








































The PrepIQ Cellebrite Reader Level 3 Ultimate Exam is designed for digital forensic professionals seeking advanced expertise in reviewing and interpreting mobile device evidence using Cellebrite Reader solutions. This preparation resource covers evidence navigation, artifact analysis, reporting workflows, and investigative collaboration techniques. Learners will strengthen their ability to interpret extracted mobile data and support investigative findings in corporate, legal, and law enforcement environments.
Typology: Exams
Question 1. Which file type does Cellebrite Reader open to begin a forensic examination?
A) .E
B) .UFDR
C) .DAT
D) .IMG
Answer: B
Explanation: The Universal Forensic Data Report (.UFDR) is the proprietary container that Cellebrite Reader uses for loaded projects.

Question 2. What is the primary purpose of verifying a file hash in the Reader?
A) To speed up loading time
B) To confirm data integrity from extraction
C) To encrypt the data
D) To generate a report summary
Answer: B
Explanation: Hash verification ensures the data has not been altered since the forensic extraction was performed.

Question 3. In the Project Tree, which action allows you to prioritize a specific data category?
A) Right-click → “Refresh”
B) Drag-and-drop the category to the top
C) Click the “Lock” icon
D) Use the “Pin” button on the toolbar
Answer: B
Explanation: Dragging a category moves it higher in the tree, making it more visible for analysis.

Question 4. The Dashboard view in Reader primarily provides:
A) A list of all files on the device
B) High-level statistical overviews such as counts of messages, calls, and media
C) Detailed hex dumps of each artifact
D) Network traffic logs
Answer: B
Explanation: The Dashboard aggregates counts and summary charts for quick case assessment.

Question 5. Which search mode scans every artifact in the project regardless of category?
A) Category-specific search
B) Global search
C) Filtered search
D) Regex-only search
Answer: B
Explanation: Global search examines all data types, while category-specific limits the scope.

Question 6. To locate credit-card numbers using a regular expression, which pattern is most appropriate?
A) \d{4}-\d{4}-\d{4}-\d{4}
B) \b[0-9]{13,16}\b
C) ^[A-Z]{2}[0-9]{6}$
D) \w+@\w+.\w{2,3}
Answer: B
Explanation: The pattern \b[0-9]{13,16}\b matches any 13- to 16-digit numeric string, typical of credit-card numbers.

Question 7. When reconstructing a WhatsApp conversation, the Reader groups messages by:
A) Date only

Answer: B
Explanation: Mutual links reveal contacts that appear in multiple cases, indicating possible relationships.

Question 11. Which log type distinguishes a FaceTime call from a cellular call?
A) Call Log – Type column
B) SMS Log – Direction column
C) App Usage – Duration column
D) Network Log – Protocol column
Answer: A
Explanation: The Call Log includes a “Type” field that specifies whether a call is cellular, FaceTime, or VoIP.

Question 12. In the Maps view, which filter would exclude Wi-Fi-derived locations?
A) Source = GPS only
B) Precision > 50 m
C) Timestamp < 2023-01-01
D) All of the above
Answer: A
Explanation: Selecting GPS only removes Wi-Fi-based location points from the map.

Question 13. To visualize a device’s movement over a day, you would generate:
A) Heat map
B) Pathing map
C) Cluster map
D) Topographic map
Answer: B
Explanation: Pathing maps plot sequential GPS points, showing the chronological route taken.

Question 14. “Significant Locations” in Cellebrite are defined as:
A) Places visited more than five times
B) Locations with a precision better than 10 m
C) Points where the device remained for a minimum dwell time (e.g., 30 min)
D) All GPS points within a 1-km radius of each other
Answer: C
Explanation: Significant Locations are identified by prolonged dwell periods, indicating purposeful presence.

Question 15. Which EXIF field provides the geographic coordinates of a photo?
A) DateTimeOriginal
B) GPSLatitude and GPSLongitude
C) CameraModel
D) Orientation
Answer: B
Explanation: GPSLatitude and GPSLongitude store the latitude and longitude embedded by the device’s camera.

Question 16. AI-based image categorization can automatically filter images containing:
A) Text messages only
B) Specific objects such as weapons or drugs
C) Audio files embedded in JPEGs
D) Only portrait mode photos
Answer: B
Explanation: The AI engine tags visual content, allowing filters for objects like weapons or illicit substances.

Question 17. The Unified Timeline merges artifacts from:

C) Network provider
D) GPS accuracy
Answer: B
Explanation: Linking unlock (user presence) with message sending shows the user consciously performed the action.

Question 21. When adjusting timestamps for a device that was set to a different time zone, you must consider:
A) Only the device’s local time
B) UTC offset stored in the system logs
C) The carrier’s network time only
D) None; timestamps are always UTC
Answer: B
Explanation: System logs include the UTC offset, enabling conversion from device-local time to universal time.

Question 22. Which filter expression would show “all images with GPS coordinates sent via WhatsApp in July 2022”?
A) type:image AND source:WhatsApp AND date:2022-07* AND hasGPS:true
B) category:media OR app:WhatsApp
C) filetype:jpg AND month:July
D) location:GPS AND app:All
Answer: A
Explanation: The expression combines artifact type, source app, date pattern, and GPS presence.

Question 23. Tagging an artifact in Reader is primarily used for:
A) Encrypting the file
B) Highlighting it for later review or export
C) Deleting the artifact from the case
D) Changing its hash value
Answer: B
Explanation: Tags act as markers to group and retrieve evidential items efficiently.

Question 24. How does Reader handle duplicate entries that originate from both a logical and a physical extraction?
A) It keeps both copies unchanged
B) It merges them and displays a single unified entry
C) It deletes the logical copy automatically
D) It prompts the examiner to choose which to retain
Answer: B
Explanation: Reader’s data model deduplicates based on unique identifiers, presenting a merged view.

Question 25. A “merged contact” in the Contacts tab indicates:
A) Two separate contacts have been combined because they share the same phone number or email address
B) The contact has been deleted
C) The contact is a group chat participant
D) The contact is from a different device model
Answer: A
Explanation: Merging consolidates duplicate entries that refer to the same real-world person.

Question 26. Importing a watchlist allows the examiner to:
A) Increase the device’s battery life
B) Automatically flag artifacts containing predefined keywords or suspicious numbers
C) Change the project’s file format
D) Remove all images from the case
Answer: B

Explanation: Bluetooth logs do not provide geolocation coordinates, whereas GPS, Wi-Fi, and cellular tower data do.

Question 30. The “Precision” filter for location artifacts is used to:
A) Exclude points with low accuracy (e.g., > 100 m)
B) Increase the file compression rate
C) Sort contacts alphabetically
D) Hide all GPS data
Answer: A
Explanation: Precision defines the accuracy radius; filtering by it removes imprecise points.

Question 31. When analyzing a Telegram conversation, the Reader indicates “Message Fragment” when:
A) The message exceeds 200 characters and is stored in multiple database rows
B) The message was sent in a group chat
C) The message contains an image
D) The message was edited after sending
Answer: A
Explanation: Telegram stores long messages as fragments; Reader stitches them together for display.

Question 32. Which log entry would most likely indicate a VoIP call made through Skype?
A) Call Log – Type = “VoIP” and App = “Skype”
B) SMS Log – Direction = “Outgoing”
C) Power Log – Event = “Screen On”
D) Network Log – Protocol = “SMTP”
Answer: A
Explanation: The Call Log records the call type and associated application, identifying Skype VoIP calls.

Question 33. In the Reader, the “Power Log” is useful for proving:
A) The device’s battery capacity
B) When the device was turned on/off or screen unlocked, establishing user presence
C) The Wi-Fi password used
D) The number of installed apps
Answer: B
Explanation: Power logs capture events like boot, shutdown, and screen unlock, which help establish timeline context.

Question 34. To exclude all system-generated artifacts from a timeline view, you would apply which filter?
A) artifactType:User
B) source:Device
C) category:System – Exclude
D) tag:Important
Answer: C
Explanation: Selecting “System – Exclude” removes system-level entries, leaving only user-generated data.

Question 35. Which of the following best describes “Pathing” in the context of geodata analysis?
A) A heat map of most-visited locations
B) A linear sequence of GPS points plotted in chronological order
C) A list of Wi-Fi SSIDs detected
D) A clustering of cell tower IDs
Answer: B
Explanation: Pathing visualizes the device’s movement by connecting sequential GPS coordinates.

A) Random Encryption Standard
B) Regular Expression, a pattern-matching syntax
C) Rapid Extraction System
D) Remote Execution Service
Answer: B
Explanation: Regex is a powerful tool for searching complex patterns like email addresses or VINs.

Question 40. To find all email addresses from the domain “example.com” using regex, which pattern is correct?
A) \bexample.com\b
B) \b[\w.%+-]+@example.com\b
C) ^example$
D) \d{3}@example.com
Answer: B
Explanation: The pattern matches any standard email username followed by “@example.com”.

Question 41. When reviewing “Call Log” entries, the “Direction” field indicates:
A) Whether the call was incoming, outgoing, or missed
B) The geographical direction of the call tower
C) The type of network (3G/4G)
D) The call’s audio quality
Answer: A
Explanation: Direction clarifies if a call was placed, received, or not answered.

Question 42. Which of the following is a benefit of using the “Tagging” feature in large cases?
A) It automatically deletes untagged artifacts
B) It enables quick grouping and export of selected evidence subsets
C) It changes the file format to PDF
D) It encrypts the tagged items with a new key
Answer: B
Explanation: Tags act as labels that can be used to filter, review, and export specific groups of artifacts.

Question 43. If a GPS point shows a precision of 150 m, what does this imply?
A) The location is accurate within a 150-meter radius
B) The point is exactly 150 m above sea level
C) The device was moving at 150 km/h
D) The Wi-Fi signal strength was 150 dBm
Answer: A
Explanation: Precision denotes the radius of uncertainty around the reported coordinates.

Question 44. Which artifact would you analyze to determine whether a suspect used a VPN at a specific time?
A) Network Log – VPN connection entries with timestamps
B) Call Log – Duration field
C) SMS Log – Message content
D) Power Log – Screen brightness changes
Answer: A
Explanation: Network logs record VPN session start and end times, revealing usage.

Question 45. The “Unified Timeline” can be filtered by “Event Type”. Which of the following is NOT a valid event type filter?
A) Call
B) SMS
C) Battery Level
D) App Launch

Explanation: Deleted Items aggregates data that the device indicates were removed but may still be recoverable.

Question 49. When a duplicate contact is identified across two extractions, Reader’s merging algorithm uses which identifier as the primary key?
A) Phone number
B) Contact ID assigned by the device OS
C) Email address
D) First name only
Answer: B
Explanation: The OS-generated Contact ID is unique per device and serves as the primary deduplication key.

Question 50. Which of the following best describes the purpose of the “Dashboard” widget titled “Frequent Locations”?
A) List the top five Wi-Fi networks used
B) Show locations where the device spent the most cumulative time
C) Display the most used apps
D) Summarize battery usage per hour
Answer: B
Explanation: Frequent Locations aggregates dwell time to highlight places the device visited repeatedly.

Question 51. To search for all messages that contain a VIN (Vehicle Identification Number) pattern, which regex would you use?
A) \b[0-9A-HJ-NPR-Z]{17}\b
B) \bVIN[0-9]{4}\b
C) \b[0-9]{6}\b
D) \b[AZ]{2}[0-9]{5}\b
Answer: A
Explanation: VINs are 17-character alphanumeric strings excluding I, O, Q; the pattern captures this format.

Question 52. Which artifact type would you examine to determine if a suspect used the device’s “Find My iPhone” feature?
A) Location Log – Service = “Find My iPhone”
B) Call Log – Type = “Find My iPhone”
C) Power Log – Event = “Location Services On”
D) Settings Log – Feature = “Find My iPhone”
Answer: D
Explanation: Settings logs record toggling of system features like “Find My iPhone”.

Question 53. The “Filter Bar” allows the examiner to combine multiple criteria using which logical operator by default?
A) OR
B) NOT
C) AND
D) XOR
Answer: C
Explanation: Multiple filter conditions are combined with AND, narrowing results to items that meet all criteria.

Question 54. When analyzing a WhatsApp group chat, the Reader shows multiple participants under the “Group Members” section. This data is sourced from:
A) The device’s contacts database only
B) The group’s metadata stored within the WhatsApp SQLite database
C) The carrier’s SMS logs
D) The device’s Bluetooth pairing list
Answer: B
Explanation: WhatsApp stores group participant information in its own database, which Reader extracts.

Question 58. In the context of “Pattern of Life”, which combination of artifacts provides the strongest evidence of routine behavior?
A) GPS location points, App Usage timestamps, and Power Log events
B) Call Log duration only
C) Wi-Fi SSID list
D) Battery health report
Answer: A
Explanation: Correlating location, app interaction, and device power events creates a comprehensive activity pattern.

Question 59. Which of the following is a limitation of the “Global Search” function?
A) It cannot search within image metadata
B) It does not respect case-sensitive queries
C) It only returns the first 100 results
D) It excludes deleted artifacts unless explicitly enabled
Answer: D
Explanation: By default, Global Search omits artifacts marked as deleted; the examiner must enable that option.

Question 60. To export only the artifacts that have been tagged “Review”, you would:
A) Use the Export wizard and select Tag = “Review” as a filter
B) Right-click the Project Tree and choose “Export All”
C) Delete all other tags first
D) Change the project’s default export format to CSV
Answer: A
Explanation: The Export wizard allows filtering by tags, enabling selective export.

Question 61. Which artifact type is most appropriate for verifying that a suspect sent a voice note via Signal at a specific time?
A) Signal Log – Media entry with type “audio” and timestamp
B) Call Log – Duration field
C) SMS Log – Text content
D) Power Log – Battery level drop
Answer: A
Explanation: Signal logs contain entries for voice notes, including media type and timestamp.

Question 62. When a watchlist flags a phone number as suspicious, the Reader highlights the number in which view?
A) Contacts tab only
B) All artifact views where the number appears (calls, messages, etc.)
C) Dashboard – Summary only
D) Exported PDF reports only
Answer: B
Explanation: Watchlist matches are applied globally, so any artifact containing the flagged number is highlighted.

Question 63. The “Precision” filter for location data can be set to “High”. This will:
A) Show only points with precision ≤ 10 m
B) Show points with the highest latitude values
C) Exclude all Wi-Fi-derived locations
D) Sort points alphabetically
Answer: A
Explanation: “High” precision typically corresponds to a small radius, such as ≤ 10 m.

Question 64. Which of the following artifacts would you examine to confirm that a suspect installed a new app at 02:30 AM?
A) App Installation Log – Timestamp entry for the specific package name