Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Free, timed forensic mock tests for NFSU FACT, UGC-NET and university entrances. Instant scoring, per-question explanations and a topic breakdown after every attempt.
Advanced FACT digital-forensics drill that pushes the examiner from "name the artefact" into "name the one parameter that disambiguates near-twin readings of the same artefact" across thirty cross-platform scenarios.

The Windows half covers $STANDARD_INFORMATION versus $FILE_NAME at sub-second precision (the zeroed fractional-second tell left by SetFileTime-based timestomping tools), the resident-vs-non-resident $DATA boundary on default-format NTFS, $LogFile LFS REDO/UNDO records against $UsnJrnl USN reasons, Prefetch format versions 17, 23, 26 and 30 mapped to Windows builds, the AmCache InventoryApplicationFile FileId carrying the SHA1 of the first 31,457,280 bytes (30 MiB) of the file, shellbag ItemPos<resolution> coordinates against BagMRU and NodeSlot, EventID 4624 LogonType 2/3/10/11 precision, AppCompatCache signatures 0xBADC0FFE/0x73/0x34 across Win7/Win8/Win10/11, MS-SHLLINK LinkFlags bits HasName / HasArguments / HasIconLocation, and the USBSTOR plus MountedDevices plus setupapi.dev.log attribution triple.

The Linux half covers MCF identifiers $5/$6/$y/$7/$argon2id$ in /etc/shadow, dual-ABI auditd rules at arch=b64 vs arch=b32, systemd Wants= vs Requires= against Before= vs After= ordering, /proc/[pid]/smaps memfd-backed regions, journald persistence at /var/log/journal vs /run/log/journal, cron user-column semantics across /etc/crontab and /etc/cron.d and /var/spool/cron, ext4 vs xfs vs btrfs unlink semantics, bash HISTSIZE / HISTFILESIZE / HISTCONTROL interactions, file capabilities via setcap vs SUID, and nftables inet family addressing vs iptables -L.

The macOS half covers TCC.db auth_value 0/1/2/3, launchd RunAtLoad / KeepAlive / StartInterval / WatchPaths interaction, the APFS clone vs copy vs snapshot one-parameter difference, the FSEvents MustScanSubDirs bit, the .metadata_never_index travelling Spotlight exclusion, the Unified Logging predicate language, the com.apple.quarantine four-field xattr layout, login vs System vs iCloud keychain scope, the Safari History.db visit_time CFAbsoluteTime base, and Time Machine APFS local snapshots vs a sparsebundle external destination.

Built for FACT aspirants who have already cleared the applied band, NFSU MSc digital-forensics candidates aiming at the precision-level question, and analysts preparing for GCFA, CHFI, SANS FOR500, and FOR518. Distractors here are one-parameter shifts off the correct answer (wrong epoch base, wrong field order, wrong key, wrong bit position, wrong ABI), so the candidate needs to know the exact structural detail rather than the general subsystem.

Topics covered:
- NTFS attribute layout, journals, and sub-second timestomp telltales
- Prefetch versions, AmCache schema, ShellBags coordinates and ShimCache
- LogonType matrix, LNK LinkFlags bits, USB attribution triple
- shadow-file MCF identifiers and auditd dual-ABI syscall rules
- systemd ordering vs requirement strength and cron user-column rules
- ext4/xfs/btrfs unlink, bash history vars, and capabilities vs SUID
- TCC.db enums, launchd scheduling keys, APFS clone vs copy vs snapshot
- FSEvents flags, Spotlight exclusion, Unified Logging predicates, keychains

Useful for the FACT digital forensics paper, NFSU MSc entrance, and one-parameter cross-platform DFIR drill. Allow 30 minutes.
This advanced FACT-style mock targets the hardest band of network forensics and network investigation, the territory where a candidate has to reason across packet headers, captured TLS metadata, BGP attributes, OSPF timers, IEEE 802.1Q tag layout, WPA2 and WPA3 handshakes, IPsec exchanges, ICMP error semantics, and the byte-precise display and capture filter grammars of Wireshark and tcpdump. Subnet arithmetic on 192.168.10.83/27 is checked at both ends (broadcast and first usable host), aggregation of four contiguous /24s into a single /22 is asked as a CIDR exercise, and longest-prefix match resolves a deliberate overlap between a parent /16 and a child /18 in a routing table. IPv4 header byte offsets pin TTL at byte 8, Protocol at byte 9, Source IP at bytes 12 to 15, and Destination IP at bytes 16 to 19. The TCP control byte is unpacked in URG-ACK-PSH-RST-SYN-FIN order, MSS option Kind 2 Length 4 sits next to SACK-Permitted Kind 4 Length 2 and SACK ranges Kind 5, and the JA3 fingerprint field order is fixed as SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat.

Other questions hold WPA2 message 3 as the GTK delivery vehicle, place the PMKID in WPA2 message 1, contrast IKEv2 SA_INIT with IKE_AUTH payloads, and read Cisco administrative distances, show ip route codes, OSPF E1 versus E2 externals, and Zeek conn.log field order.

The paper is calibrated for the FACT entrance exam at the advanced band and is equally useful for the MSc Digital Forensics network elective at NFSU, GIAC GCIA and GNFA candidates, and SANS FOR572 students who want a tight precision test on the byte-level fluency that every network forensics tool assumes.

Topics covered:
- Subnet math, CIDR aggregation, route table overlap and longest-prefix match
- IPv4 and IPv6 header byte offsets, TCP control bit ordering, TCP options (MSS, SACK)
- TLS 1.2 vs TLS 1.3 cipher suite identifiers and the JA3 client fingerprint construction
- BGP path attributes, OSPF Hello and Dead intervals, OSPF external Type 1 vs Type 2, Cisco administrative distance
- IEEE 802.1Q tag layout (TPID, PCP, DEI, VID) and QinQ outer tag 0x88A8
- WPA2 4-way handshake GTK delivery and the PMKID attack, WPA3 SAE forward secrecy
- IKEv2 SA_INIT vs AUTH payloads, ESP and AH integrity scope, ICMP type 11 codes and type 3 code 4 PMTUD
- Wireshark retransmission classifications, tcpdump BPF flag-mask filters, Zeek conn.log schema, Snort/Suricata rule semantics, IPFIX element IDs

Use this as a precision drill on the byte-level network forensics knowledge that every advanced FACT paper assumes. Allow 30 minutes.
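The byte-level facts this drill tests (the /27 endpoints, the fixed IPv4 offsets, the six control bits, the MSS and SACK-Permitted option layout, and the JA3 field order) are small enough to check with code. The following is an added example written for this listing, not material from ForensicSpot or from any test item; the packet it parses is constructed by hand inside the script, and the GREASE filter follows the published JA3 rule of dropping GREASE values before joining the fields.

```python
import hashlib
import ipaddress
import struct

# Constructed sample packet (not a real capture): a 20-byte IPv4 header followed by a
# 28-byte TCP SYN header (20 fixed bytes + 8 bytes of options: MSS 1460, SACK-Permitted, NOP, NOP).
IPV4_HDR = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0, 48, 0x1234, 0x4000, 64, 6, 0,
    ipaddress.IPv4Address("192.168.10.83").packed,
    ipaddress.IPv4Address("10.0.0.1").packed,
)
TCP_HDR = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 7 << 4, 0x02, 64240, 0, 0)
TCP_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01\x01"
SAMPLE = IPV4_HDR + TCP_HDR + TCP_OPTS


def subnet_ends(cidr):
    """Return (broadcast, first usable host) for a host address written in CIDR form."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.broadcast_address), str(net.network_address + 1)


def parse_ipv4(buf):
    """Fixed IPv4 header offsets: TTL at byte 8, Protocol at 9, source 12-15, destination 16-19."""
    return {
        "ihl": (buf[0] & 0x0F) * 4,
        "ttl": buf[8],
        "proto": buf[9],
        "src": str(ipaddress.IPv4Address(buf[12:16])),
        "dst": str(ipaddress.IPv4Address(buf[16:20])),
    }


FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # control bits 5 down to 0


def tcp_flags(ctrl):
    """Unpack the low six bits of the TCP control byte in URG-ACK-PSH-RST-SYN-FIN order."""
    return [name for i, name in enumerate(FLAG_NAMES) if ctrl & (1 << (5 - i))]


def parse_tcp_options(buf):
    """Walk TCP options: EOL (0) and NOP (1) are single bytes; everything else is kind, length, data."""
    out, i = [], 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, None))
            i += 1
            continue
        length = buf[i + 1]
        data = buf[i + 2:i + length]
        if kind == 2:        # MSS: length 4, one 16-bit value
            out.append((2, struct.unpack("!H", data)[0]))
        elif kind == 4:      # SACK-Permitted: length 2, no data
            out.append((4, None))
        elif kind == 5:      # SACK: pairs of 32-bit left/right edges
            edges = struct.unpack("!%dI" % (len(data) // 4), data)
            out.append((5, list(zip(edges[::2], edges[1::2]))))
        else:
            out.append((kind, data))
        i += length
    return out


def parse_tcp(buf):
    sport, dport, seq, ack, off_byte, ctrl = struct.unpack("!HHIIBB", buf[:14])
    hdr_len = (off_byte >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp_flags(ctrl), "options": parse_tcp_options(buf[20:hdr_len])}


def is_grease(v):
    """TLS GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3 by the spec."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3(version, ciphers, extensions, curves, point_formats):
    """JA3 string in the fixed order SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat."""
    def join(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    s = ",".join([str(version), join(ciphers), join(extensions), join(curves), join(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE)
    print(subnet_ends(ip["src"] + "/27"), ip)
    print(parse_tcp(SAMPLE[ip["ihl"]:]))
    print(ja3(771, [0x0A0A, 4865, 4866], [0, 10, 11], [29, 23], [0]))
```

The same functions work on the IP and TCP layers sliced out of a real pcap frame once the Ethernet header is removed; the JA3 inputs come from the ClientHello as decimal lists in the order the client sent them.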
Hard-band drill on advanced malware analysis for the FACT digital forensics paper and aligned NFSU MSc entrance prep. The mock walks through PE Optional Header internals (Magic 0x10B PE32 versus 0x20B PE32+, IMAGE_FILE_HEADER Characteristics, DataDirectory[9] TLS callbacks, DataDirectory[6] debug, DataDirectory[10] load config), section flag combinations and entropy thresholds for packer detection, process injection technique discrimination (classic CreateRemoteThread, APC injection, SetWindowsHookEx, reflective DLL, process hollowing, process doppelganging via Transactional NTFS, Atom Bombing, and Module Stomping), Volatility 3 plugin selection (malfind versus hollowfind versus ldrmodules versus threads), VAD tag interpretation (VadS plus PAGE_EXECUTE_READWRITE plus CommitCharge), Sysmon event ID one-parameter swaps (1, 3, 7, 8, 11, 12, 13, 14, 22, 25), YARA condition semantics (any/all-of, pe.imports, math.entropy), MITRE ATT&CK technique ID precision (T1547.001, T1053.005, T1543.003, T1055.012, T1218.011, T1027, T1059.001), anti-debug primitive discrimination (IsDebuggerPresent versus NtQueryInformationProcess ProcessDebugPort 0x07, PEB.BeingDebugged versus PEB.NtGlobalFlag at PEB+0xBC on x64 and PEB+0x68 on x86), Cobalt Strike Malleable C2 sleep-and-jitter, JA3 TLS fingerprint construction order, imphash collision provenance, ssdeep versus sdhash versus TLSH score-scale interpretation, ransomware hybrid cryptography (Curve25519 plus ChaCha20-Poly1305 versus RSA-2048 plus AES-256-CBC), CTR mode IV reuse failure, _EPROCESS ActiveProcessLinks DKOM unlinking, Run versus RunOnce versus IFEO registry persistence, HKLM versus HKCU scope, the NTFS timestomp nanosecond signal in $STANDARD_INFORMATION versus $FILE_NAME, and IT Act 2000 sections 65, 66, 66B, 66C.

Target audience: NFSU MSc Forensic Science / Cyber Security students, FACT digital forensics aspirants who have completed the easy and medium bands of this topic, candidates revising for GREM, GCFA, CHFI, or CISSP examinations, and SOC analysts pivoting into reverse engineering and memory forensics work.

Topics covered:
- PE Optional Header Magic, IMAGE_FILE_HEADER, DataDirectory entries
- Section flag combinations and entropy thresholds for packing
- Process injection technique discrimination on one symptom
- Volatility 3 plugins and VAD interpretation
- Sysmon event IDs and YARA condition semantics
- MITRE ATT&CK technique-ID precision and anti-debug primitives
- Cobalt Strike, JA3, imphash, ssdeep, sdhash, TLSH
- Ransomware cryptography, persistence registry paths, timestomp, IT Act sections

Calibrated for roughly 30 to 40 percent accuracy across the hard band. Allow 30 minutes.
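The PE header facts above (Magic 0x10B versus 0x20B, the DataDirectory indices for Debug, TLS and Load Config, and the section flag plus entropy heuristic for packing) can be exercised against a hand-built image. This is an added example written for this listing, not code from ForensicSpot or from any tool the drill names; the PE32+ image it parses is constructed inline, and the 7.0 bits-per-byte entropy threshold is an assumed rule of thumb rather than a standard.

```python
import math
import struct

DIRECTORY_NAMES = {6: "DEBUG", 9: "TLS", 10: "LOAD_CONFIG"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0   # assumption for this example: common heuristic, not a spec value


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty input and exactly 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf):
    """Read the optional-header Magic, DllCharacteristics, the named DataDirectory entries,
    and per-section flags plus raw-data entropy. Offsets follow the PE/COFF specification:
    NumberOfRvaAndSizes at 92 (PE32) or 108 (PE32+), DataDirectory at 96 or 112."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:
        kind, dir_off, nrva_off = "PE32", 96, 92
    elif magic == 0x20B:
        kind, dir_off, nrva_off = "PE32+", 112, 108
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", buf, opt + nrva_off)[0]
    dirs = {}
    for i in range(min(nrva, 16)):
        rva, size = struct.unpack_from("<II", buf, opt + dir_off + 8 * i)
        if rva or size:
            dirs[DIRECTORY_NAMES.get(i, str(i))] = (rva, size)
    sections = []
    sec = opt + opt_size   # section table starts right after the optional header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", buf, sec + 40 * i)
        ent = shannon_entropy(buf[rawptr:rawptr + rawsize])
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "flags": flags,
            "wx": bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE),
            "entropy": round(ent, 2),
            "suspect_packed": ent >= PACKED_ENTROPY_THRESHOLD,
        })
    return {"format": kind, "machine": machine, "characteristics": chars,
            "dll_characteristics": dll_chars, "directories": dirs, "sections": sections}


def build_sample():
    """Constructed PE32+ image: a low-entropy .text and a writable+executable UPX1 section
    whose raw bytes are 0x00..0xFF once each, so its entropy is exactly 8.0 bits."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                     # e_lfanew at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)     # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, 0x0160)   # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 108, 16)
    for idx, (rva, size) in {6: (0x3000, 0x1C), 9: (0x4000, 0x28), 10: (0x5000, 0x140)}.items():
        struct.pack_into("<II", opt, 112 + 8 * idx, rva, size)

    def section(name, va, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 256, va, 256, raw_ptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\x00\x00" + file_hdr + bytes(opt)
               + section(b".text", 0x1000, 512, 0x60000020)    # CODE | EXECUTE | READ
               + section(b"UPX1", 0x2000, 768, 0xE0000020))    # CODE | EXECUTE | READ | WRITE
    text = b"\x90" * 200 + b"\xc3" * 56
    upx1 = bytes(range(256))
    return headers.ljust(512, b"\x00") + text + upx1


if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

On a real file, read it in binary and pass the bytes to parse_pe; the TLS directory entry being non-zero is the cue to go and enumerate AddressOfCallBacks before the entry point is ever reached.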
Hard-band FACT digital forensics drill on first responder doctrine and digital evidence admissibility in 2026 India. Synthesis-level questions span Section 65B IEA 1872 and Section 63 BSA 2023 with sub-clause precision, the Anvar P.V. (2014), Shafhi Mohammad (2018, overruled), Arjun Panditrao Khotkar (2020), and Tomaso Bruno (2015, per incuriam) line, the new BNSS 2023 search and production framework (Sections 94, 103, 105, 185, 186), the IT Act 2000 (Sections 69, 79A, 80, 84A), NIST SP 800-88 Revision 1 sanitization categories with media-type boundaries, RFC 3227 seven-layer volatility, hash deprecation (MD5 Wang-Yu 2005, SHA-1 SHAttered 2017, Shambles 2020), memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) with smear analysis, imaging formats (raw dd, E01, Ex01, AFF4, L01) with integrity-tag granularity, write blockers (Tableau T35689iu, T356887iu, T7u, T8u NVMe), encryption recovery scenarios (LUKS2 Argon2id, BitLocker TPM, FileVault 2, APFS), iOS BFU vs AFU state, the checkm8 boundary (A5 to A11), and chain-of-custody curable-versus-fatal-break doctrine.

Distractor design uses one-parameter swaps across statute subsections, vendor model numbers, RFC layer ordering, and judgment names so that surface familiarity is insufficient. Calibrated for candidates targeting the top decile in the FACT digital forensics paper, NFSU MSc digital forensics entrance, and the cyber-crime modules of the UGC-NET Forensic Science Paper II. Useful as a final-stretch verification drill for examinees who have cleared the easy and applied-scenarios sets and need to test edge cases. Aim for 30 to 40 percent accuracy; hard-band distractors differ from the correct answer on one specific parameter (one statute subsection, one model number, one RFC layer, one judgment name) and a single misread will pull you onto the wrong option.

Topics covered:
- Section 65B IEA 1872 and Section 63 BSA 2023 sub-clause precision
- Anvar, Shafhi, Arjun Panditrao, Tomaso Bruno case line
- BNSS 94, 103, 105, 185, 186 with CrPC counterparts
- IT Act 69, 79A, 80, 84A interception and expert-evidence powers
- NIST SP 800-88 Rev 1 Clear, Purge, Destroy by media type
- RFC 3227 seven-layer order of volatility
- Hash deprecation timeline MD5, SHA-1, SHAttered, Shambles
- Memory acquisition (LiME, DumpIt, OSXPmem, MacQuisition) and smear

Written by ForensicSpot Editorial. Allow 30 minutes.
Advanced FACT-style drill on cloud security and cloud forensics, calibrated to the hardest band of the syllabus. Thirty single-best-answer items on IAM evaluation precedence with explicit Deny, AWS condition keys including aws:PrincipalArn, aws:SourceArn, aws:SourceAccount, kms:ViaService and kms:GrantOperations, the iam:PassRole + iam:CreatePolicyVersion + iam:SetDefaultPolicyVersion privilege escalation chain, sts:AssumeRole session principal ARN parsing, CloudTrail ConsoleLogin mfaUsed and eventCategory filters, VPC Flow Log version 5 pkt-srcaddr and tcp-flags bitmask reading, KMS GenerateDataKey family selection and KeyUsage SIGN_VERIFY vs ENCRYPT_DECRYPT, S3 server-side encryption header values including aws:kms:dsse for DSSE-KMS, S3 Object Lock GOVERNANCE vs COMPLIANCE retention, Azure RBAC scope inheritance and Diagnostic Settings AuditEvent, GCP Audit Logs Admin Activity vs Data Access defaults, EKS IRSA AssumeRoleWithWebIdentity flow, Kubernetes audit policy stages RequestReceived to ResponseComplete, NIST SP 800-61 Rev 2 IR phases, CLOUD Act 2018 Section 103 extra-territorial reach, India-US MLAT routing with DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2) SSMI traceability, SAML 2.0 Subject vs OIDC sub claim and SAML AuthnContextClassRef vs OIDC acr, mTLS at NLB passthrough vs ALB vs API Gateway, CloudTrail log file validation digest schema, and BYOK vs HYOK vs AWS KMS External Key Store.

Built for FACT aspirants, NFSU MSc Digital Forensics candidates, GCFA cloud-evidence pathways, SANS FOR509 prep, and AWS Certified Security Specialty candidates who want the hard-band differentiation between near-twin AWS, Azure, and GCP concepts. Every option set differs from the correct answer on a single parameter, so partial recall of the topic will not be enough to score well.

Topics covered:
- IAM policy evaluation: explicit Deny, cross-account two-way grant, condition keys
- Privilege escalation chains via iam:PassRole and IAM policy versioning
- CloudTrail event reading: AssumeRole session principal, ConsoleLogin, eventCategory
- VPC Flow Log version 5 fields: pkt-srcaddr, pkt-dstaddr, tcp-flags bitmask
- KMS API family, KeyUsage values, condition keys, grant tokens, XKS
- S3 SSE header values, DSSE-KMS, Object Lock COMPLIANCE vs GOVERNANCE
- Azure RBAC inheritance, GCP Audit Log defaults, EKS IRSA, Kubernetes audit stages
- Indian and cross-border law: CLOUD Act 2018, DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2)

This hard-band mock is calibrated for one-parameter discrimination, which is why every option in every item sits at the same level of abstraction and the same canonical form. Allow 30 minutes.
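Two of the items above, explicit-Deny precedence and the iam:CreatePolicyVersion / iam:SetDefaultPolicyVersion / iam:PassRole escalation chain, can be modelled in a few dozen lines. This is an added example written for this listing, not ForensicSpot material or AWS code. It assumes a deliberately reduced evaluator (identity policies in one account only; no Condition elements, permission boundaries, SCPs or resource-based policies), and the chain catalogue is an illustrative subset of the well-known IAM escalation primitives, chosen for the example rather than taken from any test item. The policy documents are constructed.

```python
import re

# Constructed identity policies for a hypothetical principal. Policy 1 looks like a scoped
# "policy admin" grant; policy 2 is a blanket Deny on one action. Account ID is a placeholder.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": "arn:aws:iam::123456789012:policy/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ]},
    {"Version": "2012-10-17",
     "Statement": {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"}},
]

# Resources the escalation checks are evaluated against (constructed ARNs).
TARGETS = {
    "policy": "arn:aws:iam::123456789012:policy/TeamPolicy",
    "user": "arn:aws:iam::123456789012:user/analyst",
    "role": "arn:aws:iam::123456789012:role/lambda-exec",
    "any": "*",
}

# Illustrative subset of escalation chains: every action in a chain must be allowed.
ESCALATION_CHAINS = {
    "set-default-policy-version": [("iam:SetDefaultPolicyVersion", "policy")],
    "create-policy-version": [("iam:CreatePolicyVersion", "policy")],
    "attach-user-policy": [("iam:AttachUserPolicy", "user")],
    "create-access-key": [("iam:CreateAccessKey", "user")],
    "passrole-to-lambda": [("iam:PassRole", "role"), ("lambda:CreateFunction", "any"),
                           ("lambda:InvokeFunction", "any")],
    "passrole-to-ec2": [("iam:PassRole", "role"), ("ec2:RunInstances", "any")],
}


def iam_glob(pattern, value, ignore_case):
    """IAM string matching: '*' matches any run, '?' one character, no bracket classes.
    Action names compare case-insensitively; resource ARNs compare case-sensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    if v is None:
        return []
    return list(v) if isinstance(v, list) else [v]


def _statement_matches(stmt, action, resource):
    if "NotAction" in stmt:
        act_ok = not any(iam_glob(p, action, True) for p in _as_list(stmt["NotAction"]))
    else:
        act_ok = any(iam_glob(p, action, True) for p in _as_list(stmt.get("Action")))
    res_ok = any(iam_glob(p, resource, False) for p in _as_list(stmt.get("Resource")))
    return act_ok and res_ok


def evaluate(policies, action, resource):
    """Reduced evaluation order: any matching explicit Deny wins immediately, otherwise a
    matching Allow yields Allow, otherwise the answer is the implicit deny."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):      # Statement may be one object or a list
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def escalation_paths(policies, targets):
    """Names of every catalogued chain whose actions are all allowed against the given targets."""
    return [name for name, steps in ESCALATION_CHAINS.items()
            if all(evaluate(policies, act, targets[kind]) == "Allow" for act, kind in steps)]


if __name__ == "__main__":
    for act in ("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy"):
        print(act, evaluate(POLICIES, act, TARGETS["policy"]))
    print(escalation_paths(POLICIES, TARGETS))
```

The point the example makes is the one the drill tests: denying iam:CreatePolicyVersion closes one path but leaves iam:SetDefaultPolicyVersion (a previously created privileged version can simply be made default) and the iam:PassRole plus Lambda path open, so the Deny has to cover the whole chain, not one link of it.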
Applied FACT digital-forensics drill that puts the examiner inside thirty short investigation scenarios across Windows, Linux, and macOS hosts and asks what each surviving artefact actually proves.

The Windows scenarios cover $MFT $STANDARD_INFORMATION versus $FILE_NAME timestomp signatures, prefetch hash and run-count execution proof, AmCache and ShimCache attribution differences, UserAssist ROT13 counters, USB insertion via the USBSTOR enumerator key cross-referenced with C:\Windows\INF\setupapi.dev.log, ShellBags evidence of access to now-deleted folders, Volume Shadow Copy mounting and Security.evtx diffing, LNK MAC times pinning prior file state, $Recycle.Bin SID resolution against SAM and ProfileList, and Remote Desktop sessions surfaced as EventID 4624 LogonType 10.

The Linux half walks through GTFOBins-style SUID misuse with find -exec /bin/sh -p, the $6$ SHA-512 identifier in /etc/shadow, the three-way persistence choice across cron.d, systemd units, and rc.local, auditd connect() syscall rules, HISTTIMEFORMAT and the #<epoch> timestamp comment lines it makes bash write to .bash_history (as distinct from the ": <epoch>:0;" prefix of zsh EXTENDED_HISTORY), hard-link versus symbolic-link inode semantics, /proc/[pid]/maps as a window onto injected RWX regions, ext4 inode-reuse limits on deletion recovery, and extended-attribute namespaces as the Linux analogue of NTFS Alternate Data Streams.

The macOS scenarios go through TCC.db privacy decisions, the com.apple.quarantine Gatekeeper attribute, the FSEvents gzipped binary log format, kMDItemWhereFroms via mdls and xattr, .DS_Store leakage risk, APFS Time Machine snapshot mounting with tmutil and mount_apfs, sandbox container layout under ~/Library/Containers, launchd StartInterval as the cron equivalent, the History.db schema with history_items joined to history_visits, and APFS clone semantics versus copy and hard link.

For FACT aspirants, NFSU MSc digital-forensics candidates, and analysts preparing for GCFA, CHFI, SANS FOR500, or FOR518. Each question is a small triage decision: given this artefact in this state, what is the defensible reading? Distractors are near-twin readings drawn from adjacent artefacts on the same operating system, so guessing on path or vocabulary alone will not work and the candidate has to know how each subsystem actually writes its evidence.

Topics covered:
- Windows file-system metadata and execution-evidence reasoning
- USB attribution, RDP sessions, and shadow-copy log diffing
- Recycle Bin SID resolution and LNK target reconstruction
- Linux privilege-escalation and persistence triage patterns
- auditd, bash history timestamps, and inode-reuse recovery limits
- macOS TCC, Gatekeeper, FSEvents, and Spotlight metadata
- Time Machine snapshot mounting and sandbox container layout
- launchd persistence keys and Safari history schema details

Useful for revision before the FACT digital forensics paper and for cross-platform incident triage practice. Allow 30 minutes.
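The bash history timestamp artefact the Linux scenarios lean on is a good candidate for a small parser, because the two near-twin formats (bash's "#<epoch>" comment line written before each command when HISTTIMEFORMAT is set, and zsh's ": <epoch>:<elapsed>;<command>" EXTENDED_HISTORY line) are easy to confuse at the bench. The following is an added example written for this listing, not ForensicSpot material; both history fragments are constructed, and the handling of edge cases (a command with no stamp, two stamps in a row) is this parser's own choice, not documented shell behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed .bash_history: HISTTIMEFORMAT was unset for the first command and set afterwards.
# The two consecutive stamp lines mimic a command that never made it to disk.
BASH_HISTORY = """ls -la
#1705314600
find / -perm -4000 -type f 2>/dev/null
#1705314660
find . -exec /bin/sh -p \\; -quit
#1705314661
#1705314700
cat /etc/shadow
"""

# Constructed .zsh_history written with EXTENDED_HISTORY: ': <start epoch>:<elapsed seconds>;<command>'.
ZSH_HISTORY = """: 1705314600:0;ls -la
: 1705314615:12;sleep 12
"""

BASH_STAMP = re.compile(r"^#(\d{9,10})$")
ZSH_STAMP = re.compile(r"^: (\d+):(\d+);(.*)$")


def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def parse_bash_history(text):
    """Pair each command with the '#<epoch>' line that precedes it. A command with no stamp
    gets None. When two stamps follow each other the later one is kept (parser's choice).
    Caveat: a user who literally typed '#1705314600' as a command is indistinguishable."""
    out, pending = [], None
    for line in text.splitlines():
        m = BASH_STAMP.match(line)
        if m:
            pending = m.group(1)
            continue
        out.append({"when": _utc(pending) if pending else None, "cmd": line})
        pending = None
    return out


def parse_zsh_history(text):
    """zsh EXTENDED_HISTORY carries the start time and the elapsed seconds on the same line."""
    out = []
    for line in text.splitlines():
        m = ZSH_STAMP.match(line)
        if m:
            out.append({"when": _utc(m.group(1)), "elapsed": int(m.group(2)), "cmd": m.group(3)})
        else:
            out.append({"when": None, "elapsed": None, "cmd": line})
    return out


def parse_shell_history(text):
    """Choose the parser from the first stamp seen; a file with neither format is plain bash."""
    for line in text.splitlines():
        if ZSH_STAMP.match(line):
            return "zsh", parse_zsh_history(text)
        if BASH_STAMP.match(line):
            break
    return "bash", parse_bash_history(text)


if __name__ == "__main__":
    for sample in (BASH_HISTORY, ZSH_HISTORY):
        kind, rows = parse_shell_history(sample)
        print(kind)
        for r in rows:
            print("  ", r)
```

Note what the stamps do and do not prove: a bash stamp is the time the command was entered, written only when the history was flushed to disk, so an interactive session killed with SIGKILL can leave no trace at all, and neither format records the command's exit status.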
Applied scenario drill on web-browser and email forensics for FACT aspirants, pitched one level above the introductory mock. Questions move past definitions into the kind of decisions an investigator actually makes at the bench: writing the right SQL join across Chrome's urls, visits, and visit_source tables; converting a Chrome timestamp from microseconds since 1601 UTC into a calendar date; recognising why a SameSite=None cookie without Secure was rejected; deciding whether a body-hash mismatch on a DKIM signature points to a transit footer or to a header rewrite; tracing a multi-hop Received chain bottom-up to the host that actually submitted the message; reading an OST orphan condition after Active Directory disabled the account; choosing PST, OST, MBOX, or emlx for the workstation in front of you; and applying Section 66D of the IT Act 2000 to a bank-impersonation phishing case.

The mock is calibrated for MSc Forensic Science aspirants preparing for the FACT entrance, the cyber stream of the NFSU MSc, and CHFI or GCFA candidates who want a focused drill on Chromium and Firefox artefacts, MIME parsing, SPF, DKIM, DMARC alignment failures, and standard email containers. Each question is rooted in a verifiable primary source: RFC 5321, 5322, 1939, 3501, 2045 to 2049, 6376, 7208, and 7489 for protocol behaviour; Microsoft Learn for OST, PST, DPAPI, and ESE; Apple Developer for the Keychain; the Chromium source tree and Mozilla Source Docs for browser internals; and the IT Act 2000 for the Indian statutory anchor.

Topics covered:
- Chrome History database joins and 1601-epoch microsecond timestamp arithmetic (the FILETIME epoch, but in microseconds rather than 100 ns ticks)
- Firefox places.sqlite, sessionstore-backups jsonlz4 framing, and Edge WebCacheV01.dat ESE access
- Cookie attribute semantics, including the SameSite=None Secure rule, HTTP cache reconstruction, and ETag revalidation
- Browser credential stores on Windows and macOS, DPAPI and Keychain key wrapping
- Incognito leak vectors across pagefile, hiberfil, and the OS DNS resolver cache
- Multi-hop Received chain reading, X-Originating-IP reliability, and Message-ID anchoring
- MIME multipart parsing, base64 versus quoted-printable, and DKIM body-hash failure modes
- SPF, DKIM, DMARC alignment outcomes and aggregate versus forensic reporting
- PST, OST, MBOX, and emlx selection per platform, OST orphan handling, single-instance attachment recovery
- Section 66D IT Act 2000 in a phishing-impersonation case

Allow 30 minutes.
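The Chrome History join and the 1601-epoch conversion are worth seeing end to end, since the visit_source table only holds rows for visits that were not browsed locally and an inner join silently drops the rest. The following is an added example written for this listing, not ForensicSpot material or Chromium code; it builds a trimmed copy of the urls, visits and visit_source tables in memory from constructed rows. The transition core types and qualifier bits are taken from Chromium's ui::PageTransition and the visit_source values from Chromium's VisitSource enum as the editor reads them, and the Firefox converter is included only to show the contrasting epoch.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(value):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC (FILETIME's epoch, 1 us units)."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def utc_to_chrome_time(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def firefox_time_to_utc(value):
    """Firefox places.sqlite: microseconds since the Unix epoch, so no 1601 offset applies."""
    return UNIX_EPOCH + timedelta(microseconds=value)


# Low byte of visits.transition is the core type; high bits are qualifiers such as
# CHAIN_START (0x10000000) and CHAIN_END (0x20000000).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
                    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
# visit_source.source; locally browsed visits (1) get no row at all in that table.
VISIT_SOURCES = {0: "SYNCED", 1: "BROWSED", 2: "EXTENSION", 3: "FIREFOX_IMPORTED",
                 4: "IE_IMPORTED", 5: "SAFARI_IMPORTED"}

T0 = utc_to_chrome_time(datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))


def load_constructed_history():
    """In-memory subset of the History schema filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
        CREATE TABLE visit_source(id INTEGER PRIMARY KEY, source INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://bank.example/login", "Login", 2, 1, T0 + 3_600_000_000, 0),
        (2, "https://bank.example/account", "Account", 1, 0, T0 + 45_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (1, 1, T0, 0, 0x10000001, 0, 45_000_000),          # TYPED | CHAIN_START
        (2, 2, T0 + 45_000_000, 1, 0x20000000, 0, 0),       # LINK | CHAIN_END, reached from visit 1
        (3, 1, T0 + 3_600_000_000, 0, 0x30000001, 0, 0),    # TYPED, but synced from another device
    ])
    conn.execute("INSERT INTO visit_source VALUES (3, 0)")
    return conn


def visit_timeline(conn):
    """Join visits to urls, LEFT JOIN visit_source so locally browsed visits still appear."""
    rows = conn.execute("""
        SELECT v.id, u.url, v.visit_time, v.from_visit, v.transition, COALESCE(vs.source, 1) AS source
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visit_source vs ON vs.id = v.id
        ORDER BY v.visit_time
    """).fetchall()
    return [{"visit_id": vid, "url": url, "when": chrome_time_to_utc(t).isoformat(),
             "from_visit": frm, "core": CORE_TRANSITIONS.get(tr & 0xFF, "UNKNOWN"),
             "chain_start": bool(tr & 0x10000000), "chain_end": bool(tr & 0x20000000),
             "source": VISIT_SOURCES.get(src, "UNKNOWN")}
            for vid, url, t, frm, tr, src in rows]


if __name__ == "__main__":
    for row in visit_timeline(load_constructed_history()):
        print(row)
```

Against a real History file, open a copy (never the live database, which is locked and carries a write-ahead log) and run visit_timeline on it; the from_visit column is what lets you reconstruct the click path rather than just the list of pages.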
FACT Digital Forensics paper drill on applied virtual machine and cloud forensic scenarios, sitting one level above the introductory definitions mock on the same syllabus. Questions place the candidate inside a specific case and ask which technique applies: choosing between live and offline acquisition for a fileless guest, picking the right VMware artefact (.vmem at a snapshot, .vmss at a suspend, .vmsn for metadata), mounting VMDK chains and Hyper-V .avhdx differencing disks as ordered overlays, converting QCOW2 to raw with qemu-img convert, reading vmware.log for VM escape signals, inspecting VMFS datastores through vmfs-tools, recognising MITRE ATT&CK T1497 anti-VM checks via CPUID and MAC OUI, walking the Docker OverlayFS layer stack, retaining Kubernetes emptyDir evidence by shipping logs, acquiring vSAN through the API rather than by pulling drives, and choosing in-guest tools such as LiME or AVML for live memory.

The cloud half tests log-source selection between CloudTrail, VPC Flow Logs, CloudWatch Logs, and S3 access logs, the iam:CreateAccessKey to iam:AttachUserPolicy escalation chain under MITRE T1098, the volatile-first acquisition order paired with EBS snapshot copy across accounts and regions, multi-tenancy under NIST IR 8006, KMS misuse evidence (key policy, grants, last-used), least-privilege failures in IAM JSON, the interaction of CLOUD Act 2018, IT Rules 2021, and DPDP Act 2023, MLAT preservation requests, Lambda forensics through CloudWatch Logs only, Azure Diagnostic Settings for Resource Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, CloudTrail digest-chain tampering indicators, and S3 Object Lock compliance mode plus MFA Delete for legal hold.

For FACT digital-forensics aspirants and MSc students working through applied virtualisation and cloud incident-response scenarios, useful as a revision pass before NFSU MSc, GCFA, SANS FOR509, CCSP, and AWS Security Specialty exams. Questions emphasise picking the right technique under a specific scenario rather than reciting definitions, with Indian and US legal anchors for cross-border cloud cases.

Topics covered:
- Live vs offline VM acquisition for fileless and snapshot scenarios
- VMware .vmem, .vmss, .vmsn, .vmx, VMDK chains and ESXi VMFS datastores
- Hyper-V .avhdx checkpoint chains and VirtualBox .vbox and .vdi files
- QCOW2 to raw conversion with qemu-img and qemu-nbd cross-format mounting
- Container OverlayFS layers and Kubernetes emptyDir evidence retention
- AWS log-source selection: CloudTrail, VPC Flow Logs, CloudWatch, S3 access logs
- IAM escalation chains, KMS audit, least-privilege failures, MITRE T1098 and T1497
- EBS snapshot acquisition order and cross-region cross-account chain-of-custody
- CLOUD Act 2018, IT Rules 2021, DPDP Act 2023, MLAT preservation requests
- Lambda, Azure Resource Logs, GCP Audit Log streams, CloudTrail integrity, S3 Object Lock

Useful for revision and self-testing before the FACT Digital Forensics paper. Allow 30 minutes.
Applied scenario drill on identifying common network attacks from forensic evidence: ARP poisoning visible in arp -a, DNS hijack versus cache poisoning versus typosquatting from packet samples, when DNSSEC would have blocked the attack, the choice between BCP 38 ingress filtering and unicast Reverse Path Forwarding (uRPF), recognising SYN flood versus UDP amplification from NetFlow records, distinguishing SSL stripping from HTTPS downgrade and from certificate misissuance, KRACK versus PMKID versus WPA2 dictionary attack on a wireless capture, rogue AP versus evil twin versus karma differentiation, reflection-versus-amplification ratios (DNS amp versus memcached amp), SQL injection class detection from response side-channels (error-based, blind boolean, time-based), OWASP Top 10 (2021) category mapping including A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection and A07 Identification and Authentication Failures, XSS reflected versus stored versus DOM by where the payload lives, CSRF versus SSRF as confused-deputy patterns, zero-day versus N-day timeline in responsible disclosure, deauthentication-flood evidence in 802.11 management frames, lateral movement versus initial access in MITRE ATT&CK terms, and phishing-kit fingerprinting through typosquat domains and Let's Encrypt certificate patterns.

This mock targets candidates preparing for the FACT entrance examination, MSc Digital Forensics aspirants at NFSU and central forensic-science universities, and working analysts mapping live incidents against syllabus categories. The scenario format mirrors what the FACT paper actually asks: the question describes evidence (a packet dump, a NetFlow record, an arp -a output, a log line) and asks which attack class fits and which mitigation applies.

Topics covered:
- ARP poisoning evidence in arp -a dumps and dynamic ARP inspection responses
- DNSSEC validation chain and when it would have blocked a forged answer
- BCP 38 versus unicast Reverse Path Forwarding (uRPF) for source-address validation
- Reflection and amplification ratios for DNS, NTP, and memcached
- WPA2 PMKID, KRACK key reinstallation, and WPA3 SAE Dragonblood
- OWASP Top 10 (2021) category mapping for IDOR, weak hashes, and Log4Shell
- SQL injection side-channels: error-based, boolean-based blind, time-based blind
- MITRE ATT&CK lateral movement, initial access, defense evasion, exfiltration

This 30-question, medium-difficulty pack is free to attempt and is reviewed against Stallings 8e, Kurose and Ross 8e, OWASP Top 10 (2021), the relevant IETF RFCs (2827, 3704, 4033, 6797, 6962), the IEEE 802.11 and 802.11w standards, the Vanhoef and Piessens KRACK paper, the Vanhoef and Ronen Dragonblood paper, NIST SP 800-115, Casey 3e, Nelson 6e, and current CERT-In advisories. Allow 30 minutes.
This FACT-aligned mock test puts the network security architecture block of the digital forensics syllabus into applied form. Thirty scenario-style single-best-answer questions exercise IPSec selection between AH (RFC 4302), ESP (RFC 4303), and the combination, transport versus tunnel mode for site-to-site and remote-access deployments, and IKEv2 (RFC 7296) versus the deprecated IKEv1 Aggressive Mode. VPN selection between OpenVPN, WireGuard, and IPSec is tested against use-case constraints. Firewall design covers stateful inspection, application proxies, and next-generation firewalls when layer-7 inspection plus user identity are required. IDS versus IPS placement (passive tap versus inline) and the signature-versus-anomaly gap on zero-day traffic are explored alongside PEAP versus EAP-TLS choices given certificate-management realities, Kerberos AS-TGS-KDC troubleshooting under RFC 4120 error codes, X.509 chain validation, LDAP distinguished names, digital signature verification, CRL versus OCSP under RFC 5280 and RFC 6960, TLS 1.2 versus 1.3 handshake changes, HSTS preload reasoning, NAC 802.1X-MAB risk, TOTP versus HOTP versus FIDO2 selection, PKI bridge trust models, VLAN versus micro-segmentation under NIST SP 800-207, SIEM correlation tuning, and IPv6 SLAAC with Privacy Extensions versus stateful DHCPv6.

This medium-band paper is intended for MSc and BSc forensic science aspirants targeting the FACT entrance examination, and for working professionals preparing for CISSP, Security+, or CHFI. Indian PKI material under the Controller of Certifying Authorities and the IT Act 2000 informs the certificate questions, alongside CERT-In hardening advisories and NIST publications.

Topics covered:
- IPSec AH versus ESP versus combined, transport versus tunnel mode selection
- IKEv2 phases against IKEv1 Aggressive Mode deprecation
- VPN selection between OpenVPN, WireGuard, and IPSec for given constraints
- Firewall types: stateful, proxy, and NGFW with TLS decryption and user identity
- IDS passive tap versus IPS inline, and signature limits against zero-day traffic
- PEAP versus EAP-TLS, Kerberos error troubleshooting, X.509 chain failures
- LDAP DN versus RDN, digital signatures, CRL versus OCSP freshness trade-off
- TLS 1.3 handshake, HSTS preload, 802.1X-MAB risk, FIDO2 selection, micro-segmentation

Use this set as a calibration exercise before attempting full-length FACT digital forensics papers. Allow 30 minutes.
Applied-scenario drill on network monitoring and investigation for FACT Digital Forensics aspirants. Each question places the candidate inside a real incident and asks which command, flag, log field, signature, or methodology stage actually solves the problem, rather than asking for a definition. The set covers Wireshark capture filter versus display filter syntax on a stored pcap, tcpdump rotation flags (-G, -C, -W) for long-window captures, PCAPng with nanosecond timestamp precision for high-speed links, the OSCAR methodology applied to a live incident timeline, SPAN port versus inline network TAP under asymmetric routing, sFlow versus NetFlow versus IPFIX selection on a retention budget, Snort signature interpretation from a Talos or Emerging Threats alert line, Suricata HTTP parser logs versus Snort raw pattern matches, Zeek triage across conn.log, http.log, and dns.log, SQL injection identification from web access logs (UNION SELECT, OR '1'='1, time-based SLEEP), Windows Security Event ID mapping (4624 Logon Type 10 for RDP, 4625 Sub Status codes, 4672 special privileges, 4688 process creation), journalctl with -u and --since for SSH brute-force triage on systemd hosts, Cisco show ip arp plus show mac address-table correlation for ARP-spoof attribution, Cisco ASA syslog severity selection per RFC 5424, NetFlow top-talker drill-down, DPI trade-offs against TLS encryption with JA3 and JA3S fingerprinting, Cowrie versus Dionaea versus T-Pot honeypot selection, downstream legal exposure of operating a honeypot under the Information Technology Act 2000, NTP time-sync as the precondition for cross-host log correlation under RFC 5905, airodump-ng plus Kismet for rogue access point triangulation, and traffic-analysis inference of session type from packet size and timing over encrypted VPN tunnels.

This mock targets MSc Forensic Science and BSc Forensic Science students preparing for the FACT (Forensic Aptitude and Coding Test) Digital Forensics paper, NFSU MSc Cyber Security entrance candidates, and early-career SOC analysts learning the GCIA, GCFE, or SANS FOR572 syllabus through Indian academic mocks.

Topics covered:
- Wireshark display filter and BPF capture filter on a stored pcap
- tcpdump rotation with -G, -C, -W and strftime filename patterns
- PCAPng nanosecond timestamping for high-speed link forensics
- OSCAR methodology stages applied to a real network incident
- SPAN versus TAP placement under asymmetric routing
- Snort, Suricata EVE JSON, and Zeek conn-http-dns log triage
- SQL injection signature reading from web access logs
- Windows Event IDs 4624, 4625, 4672, 4688 in scenario context

Each item carries a three-paragraph explanation citing Wireshark, tcpdump, Snort, Suricata, Zeek, OWASP, Microsoft Learn, Cisco IOS, RFCs 5424, 5905, 7011, and Davidoff and Ham's Network Forensics text. Allow 30 minutes.
Applied scenario drill for the FACT digital forensics paper, focused on the computer networking knowledge investigators have to apply at a real scene: subnet arithmetic on /27, /28, and /29 blocks; supernetting and CIDR overlap detection; OSPF cost from interface bandwidth; BGP route-hijack identification from AS-PATH signatures; Spanning Tree Protocol root election; 802.1Q VLAN tagging on trunk versus access ports; ARP storm and switching loop diagnosis; ICMP type and code distinctions covering ping, traceroute, port unreachable, administratively prohibited, and redirect; TCP three-way handshake reading from a pcap snippet; DNS over UDP, TCP, DoT 853, and DoH 443; Wi-Fi 5 versus Wi-Fi 6 capture considerations; WPA2 versus WPA3 SAE handshake; client isolation on a guest SSID; bandwidth-delay product window sizing; jitter versus latency in a VoIP investigation; longest-prefix match in a routing table; carrier-grade NAT shared address space at 100.64.0.0/10 against RFC 1918 private space; NAT traversal versus direct exposure for a residential server.

This mock is for forensic science postgraduates and FACT aspirants who have crossed the definition stage and now need to apply networking facts to investigation scenarios. It is calibrated to the medium band, where every question forces a choice between near-neighbour options that share most attributes and differ on one parameter the investigator has to know cold. The mock is equally useful for UGC-NET Paper II networking-section preparation, NFSU MSc digital forensics, and entry-level GCFA or CHFI revision.

Topics covered:
- Subnet arithmetic and broadcast addresses on /27, /28, /29
- Supernetting, CIDR aggregation, and prefix overlap detection
- OSPF interface cost and BGP route-hijack signatures
- Spanning Tree Protocol root election and switching-loop diagnosis
- 802.1Q VLAN tagging on trunk and access ports
- ICMP type and code distinctions across ping, traceroute, redirect
- TCP three-way handshake from pcap and Path MTU Discovery black holes
- DNS over UDP, TCP, DoT 853, DoH 443, plus EDNS0 buffer sizing
- Wi-Fi 4, 5, 6 standards, WPA3 SAE, and client isolation
- Bandwidth-delay product, jitter versus latency, CGNAT and NAT traversal

Sit the mock under timed conditions, mark the explanation references, and revisit any RFC citations after each session. Allow 30 minutes.