ForensicsHQ Certified Mobile Forensics Expert Certification Exam, Exams of Technology

This exam evaluates expertise in mobile device forensics across Android and iOS platforms. Topics include data acquisition methods, application artifacts, deleted data recovery, encryption challenges, and reporting. Candidates are assessed on their ability to perform lawful, accurate, and defensible mobile investigations.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
ForensicsHQ Certified Mobile Forensics Expert Certification Exam

**Question 1.** Which principle states that every interaction leaves a trace, making it relevant to mobile forensics?
A) Murphy’s Law
B) Locard’s Exchange Principle
C) The Principle of Least Privilege
D) Shannon’s Information Theory
Answer: B
Explanation: Locard’s Exchange Principle asserts that any contact between two objects results in a transfer of material, forming the basis for recovering digital traces from mobile devices.

**Question 2.** In mobile device architecture, which memory type stores the operating system and user data on most smartphones?
A) DRAM
B) SRAM
C) NAND flash
D) ROM
Answer: C
Explanation: NAND flash is the non-volatile memory used for storing the OS, apps, and user data, allowing data retention without power.

**Question 3.** Which cellular technology introduced packet-switched data as its primary transmission method?
A) 2G (GSM)
B) 3G (UMTS)
C) 4G LTE
D) 5G NR
Answer: C

Explanation: 4G LTE is designed around IP-based packet switching, providing higher data rates compared to the circuit-switched approach of earlier generations.

**Question 4.** When seizing a suspect’s phone, which method is most effective at preventing a remote wipe initiated via the internet?
A) Turning the device off
B) Placing it in a Faraday bag
C) Removing the battery
D) Activating airplane mode
Answer: B
Explanation: A Faraday bag blocks all radio signals, ensuring the device cannot receive remote commands, including wipe instructions.

**Question 5.** The Android hardware abstraction layer (HAL) primarily serves what purpose?
A) Providing a graphical user interface
B) Translating Android API calls to hardware drivers
C) Managing user permissions
D) Encrypting the file system
Answer: B
Explanation: HAL acts as a bridge between Android’s higher-level APIs and the device’s native hardware drivers.

**Question 6.** Which Android runtime replaced Dalvik beginning with Android 5.0?
A) ART (Android Runtime)
B) JVM (Java Virtual Machine)
C) V


B) adb shell pm list packages
C) adb install -r
D) adb logcat
Answer: B
Explanation: The pm list packages command enumerates all installed application package names.

**Question 10.** The iOS file system introduced with iOS 10 uses which modern file system format?
A) HFS+
B) APFS (Apple File System)
C) EXT
D) NTFS
Answer: B
Explanation: APFS provides strong encryption, cloning, and space-sharing capabilities, replacing the older HFS+ on iOS devices.

**Question 11.** What component of iOS is responsible for storing cryptographic keys and performing secure operations?
A) Secure Enclave Processor (SEP)
B) TrustZone
C) TPM (Trusted Platform Module)
D) Keychain Daemon
Answer: A
Explanation: The SEP is a dedicated co-processor that isolates cryptographic keys and handles encryption/decryption tasks.


**Question 12.** Which iOS acquisition method requires a physical connection and uses a vulnerability like Checkm8?
A) Logical backup via iTunes
B) iCloud sync extraction
C) Full-file system extraction with a bootrom exploit
D) AirDrop data capture
Answer: C
Explanation: Checkm8 is a bootrom exploit that permits low-level access for a full-file system extraction without needing a passcode.

**Question 13.** In iOS, where are passwords for Wi-Fi networks typically stored?
A) /private/var/wifi.plist
B) /Library/Keychains/System.keychain
C) /private/var/mobile/Library/Preferences/com.apple.wifi.plist
D) /private/var/mobile/Library/Keychains/keychain-db
Answer: D
Explanation: The iOS Keychain database holds Wi-Fi credentials along with other sensitive items.

**Question 14.** Logical acquisition of a mobile device primarily captures which type of data?
A) Raw NAND flash image
B) File system metadata only
C) User-level files and application data accessible via the OS
D) Bootloader and firmware binaries
Answer: C
Explanation: Logical acquisition extracts data that the operating system can read, such as contacts, messages, and app files.


Answer: C
Explanation: Non-conductive adhesives and low-temperature soldering prevent heat-induced data loss while removing the chip.

**Question 18.** Downgrading an app version during an investigation is useful because:
A) Older versions are always less secure, exposing passwords
B) It can bypass newer encryption schemes that block data export
C) It automatically deletes all user data, simplifying analysis
D) It changes the device’s IMEI number for anonymity
Answer: B
Explanation: Some apps add stronger encryption in later releases; downgrading may allow access to data in a less protected format.

**Question 19.** Which SQLite table is commonly used by WhatsApp to store chat messages?
A) messages
B) chatlist
C) wa_msg_store
D) conversation_log
Answer: C
Explanation: The wa_msg_store table holds message metadata and content for WhatsApp on Android and iOS.

**Question 20.** GPS coordinates stored in a device’s location history are typically found in which format?
A) Decimal degrees (DD)
B) Degrees, minutes, seconds (DMS)
C) Universal Transverse Mercator (UTM)
D) Binary encoded polyline
Answer: A
Explanation: Most mobile OSes store latitude and longitude as decimal degrees for ease of computation.

**Question 21.** Which iOS API provides the most accurate location data by fusing GPS, Wi-Fi, and cellular information?
A) CoreLocation’s startUpdatingLocation
B) MapKit’s MKMapView
C) HealthKit’s HKWorkout
D) ARKit’s ARSession
Answer: A
Explanation: CoreLocation’s startUpdatingLocation aggregates multiple sources to deliver high-precision positioning.

**Question 22.** In Android, which permission is required for an app to read the device’s contacts?
A) READ_SMS
B) ACCESS_FINE_LOCATION
C) READ_CONTACTS
D) WRITE_EXTERNAL_STORAGE
Answer: C
Explanation: READ_CONTACTS grants an app the ability to access the contacts stored on the device.


Answer: D
Explanation: Apps may use local time zones or UTC independently, resulting in mismatched timestamps that must be normalized during timeline analysis.

**Question 26.** The “Secure Boot” process on modern Android devices ensures that:
A) The device can only boot signed firmware images from the manufacturer
B) All user data is encrypted with a default password
C) The SIM card is authenticated before network access
D) The device disables all wireless radios during boot
Answer: A
Explanation: Secure Boot verifies the cryptographic signature of each boot component, preventing execution of unauthorized code.

**Question 27.** When analyzing a Telegram data dump, which file typically contains chat messages in JSON format?
A) cache.db
B) tgmessages.db
C) tdesktop.tdata
D) messages.json
Answer: D
Explanation: Telegram stores exported chats as messages.json, which includes message content and metadata.

**Question 28.** Which Android component is responsible for handling incoming SMS messages and may retain them in its private storage?
A) Telephony Service
B) SMS Provider (content://sms)
C) Radio Interface Layer (RIL)
D) Keyguard Manager
Answer: B
Explanation: The SMS Provider is a content provider that stores SMS/MMS data accessible via the content://sms URI.

**Question 29.** In iOS, the “Data Protection” class NSFileProtectionCompleteUntilFirstUserAuthentication means:
A) The file is encrypted until the device is powered off
B) The file is accessible after the first successful passcode entry after boot
C) The file remains unencrypted at all times
D) The file can be read only by the system kernel
Answer: B
Explanation: This protection class allows file access after the user authenticates once after a reboot, then remains protected.

**Question 30.** Which of the following is a primary limitation of cloud-based mobile forensics?
A) Inability to recover deleted local files
B) Lack of metadata in cloud backups
C) Dependency on the suspect’s internet connectivity and service provider cooperation
D) Absence of encryption on cloud data
Answer: C
Explanation: Cloud forensics often requires legal requests to service providers and depends on the suspect’s synchronization settings.


Explanation: SIM swapping involves the unauthorized replacement of a victim’s SIM, often leaving forensic traces such as changes in device logs.

**Question 34.** In Android, which directory typically contains cached image thumbnails for the Gallery app?
A) /data/media/0/DCIM/.thumbnails
B) /system/app/Gallery
C) /data/data/com.android.gallery3d/cache
D) /sdcard/Android/data/com.android.gallery3d/cache
Answer: C
Explanation: The Gallery app stores thumbnail caches under its private data directory.

**Question 35.** Which iOS log file is most useful for determining when a device was unlocked?
A) /private/var/log/system.log
B) /private/var/mobile/Library/Logs/CrashReporter/
C) /private/var/mobile/Library/Logs/Lockdown/
D) /private/var/mobile/Library/Preferences/com.apple.springboard.plist
Answer: A
Explanation: system.log records lock/unlock events, providing timestamps for user access.

**Question 36.** A forensic analyst needs to verify whether a deleted WhatsApp chat was recovered from a backup. Which file should be examined?
A) msgstore.db.crypt12 (encrypted)
B) wa.db
C) ChatStorage.sqlite
D) WhatsApp.backup
Answer: A
Explanation: The encrypted msgstore.db.crypt12 file contains the most recent WhatsApp backup, which may include deleted messages.

**Question 37.** In the context of mobile forensics, “dead-drop” refers to:
A) A method of remotely wiping a device
B) A hidden folder used by malware to store data
C) Physical exchange of data storage media without direct contact
D) The process of dumping RAM to retrieve encryption keys
Answer: C
Explanation: A dead-drop is a covert exchange point where data can be left or retrieved without the parties meeting.

**Question 38.** Which Android API level introduced scoped storage, restricting apps from accessing arbitrary files on external storage?
A) API 21 (Lollipop)
B) API 23 (Marshmallow)
C) API 29 (Android 10)
D) API 30 (Android 11)
Answer: C
Explanation: Scoped storage in Android 10 (API 29) limits apps to their own directories unless they request special permissions.

**Question 39.** When analyzing a device’s Wi-Fi connection history, which SQLite table in iOS contains the SSID and timestamp information?
A) WiFiNetworkList in com.apple.wifi.plist


**Question 42.** Which of the following is an indicator that a device has been jailbroken (iOS) or rooted (Android)?
A) Presence of /system/bin/su on Android or /Applications/Cydia.app on iOS
B) Enabled airplane mode
C) Installation of a VPN profile
D) Use of a passcode longer than 4 digits
Answer: A
Explanation: The existence of superuser binaries or Cydia indicates elevated privileges typical of jailbroken/rooted devices.

**Question 43.** When constructing a timeline from mobile artifacts, which timestamp type is considered the most reliable for establishing event order?
A) File creation time (ctime)
B) Last accessed time (atime)
C) Modified time (mtime)
D) MAC timestamps from the file system journal
Answer: D
Explanation: MAC (Modified, Accessed, Changed) timestamps recorded in the journal are less prone to user manipulation and provide accurate sequencing.

**Question 44.** Which tool can be used to extract and decode iOS Keychain data after acquiring a physical image?
A) iTunes Backup Extractor
B) keychain_dump (part of libimobiledevice)
C) Autopsy
D) FTK Imager
Answer: B
Explanation: keychain_dump reads the Keychain database from a raw iOS image and can decrypt entries given the appropriate keys.

**Question 45.** In Android, which broadcast intent is sent when the device boots up, allowing apps to perform actions at startup?
A) android.intent.action.POWER_CONNECTED
B) android.intent.action.BOOT_COMPLETED
C) android.intent.action.SCREEN_ON
D) android.intent.action.PACKAGE_ADDED
Answer: B
Explanation: BOOT_COMPLETED notifies apps that the system has finished booting.

**Question 46.** What is the primary purpose of the “Find My iPhone” service in a forensic investigation?
A) To retrieve the device’s encryption keys
B) To obtain the last known GPS coordinates and lock status
C) To automatically delete all data on the device
D) To install a forensic agent remotely
Answer: B
Explanation: “Find My iPhone” can provide location history and remote lock status, which can be valuable evidence.

**Question 47.** Which of the following best describes a “dead-run” in the context of mobile device forensics?
A) Continuous monitoring of network traffic from a device
B) Executing a script that erases all forensic artifacts
C) The process of disabling a device’s radios to prevent remote commands


B) Wi-Fi network passwords
C) SMS message metadata
D) Battery health statistics
Answer: A
Explanation: This plist lists all apps installed on the device, including version numbers and installation dates.

**Question 51.** Which Android forensic acquisition method can retrieve the device’s RAM contents for volatile data analysis?
A) JTAG
B) Chip-off
C) Live memory dump via adb shell and dd on /dev/mem (requires root)
D) Cloud backup download
Answer: C
Explanation: A live memory dump captures volatile data; it requires root privileges to access /dev/mem.

**Question 52.** Which of the following is a characteristic of “file carving” in mobile forensics?
A) It relies on file system metadata to locate files
B) It extracts files based on known header/footer signatures without using the file system table
C) It only works on encrypted partitions
D) It requires the device to be in airplane mode
Answer: B
Explanation: File carving scans raw data for signatures to recover files even when metadata is missing.


**Question 53.** The “Secure Enclave” on iOS devices communicates with the main processor using which interface?
A) USB
B) UART
C) APB (Advanced Peripheral Bus) with a dedicated encrypted channel
D) Wi-Fi Direct
Answer: C
Explanation: The SEP uses a dedicated encrypted bus (APB) to ensure secure communication with the application processor.

**Question 54.** Which forensic artifact can confirm whether a user has enabled “Do Not Disturb” mode on an iPhone?
A) /private/var/mobile/Library/DoNotDisturb/Settings.plist
B) com.apple.springboard.plist entry DoNotDisturbEnabled
C) SystemPreferences key DND in the Keychain
D) iMessage database flag dnd
Answer: B
Explanation: The SpringBoard preferences plist stores the DoNotDisturbEnabled boolean.

**Question 55.** In Android, which permission is required to read the device’s call log?
A) READ_CALL_LOG
B) READ_PHONE_STATE
C) READ_CONTACTS
D) READ_SMS
Answer: A
Explanation: The READ_CALL_LOG permission grants access to the call history database.