Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Timed practice tests with instant scoring and per-question explanations.
This mock drills into the two hardest acquisition surfaces in modern digital forensics — public-cloud workloads and Internet-of-Things devices — and the legal, architectural, and procedural obstacles that distinguish them from traditional disk forensics. Thirty hard questions across cloud service models (IaaS, PaaS, SaaS, FaaS) and what each layer surrenders to the investigator, deployment models (public, private, community, hybrid), multi-tenancy and data co-mingling, jurisdictional pathways for cross-border production (MLAT, the US CLOUD Act 2018, GDPR Article 48, India's DPDP Act 2023, IT Act §69 read with the 2009 Rules, the CERT-In Directions of 28 April 2022 with their 6-hour reporting and 180-day log-retention rules), the major cloud audit logs (AWS CloudTrail vs CloudWatch vs Config vs VPC Flow Logs, Azure Activity Log vs Entra ID Sign-in Logs vs Diagnostic Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, Microsoft 365 Unified Audit Log retention by SKU), snapshot-based acquisition (EBS snapshot → cross-account share → forensic VPC restore), Linux memory acquisition with LiME, and the limits of memory acquisition on serverless platforms. The IoT half covers smart-hub voice assistants and the Echo cloud-account architecture exposed by *Arkansas v. Bates* (2017), wearables and the heart-rate / step-count timeline that proved decisive in *State v. Dabate* (Connecticut, 2017), smart-camera and doorbell acquisition when JTAG is gone and the eMMC is BGA-soldered (chip-off plus companion-app plus cloud), Android and iOS companion-app forensic artefacts (SQLite, SharedPreferences, plist, OAuth tokens), connected-vehicle Event Data Recorders extracted with the Bosch CDR tool over OBD-II under 49 CFR Part 563, and the special discipline required for industrial-control SCADA networks running Modbus and OPC-UA where active scanning can disrupt physical-world processes (IEC 62443). 
It is pitched at MSc and final-year BSc cyber forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET and CHFI aspirants who need the cloud and IoT acquisition layers locked in. This is a **premium**, **hard**-difficulty mock — distractors target the misconceptions a careful student is most likely to fall into (CloudTrail vs CloudWatch vs Config; Lambda vs EC2 acquisition; MLAT vs CLOUD Act vs GDPR Article 48; Azure Activity Log vs Entra Sign-in Logs; chip-off vs JTAG when neither is straightforward).

Themes covered:

- Cloud service models (IaaS / PaaS / SaaS / FaaS) and the evidence each layer yields
- Cloud deployment models (public, private, community, hybrid) and multi-tenancy
- AWS CloudTrail, CloudWatch, Config, VPC Flow Logs; Azure Entra Sign-in / Activity / Diagnostic Logs; GCP Audit Logs Admin Activity vs Data Access; M365 Unified Audit Log
- Snapshot acquisition (EBS / managed disk / persistent disk); Linux RAM with LiME; serverless limits
- Jurisdiction: MLAT, CLOUD Act 2018, GDPR Article 48, DPDP 2023, IT Act §69, CERT-In Directions 2022, data sovereignty
- Standards: NIST SP 800-145, NIST IR 8006, NIST SP 800-201, NIST SP 800-86, ISO/IEC 27037, CSA Domain 12, IEC 62443
- IoT classes: voice assistants (Echo / Home / HomePod), wearables (Fitbit, Apple Watch, Garmin), smart cameras (Ring, Nest), connected vehicles, industrial IoT
- IoT acquisition: chip-off vs JTAG, companion-app SQLite/SharedPreferences/plist, cloud-account artefacts
- Court precedents: *Arkansas v. Bates* (Echo, 2017), *State v. Dabate* (Fitbit, 2017)
- Connected-vehicle CAN-bus, OBD-II, EDR under 49 CFR Part 563, Bosch CDR tool

Each question carries a detailed 250+ word explanation citing primary sources — NIST IR 8006 and SP 800-201, NIST SP 800-145, ISO/IEC 27037, the CLOUD Act, GDPR, DPDP 2023, the IT Act, CERT-In Directions, AWS / Azure / GCP / Microsoft official documentation, the *Bates* and *Dabate* dockets, 49 CFR Part 563, ISO 15765-4, IEC 62443, and Hassan's *Digital Forensics Basics*. Allow 15 minutes — the explanations are long enough to use as study notes by themselves.
This mock covers Network Forensics as it is actually practised — reading packet captures, parsing logs, and reconstructing what happened on the wire. Thirty medium-difficulty questions across the eight pillars a network-forensic analyst (and any FACT or NFSU MSc Cyber Forensics aspirant) must lock in: packet-capture fundamentals (tcpdump and dumpcap snaplen, BPF capture filters versus Wireshark display filters, ring buffers for continuous capture, libpcap versus PCAP-NG), the TCP/IP stack as a forensic timeline (Ethernet framing, IPv4 TTL and fragmentation, TCP flags including the FIN-versus-RST distinction, the three-way handshake, sequence numbers, and retransmissions), per-protocol artefacts (HTTP request headers, the cleartext SNI in the TLS ClientHello, DNS record types and exfiltration patterns, the SMTP envelope, FTP active versus passive, SMB on port 445, the SSH banner), flow telemetry versus full PCAP (NetFlow/IPFIX, sFlow sampling), intrusion detection (Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral-movement techniques), web and proxy logs (Apache Common Log Format, IIS W3C Extended Log Format with its UTC time field), timestamp normalisation across UTC/IST/NTP-drifted endpoints, attacker techniques visible in packets (SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprinting), and the Indian regulatory layer (IT Act sections 69 and 69B with the CERT-In Directions of 28 April 2022 mandating 180-day log retention within Indian jurisdiction). It is pitched at MSc Cyber Forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET, and entry-level SOC analyst aspirants who need the network-forensics layer locked in before tackling deeper malware-traffic analysis, encrypted-payload reconstruction, and case studies. The questions assume you already know the basics of digital forensics; the medium-difficulty bar is set so that a careful read of an explanation closes the gap if you got the question wrong. 
Themes covered:

- Packet capture: tcpdump/Wireshark/dumpcap, BPF filter syntax, ring buffers, libpcap vs PCAP-NG
- TCP/IP stack: Ethernet, IPv4 TTL/fragmentation, TCP flags, three-way handshake, retransmissions
- Protocol artefacts: HTTP, HTTPS ClientHello SNI, DNS records and tunnelling, SMTP, FTP active/passive, SMB, SSH
- Flow telemetry: NetFlow/IPFIX vs full PCAP, sFlow sampling
- Intrusion detection: Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral movement
- Web/proxy logs: Apache CLF, IIS W3C Extended, NTP and UTC timestamp normalisation
- Attacker techniques in packets: SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprints
- Indian context: IT Act sections 69 and 69B, CERT-In Directions of 28 April 2022 (180-day log retention)

Each question carries a detailed 220+ word explanation citing primary sources — Davidoff and Ham’s *Network Forensics*, the relevant RFCs (791, 959, 1035, 4253, 5321, 6066, 7011, 9293), NIST SP 800-86, the Wireshark and Snort documentation, MITRE ATT&CK, and the IT Act with the CERT-In Directions. Allow 15 minutes; the explanations are long enough to use as study notes by themselves.
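As an added worked example (editor's code, not part of the mock or of any source it cites), here is the log-normalisation step the network-forensics description names: an Apache Common Log Format line stamped in IST with an explicit `+0530` offset and an IIS W3C Extended block whose `date`/`time` fields are UTC are parsed, a per-host clock-skew correction is applied for an endpoint whose NTP had drifted, and both feeds are merged into one UTC timeline. The log lines, the host names and the skew values are constructed for illustration.

```python
"""Normalise Apache CLF (local time + offset) and IIS W3C Extended (UTC)
log lines onto one UTC timeline, correcting for per-host clock skew."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from any real case). The Apache host sits in
# IST, so its CLF timestamps carry the +0530 offset.
APACHE_LINES = [
    '203.0.113.7 - - [12/Mar/2024:09:15:02 +0530] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:09:15:09 +0530] "POST /login HTTP/1.1" 302 0',
]

# IIS W3C Extended: the #Fields directive names the columns; date and time
# are written in UTC by default.
IIS_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip",
    "2024-03-12 03:45:05 10.0.0.5 GET /admin 401 203.0.113.7",
    "2024-03-12 03:45:11 10.0.0.5 GET /admin 200 203.0.113.7",
]

# Hypothetical skew table (assumption): seconds to ADD to a host's stamps to
# reach true time, measured against a trusted NTP reference. iis-web01's
# clock ran 7 s slow, so its stamps are 7 s too early.
CLOCK_SKEW_SECONDS = {"iis-web01": +7, "apache-web02": 0}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_apache_clf(line, host):
    """One CLF line -> event dict with a UTC, skew-corrected timestamp."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"not a CLF line: {line!r}")
    # %z consumes the explicit '+0530'; astimezone() does the conversion.
    local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ts = local.astimezone(timezone.utc)
    ts += timedelta(seconds=CLOCK_SKEW_SECONDS.get(host, 0))
    return {"ts": ts, "host": host, "src": m["ip"],
            "event": m["req"], "status": int(m["status"])}


def parse_iis_w3c(lines, host):
    """IIS W3C Extended block -> list of events; columns come from #Fields."""
    fields, events = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blanks
        if fields is None:
            raise ValueError("data row before #Fields directive")
        row = dict(zip(fields, line.split()))
        # Already UTC: attach tzinfo rather than converting.
        ts = datetime.strptime(f"{row['date']} {row['time']}",
                               "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        ts += timedelta(seconds=CLOCK_SKEW_SECONDS.get(host, 0))
        events.append({"ts": ts, "host": host, "src": row["c-ip"],
                       "event": f"{row['cs-method']} {row['cs-uri-stem']}",
                       "status": int(row["sc-status"])})
    return events


def build_timeline(apache_lines, iis_lines):
    """Merge both sources and order by corrected UTC time."""
    events = [parse_apache_clf(l, "apache-web02") for l in apache_lines]
    events += parse_iis_w3c(iis_lines, "iis-web01")
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in build_timeline(APACHE_LINES, IIS_LINES):
        print(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["host"],
              e["src"], e["event"], e["status"])
```

Without the skew correction the IIS `401` at 03:45:05 would sit between the `GET /login` and the `POST /login`; with the host's 7 s lag applied, both `/admin` requests follow the login, which is the ordering an analyst has to establish before citing the sequence in a report.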