MSAB XRY Cloud Exam, Exams of Technology

The MSAB XRY Cloud Exam focuses on acquiring and analyzing cloud-based data using XRY. It covers account access, cloud service artifacts, social media data, synchronization evidence, and reporting. This certification supports investigations involving cloud-hosted evidence.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2 🇮🇳

MSAB XRY Cloud Exam
**Question 1.** In a forensic investigation, which cloud service model provides the most control over the operating system and installed applications?
A) SaaS
B) PaaS
C) IaaS
D) DaaS
Answer: C
Explanation: IaaS (Infrastructure as a Service) exposes virtual machines, storage, and networks to the tenant, so whoever holds authorised access to the tenant controls the OS and the installed applications; SaaS and PaaS abstract those layers away.
**Question 2.** When extracting data in a “Device‑to‑Cloud” scenario, the primary role of the mobile device is to act as:
A) A storage repository for all cloud data
B) A gateway that authenticates and forwards requests to cloud services
C) An offline backup of cloud credentials
D) A firewall that blocks cloud traffic
Answer: B
Explanation: The device authenticates the user and forwards API calls to the cloud, effectively serving as a gateway for data retrieval.
**Question 3.** Which legal principle requires a forensic examiner to obtain a warrant before seizing data stored on a server located in another country?
A) Chain of custody
B) Mutual Legal Assistance Treaty (MLAT)
C) Data minimization
D) Cloud service level agreement



Answer: B
Explanation: An MLAT facilitates cross‑border legal cooperation, ensuring that foreign data is accessed only with proper judicial authorization.
**Question 4.** Under GDPR, “Selective Extraction” primarily helps investigators to:
A) Avoid collecting any personal data
B) Extract only the data necessary for the investigation while preserving privacy of unrelated data
C) Encrypt all extracted data automatically
D) Transfer data to a non‑EU jurisdiction
Answer: B
Explanation: Selective extraction limits collection to relevant items, supporting GDPR’s data minimization principle.
**Question 5.** In XRY Cloud’s Automatic Mode, what does a “token” represent?
A) The device’s IMEI number
B) A temporary credential that grants API access to a cloud service
C) The user’s password hash
D) A hardware encryption key
Answer: B
Explanation: Tokens are time‑limited credentials issued by cloud providers that allow XRY Cloud to call APIs without needing the user’s password.
**Question 6.** The “Window of Opportunity” in token‑based extraction refers to:
A) The period when the device battery is fully charged
B) The timeframe before a token expires or is refreshed
C) The time required to install XRY Cloud on a forensic workstation

C) Disable 2FA on the cloud account remotely
D) Reset the user’s password without notification
Answer: A
Explanation: Legitimate backup codes or previously captured OTPs can be used; guessing or unauthorized changes are illegal and unethical.
**Question 10.** What distinguishes “Standalone” from “Integrated” extraction in XRY Cloud?
A) Standalone runs on a separate machine, while Integrated runs inside the XRY mobile suite
B) Standalone extracts only text, Integrated extracts media as well
C) Standalone requires no internet, Integrated does
D) Standalone uses API calls, Integrated uses web scraping
Answer: A
Explanation: Standalone mode operates independently, whereas Integrated mode is embedded within the broader XRY mobile workflow.
**Question 11.** Which social media platform’s API allows XRY Cloud to retrieve “Reactions” (Like, Love, etc.) on posts?
A) Instagram
B) Snapchat
C) Facebook
D) TikTok
Answer: C
Explanation: Facebook’s Graph API includes fields for reactions, enabling their extraction.
**Question 12.** When extracting Instagram data, which artifact is NOT directly available via the standard API?

A) Direct messages (DMs)
B) Photo captions
C) Followers list
D) Story highlights
Answer: A
Explanation: Instagram’s public API does not expose private DMs; specialized methods or screen‑scraping are needed.
**Question 13.** XRY Cloud can recover deleted tweets from X (Twitter) under which condition?
A) The user’s account is set to private
B) The tweet was removed within the last 30 days and is still cached by the API
C) The tweet was posted via a third‑party client
D) Twitter provides a “hard delete” archive to investigators
Answer: B
Explanation: Twitter retains recently deleted tweets in a short‑term cache, which XRY Cloud can access if the token is still valid.
**Question 14.** Which Google service provides a chronological log of user actions such as searches, app usage, and location history?
A) Google Drive
B) Google Photos
C) Google My Activity
D) Google Keep
Answer: C
Explanation: Google My Activity aggregates user actions across Google services.

**Question 18.** When extracting data from Dropbox, which of the following is NOT considered a metadata artifact?
A) File size
B) Revision history
C) File content hash (SHA‑256)
D) File’s binary data
Answer: D
Explanation: The binary content is the actual data, not metadata; the other items describe the file.
**Question 19.** Which of these cloud storage services supports “Selective Sync,” allowing investigators to limit extraction to specific folders?
A) OneDrive
B) Box
C) iCloud Drive
D) All of the above
Answer: D
Explanation: All three provide selective synchronization options that can be leveraged during forensic acquisition.
**Question 20.** For a successful XRY Cloud extraction, the forensic workstation must maintain:
A) A static IP address to avoid token invalidation
B) Continuous internet connectivity throughout the extraction process
C) Disabled antivirus to prevent API throttling
D) A VPN connection to the cloud provider’s internal network
Answer: B

Explanation: Interruptions in connectivity can cause token expiration or incomplete data transfer.
**Question 21.** Data scoping in XRY Cloud allows an examiner to:
A) Increase the bandwidth of the extraction automatically
B) Limit the extraction to a defined date range or data type, reducing processing time
C) Bypass encryption on selected files only
D) Export data directly to a cloud storage bucket
Answer: B
Explanation: Scoping filters the acquisition to relevant items, improving efficiency.
**Question 22.** Which method does XRY Cloud primarily use to collect data from services that do not expose a public API?
A) Brute‑force password guessing
B) XRY Photon screen‑scraping
C) Packet capture of network traffic
D) Direct database access via SSH
Answer: B
Explanation: XRY Photon captures the rendered user interface of the web or app and reads the visible data from it, so content can be collected where no API is available.
**Question 23.** When merging cloud and device extractions in XAMN Spotlight, the “Source Mode” attribute indicates:
A) Whether the data was encrypted at rest
B) The geographic origin of the data
C) Whether the artifact originated from the physical device, the cloud, or both
D) The file system type used on the device

D) The size of each extracted artifact
Answer: B
Explanation: Connection View visualizes relationships between accounts and shared contacts.
**Question 27.** Which of the following is a primary challenge when extracting data from a cloud service that employs “OAuth 2.0” for authentication?
A) Lack of encryption on the data at rest
B) Short‑lived access tokens that require refresh handling
C) Inability to retrieve user‑generated content
D) Mandatory use of hardware security modules (HSM)
Answer: B
Explanation: OAuth 2.0 issues access tokens that may expire, requiring proper refresh logic during extraction.
**Question 28.** In the context of cloud forensics, “Data Minimization” means:
A) Deleting all non‑essential data after acquisition
B) Collecting only the data necessary for the investigation to comply with privacy laws
C) Compressing data to reduce storage size
D) Using the smallest possible hard drive for the case
Answer: B
Explanation: Data minimization limits collection to relevant items, respecting legal and privacy requirements.
**Question 29.** Which of the following XRY Cloud supported services stores user activity logs in a “JSON” format accessible via API?
A) Dropbox

B) Google My Activity
C) iCloud Keychain
D) Snapchat Stories
Answer: B
Explanation: Google My Activity returns user actions as JSON objects through its API.
**Question 30.** When extracting Viber cloud backups, the primary artifact of interest for reconstructing conversations is:
A) SQLite database named “viber_messages.db”
B) Plain‑text log file “viber_chat.txt”
C) Encrypted backup file with “.vbr” extension
D) XML configuration file “viber_config.xml”
Answer: C
Explanation: Viber stores chat backups in an encrypted “.vbr” file, which must be decrypted for analysis.
**Question 31.** Which of the following best describes the purpose of “API throttling” in cloud services?
A) To increase the speed of data extraction
B) To limit the number of requests an application can make in a given time period, protecting service stability
C) To encrypt all API traffic automatically
D) To provide unlimited access to premium users only
Answer: B
Explanation: Throttling prevents abuse by capping request rates, which forensic tools must handle gracefully, typically by backing off when the service answers HTTP 429 and, where provided, waiting for the Retry‑After interval before retrying.
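Questions 5, 6, 27 and 31 describe one lifecycle seen from different angles: an access token whose window of opportunity closes, a refresh that has to happen without user interaction, and a service that answers HTTP 429 when the tool calls too fast. The Python below is an added example, not MSAB code and not a real provider API: `MockProvider` is a constructed in-memory stand-in for a cloud service's token endpoint and data API, and `FakeClock` replaces real time so the run is deterministic and offline. The client refreshes before the token lapses, retries after a 401, honours Retry-After on 429, and treats a rejected refresh token (`invalid_grant`) as the hard stop it is, since only a new login recovers from it.

```python
"""OAuth 2.0 token lifecycle handling for a long-running cloud acquisition (added example)."""
import json
from dataclasses import dataclass


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float   # epoch seconds, already reduced by a safety skew


def parse_token_response(body: str, now: float, skew: float = 60.0) -> TokenSet:
    """Convert a token-endpoint JSON reply into a TokenSet with a local deadline."""
    r = json.loads(body)
    return TokenSet(r["access_token"], r["refresh_token"], now + float(r["expires_in"]) - skew)


def needs_refresh(tok: TokenSet, now: float) -> bool:
    """True once the window of opportunity on the access token has closed."""
    return now >= tok.expires_at


class FakeClock:
    """Deterministic clock so the example runs offline and instantly."""
    def __init__(self, t): self.t = float(t)
    def now(self): return self.t
    def sleep(self, s): self.t += s


class MockProvider:
    """Constructed stand-in for a provider (hypothetical, not a real API):
    5-minute access tokens, one revocable refresh token, 3 requests per 60 s."""
    def __init__(self, clock, rate_limit=3):
        self.clock, self.rate_limit = clock, rate_limit
        self.revoked, self.serial, self.valid_until = False, 0, {}
        self.window_start, self.calls = clock.now(), 0

    def issue(self) -> str:
        self.serial += 1
        tok = f"at-{self.serial}"
        self.valid_until[tok] = self.clock.now() + 300
        return json.dumps({"access_token": tok, "refresh_token": "rt-1", "expires_in": 300})

    def refresh(self, refresh_token):
        if self.revoked or refresh_token != "rt-1":
            return 400, json.dumps({"error": "invalid_grant"})
        return 200, self.issue()

    def api(self, access_token, path):
        now = self.clock.now()
        if now - self.window_start >= 60:            # new rate-limit window
            self.window_start, self.calls = now, 0
        self.calls += 1
        if self.calls > self.rate_limit:
            return 429, {"Retry-After": "30"}, None
        if self.valid_until.get(access_token, 0) <= now:
            return 401, {}, None
        return 200, {}, {"path": path, "items": ["a", "b"]}


class AcquisitionClient:
    """Survives token expiry, server-side invalidation (401) and throttling (429)."""
    def __init__(self, provider, tokens, clock, max_attempts=5):
        self.provider, self.tokens, self.clock = provider, tokens, clock
        self.max_attempts, self.refreshes, self.throttled = max_attempts, 0, 0

    def _refresh(self):
        status, body = self.provider.refresh(self.tokens.refresh_token)
        if status != 200:   # revoked/expired refresh token: only a new login helps
            raise PermissionError("refresh rejected: " + json.loads(body)["error"])
        self.tokens = parse_token_response(body, self.clock.now())
        self.refreshes += 1

    def get(self, path):
        for _ in range(self.max_attempts):
            if needs_refresh(self.tokens, self.clock.now()):
                self._refresh()                        # refresh before the token lapses
            status, headers, body = self.provider.api(self.tokens.access_token, path)
            if status == 200:
                return body
            if status == 401:                          # token invalidated server-side
                self._refresh()
            elif status == 429:                        # throttled: honour Retry-After
                self.throttled += 1
                self.clock.sleep(int(headers.get("Retry-After", "5")))
            else:
                raise RuntimeError(f"unexpected HTTP {status} for {path}")
        raise RuntimeError(f"gave up on {path} after {self.max_attempts} attempts")


def run_scenario() -> dict:
    """Drive the client through throttling, expiry, a 401 and a revoked refresh token."""
    clock = FakeClock(1000)
    prov = MockProvider(clock)
    client = AcquisitionClient(prov, parse_token_response(prov.issue(), clock.now()), clock)
    pages = [client.get(f"/items?page={i}") for i in range(4)]  # 4th call is throttled twice
    clock.sleep(300)                                             # access token lapses
    pages.append(client.get("/items?page=4"))                    # proactive refresh
    prov.valid_until[client.tokens.access_token] = 0             # provider kills the token early
    pages.append(client.get("/items?page=5"))                    # 401 -> refresh -> retry
    prov.revoked = True                                          # account owner revokes the app
    clock.sleep(300)
    revoked_error = False
    try:
        client.get("/items?page=6")
    except PermissionError:
        revoked_error = True
    return {"pages": len(pages), "refreshes": client.refreshes,
            "throttled": client.throttled, "revoked_error": revoked_error}


if __name__ == "__main__":
    print(run_scenario())
```

Running the module prints the scenario summary. The revoked case is the one an examiner has to plan for: a refresh token can stop working whenever the account owner revokes the app or the provider invalidates the grant, so the window of opportunity is not only the access token's `expires_in`.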

Explanation: The grid enables investigators to compare artifact hashes with reference hash sets for verification or malware detection.
**Question 35.** Which cloud service’s “Shared Albums” feature can be leveraged to infer relationships between users in a forensic case?
A) Google Photos
B) OneDrive
C) Box
D) Dropbox
Answer: A
Explanation: Shared Albums in Google Photos list collaborators, providing evidence of shared content and relationships.
**Question 36.** What is the primary advantage of using “Selective Extraction” when dealing with GDPR‑protected data?
A) It automatically anonymizes all personal identifiers
B) It reduces the risk of over‑collecting personal data, aligning with GDPR’s proportionality principle
C) It speeds up the extraction by 90%
D) It bypasses the need for a data protection impact assessment (DPIA)
Answer: B
Explanation: Selective extraction limits collection to necessary items, supporting GDPR’s data minimization and proportionality requirements.
**Question 37.** Which of the following authentication flows is most commonly encountered when extracting data from Microsoft OneDrive via XRY Cloud?
A) SAML assertion
B) OAuth 2.0 with Azure AD

C) Kerberos ticket
D) RADIUS challenge‑response
Answer: B
Explanation: OneDrive uses the OAuth 2.0 flow of Azure Active Directory (now Microsoft Entra ID) for user authentication.
**Question 38.** When extracting Snapchat “Stories,” the investigator should be aware that:
A) Stories are stored indefinitely on Snapchat’s servers
B) Stories expire after 24 hours and may be unavailable unless captured before expiration
C) Stories are encrypted with a user‑controlled key that cannot be accessed by XRY Cloud
D) Snapchat does not provide any API for Stories, requiring Photon only
Answer: B
Explanation: Snapchat automatically deletes Stories after 24 hours; timely acquisition is essential.
**Question 39.** Which of the following is a forensic consideration when using XRY Cloud to extract data from a device that is rooted or jail‑broken?
A) Rooted devices automatically disable cloud authentication
B) Jail‑broken devices may have altered API endpoints, requiring custom configuration in XRY Cloud
C) Root access provides direct file system access, making cloud extraction unnecessary
D) Cloud providers refuse to serve data to rooted devices
Answer: B
Explanation: Modifications can change how the device communicates with cloud services, requiring the examiner to adjust extraction settings.
**Question 40.** In the context of XRY Cloud, “Refresh Token” is used to:
A) Extend the validity of an expired access token without user interaction

**Question 43.** Which of the following best describes a “Cloud‑Native Artifact”?
A) A file that exists only on the local device and never syncs
B) Data generated and stored directly within the cloud service, such as server‑side logs or activity records
C) An image captured on the device’s screen during extraction
D) A temporary cache file that is cleared after extraction
Answer: B
Explanation: Cloud‑native artifacts are created and retained by the service itself, independent of any device.
**Question 44.** In XRY Cloud, the “Data Scoping” option “Location Data Only” will retrieve which of the following from Google services?
A) Email body content
B) GPS coordinates from Google Timeline and photo EXIF data
C) Calendar events
D) Saved passwords
Answer: B
Explanation: Selecting location‑only scope extracts GPS‑based records and geotagged media.
**Question 45.** Which of the following is a potential legal risk if an examiner extracts data from a cloud account without proper jurisdictional authority?
A) The extracted data may be corrupted
B) The evidence could be deemed inadmissible due to violation of privacy laws
C) The cloud provider may block future API calls from the examiner’s IP
D) The device battery may drain faster
Answer: B

Explanation: Lack of proper legal authority can render the evidence inadmissible and expose the examiner to liability.
**Question 46.** When using XRY Cloud to extract Facebook “Message Threads,” the examiner must be aware that:
A) All messages are stored in plain text on the server
B) Deleted messages are permanently removed and cannot be recovered via API
C) Facebook retains a “message archive” for 90 days even after deletion, which may be accessible
D) The API returns only the last 100 messages per thread
Answer: C
Explanation: Facebook keeps a short‑term archive for deleted messages, which can sometimes be retrieved during that window.
**Question 47.** Which of the following best explains why “Two‑Factor Authentication” (2FA) can complicate manual cloud extraction?
A) 2FA requires a second device or token that may not be available to the examiner
B) 2FA encrypts the user’s password with an unknown algorithm
C) 2FA disables all API endpoints for the account
D) 2FA automatically logs out the user after each request
Answer: A
Explanation: 2FA often involves a separate device (SMS, authenticator app) that the examiner may not have, making login more complex.
**Question 48.** In XRY Cloud, the “Connection View” can help an investigator to:
A) Identify which cloud services share the same OAuth client ID, indicating possible linked accounts
B) Determine the bandwidth used during extraction

**Question 51.** Which of the following cloud services uses “Refresh Tokens” that are non‑revocable unless the user explicitly revokes access?
A) Google Drive
B) Dropbox
C) Apple iCloud
D) Microsoft OneDrive
Answer: A
Explanation: Google’s OAuth implementation issues refresh tokens with no fixed expiry; they remain valid until the user revokes the app’s access. Google can still invalidate them for other reasons (for example a password change on an account with Gmail scopes, six months without use, or an app still in testing status), so verify the token before relying on it.
**Question 52.** In the context of XRY Cloud, “API Versioning” is important because:
A) Older API versions may lack forensic‑friendly fields, leading to incomplete data capture
B) Newer versions automatically encrypt all data
C) Versioning determines the speed of the extraction
D) It controls the size of the generated case file
Answer: A
Explanation: Using the correct API version ensures that all needed fields are available for forensic analysis.
**Question 53.** Which of the following is a recommended step before initiating a cloud extraction on a suspect’s account?
A) Disable all firewalls on the forensic workstation
B) Verify that the extraction tool’s certificates are trusted by the cloud provider
C) Delete the suspect’s local app caches to avoid duplication
D) Change the suspect’s password to prevent future access
Answer: B

Explanation: A TLS handshake that fails aborts the API session before any data moves. In practice the forensic workstation must trust the provider’s certificate chain and must not sit behind an intercepting TLS proxy whose certificate the tool does not trust; if the provider requires client certificates (mutual TLS), those must be installed and valid as well.
**Question 54.** When extracting Google Photos, the EXIF metadata can provide which of the following forensic values?
A) The user’s Google account password
B) GPS coordinates, camera model, and timestamp of each photo
C) The list of users who liked the photo
D) The photo’s compression algorithm
Answer: B
Explanation: EXIF data includes location, device, and capture time, all valuable for investigations.
**Question 55.** Which of the following best describes “Screen‑Scraping” as used by XRY Photon?
A) Capturing network packets to reconstruct API calls
B) Programmatically reading the visual output of a UI and extracting textual data
C) Accessing the cloud provider’s database directly via SSH
D) Using OCR on printed screenshots taken from the device
Answer: B
Explanation: Screen‑scraping reads the rendered UI to pull visible information when APIs are unavailable.
**Question 56.** In XRY Cloud, the “Data Integrity Check” performed after extraction verifies:
A) That the extracted files match the hash values reported by the cloud service
B) That the device battery level is above 50%
C) That the user’s consent form is signed
D) That the extraction completed within the allocated time window
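Question 18 lists the file content hash as a Dropbox metadata artifact and Question 56 asks what the post-extraction integrity check verifies (Question 34 raises the same point for comparing artifact hashes against reference sets). The check is only meaningful if the examiner recomputes the provider's hash the way the provider does. Dropbox's documented `content_hash` is not a plain SHA-256 of the file: the content is split into 4 MiB blocks, each block is hashed with SHA-256, the binary digests are concatenated, and that concatenation is hashed again. The Python below is an added example, not MSAB or Dropbox code; the 5 MiB sample file and the "reported" hash are constructed here so it runs offline (in practice the reported value comes from the provider's file metadata).

```python
"""Recompute a provider-reported content hash after extraction (added example)."""
import hashlib

BLOCK_SIZE = 4 * 1024 * 1024     # Dropbox hashes content in 4 MiB blocks


def block_hashes(data: bytes) -> list:
    """SHA-256 digest of each 4 MiB block (the last block may be shorter)."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(data), BLOCK_SIZE)]


def dropbox_content_hash(data: bytes) -> str:
    """content_hash = hex(SHA-256(concatenated block digests)); an empty file hashes no blocks."""
    return hashlib.sha256(b"".join(block_hashes(data))).hexdigest()


def verify_extracted(data: bytes, reported_hash: str) -> dict:
    """Integrity check for one acquired file: provider-hash match plus a plain SHA-256
    for the case record, where plain file hashes (not block hashes) are what get compared
    against reference hash sets."""
    computed = dropbox_content_hash(data)
    return {
        "content_hash": computed,
        "sha256": hashlib.sha256(data).hexdigest(),
        "blocks": len(block_hashes(data)),
        "match": computed == reported_hash.strip().lower(),
    }


# Constructed sample: 5 MiB of patterned bytes, so the file spans two blocks.
SAMPLE = bytes(range(256)) * (5 * 4096)
# Hypothetical "reported by the provider" value; here taken from the intact sample itself.
REPORTED = dropbox_content_hash(SAMPLE)


def demo() -> dict:
    """Intact copy matches; a single flipped byte in the last block does not."""
    intact = verify_extracted(SAMPLE, REPORTED)
    tampered = verify_extracted(SAMPLE[:-1] + b"\x00", REPORTED)
    return {"intact": intact["match"], "tampered": tampered["match"], "blocks": intact["blocks"]}


if __name__ == "__main__":
    print(demo())
```

A mismatch after a clean download usually means the provider served a different revision than the one whose metadata was recorded, or the transfer was cut short (Question 20); either way the file should be re-acquired rather than logged with a hash that does not match the record.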
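Question 54 says EXIF carries GPS coordinates, camera model and capture time. Inside a JPEG the EXIF segment is a TIFF-structured byte blob (the APP1 payload after the `Exif\0\0` prefix) in which the position is stored as three rationals (degrees, minutes, seconds) plus a hemisphere reference, so a small parser is needed before the values are usable in a report. The Python below is an added example, not MSAB code: it walks IFD0, the Exif sub-IFD and the GPS IFD, converts the DMS rationals to signed decimal degrees and reads Make, Model and DateTimeOriginal. The sample blob is constructed in `build_sample_exif` with a fictitious camera and a Paris-area fix and comes from no real photo.

```python
"""Walk an EXIF (TIFF) payload for camera identity, capture time and GPS position (added example)."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}        # BYTE, ASCII, SHORT, LONG, RATIONAL
MAKE, MODEL, EXIF_IFD, GPS_IFD, DATE_ORIG = 0x010F, 0x0110, 0x8769, 0x8825, 0x9003
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4             # tags inside the GPS IFD


def read_ifd(blob: bytes, endian: str, off: int) -> dict:
    """Decode one IFD into {tag: value}; values wider than 4 bytes sit at an offset."""
    tags = {}
    (entries,) = struct.unpack_from(endian + "H", blob, off)
    for i in range(entries):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", blob, entry)
        size = TYPE_SIZE.get(typ, 1) * count
        pos = entry + 8 if size <= 4 else struct.unpack_from(endian + "I", blob, entry + 8)[0]
        raw = blob[pos:pos + size]
        if typ == 2:                                   # ASCII, NUL-terminated
            tags[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:                                 # RATIONAL: pairs of uint32
            tags[tag] = [n / d if d else float("nan") for n, d in struct.iter_unpack(endian + "II", raw)]
        elif typ in (3, 4):                            # SHORT / LONG
            vals = struct.unpack(endian + ("H" if typ == 3 else "I") * count, raw)
            tags[tag] = vals[0] if count == 1 else list(vals)
        else:
            tags[tag] = raw
    return tags


def parse_exif(blob: bytes):
    """blob is the TIFF part of EXIF (in a JPEG: the APP1 payload after 'Exif\\0\\0')."""
    endian = {b"II": "<", b"MM": ">"}[blob[:2]]
    magic, ifd0_off = struct.unpack_from(endian + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = read_ifd(blob, endian, ifd0_off)
    exif = read_ifd(blob, endian, ifd0[EXIF_IFD]) if EXIF_IFD in ifd0 else {}
    gps = read_ifd(blob, endian, ifd0[GPS_IFD]) if GPS_IFD in ifd0 else {}
    return ifd0, exif, gps


def dms_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds plus N/S or E/W reference -> signed decimal degrees."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref.strip().upper() in ("S", "W") else value


def photo_record(blob: bytes) -> dict:
    """The values of Question 54 for one photo; lat/lon only when a fix is present."""
    ifd0, exif, gps = parse_exif(blob)
    rec = {"make": ifd0.get(MAKE), "model": ifd0.get(MODEL), "taken": exif.get(DATE_ORIG)}
    if LAT in gps and LON in gps:
        rec["lat"] = round(dms_to_decimal(gps[LAT], gps.get(LAT_REF, "N")), 6)
        rec["lon"] = round(dms_to_decimal(gps[LON], gps.get(LON_REF, "E")), 6)
    return rec


def encode_ifd(entries, base: int) -> bytes:
    """Little-endian IFD writer, used only to construct the sample below."""
    head = 2 + 12 * len(entries) + 4
    body, tail = b"", b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")            # fits in the entry itself
        else:
            value = struct.pack("<I", base + head + len(tail))
            tail += payload                            # stored after the IFD
        body += struct.pack("<HHI", tag, typ, count) + value
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + tail


def build_sample_exif() -> bytes:
    """Constructed EXIF blob (fictitious camera, Paris-area fix); not from a real photo."""
    def text(s): return s.encode() + b"\0"
    def rat3(d, m, s): return struct.pack("<IIIIII", d, 1, m, 1, round(s * 100), 100)
    exif_entries = [(DATE_ORIG, 2, 20, text("2024:03:15 14:22:05"))]
    gps_entries = [(LAT_REF, 2, 2, b"N\0"), (LAT, 5, 3, rat3(48, 51, 29.6)),
                   (LON_REF, 2, 2, b"E\0"), (LON, 5, 3, rat3(2, 17, 40.2))]

    def ifd0(exif_off, gps_off):
        return [(MAKE, 2, 5, text("Acme")), (MODEL, 2, 9, text("Phone X1")),
                (EXIF_IFD, 4, 1, struct.pack("<I", exif_off)),
                (GPS_IFD, 4, 1, struct.pack("<I", gps_off))]
    exif_off = 8 + len(encode_ifd(ifd0(0, 0), 8))      # pointer values never change IFD0's size
    exif_bytes = encode_ifd(exif_entries, exif_off)
    gps_off = exif_off + len(exif_bytes)
    return (b"II*\0" + struct.pack("<I", 8) + encode_ifd(ifd0(exif_off, gps_off), 8)
            + exif_bytes + encode_ifd(gps_entries, gps_off))


if __name__ == "__main__":
    print(photo_record(build_sample_exif()))
```

Two caveats matter in practice: a missing hemisphere reference defaults here to N/E, which is an assumption the report should state rather than hide, and DateTimeOriginal carries no time zone, so it has to be reconciled with the device's or account's zone before it goes on a timeline.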