ControlF Foundation in Mobile Phone Forensics FMPF Exam, Exams of Technology

The ControlF Foundation in Mobile Phone Forensics Exam provides a comprehensive introduction to mobile device investigations. It covers mobile operating systems, acquisition methods, SIM and memory analysis, app artifacts, deleted data recovery, and reporting. This certification prepares professionals to conduct legally defensible mobile forensic investigations.

Typology: Exams. 2025/2026. Available from 01/23/2026. Uploaded by shilpi-jain-2. 88 pages (partial preview).
ControlF Foundation in Mobile Phone Forensics
FMPF Exam
Question 1. Which of the following is NOT one of the four ACPO principles for handling digital evidence?
A) No action should be taken that changes the original data unless it is necessary for the investigation.
B) The provenance of any evidence must be established.
C) All forensic analysis must be performed by a certified forensic analyst.
D) The chain of custody must be documented at every stage.
Answer: C
Explanation: The ACPO principles focus on preserving data integrity, establishing provenance, and documenting custody; they do not mandate certification of the analyst, although best practice encourages it.
Question 2. In a standard operating procedure (SOP) for mobile forensics, which step should occur immediately after the device is seized?
A) Perform a logical acquisition.
B) Photograph the device in situ.
C) Insert the SIM card into a reader.
D) Begin a full chip-off extraction.
Answer: B
Explanation: SOPs require documenting the device's condition and environment (screen and lock state, visible damage, connected cables) before any handling, typically via photographs, to preserve evidential integrity.
Question 3. Under the UK General Data Protection Regulation (GDPR), a forensic examiner must justify which of the following when accessing personal data on a seized phone?
A) The data is relevant to the investigation.
B) The data is stored on a removable SD card.
C) The device manufacturer's warranty is still valid.

D) The device is powered on.
Answer: A
Explanation: GDPR requires a lawful basis for processing personal data; relevance to a legitimate investigation provides that basis, and data outside that scope should not be examined or retained.
Question 4. When performing on-scene triage, the first decision a forensic examiner should make is:
A) Whether to place the device in a Faraday bag.
B) Whether to replace the battery.
C) Whether to install a custom ROM.
D) Whether to wipe the device's cache.
Answer: A
Explanation: Isolating the device from the network prevents remote wiping or network-based alteration of its contents; this is the priority before any further action.
Question 5. Which isolation technique is most effective against a remote wipe command sent over the cellular network?
A) Enabling Airplane Mode.
B) Turning the device off and removing the battery.
C) Placing the device in a Faraday cage.
D) Connecting the device to a USB charger.
Answer: C
Explanation: A Faraday cage or bag attenuates radio signals so that no inbound network command, including a remote wipe, reaches the device. Keep a powered-on device on external power while shielded: it will keep searching for a network and drain its battery quickly, and an unexpected power-off can leave the device in the Before First Unlock state.
Question 6. A forensic examiner wishes to preserve a SIM card without triggering a PIN lock. The safest method is to:

Question 9. In GSM architecture, which component is responsible for translating a mobile phone number into a temporary identifier used over the air interface?
A) Home Location Register (HLR).
B) Visitor Location Register (VLR).
C) Base Station Controller (BSC).
D) Mobile Switching Center (MSC).
Answer: B
Explanation: The VLR serving the subscriber's current location area allocates the Temporary Mobile Subscriber Identity (TMSI) and keeps its mapping to the IMSI, so the permanent identity is not sent in clear over the air interface. The HLR holds the permanent subscriber profile (IMSI, MSISDN, subscribed services) and maps the phone number to the IMSI; the BSC manages radio resources and the MSC switches calls. A TMSI seen in a capture therefore means nothing without the VLR records that tied it to an IMSI at that time.
Question 10. Which type of data is typically found on a handset rather than on the service provider's servers?
A. Call Detail Records (CDRs) of all inbound and outbound calls.
B. SMS messages stored in the device's internal database.
C. Billing information and payment history.
D. Network cell tower logs.
Answer: B
Explanation: While providers retain CDRs and billing records, SMS messages are stored locally on the handset (and on the SIM for older phones) unless they have been synchronized with cloud services or backed up.
Question 11. A USIM card differs from a traditional SIM card primarily because it:
A. Stores data using NAND flash instead of EEPROM.
B. Supports IPv6 addressing for VoLTE.
C. Provides a larger storage capacity and can host applications.
D. Operates only on CDMA networks.

Answer: C
Explanation: A USIM is an application on a UICC with more memory than a 2G SIM, multiple phonebooks and the ability to run applets (SIM Toolkit, OTA updates). The defining protocol difference, not offered as an option here, is that the USIM supports the 3G/4G AKA mutual authentication with 128-bit keys, which a 2G SIM cannot perform.
Question 12. In the Forensic Tool Leveling System, Level 3 extraction refers to:
A. Manual photography of the device's screen.
B. Logical acquisition via OS APIs.
C. Physical imaging of the flash memory.
D. Chip-off extraction of the NAND memory.
Answer: C
Explanation: The tool classification pyramid orders methods by increasing invasiveness: Level 1 manual, Level 2 logical, Level 3 hex dump/JTAG (physical), Level 4 chip-off, Level 5 micro read. Level 3 produces a bit-for-bit image of the flash, so unallocated space and deleted data become recoverable, subject to the device's encryption.
Question 13. Which of the following best describes logical acquisition?
A. Directly reading the NAND chip with a hardware programmer.
B. Extracting data through the operating system's provided interfaces.
C. Taking a high-resolution photograph of the device's home screen.
D. Removing the device's battery and analyzing it in a lab.
Answer: B
Explanation: Logical acquisition leverages OS APIs, backup services (ADB backup, iTunes-style backups), or forensic software to pull accessible files and databases without accessing raw storage, so it does not reach unallocated space.
Question 14. When is a manual acquisition method most appropriate?
A. When the device boots normally and the passcode is known.
B. When the device is physically damaged and cannot be powered on.
C. When the examiner has a certified forensic tool licensed for the device.

C. Only the external SD card.
D. Only the bootloader.
Answer: B
Explanation: FDE encrypts the entire userdata partition under a single key, so the device's unlock credential is needed before any of that partition can be read; without it a physical image yields only ciphertext.
Question 18. File-Based Encryption (FBE) differs from Full Disk Encryption (FDE) in that:
A. FBE encrypts each file with a unique key tied to the user's lock screen credential.
B. FBE only works on iOS devices.
C. FBE disables all encryption when the device is powered on.
D. FBE encrypts the bootloader but not user data.
Answer: A
Explanation: FBE derives a separate key per file (or directory), wrapped by class keys. On Android, Credential Encrypted (CE) storage keys are released only after the user authenticates, whereas Device Encrypted (DE) storage is available from boot, which is why a handset seized After First Unlock (AFU) exposes far more data than one in the Before First Unlock (BFU) state.
Question 19. Which biometric authentication method is considered the most resistant to spoofing on modern smartphones?
A. Fingerprint scanner.
B. Facial recognition using a 2D camera.
C. Iris scanning.
D. Voice recognition.
Answer: C
Explanation: Iris scanning captures high-resolution patterns that are difficult to replicate, offering stronger anti-spoofing capabilities than most fingerprint or 2D facial systems.
Question 20. The Secure Enclave in Apple devices primarily stores:

A. The device's Wi-Fi passwords.
B. The user's encryption keys and biometric data.
C. The operating system kernel.
D. The device's GPS coordinates.
Answer: B
Explanation: The Secure Enclave is a dedicated coprocessor that safeguards cryptographic keys and biometric templates, isolated from the main OS; the application processor never sees the raw keys, only the results of operations performed with them.
Question 21. In Android, the Keystore system is used to:
A. Store user contacts in plain text.
B. Manage cryptographic keys securely, often backed by hardware.
C. Cache web browsing history.
D. Record call logs.
Answer: B
Explanation: Android Keystore provides a secure environment for generating, storing, and using cryptographic keys, often backed by a Trusted Execution Environment (TEE) or a dedicated secure element (StrongBox), so key material cannot be exported even from a rooted device.
Question 22. Which SQLite database on an Android device typically contains call log information?
A. contacts2.db
B. sms.db
C. calllog.db
D. settings.db
Answer: C
Explanation: The calllog.db database (under /data/data/com.android.providers.contacts/databases/) stores inbound, outbound, and missed call records in its calls table, including timestamps, numbers, and durations; older Android releases kept the calls table inside contacts2.db.
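Parsing the calls table from Question 22 is a routine step in timeline building, so here is an added example (not part of the exam or any vendor tool) that decodes the type codes and epoch-millisecond timestamps an examiner meets in calllog.db. The type constants are the public android.provider.CallLog.Calls values; the rows and the file name are constructed for the example, and the database is opened read-only and immutable so the examination itself cannot write to the copy.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# android.provider.CallLog.Calls.TYPE values.
CALL_TYPES = {
    1: "incoming",
    2: "outgoing",
    3: "missed",
    4: "voicemail",
    5: "rejected",
    6: "blocked",
}

# Constructed sample rows: number, date (ms since the Unix epoch, UTC), duration (s), type.
SAMPLE_CALLS = [
    ("+15550100", 1700000000000, 125, 2),
    ("+15550101", 1700000300000, 0, 3),
    ("+15550100", 1700000600000, 42, 1),
    ("+15550102", 1700001200000, 0, 6),
]


def make_sample_calllog(path):
    """Build a minimal calls table with the columns used below (constructed data)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type INTEGER)"
    )
    con.executemany(
        "INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)", SAMPLE_CALLS
    )
    con.commit()
    con.close()


def ms_to_iso(ms):
    """Android stores call times as epoch milliseconds; report them as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def read_call_log(path):
    """Return the call records in chronological order with decoded type and UTC time."""
    # mode=ro&immutable=1: never write, never take locks, never touch a journal.
    con = sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)
    rows = con.execute(
        "SELECT _id, number, date, duration, type FROM calls ORDER BY date"
    ).fetchall()
    con.close()
    return [
        {
            "id": _id,
            "number": number,
            "utc": ms_to_iso(date),
            "duration_s": duration,
            "type": CALL_TYPES.get(ctype, f"unknown({ctype})"),
        }
        for _id, number, date, duration, ctype in rows
    ]


def summarize_by_number(records):
    """Per-number contact frequency, total talk time and missed calls."""
    summary = {}
    for rec in records:
        s = summary.setdefault(rec["number"], {"calls": 0, "talk_time_s": 0, "missed": 0})
        s["calls"] += 1
        s["talk_time_s"] += rec["duration_s"]
        if rec["type"] == "missed":
            s["missed"] += 1
    return summary


def demo():
    """Create the constructed database in a temp dir and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "calllog.db")
        make_sample_calllog(path)
        records = read_call_log(path)
        return records, summarize_by_number(records)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

Two details matter on real evidence: always run the query against a working copy, and remember that an immutable open ignores any -journal or -wal file, so a committed-but-not-checkpointed call may only appear when the WAL is processed separately.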

Explanation: Physical removal of the NAND chip can cause micro-fractures or delamination, potentially destroying the stored data, and on modern encrypted handsets the extracted image is useless without the keys held in the SoC.
Question 26. Which network isolation method is least likely to cause data loss on a device that is currently powered on?
A. Placing the device in a Faraday bag while leaving it powered.
B. Turning on Airplane Mode.
C. Removing the battery.
D. Connecting the device to a USB charger without data lines.
Answer: B
Explanation: Airplane Mode disables the wireless radios without removing power, preserving volatile memory and the unlocked key state while preventing remote commands; verify afterwards that Wi-Fi and Bluetooth are actually off.
Question 27. The primary purpose of a Chain of Custody (CoC) log is to:
A. Record the device's battery health over time.
B. Demonstrate that evidence has not been tampered with from seizure to presentation in court.
C. List all apps installed on the device.
D. Track the number of forensic analysts who have accessed the case.
Answer: B
Explanation: CoC provides a documented, chronological record of every person who handled the evidence, where it was stored and why it was transferred, ensuring its integrity for legal proceedings.
Question 28. Under the U.S. Stored Communications Act (SCA), a law enforcement officer must obtain which of the following to compel a service provider to disclose the contents of a user's emails older than 180 days?
A. A subpoena.

B. A search warrant.
C. A consent letter.
D. An administrative subpoena.
Answer: B
Explanation: As written, 18 U.S.C. § 2703 demands a warrant only for content in electronic storage for 180 days or less and allows a subpoena or a § 2703(d) court order with notice for older content. Since United States v. Warshak (6th Cir. 2010) held that compelled disclosure of email content without a warrant violates the Fourth Amendment, DOJ practice and the major providers require a warrant for content regardless of age, which is the position this question reflects.
Question 29. Which of the following best describes a "Cold Boot" attack on a mobile device?
A. Using a forensic tool to extract data while the device is powered off.
B. Rebooting the device into recovery mode to bypass the lock screen.
C. Accessing residual data in RAM after a sudden power loss.
D. Installing a custom ROM to gain root privileges.
Answer: C
Explanation: A cold boot attack exploits the fact that DRAM retains its contents for seconds after power loss (longer when chilled), allowing extraction of encryption keys that were held in memory while the device was unlocked.
Question 30. When documenting a seized mobile device, which photograph is considered mandatory by most forensic SOPs?
A. A close-up of the device's logo.
B. The device placed on a calibrated measurement grid showing scale.
C. A picture of the examiner's badge.
D. A selfie with the device.
Answer: B
Explanation: Including a scale reference (e.g., a ruler or photo scale) ensures that the size and condition of the device are accurately recorded.

Explanation: A factory reset destroys the device's key hierarchy, making previously encrypted data inaccessible even if the underlying flash pages are recovered.
Question 34. In the context of mobile forensics, the term "jailbreak" refers to:
A. Removing the device's battery.
B. Gaining root access by exploiting software vulnerabilities.
C. Placing the device in a Faraday cage.
D. Resetting the device to factory settings.
Answer: B
Explanation: Jailbreaking (iOS) or rooting (Android) bypasses manufacturer restrictions, allowing deeper data access; because it modifies the device, it must be documented and justified under the ACPO principles.
Question 35. Which Android system file contains the list of enabled accessibility services, potentially indicating the presence of a spying app?
A. /system/etc/hosts
B. /data/system/users/0/settings_secure.xml
C. /data/system/accessibility.xml
D. /data/data/com.android.providers.settings/databases/settings.db
Answer: B
Explanation: The Settings.Secure key enabled_accessibility_services lists the services the user has switched on as package/class pairs. On Android 7.0 and later, Settings.Secure is stored in settings_secure.xml under /data/system/users/<user id>/; older releases keep it in the settings.db database (option D). There is no accessibility.xml in the standard Android layout. Stalkerware and banking trojans abuse accessibility services to read screen contents and inject taps, so an unexpected entry here is a strong indicator.
Question 36. The term "SIM swap" in a forensic context most likely indicates:
A. Physical replacement of the SIM card with a new one to bypass PIN.
B. Fraudulently obtaining a replacement SIM for the victim's number from the carrier to intercept communications.
C. Swapping the device's battery for a higher capacity one.
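The check behind Question 35, as an added example that is not part of the exam: on Android 7.0 and later the Settings.Secure values live in /data/system/users/0/settings_secure.xml as `<setting name="..." value="..."/>` elements, and `enabled_accessibility_services` holds colon-separated package/class pairs in the flattened ComponentName form (the class may be written relative to the package, as `pkg/.Service`). The XML below is constructed, and the allowlist of legitimate accessibility packages is an assumption for the example; an examiner would build it from the device's own firmware image and the case context.

```python
import xml.etree.ElementTree as ET

# Packages that legitimately run accessibility services on many handsets.
# Assumed allowlist for this example; build yours from the vendor image.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# Constructed settings_secure.xml fragment; ids and version are arbitrary.
SAMPLE_SETTINGS_SECURE_XML = """
<settings version="207">
  <setting id="41" name="accessibility_enabled" value="1" package="com.android.settings" />
  <setting id="42" name="enabled_accessibility_services"
           value="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.helper/.CaptureService"
           package="com.android.settings" />
  <setting id="43" name="location_mode" value="3" package="com.android.settings" />
</settings>
"""


def parse_secure_settings(xml_text):
    """Map every <setting name=... value=...> to a dict."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): s.get("value") for s in root.iter("setting")}


def parse_component(flat):
    """Expand a flattened ComponentName ('pkg/cls' or 'pkg/.cls') to (package, class)."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def enabled_accessibility_services(settings):
    raw = settings.get("enabled_accessibility_services") or ""
    return [parse_component(entry) for entry in raw.split(":") if entry]


def triage_accessibility(xml_text):
    """Flag enabled accessibility services whose package is not on the allowlist."""
    settings = parse_secure_settings(xml_text)
    findings = [
        {
            "package": pkg,
            "service": cls,
            "suspicious": pkg not in KNOWN_ACCESSIBILITY_PACKAGES,
        }
        for pkg, cls in enabled_accessibility_services(settings)
    ]
    return {
        "accessibility_enabled": settings.get("accessibility_enabled") == "1",
        "services": findings,
    }


if __name__ == "__main__":
    for finding in triage_accessibility(SAMPLE_SETTINGS_SECURE_XML)["services"]:
        print(finding)
```

A flagged package is a lead, not a conclusion: cross-reference it against /data/system/packages.xml for its install time and installer, and against the app's own data directory, before reporting it as spyware.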

D. Changing the SIM's color for aesthetic purposes.
Answer: B
Explanation: SIM swapping is a social-engineering attack on the carrier: the attacker has the victim's number ported to a SIM they control, so calls and SMS (including one-time passcodes) are delivered to the attacker. Nothing is cloned; the victim's original SIM simply stops working, which is itself a useful timeline marker.
Question 37. Which of the following is a valid reason to use a "Write Blocker" when acquiring data from a mobile device's external SD card?
A. To prevent the device from booting.
B. To ensure the forensic workstation does not alter the card's contents during imaging.
C. To increase the read speed of the card.
D. To encrypt the data on the card automatically.
Answer: B
Explanation: When the card is imaged through a reader on the workstation, a hardware write blocker (or a verified read-only mount) prevents the operating system from writing file-system journals, thumbnails, or indexing data to the card, preserving the original evidence during acquisition.
Question 38. In a forensic report, the term "metadata" most commonly refers to:
A. The actual content of text messages.
B. Information about a file, such as timestamps, size, and creator.
C. The encryption algorithm used by the device.
D. The battery voltage at seizure.
Answer: B
Explanation: Metadata provides contextual details about files and artifacts (MAC times, EXIF data, database row timestamps), aiding timeline reconstruction.
Question 39. Which of the following best describes "OTA" in mobile forensics?
A. On‑The‑Air, referring to wireless data transmission.

Question 42. In iOS, the "Keychain" database primarily stores:
A. Application source code.
B. User passwords, certificates, and cryptographic keys.
C. System logs.
D. GPS coordinates.
Answer: B
Explanation: The Keychain is Apple's secure credential storage, holding passwords, certificates, and private keys; items are encrypted with class keys derived from the passcode and the Secure Enclave, so an encrypted backup or an unlocked device is needed to read most of it.
Question 43. Which of the following statements about "Full Disk Encryption" on iOS devices is correct?
A. The encryption key is derived from the device's serial number.
B. The key is stored in the Secure Enclave and unlocked by the user's passcode.
C. iOS does not support FDE; it only uses File-Based Encryption.
D. FDE can be disabled by simply toggling a setting in the UI.
Answer: B
Explanation: Each iOS device has a UID key fused into the Secure Enclave; the user's passcode is entangled with it (with an iteration count that makes guessing slow) and the result unwraps the Data Protection class keys, which in turn wrap per-file keys. The serial number plays no role and the user cannot switch the encryption off. Strictly, this is file-based rather than full-disk encryption, but option B is the best of the choices offered.
Question 44. Which file typically contains the list of installed applications on a jailbroken iOS device?
A. /var/mobile/Library/Preferences/com.apple.mobile.installation.plist
B. /System/Library/LaunchDaemons/com.apple.mobile.installation.plist
C. /private/var/log/install.log
D. /Applications/Info.plist
Answer: A

Explanation: The installation.plist tracks the apps installed on the device and is accessible on jailbroken systems; its location has moved between iOS versions, so confirm the path for the version under examination.
Question 45. A forensic examiner wants to verify whether a deleted file was wiped by a third-party "file shredder" app on Android. Which artifact would most likely reveal this activity?
A. /data/system/uiderrors.txt
B. /data/data/com.android.providers.media/databases/external.db
C. /data/data/com.android.providers.settings/databases/settings.db
D. /data/system/packages.xml
Answer: B
Explanation: external.db is the MediaStore database for shared storage. A shredder that overwrites, renames, and then deletes a file leaves modified or removed rows (path, size, date_modified) whose timestamps show that the file existed and when it was destroyed, even after the content itself is unrecoverable.
Question 46. Which of the following best explains why "Airplane Mode" does not guarantee protection against Bluetooth-based attacks?
A. Airplane Mode only disables cellular radios, not Bluetooth or Wi-Fi unless manually turned off.
B. Airplane Mode encrypts all Bluetooth traffic.
C. Airplane Mode boosts the device's battery, allowing longer attacks.
D. Airplane Mode automatically re-enables Bluetooth after 5 minutes.
Answer: A
Explanation: Airplane Mode is guaranteed only to drop the cellular radio. Current iOS and Android versions also switch off Wi-Fi and Bluetooth by default, but both remember a user's choice to re-enable a radio while in Airplane Mode and apply it the next time, so the examiner must check each radio individually rather than trust the single toggle.
Question 47. In a forensic examination, the "hash value" of an image file is calculated. Which of the following statements is true?
A. Two different files can never share the same hash value.
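Question 47 is cut off in this preview, but the practice it tests is straightforward: hash the acquisition image at the time of acquisition, record the digests in the chain-of-custody log, and recompute them before analysis and again before reporting. The example below is added here and is not the exam's or any tool's code. It hashes with MD5 and SHA-256 in a single chunked pass (MD5 collisions are known, so a second algorithm is recorded alongside it), then verifies the image and shows that a single flipped byte is detected. The image file is a constructed stand-in built from random bytes.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Compute several digests of a file in one pass; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Recompute every recorded digest; return (all_match, {algorithm: (expected, actual)})."""
    actual = hash_file(path, tuple(expected))
    mismatches = {
        name: (expected[name], actual[name])
        for name in expected
        if actual[name] != expected[name]
    }
    return (not mismatches, mismatches)


def demo():
    """Record digests, verify, corrupt one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "handset_physical.bin")  # constructed stand-in image
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))

        recorded = hash_file(image)  # what goes into the chain-of-custody log
        ok_before, _ = verify_image(image, recorded)

        # Simulate tampering or a transfer error: flip one bit in the second chunk.
        with open(image, "r+b") as fh:
            fh.seek(CHUNK + 5)
            original = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([original[0] ^ 0x01]))

        ok_after, mismatches = verify_image(image, recorded)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())
```

Record the digests, the algorithm names, the tool version and the time in the log entry; a digest without the algorithm that produced it cannot be re-verified later.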

Question 50. Which of the following best describes a "volatile" artifact on a mobile device?
A. Data stored on the internal flash memory.
B. Data residing in RAM that is lost when power is removed.
C. Data saved on the SIM card.
D. Data encrypted with a hardware key.
Answer: B
Explanation: Volatile data exists only while the device is powered, such as RAM contents, decrypted file keys and the current network state; this is why a powered-on device is kept powered during triage.
Question 51. A forensic analyst discovers a ".db-journal" file alongside a SQLite database on an Android device. This file most likely contains:
A. A backup of the entire database.
B. Recent transaction logs that may include deleted records.
C. The device's encryption keys.
D. The user's password in plain text.
Answer: B
Explanation: A rollback journal holds the original images of the database pages that the last write transaction modified, so after a DELETE it still contains the rows as they were before deletion until the file is removed or overwritten by a later transaction (some journal modes keep the file on disk with only its header zeroed). A companion -wal file holds committed pages not yet checkpointed into the main file. Both should be collected with the database and examined rather than discarded.
Question 52. Which of the following is a primary limitation of using a "cloud backup" as the sole source of evidence in mobile forensics?
A. Cloud backups are always encrypted with a known key.
B. The backup may not contain the most recent data on the device.
C. Cloud providers never retain logs of user activity.
D. Cloud data is automatically deleted after 24 hours.
Answer: B

Explanation: Cloud backups are typically scheduled and may miss recent changes, making them incomplete as the sole evidence source; they may also exclude app data the developer opted out of backing up.
Question 53. When performing a logical acquisition on an iPhone using a commercial tool, which of the following data categories is most likely to be inaccessible without a jailbreak?
A. Contacts stored in iCloud.
B. System logs located in /private/var/log/.
C. Photos saved in the Camera Roll.
D. SMS messages stored in sms.db.
Answer: B
Explanation: System logs reside in protected directories outside the backup domains, so reading them requires elevated privileges or a jailbreak; contacts, photos and sms.db are all exposed through the backup service.
Question 54. Which of the following statements about "Passcode Retry Counter" on iOS devices is accurate?
A. The counter resets automatically after 5 minutes.
B. After a certain number of failed attempts, the device will erase all data (if enabled).
C. The counter is stored in the SIM card.
D. The counter can be disabled via Settings.
Answer: B
Explanation: The attempt counter and the escalating delays between attempts are enforced by the Secure Enclave, not by the SIM. With the Erase Data option enabled (by the user or an MDM policy), the device discards its encryption keys after 10 failed passcode entries, so brute-forcing at the lock screen is never an acceptable examination step.
Question 55. In a forensic context, the term "artifact" most accurately refers to:
A. Any physical evidence such as a weapon.
B. Any residual data or metadata left by user or system activity on a device.
C. The forensic software used for analysis.
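The rollback-journal behaviour behind Question 51, shown end to end as an added example (not from the exam or any forensic product). It builds a small SMS-style SQLite database, deletes one row, and then inspects the raw files. The database is created with journal_mode=PERSIST so the -journal file stays on disk after commit (only its header is zeroed, as SQLite documents), and with secure_delete=ON so the freed cell is zeroed in the main file. That combination makes the point sharply: the live query no longer returns the row and the main file no longer contains its text, but the journal's pre-transaction page image still does. The messages and file name are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; the third row is the one that gets deleted.
SAMPLE_ROWS = [
    ("+15550100", "running late, start without me"),
    ("+15550101", "did you see the invoice"),
    ("+15550102", "meet at the warehouse at 2am, bring the cash"),
]
DELETED_BODY = SAMPLE_ROWS[2][1]


def build_database(db_path):
    """Create an sms table, commit it, then delete one row in a second transaction."""
    con = sqlite3.connect(db_path)
    # PERSIST keeps the -journal file after commit and only zeroes its header.
    con.execute("PRAGMA journal_mode=PERSIST")
    # secure_delete zeroes freed cells in the main file, so the only surviving
    # copy of the deleted row is the page image written to the rollback journal.
    con.execute("PRAGMA secure_delete=ON")
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    # The delete transaction journals the original image of the page holding row 3.
    con.execute("DELETE FROM sms WHERE id = 3")
    con.commit()
    con.close()


def file_contains(path, needle):
    """Raw-byte search, the same thing a string carver does over an evidence file."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def live_row_count(db_path):
    """What the application (and a naive logical export) would report."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro&immutable=1", uri=True)
    (n,) = con.execute("SELECT COUNT(*) FROM sms").fetchone()
    con.close()
    return n


def journal_recovery_demo():
    """Compare the live view, the main file and the journal for the deleted text."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "mmssms.db")
        journal_path = db_path + "-journal"
        build_database(db_path)
        journal_exists = os.path.exists(journal_path)
        # Inspect the raw files before opening the database again.
        return {
            "journal_exists": journal_exists,
            "deleted_body_in_main_file": file_contains(db_path, DELETED_BODY),
            "deleted_body_in_journal": journal_exists and file_contains(journal_path, DELETED_BODY),
            "live_rows": live_row_count(db_path),
        }


if __name__ == "__main__":
    for key, value in journal_recovery_demo().items():
        print(f"{key}: {value}")
```

On a real handset the same search is run over the -journal and -wal files collected next to each database; without secure_delete the main file usually still holds the deleted text in freed cells or freelist pages as well, which is why deleted-record recovery tools parse all three files.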