MDF Final Exam Study Questions and Answers Graded A 2024
MDF Final Exam Study Questions and
Answers Graded A 2024
What is the term used extensively in the digital forensics community to qualify and
justify the use of a particular forensic technology or methodology? - Forensically Sound
List 3 mobile device operating systems. - Android, iOS, Windows
Mobile forensics is a branch of digital forensics related to the recovery of digital
evidence from what types of devices? - Cell Phones, GPS devices, drones, tablets
What is a brief definition or translation of the term "metadata?" - "data about data"
What are SIM card data files? - ICCID, IMSI, MSISDN
Metadata that can be specifically found in media files, such as pictures, is known as? -
EXIF Data
What is the order of extraction methodologies from the bottom of the "pyramid" to the
top, with the bottom representing the most basic? - Manual, Logical, Hex Dump, Chip
Off, Micro Read
Which of the following is not an example of a Hex Dump Extraction: File system,
Bootloader Physical, Client Physical, JTAG - File System
An examiner would physically scroll through a device while photographically
documenting its screen during what type of acquisition? - Manual
What does a logical acquisition utilize - a device's API, and is achieved through USB or
Bluetooth connections.
Physical acquisitions directly access what - the flash memory of a mobile device,
resulting in a bit-for-bit copy of the data.
What will never be recovered through a logical acquisition? - Unallocated space
MDF Final Exam Study Questions and Answers Graded A 2024
, MDF Final Exam Study Questions and Answers Graded A 2024
The mobile forensics process is broken down in to what three main categories? -
Seizure, acquisition, and examination/analysis
Search warrants require what? - Scope, Oath/Affirmation, Probable Cause
At the crime scene, the examiner should place the device in _______ and/or a _______
to prevent changes to the mobile device. - Airplane mode, faraday bag
Describe 1 way of identifying the model of an iPhone, and 1 way of identifying the iOS
version of an iPhone. - Model of iPhone: looking at the back/bottom half of the phone @
A#; iOS version: unlock phone>settings>general>about
iOS devices utilize what file systems? - HFSX
Within the file system of Apple mobile devices, which partition contains the device
firmware, the operating system, and pre-installed application settings that are not
typically available to the device user? - System Partition
What Apple protocol prevents users from downloading and installing unauthorized
apps? - Code Signing
What is the iOS architecture layer that develops the visual interface, provides basic
application architecture, and supports key functions, such as multi-tasking? - Cocoa
Touch
What does sandboxing do? - Requires user permission in order to allow applications to
access data from other applications
What are the Apple mobile device modes? - DFU, Normal, Recovery
What iOS backup is utilized when conducting an Advanced Logical acquisition in
Cellebrite Physical Analyzer? - Method 1 = iTunes Backup, Method 2 = Apple File
Conduit
What property list file, located in an iTunes backup, contains metadata regarding
application backup, identifying, and encryption-related information, such as application
names, passcode/encryption status, and keybagdata? - Manifest.plist
What are pairing records? - The records of every time you've connected your phone to
your computer and had your phone "trust" it
MDF Final Exam Study Questions and Answers Graded A 2024
, MDF Final Exam Study Questions and Answers Graded A 2024
Devices that utilize iOS or OSX operating systems store timestamps in what raw
format? - Mac Absolute Time and Unix Epoch Time
In iOS devices, SMS Messages are stored in what type of data structure? - SQLite
Database
What data structure is stored in a raw binary or XML format and is typically present
within devices that utilize iOS and OSX? - Property List
What version of iPhones is it possible to conduct a physical acquisition on when they're
locked or the passcode is unknown? - iPhone 4 and below
Devices that utilize the GSM communication protocol are uniquely identified by what
type of identifier? - IMEI
What does ADB stand for? - Android Debug Bridge
In Riley v California, 537 US; the United States Supreme Court unanimously held what
decision? - A search warrant is required to search a cell phone.
What is the Linux Kernel? - Basic layer between hardware and software
What are 3 Windows Phone Manufacturers? - Microsoft, Nokia, Alcatel, HTC, Samsung,
Huawei, LG
What is the Windows File System? - NTFS
What are the Windows Security Chambers? - Trusted Computing Base, Elevated Rights
Chamber, Standard Rights Chamber, Least Privileged Chamber
Windows Data Acquisition - Logical (SideloadUnlock & Client Install)
File System (Selective Backup)
Physical (Chip off, JTAG, ISP, Bootloader)
Cloud Backup (with Microsoft ID/Password)
Android was the first open and free mobile platform built on the __________. - Linux
Kernel
MDF Final Exam Study Questions and Answers Graded A 2024
, MDF Final Exam Study Questions and Answers Graded A 2024
Within the file system of Android mobile devices, which partition is designed for backup
purposes, and allows user to boot the phone differently to repair phone installation? -
/recovery
What major company originally bought and partially owns Android, Inc.? - Google
What is the process that allows specific developers (and only specific developers) of
each application to push updates for their applications to users' Android devices? -
Application Signing
What is the method that can be used to disable/break a Pattern Lock Screen Feature of
ADB disabled? - Smudge attack
What is a method of obtaining a physical acquisition from an Android device? - JTAG,
In-system programming, bootloader, Flashing recovery partition, ADB
What is a file system acquisition method? - ADB and Android Backup
What accurately describes deleted data? - Data is marked for deletion, and can reside
within the memory in unallocated space.
File Carving unallocated space is possible when analyzing what type of Android
acquisition? - Physical
In order to successfully perform a physical acquisition of an Android device via
bootloader, what mode must the mobile device first be placed into? - Recovery Mode,
Download, Firmware Update Mode
What are the key issues that Android security focuses on? - Protecting user data,
safeguarding system resources, and ensuring that applications cannot access the data
of another application without approval
What type of files are most commonly recovered from the forensic examination of
microSD memory cards? - Media Files
List 3 types of Android device screen locks - Passcode, Pin, Pattern, Biometric
What are the Android partitions? - Boot, system, recovery, data, cache, misc, sdcard
MDF Final Exam Study Questions and Answers Graded A 2024
