Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Timed practice tests with instant scoring and per-question explanations.
This mock covers Network Forensics as it is actually practised — reading packet captures, parsing logs, and reconstructing what happened on the wire. Thirty medium-difficulty questions across the eight pillars a network-forensic analyst (and any FACT or NFSU MSc Cyber Forensics aspirant) must lock in: packet-capture fundamentals (tcpdump and dumpcap snaplen, BPF capture filters versus Wireshark display filters, ring buffers for continuous capture, libpcap versus PCAP-NG), the TCP/IP stack as a forensic timeline (Ethernet framing, IPv4 TTL and fragmentation, TCP flags including the FIN-versus-RST distinction, the three-way handshake, sequence numbers, and retransmissions), per-protocol artefacts (HTTP request headers, the cleartext SNI in the TLS ClientHello, DNS record types and exfiltration patterns, the SMTP envelope, FTP active versus passive, SMB on port 445, the SSH banner), flow telemetry versus full PCAP (NetFlow/IPFIX, sFlow sampling), intrusion detection (Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral-movement techniques), web and proxy logs (Apache Common Log Format, IIS W3C Extended Log Format with its UTC time field), timestamp normalisation across UTC/IST/NTP-drifted endpoints, attacker techniques visible in packets (SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprinting), and the Indian regulatory layer (IT Act sections 69 and 69B with the CERT-In Directions of 28 April 2022 mandating 180-day log retention within Indian jurisdiction). It is pitched at MSc Cyber Forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET, and entry-level SOC analyst aspirants who need the network-forensics layer locked in before tackling deeper malware-traffic analysis, encrypted-payload reconstruction, and case studies. The questions assume you already know the basics of digital forensics; the medium-difficulty bar is set so that a careful read of an explanation closes the gap if you got the question wrong. 
Themes covered:

- Packet capture: tcpdump/Wireshark/dumpcap, BPF filter syntax, ring buffers, libpcap vs PCAP-NG
- TCP/IP stack: Ethernet, IPv4 TTL/fragmentation, TCP flags, three-way handshake, retransmissions
- Protocol artefacts: HTTP, HTTPS ClientHello SNI, DNS records and tunnelling, SMTP, FTP active/passive, SMB, SSH
- Flow telemetry: NetFlow/IPFIX vs full PCAP, sFlow sampling
- Intrusion detection: Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral movement
- Web/proxy logs: Apache CLF, IIS W3C Extended, NTP and UTC timestamp normalisation
- Attacker techniques in packets: SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprints
- Indian context: IT Act sections 69 and 69B, CERT-In Directions of 28 April 2022 (180-day log retention)

Each question carries a detailed 220+ word explanation citing primary sources — Davidoff and Ham’s *Network Forensics*, the relevant RFCs (791, 959, 1035, 4253, 5321, 6066, 7011, 9293), NIST SP 800-86, the Wireshark and Snort documentation, MITRE ATT&CK, and the IT Act with the CERT-In Directions. Allow 15 minutes; the explanations are long enough to use as study notes by themselves.
This mock covers mobile device forensics — acquisition strategies, the iOS and Android security architectures that determine what you can extract, the vendor tools used in Indian forensic labs, and the anti-forensics tactics suspects routinely use. Thirty questions cover logical, file-system, physical, JTAG and chip-off acquisition; BFU vs AFU device state; the iOS Secure Enclave, Effaceable Storage, and Class A/B/C/D file protection; Checkm8, GrayKey, Cellebrite UFED and Premium; Android File-Based Encryption, Direct Boot and Verified Boot; SIM card structure (ICCID, IMSI, MSISDN, ADN, LDN, EF_SMS); SQLite WAL and freelist forensics; vault apps, app cloning, and disappearing-message platforms. It is pitched at MSc cyber forensics students at NFSU and LNJN-NICFS, certified examiner candidates (CHFI Mobile, CCO, CCPA), state-FSL trainees, and FACT aspirants who need the mobile section locked in. Mobile forensics has overtaken disk forensics as the highest-volume work in Indian forensic labs since 2020 — most cyber-crime cells now process more phones than computers, and the iOS / Android security architectures keep evolving fast enough that mock content needs to stay current with each iOS major release. 
Themes covered:

- The acquisition hierarchy: logical → file-system → physical → JTAG → chip-off
- BFU vs AFU and the BFU-lockout problem during transport
- iOS Secure Enclave, Effaceable Storage, NSFileProtection class A/B/C/D
- Checkm8 (A5–A11), GrayKey, Cellebrite UFED and Premium — what each can and cannot do
- Android File-Based Encryption (FBE), Direct Boot, Verified Boot (AVB 2.0)
- SIM card forensics: ICCID, IMSI vs IMEI, ADN / LDN / EF_SMS, SIM-side recoverable SMS
- Faraday isolation and the BFU-lockout battery problem
- SQLite forensics: WAL files, freelist carving, journal modes
- Anti-forensics: vault apps (Calculator+, AppLock, Parallel Space), app cloning (Samsung Dual Messenger, Xiaomi App Twin, Island), disappearing messages, encrypted wipe
- App-specific artefacts: WhatsApp msgstore.db / msgstore.db.crypt14/15, Telegram Secret Chats vs Cloud Chats
- Cloud forensics: iCloud, Google Account, messenger cloud backups

Each question carries a detailed explanation citing NIST SP 800-101 Rev 1, the Apple Platform Security Guide, the Android Open Source Project documentation, vendor knowledge bases (Cellebrite, Magnet, Grayshift), Mahalik et al.’s *Practical Mobile Forensics*, and INTERPOL guidelines. Allow 15 minutes; some questions require knowledge of vendor tooling, others require iOS / Android internals. The explanations are long enough to use as study notes by themselves.
This mock covers Windows forensic artefacts in depth — the Registry hives, the Event Log infrastructure, Prefetch, ShimCache, Amcache, USB device tracking, ShellBags, UserAssist, RecentDocs, Jump Lists, LNK files, the NTFS journal files, Volume Shadow Copies, SRUM and the Recycle Bin. Thirty questions test what each artefact records, where it lives on disk, what tool to use to parse it, and what real-investigation question each artefact answers — who logged in, what programs ran, what USB drives were inserted, what files were opened, what was the user doing at 14:32. It is pitched at BSc and MSc cyber forensics students at NFSU and similar Indian universities, certified examiner aspirants (CHFI, GCFE, GCFA), and FACT or state-FSL examinees who routinely face Windows-artefact questions. Windows desktop forensics is the largest single section in any practical cyber-forensics paper because the majority of seized devices in Indian cyber-crime cells are still Windows machines — knowing the artefacts cold is the difference between a competent examiner and a paper-only candidate. 
Themes covered:

- Registry hive structure: SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT, USRCLASS.DAT — and exactly where each file lives on disk
- USB insertion artefacts: USBSTOR, MountedDevices, MountPoints2 and setupapi.dev.log
- Persistence keys: Run, RunOnce, Services, Image File Execution Options
- ShellBags, RecentDocs, UserAssist, Jump Lists, LNK files — what each tells you about user activity
- Critical Event Log IDs: 4624, 4625, 4634, 4647, 4672, 4688, 4720, 7045, 1102 — what each means and when it fires
- Prefetch (.pf): up to 8 last-run timestamps in Windows 10+, the eviction rules
- ShimCache (AppCompatCache) and Amcache.hve — the differences and why both matter
- $MFT, $LogFile, $UsnJrnl — the NTFS forensic trio
- Volume Shadow Copies, SRUM (SRUDB.dat), the Recycle Bin ($I / $R files)
- Tooling: Eric Zimmerman tools (Registry Explorer, RECmd, EvtxECmd, MFTECmd, AmcacheParser, JLECmd, LECmd, RBCmd), KAPE, Autopsy, Magnet AXIOM

Each question carries a detailed explanation citing Microsoft Learn for the official artefact behaviour, Carvey’s *Windows Registry Forensics* and *Windows Forensic Analysis Toolkit*, Eric Zimmerman’s documentation, MITRE ATT&CK technique mappings, and Mandiant research where relevant. Allow 15 minutes — these are quick-recall questions that any practising examiner should answer in well under 30 seconds each. The explanations are long enough to use as study notes by themselves; even if you skip the timed run, reading through them once is a complete refresher.