arithmetic
  • Firefox places.sqlite, sessionstore-backups jsonlz4 framing, and Edge WebCacheV01.dat ESE access
  • Cookie attribute semantics, including the SameSite=None Secure rule, HTTP cache reconstruction, and ETag revalidation
  • Browser credential stores on Windows and macOS, DPAPI and Keychain key wrapping
  • Incognito leak vectors across pagefile, hiberfil, and the OS DNS resolver cache
  • Multi-hop Received chain reading, X-Originating-IP reliability, and Message-ID anchoring
  • MIME multipart parsing, base64 versus quoted-printable, and DKIM body-hash failure modes
  • SPF, DKIM, DMARC alignment outcomes and aggregate versus forensic reporting
  • PST, OST, MBOX, and emlx selection per platform, OST orphan handling, single-instance attachment recovery
  • Section 66D IT Act 2000 in a phishing-impersonation case

Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Microsoft Learn: Windows Data Protection API (DPAPI), master key storage under AppData Roaming Microsoft Protect. Open source; cited in 6 questions.
  • Chromium Project Source: net/disk_cache layout, data_N block files and Cache_Data large-entry storage. Open source; cited in 4 questions.
  • IETF RFC 5322: Internet Message Format, X- header convention and Optional Fields semantics. Open source; cited in 4 questions.
  • Mozilla Source Docs: Session restore on-disk format, mozLz40 framing of an LZ4 raw block. Open source; cited in 2 questions.
  • Hindsight Project: Hindsight Chrome internet history parser, downloads_url_chains schema notes. Open source; cited in 2 questions.
  • IETF RFC 7489: Domain-based Message Authentication, Reporting, and Conformance, Section 3.1 Identifier Alignment. Open source; cited in 2 questions.
  • IETF RFC 5321: Simple Mail Transfer Protocol, Section 4.4 Trace Information and the Received header. Open source; cited in 1 question.
  • IETF draft-ietf-httpbis-rfc6265bis: HTTP State Management Mechanism, SameSite=None and the Secure requirement. Open source; cited in 1 question.
  • IETF RFC 2046: MIME Part Two: Media Types, multipart/related and multipart/alternative semantics. Open source; cited in 1 question.
  • IETF RFC 7208: Sender Policy Framework, Section 2.4 Mail from Identity and what SPF authenticates. Open source; cited in 1 question.
  • Apple Developer Documentation: Keychain Services overview and the Security framework reference. Open source; cited in 1 question.
  • Information Technology Act 2000: Section 66D, Punishment for cheating by personation by using computer resource. Open source; cited in 1 question.
  • Google LevelDB Project: LevelDB on-disk format, table (.ldb) and log file (.log) layout. Open source; cited in 1 question.
  • IETF RFC 6376: DomainKeys Identified Mail Signatures, Section 3.4 Canonicalisation and Section 3.7 Body Hash. Open source; cited in 1 question.
  • IETF RFC 9111: HTTP Caching, Section 4.3 Validation and the 304 Not Modified response. Open source; cited in 1 question.
  • IETF RFC 2045: MIME Part One, Sections 6.7 (Quoted-Printable) and 6.8 (Base64). Open source; cited in 1 question.

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
