Free, timed forensic mock tests for NFSU FACT, UGC-NET and university entrances. Instant scoring, per-question explanations and a topic breakdown after every attempt.
Advanced FACT digital-forensics drill that pushes the examiner from "name the artefact" into "name the one parameter that disambiguates near-twin readings of the same artefact" across thirty cross-platform scenarios. The Windows half covers $STANDARD_INFORMATION versus $FILE_NAME at sub-second precision (the SetFileTime zeroed-tick tell), the resident-vs-non-resident $DATA boundary on default-format NTFS, $LogFile LFS REDO/UNDO records against $UsnJrnl USN reasons, Prefetch format versions 17, 23, 26 and 30 mapped to Windows builds, AmCache InventoryApplicationFile FileId carrying SHA1 of the first 31 MiB, shellbag ItemPos<resolution> coordinates against BagMRU and NodeSlot, EventID 4624 LogonType 2/3/10/11 precision, AppCompatCache signatures 0xBADC0FFE/0x73/0x34 across Win7/Win8/Win10/11, MS-SHLLINK LinkFlags bits HasName / HasArguments / HasIconLocation, and the USBSTOR plus MountedDevices plus setupapi.dev.log attribution triple. The Linux half covers MCF identifiers $5/$6/$y/$7/$argon2id$ in /etc/shadow, dual-ABI auditd rules at arch=b64 vs arch=b32, systemd Wants= vs Requires= against Before= vs After= ordering, /proc/[pid]/smaps memfd-backed regions, journald persistence at /var/log/journal vs /run/log/journal, cron user-column semantics across /etc/crontab and /etc/cron.d and /var/spool/cron, ext4 vs xfs vs btrfs unlink semantics, bash HISTSIZE / HISTFILESIZE / HISTCONTROL interactions, file capabilities via setcap vs SUID, and nftables inet family addressing vs iptables -L. 
The macOS half covers TCC.db auth_value 0/1/2/3, the launchd RunAtLoad / KeepAlive / StartInterval / WatchPaths interaction, the one-parameter difference between an APFS clone, copy and snapshot, the FSEvents MustScanSubDirs bit, the travelling Spotlight exclusion .metadata_never_index, the Unified Logging predicate language, the four-field com.apple.quarantine xattr layout, login vs System vs iCloud keychain scope, the Safari History.db visit_time CFAbsoluteTime base, and Time Machine APFS local snapshot vs sparsebundle external destination. For FACT aspirants who have already cleared the applied band, NFSU MSc digital-forensics candidates aiming at the precision-level question, and analysts preparing for GCFA, CHFI, SANS FOR500 and FOR518. Distractors here are one-parameter shifts off the correct answer (wrong epoch base, wrong field order, wrong key, wrong bit position, wrong ABI), so the candidate needs to know the exact structural detail rather than the general subsystem.

Topics covered:
- NTFS attribute layout, journals, and sub-second timestomp telltales
- Prefetch versions, AmCache schema, ShellBags coordinates and ShimCache
- LogonType matrix, LNK LinkFlags bits, USB attribution triple
- shadow-file MCF identifiers and auditd dual-ABI syscall rules
- systemd ordering vs requirement strength and cron user-column rules
- ext4/xfs/btrfs unlink, bash history vars, and capabilities vs SUID
- TCC.db enums, launchd scheduling keys, APFS clone vs copy vs snapshot
- FSEvents flags, Spotlight exclusion, Unified Logging predicates, keychains

Useful for the FACT digital forensics paper, NFSU MSc entrance, and one-parameter cross-platform DFIR drill. Allow 30 minutes.
This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. Subnet arithmetic on 192.168.10.83/27 is checked at both ends (broadcast and first usable host), aggregation of four contiguous /24s into a single /22 is asked as a CIDR exercise, and longest-prefix match resolves a deliberate overlap between a parent /16 and a child /18 in a routing table. IPv4 header byte offsets pin TTL at byte 8, Protocol at byte 9, Source IP at bytes 12 to 15, and Destination IP at bytes 16 to 19. The TCP control byte is unpacked in URG-ACK-PSH-RST-SYN-FIN order, MSS option Kind 2 Length 4 sits next to SACK-Permitted Kind 4 Length 2 and SACK ranges Kind 5, and the JA3 fingerprint field order is fixed as SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat. 
Other questions hold WPA2 message 3 as the GTK delivery vehicle, place the PMKID in WPA2 message 1, contrast IKEv2 SA_INIT with IKE_AUTH payloads, and read Cisco administrative distances, show ip route codes, OSPF E1 versus E2 externals, and Zeek conn.log field order.

The paper is calibrated for the FACT entrance exam at the advanced band and is equally useful for the MSc Digital Forensics network elective at NFSU, GIAC GCIA and GNFA candidates, and SANS FOR572 students who want a tight precision test on the byte-level fluency that every network forensics tool assumes.

Topics covered:
- Subnet math, CIDR aggregation, route table overlap and longest-prefix match
- IPv4 and IPv6 header byte offsets, TCP control bit ordering, TCP options (MSS, SACK)
- TLS 1.2 vs TLS 1.3 cipher suite identifiers and the JA3 client fingerprint construction
- BGP path attributes, OSPF Hello and Dead intervals, OSPF external Type 1 vs Type 2, Cisco administrative distance
- IEEE 802.1Q tag layout (TPID, PCP, DEI, VID) and QinQ outer tag 0x88A8
- WPA2 4-way handshake GTK delivery and the PMKID attack, WPA3 SAE forward secrecy
- IKEv2 SA_INIT vs AUTH payloads, ESP and AH integrity scope, ICMP type 11 codes and type 3 code 4 PMTUD
- Wireshark retransmission classifications, tcpdump BPF flag-mask filters, Zeek conn.log schema, Snort/Suricata rule semantics, IPFIX element IDs

Use this as a precision drill on the byte-level network forensics knowledge that every advanced FACT paper assumes. Allow 30 minutes.
Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. The mock walks through PE Optional Header internals (Magic 0x10B PE32 versus 0x20B PE32+, IMAGE_FILE_HEADER Characteristics, DataDirectory[9] TLS callbacks, DataDirectory[6] debug, DataDirectory[10] load config), section flag combinations and entropy thresholds for packer detection, process injection technique discrimination (classic CreateRemoteThread, APC injection, SetWindowsHookEx, reflective DLL, process hollowing, process doppelganging via Transactional NTFS, Atom Bombing, and Module Stomping), Volatility 3 plugin selection (malfind versus hollowfind versus ldrmodules versus threads), VAD tag interpretation (VadS plus PAGE_EXECUTE_READWRITE plus CommitCharge), Sysmon event ID one-parameter swaps (1, 3, 7, 8, 11, 12, 13, 14, 22, 25), YARA condition semantics (any/all-of, pe.imports, math.entropy), MITRE ATT&CK technique ID precision (T1547.001, T1053.005, T1543.003, T1055.012, T1218.011, T1027, T1059.001), anti-debug primitive discrimination (IsDebuggerPresent versus NtQueryInformationProcess ProcessDebugPort 0x07, PEB.BeingDebugged versus PEB.NtGlobalFlag at PEB+0xBC), Cobalt Strike Malleable C2 sleep-and-jitter, JA3 TLS fingerprint construction order, imphash collision provenance, ssdeep versus sdhash versus TLSH score-scale interpretation, ransomware hybrid cryptography (Curve25519 plus ChaCha20-Poly1305 versus RSA-2048 plus AES-256-CBC), CTR mode IV reuse failure, _EPROCESS ActiveProcessLinks DKOM unlinking, Run versus RunOnce versus IFEO registry persistence, HKLM versus HKCU scope, NTFS timestomp nanosecond signal in $STANDARD_INFORMATION versus $FILE_NAME, and IT Act 2000 sections 65, 66, 66B, 66C. 
Target audience: NFSU MSc Forensic Science / Cyber Security students, FACT digital forensics aspirants who have completed the easy and medium bands of this topic, candidates revising for GREM, GCFA, CHFI, or CISSP examinations, and SOC analysts pivoting into reverse engineering and memory forensics work.

Topics covered:
- PE Optional Header Magic, IMAGE_FILE_HEADER, DataDirectory entries
- Section flag combinations and entropy thresholds for packing
- Process injection technique discrimination on one symptom
- Volatility 3 plugins and VAD interpretation
- Sysmon event IDs and YARA condition semantics
- MITRE ATT&CK technique-ID precision and anti-debug primitives
- Cobalt Strike, JA3, imphash, ssdeep, sdhash, TLSH
- Ransomware cryptography, persistence registry paths, timestomp, IT Act sections

Calibrated for ~30 to 40 percent accuracy across the hard band. Allow 30 minutes.
Hard-band FACT digital forensics drill on first responder doctrine and digital evidence admissibility in 2026 India. Synthesis-level questions span Section 65B IEA 1872 and Section 63 BSA 2023 with sub-clause precision, the Anvar P.V. (2014), Shafhi Mohammad (2018, overruled), Arjun Panditrao Khotkar (2020), and Tomaso Bruno (2015, per incuriam) line, the new BNSS 2023 search and production framework (Sections 94, 103, 105, 185, 186), the IT Act 2000 (Sections 69, 79A, 80, 84A), NIST SP 800-88 Revision 1 sanitization categories with media-type boundaries, RFC 3227 seven-layer volatility, hash deprecation (MD5 Wang-Yu 2005, SHA-1 SHAttered 2017, Shambles 2020), memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) with smear analysis, imaging formats (raw dd, E01, Ex01, AFF4, L01) with integrity-tag granularity, write blockers (Tableau T35689iu, T356887iu, T7u, T8u NVMe), encryption recovery scenarios (LUKS2 Argon2id, BitLocker TPM, FileVault 2, APFS), iOS BFU vs AFU state, checkm8 boundary (A5 to A11), and chain-of-custody curable-versus-fatal-break doctrine. Distractor design uses one-parameter swaps across statute subsections, vendor model numbers, RFC layer ordering, and judgment names so that surface familiarity is insufficient. Calibrated for candidates targeting the top decile in the FACT digital forensics paper, NFSU MSc digital forensics entrance, and the cyber-crime modules of the UGC-NET Forensic Science Paper II. Useful as a final-stretch verification drill for examinees who have cleared the easy and applied-scenarios sets and need to test edge cases. Aim for 30 to 40 percent accuracy; hard-band distractors differ from the correct answer on one specific parameter (one statute subsection, one model number, one RFC layer, one judgment name) and a single misread will pull you onto the wrong option. 
Topics covered:
- Section 65B IEA 1872 and Section 63 BSA 2023 sub-clause precision
- Anvar, Shafhi, Arjun Panditrao, Tomaso Bruno case line
- BNSS 94, 103, 105, 185, 186 with CrPC counterparts
- IT Act 69, 79A, 80, 84A interception and expert-evidence powers
- NIST SP 800-88 Rev 1 Clear, Purge, Destroy by media type
- RFC 3227 seven-layer order of volatility
- Hash deprecation timeline MD5, SHA-1, SHAttered, Shambles
- Memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) and smear

Written by ForensicSpot Editorial. Allow 30 minutes.
Advanced FACT-style drill on cloud security and cloud forensics, calibrated to the hardest band of the syllabus. Thirty single-best-answer items on IAM evaluation precedence with explicit Deny, AWS condition keys including aws:PrincipalArn, aws:SourceArn, aws:SourceAccount, kms:ViaService and kms:GrantOperations, the iam:PassRole + iam:CreatePolicyVersion + iam:SetDefaultPolicyVersion privilege escalation chain, sts:AssumeRole session principal ARN parsing, CloudTrail ConsoleLogin mfaUsed and eventCategory filters, VPC Flow Log version 5 pkt-srcaddr and tcp-flags bitmask reading, KMS GenerateDataKey family selection and KeyUsage SIGN_VERIFY vs ENCRYPT_DECRYPT, S3 server-side encryption header values including aws:kms:dsse for DSSE-KMS, S3 Object Lock GOVERNANCE vs COMPLIANCE retention, Azure RBAC scope inheritance and Diagnostic Settings AuditEvent, GCP Audit Logs Admin Activity vs Data Access defaults, EKS IRSA AssumeRoleWithWebIdentity flow, Kubernetes audit policy stages RequestReceived to ResponseComplete, NIST SP 800-61 Rev 2 IR phases, CLOUD Act 2018 Section 103 extra-territorial reach, India-US MLAT routing with DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2) SSMI traceability, SAML 2.0 Subject vs OIDC sub claim and SAML AuthnContextClassRef vs OIDC acr, mTLS at NLB passthrough vs ALB vs API Gateway, CloudTrail log file validation digest schema, and BYOK vs HYOK vs AWS KMS External Key Store. Built for FACT aspirants, NFSU MSc Digital Forensics candidates, GCFA cloud-evidence pathways, SANS FOR509 prep, and AWS Certified Security Specialty candidates who want the hard-band differentiation between near-twin AWS, Azure, and GCP concepts. Every option set differs from the correct answer on a single parameter, so partial recall of the topic will not be enough to score well. 
Topics covered:
- IAM policy evaluation: explicit Deny, cross-account two-way grant, condition keys
- Privilege escalation chains via iam:PassRole and IAM policy versioning
- CloudTrail event reading: AssumeRole session principal, ConsoleLogin, eventCategory
- VPC Flow Log version 5 fields: pkt-srcaddr, pkt-dstaddr, tcp-flags bitmask
- KMS API family, KeyUsage values, condition keys, grant tokens, XKS
- S3 SSE header values, DSSE-KMS, Object Lock COMPLIANCE vs GOVERNANCE
- Azure RBAC inheritance, GCP Audit Log defaults, EKS IRSA, Kubernetes audit stages
- Indian and cross-border law: CLOUD Act 2018, DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2)

This hard-band mock is calibrated for one-parameter discrimination, which is why every option in every item sits at the same level of abstraction and the same canonical form. Allow 30 minutes.
This mock drills into the two hardest acquisition surfaces in modern digital forensics — public-cloud workloads and Internet-of-Things devices — and the legal, architectural, and procedural obstacles that distinguish them from traditional disk forensics. Thirty hard questions across cloud service models (IaaS, PaaS, SaaS, FaaS) and what each layer surrenders to the investigator, deployment models (public, private, community, hybrid), multi-tenancy and data co-mingling, jurisdictional pathways for cross-border production (MLAT, the US CLOUD Act 2018, GDPR Article 48, India's DPDP Act 2023, IT Act §69 read with the 2009 Rules, the CERT-In Directions of 28 April 2022 with their 6-hour reporting and 180-day log-retention rules), the major cloud audit logs (AWS CloudTrail vs CloudWatch vs Config vs VPC Flow Logs, Azure Activity Log vs Entra ID Sign-in Logs vs Diagnostic Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, Microsoft 365 Unified Audit Log retention by SKU), snapshot-based acquisition (EBS snapshot → cross-account share → forensic VPC restore), Linux memory acquisition with LiME, and the limits of memory acquisition on serverless platforms. The IoT half covers smart-hub voice assistants and the Echo cloud-account architecture exposed by *Arkansas v. Bates* (2017), wearables and the heart-rate / step-count timeline that proved decisive in *State v. Dabate* (Connecticut, 2017), smart-camera and doorbell acquisition when JTAG is gone and the eMMC is BGA-soldered (chip-off plus companion-app plus cloud), Android and iOS companion-app forensic artefacts (SQLite, SharedPreferences, plist, OAuth tokens), connected-vehicle Event Data Recorders extracted with the Bosch CDR tool over OBD-II under 49 CFR Part 563, and the special discipline required for industrial-control SCADA networks running Modbus and OPC-UA where active scanning can disrupt physical-world processes (IEC 62443). 
It is pitched at MSc and final-year BSc cyber forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET and CHFI aspirants who need the cloud and IoT acquisition layers locked in. This is a **premium**, **hard**-difficulty mock — distractors target the misconceptions a careful student is most likely to fall into (CloudTrail vs CloudWatch vs Config; Lambda vs EC2 acquisition; MLAT vs CLOUD Act vs GDPR Article 48; Azure Activity Log vs Entra Sign-in Logs; chip-off vs JTAG when neither is straightforward).

Topics covered:
- Cloud service models (IaaS / PaaS / SaaS / FaaS) and the evidence each layer yields
- Cloud deployment models (public, private, community, hybrid) and multi-tenancy
- AWS CloudTrail, CloudWatch, Config, VPC Flow Logs; Azure Entra Sign-in / Activity / Diagnostic Logs; GCP Audit Logs Admin Activity vs Data Access; M365 Unified Audit Log
- Snapshot acquisition (EBS / managed disk / persistent disk); Linux RAM with LiME; serverless limits
- Jurisdiction: MLAT, CLOUD Act 2018, GDPR Article 48, DPDP 2023, IT Act §69, CERT-In Directions 2022, data sovereignty
- Standards: NIST SP 800-145, NIST IR 8006, NIST SP 800-201, NIST SP 800-86, ISO/IEC 27037, CSA Domain 12, IEC 62443
- IoT classes: voice assistants (Echo / Home / HomePod), wearables (Fitbit, Apple Watch, Garmin), smart cameras (Ring, Nest), connected vehicles, industrial IoT
- IoT acquisition: chip-off vs JTAG, companion-app SQLite/SharedPreferences/plist, cloud-account artefacts
- Court precedents: *Arkansas v. Bates* (Echo, 2017), *State v. Dabate* (Fitbit, 2017)
- Connected-vehicle CAN-bus, OBD-II, EDR under 49 CFR Part 563, Bosch CDR tool

Each question carries a detailed 250+ word explanation citing primary sources — NIST IR 8006 and SP 800-201, NIST SP 800-145, ISO/IEC 27037, the CLOUD Act, GDPR, DPDP 2023, the IT Act, CERT-In Directions, AWS / Azure / GCP / Microsoft official documentation, the *Bates* and *Dabate* dockets, 49 CFR Part 563, ISO 15765-4, IEC 62443, and Hassan's *Digital Forensics Basics*. Allow 30 minutes — the explanations are long enough to use as study notes by themselves.