





















































































Cellebrite Reader Level 2 focuses on enhanced evidence review capabilities. It covers advanced filtering, artifact correlation, timeline review, tagging, and contextual analysis. Candidates demonstrate the ability to interpret evidence more effectively for investigative purposes.
Typology: Exams

Question 1. In Cellebrite Reader, which folder typically contains the raw UFDR extraction files for a given case?
A) /Reports
B) /Data/Raw
C) /Extraction/UFDR
D) /Logs
Answer: C
Explanation: The /Extraction/UFDR directory stores the original UFDR files generated during acquisition, preserving the raw forensic data.

Question 2. When validating case information, which metadata element confirms that the extracted device matches the physical device seized?
A) Extraction timestamp
B) Device serial number
C) File hash value
D) Analyst name
Answer: B
Explanation: The device serial number directly ties the logical extraction to the physical device, ensuring chain‑of‑custody integrity.

Question 3. Which setting in Reader allows you to automatically hide personally identifiable information (PII) during a white‑collar crime review?
A) Redaction mode
B) PII filter toggle
C) Case type preset – White‑Collar
D) Metadata masking
Answer: C
Explanation: Selecting the White‑Collar case type preset configures the environment to suppress or mask PII according to typical investigative requirements.

Question 4. What is the maximum number of UFDR files that can be opened simultaneously in a single Reader session for cross‑device analysis?
A) 2
B) 5
C) 10
D) Unlimited (limited by system resources)
Answer: D
Explanation: Reader does not impose a hard limit; the practical ceiling is determined by the host machine’s memory and CPU capacity.

Question 5. In the Messages & Chats module, a double‑arrow icon next to a chat entry indicates:
A) Message was edited
B) Message was forwarded
C) Message was deleted but recovered
D) Message is a system notification
Answer: C
Explanation: The double‑arrow denotes a deleted message that the parser has successfully recovered from residual data.

Question 6. Which indicator differentiates a “service notification” from a user‑sent message in Telegram logs?
A) Bold font
B) Purple background
C) “System” label in the sender column

C) Only the URL and visit count
D) The page’s HTTP headers
Answer: B
Explanation: The Snapshot view presents a visual thumbnail of the page as it appeared during the browsing session.

Question 10. Application usage “Pattern of Life” is primarily derived from which two data points?
A) App version and developer ID
B) Launch count and foreground/background timestamps
C) Permissions granted and data usage
D) Crash logs and update history
Answer: B
Explanation: Launch count together with foreground/background timestamps reveal how frequently and when an app was actively used.

Question 11. To filter messages by both “Category = SMS” and “Date Range = last 30 days,” which Reader feature is employed?
A) Quick search bar
B) Nested filter builder
C) Advanced Boolean query box
D) Watchlist manager
Answer: B
Explanation: The Nested filter builder allows stacking multiple criteria such as category and date range in a single filter.

Question 12. Which wildcard character represents any single character in a Reader keyword search?
Answer: B
Explanation: In Reader’s search syntax, ? substitutes for exactly one character, while * matches any string of characters.

Question 13. When creating a watchlist, which file format is accepted for bulk import of terms?
A) .txt (newline‑separated)
B) .csv (comma‑separated)
C) .xml (structured)
D) All of the above
Answer: D
Explanation: Reader supports .txt, .csv, and .xml for watchlist imports, allowing flexibility for different workflows.

Question 14. In the Timeline view, linking a GPS coordinate to a sent message requires matching which two fields?
A) Latitude/Longitude and Message ID
B) Timestamp and Device ID
C) Timestamp and GPS timestamp
D) Sender phone number and GPS provider
Answer: C
Explanation: The Timestamp in the GPS log must align with the timestamp of the sent message to establish a temporal correlation.

Explanation: The Image Source field explicitly tags the provenance of each image, allowing direct filtering for native‑camera captures.

Question 18. In video analysis, the “Bookmark Frame” function is used to:
A) Export the entire video file
B) Extract a single frame as a still image evidence item
C) Trim the video to a specific duration
D) Add a textual note to the video timeline
Answer: B
Explanation: Bookmark Frame captures the current frame and saves it as a separate image for evidentiary purposes.

Question 19. Cross‑artifact linking between an address book entry and a third‑party app identifier is facilitated by which Reader column?
A) Source File
B) Linked ID
C) External Reference
D) Correlation Tag
Answer: B
Explanation: The Linked ID column displays IDs that appear across multiple artifacts, enabling manual verification of relationships.

Question 20. When the “Source File” link for a contact points to a .sqlite database, what does this indicate?
A) The contact was stored in a relational database on the device
B) The contact data is corrupted
C) The contact originates from a cloud backup
D) The contact was imported from an external CSV file
Answer: A
Explanation: .sqlite files are SQLite databases used by many mobile OSes to store contacts, so the link confirms that origin.

Question 21. An “orphaned” data record in Reader most likely results from:
A) Encryption failure during extraction
B) A parsing rule that could not associate the record with a parent artifact
C) Duplicate entries in the source database
D) Manual deletion by the analyst
Answer: B
Explanation: Orphaned records are those the parser extracted but could not link to a known parent (e.g., a message without a conversation thread).

Question 22. A hierarchical tagging system that uses “Level‑1: Legal, Level‑2: Financial, Level‑3: Fraud” is primarily intended to:
A) Reduce file size of the UFDR package
B) Facilitate role‑based export of evidence sets
C) Encrypt tags for security
D) Auto‑generate case summaries
Answer: B
Explanation: Hierarchical tags enable analysts to export or view evidence subsets tailored to different investigative or legal teams.

Question 23. Which configuration option determines the default number of rows displayed per page in the Messages grid?
A) Pagination limit

Question 26. Which of the following is NOT a supported Boolean operator in Reader’s advanced keyword search?
A) AND
B) OR
C) NOT
D) XOR
Answer: D
Explanation: Reader supports AND, OR, NOT, but XOR is not part of its search syntax.

Question 27. The “Deleted Message” flag is stored in which underlying database table for WhatsApp?
A) messages
B) chat_list
C) deleted_messages
D) status_updates
Answer: C
Explanation: WhatsApp’s deleted_messages table records identifiers of messages that were removed but may still be recoverable.

Question 28. Which field must be included in a custom watchlist to automatically flag a known drug‑related slang term?
A) Term
B) Category
C) Severity level
D) Source URL
Answer: A
Explanation: The Term column holds the exact keyword or phrase that triggers the watchlist flag.

Question 29. To view the exact GPS coordinates of a location cluster on the map, you should:
A) Hover over the heatmap color gradient
B) Click the cluster bubble to expand individual pins
C) Switch to “List view” mode
D) Export the cluster as a KML file first
Answer: B
Explanation: Clicking a cluster bubble expands it, revealing individual pins with their precise latitude and longitude.

Question 30. Which of the following best describes the purpose of the “Thumbnail View” in Media Categorization?
A) To edit image metadata directly
B) To quickly assess visual relevance before opening full files
C) To generate hash values for each image
D) To compress images for faster loading
Answer: B
Explanation: Thumbnail View provides a rapid visual overview, allowing analysts to prioritize which media to examine in detail.

Question 31. When analyzing Bluetooth logs, the “Device Name” field is derived from:
A) The device’s Bluetooth MAC address lookup table
B) The user‑defined alias stored on the handset
C) The manufacturer’s OUI database
D) The most recent connection’s SSID
Answer: B

C) Only the first 100 rows
D) Only artifacts marked with a red tag
Answer: A
Explanation: Export respects the visible columns at the time of export, allowing analysts to customize the output.

Question 35. Which of the following best characterizes the “Pattern of Life” metric derived from app usage timestamps?
A) Frequency distribution of app launches per hour
B) Total data consumed by the app
C) Number of push notifications received
D) Version updates over time
Answer: A
Explanation: Pattern of Life focuses on the frequency and timing of app launches, showing daily or weekly usage rhythms.

Question 36. When creating a nested filter that includes “Category = Call Log” AND “Duration > 60 seconds,” which logical operator is implicitly used?
A) OR
B) NOT
C) AND
D) XOR
Answer: C
Explanation: Adding multiple criteria in a single filter defaults to an AND relationship, requiring both conditions to be true.

Question 37. In the timeline view, a “synchronization” icon appears when:
A) Two events share the exact same timestamp
B) An event’s timestamp is adjusted to UTC automatically
C) A GPS coordinate aligns with a communication event within a configurable window
D) The timeline is filtered by a single source file
Answer: C
Explanation: The synchronization icon flags when a location event (GPS) matches a communication (e.g., message) within the defined time tolerance.

Question 38. Which EXIF tag provides the GPS latitude reference (N/S)?
A) GPSLatitudeRef
B) GPSLatDirection
C) GPSNorthSouth
D) LatitudeRef
Answer: A
Explanation: GPSLatitudeRef stores “N” or “S” to indicate north or south latitude.

Question 39. To verify that an image’s timestamp has not been altered after acquisition, you should compare the EXIF DateTimeOriginal with which other value?
A) File system “Created” timestamp
B) File hash
C) Image dimensions
D) GPS altitude tag
Answer: A
Explanation: Comparing DateTimeOriginal to the file system’s created timestamp can reveal discrepancies suggesting tampering.

Question 43. Which filter combination would isolate all “Deleted” WhatsApp voice notes from the last 7 days?
A) Category = Voice Note AND Status = Deleted AND Date >= Today‑7
B) Type = Audio AND Deleted = True AND Timestamp > 7d
C) App = WhatsApp AND Media = Voice AND Flag = D
D) Category = Audio AND DeletionFlag = 1 AND DateRange = Last7Days
Answer: D
Explanation: The correct fields are Category = Audio, DeletionFlag = 1, and a DateRange of the last seven days.

Question 44. The “Export to PDF” function in Reader includes which of the following by default?
A) All hidden artifacts
B) Only currently displayed columns and rows
C) Full raw database dumps
D) Embedded video streams
Answer: B
Explanation: PDF export captures the visible data on screen, preserving column layout and applied filters.

Question 45. Which of the following best explains why a “Source File” link might be grayed out for a particular artifact?
A) The artifact originates from a cloud sync and has no local source file
B) The analyst lacks permission to view the underlying file
C) The artifact is a synthetic entry generated by the parser
D) The source file was deleted during acquisition
Answer: C
Explanation: Synthetic entries are created by the parser (e.g., derived timestamps) and therefore have no direct source file, resulting in a disabled link.

Question 46. When using the “Keyword Search” across all content, which scope yields the fastest results?
A) Searching only within the “Message Body” field
B) Global “All Content” search with no wildcards
C) Boolean search with multiple operators
D) Searching within “Metadata” fields only
Answer: B
Explanation: A plain global “All Content” search without complex operators leverages the indexed database for quickest retrieval.

Question 47. In the “Media” tab, the “Duration” column is only applicable to:
A) Images
B) Audio files and videos
C) PDFs
D) Text messages
Answer: B
Explanation: Duration denotes playback length, which is relevant for audio and video files only.

Question 48. Which of the following statements about “Location Clusters” is FALSE?
A) They are generated automatically based on proximity thresholds
B) Each cluster can be manually renamed by the analyst
C) Clusters are displayed as individual pins on the map by default
D) They help identify habitual locations such as home or work

C) Application binaries
D) Media thumbnails
Answer: B
Explanation: /Logs stores logs generated during the acquisition, documenting successes, failures, and timestamps.

Question 52. Which of the following best describes a “system notification” in Telegram logs?
A) A message sent by the user to a group
B) An automated alert such as “You joined the channel”
C) A media file shared in a private chat
D) A deleted message recovered by the parser
Answer: B
Explanation: System notifications are automated messages (e.g., channel joins, admin actions) generated by Telegram itself.

Question 53. When applying a filter that includes “Date Range = Last 24 Hours” and “Category = Call Log,” the resulting view will:
A) Show all calls made in the past day, regardless of direction
B) Show only incoming calls within the last 24 hours
C) Show missed calls only
D) Exclude calls that were later deleted
Answer: A
Explanation: The filter selects all call log entries whose timestamps fall inside the last 24 hours, without further direction or status constraints.

Question 54. Which of the following is NOT a supported image source classification in the Media tab?
A) Camera
B) Downloaded
C) Screenshot
D) Encrypted
Answer: D
Explanation: “Encrypted” is not a source type; images are classified as Camera, Downloaded, Screenshot, App‑generated, etc.

Question 55. To verify the integrity of a UFDR file before opening it in Reader, you should:
A) Compare its MD5 hash against the hash provided in the acquisition report
B) Open it in a hex editor and look for the “Cellebrite” header
C) Check the file size against the expected size in the case docket
D) Run a built‑in “Integrity Check” from the Reader File menu
Answer: A
Explanation: Validating the MD5 (or SHA‑256) hash ensures the file has not been altered since acquisition.

Question 56. In the “Advanced Filtering” dialog, the “Exclude” option performs which logical operation?
A) NOT (negates the condition)
B) AND NOT (adds a second condition)
C) OR NOT (creates an alternative path)
D) XOR (exclusive or)
Answer: A
Explanation: Exclude applies a NOT to the selected condition, removing matching records from the result set.