SANS FOR585 Smartphone Forensic Analysis exams with verified solutions 2026/2027 study set

Typology: Exams
2025/2026
Available from 06/03/2026
TheHub

Under which iOS sub-directory folder would an examiner expect to find Internet history, caches, keyboards, and Cookies?
Library

The /private/var/mobile/Library folder (physical acquisition), Backup Service/mobile/Library (file system acquisition) or the Library folder (logical acquisition) contains most of the data of interest to forensic examiners. The Library folder holds a large number of sub-folders, including those with data on communication, Internet history, Preferences, Keyboard, Caches and more. Tools such as Physical Analyzer give access to all of these folders and database files. For a physical acquisition the Library folder may also be found under Data/Data/mobile/Library.

Answer Options:
  • Health
  • Library
  • Applications
  • Media

What SQLite data type can be exported in order to be opened with a compatible program?
BLOB

Like the name suggests, BLOBs are comprised of binary data. Embedded files are stored as BLOBs; the column value can be exported to a file and then opened with a program that understands that file type.

Answer Options:
  • PLIST
  • TIFF
  • BLOB
  • JPEG

What can be concluded from a folder named "00e456d65498137b76ec5b4137a70821df4afdbf" found in a device's MobileSync directory?
The backup was made prior to fall 2018

A backup folder in MobileSync is named after the device UDID. Devices released before September 2018 use a 40-character hexadecimal UDID. Starting with the devices released in fall 2018, the UDID changed to 8 hex characters of ChipID, left-padded with zeros, a hyphen, and 16 hex characters of ECID, left-padded with zeros: [0-padding]CHIP-[0-padding]ECID. An iPhone XS/XR series phone has the ChipID 8020 and an iPhone 11 has the ChipID 8030. A 40-character folder name therefore indicates a backup of a device that predates fall 2018.

Answer Options:

  • The folder was created using Samsung Kies
  • The device model is an iPhone 11
  • The backup was for an Android phone
  • The backup was made prior to fall 2018

What is often more of a challenge with mobile forensics than other areas of forensics?
Isolation of devices
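For the MobileSync backup-folder question above: the classification of a folder name by UDID format can be automated so that a backup directory is triaged consistently. The following is an added example written for this study set, not course material or the output of any forensic tool. The two ChipID values are the ones the explanation names; the directory listing is constructed, and the ECID digits in the ChipID-ECID sample name are made up.

```python
import re

# ChipIDs named in the explanation above (A12 = iPhone XS / XR, A13 = iPhone 11).
# Constructed lookup for this example; anything else is reported as unknown.
KNOWN_CHIP_IDS = {
    "8020": "A12 (iPhone XS / XR series)",
    "8030": "A13 (iPhone 11 series)",
}

# Pre-fall-2018 UDID: 40 hexadecimal characters.
LEGACY_UDID = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Fall-2018-and-later UDID: [0-padded ChipID, 8 hex]-[0-padded ECID, 16 hex].
CHIP_ECID_UDID = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{16})$", re.IGNORECASE)


def classify_backup_folder(name: str) -> dict:
    """Classify one MobileSync/Backup folder name by its UDID format."""
    name = name.strip()
    if LEGACY_UDID.match(name):
        return {"folder": name, "format": "legacy-40-hex",
                "device_era": "released before fall 2018"}
    m = CHIP_ECID_UDID.match(name)
    if m:
        # Strip the left zero padding to recover the bare ChipID and ECID.
        chip_id = m.group(1).lower().lstrip("0") or "0"
        ecid = m.group(2).lower().lstrip("0") or "0"
        return {"folder": name, "format": "chipid-ecid",
                "device_era": "released fall 2018 or later",
                "chip_id": chip_id,
                "chip_name": KNOWN_CHIP_IDS.get(chip_id, "unknown ChipID"),
                "ecid": ecid}
    # Anything else (tool-specific naming, stray files) is flagged, not guessed.
    return {"folder": name, "format": "unknown", "device_era": "undetermined"}


def triage_mobilesync(folder_names) -> list:
    """Classify every entry of a MobileSync/Backup listing, legacy names first."""
    results = [classify_backup_folder(n) for n in folder_names]
    order = {"legacy-40-hex": 0, "chipid-ecid": 1, "unknown": 2}
    return sorted(results, key=lambda r: order[r["format"]])


# Constructed directory listing: the folder from the question, one made-up
# ChipID-ECID name (the ECID digits are fabricated), and a stray file.
SAMPLE_LISTING = [
    "00008030-000A1B2C3D4E5F60",
    "00e456d65498137b76ec5b4137a70821df4afdbf",
    ".DS_Store",
]

if __name__ == "__main__":
    for r in triage_mobilesync(SAMPLE_LISTING):
        print(r)
```

Both patterns are anchored and strict on purpose: a name that is neither exactly 40 hex characters nor exactly 8-hyphen-16 is reported as unknown rather than forced into one of the two eras, which is the safer outcome when the listing comes from an unfamiliar backup tool.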

perform a similar hardware-based key storage, but are found on computers and not mobile devices.

Answer Options:

  • Hash-based salt
  • TEE
  • Input throttling
  • TPM

What is a drawback of protobuf as a storage format?
Each application using protobuf structures its data in a unique way

Every application using protobuf defines its own message structure, and the serialized file carries no schema, which makes the data harder to interpret during an investigation. Protobuf outperforms XML and JSON. Raw files can be decoded with the protobuf compiler, which simplifies interpretation somewhat. Protobuf was created to be OS and language neutral and is available on Android and iOS, among other platforms.

Answer Options:
  • Applications using protobuf perform worse than JSON and XML applications
  • Each application using protobuf structures its data in a unique way
  • Raw protobuf files cannot be interpreted or decoded
  • Protobuf requires iOS and cannot be ported to other platforms

Which of the following can be found in the system partition of an iOS device?
File system files

The system partition contains the iOS operating system files and the bootloader. All of the other items listed (application data, backups, preference files) live in the data partition, whether the acquisition is physical or file system.

Answer Options:
  • Data files for applications
  • System backups
  • Configuration files for preferences
  • File system files

An examiner is reviewing the contents of the iOS 14 file MapsSync_0.0.1 and notes only five new entries for a device that has been in use for months. Which of the following describes the reason for this finding?
The database overwrites information with each new search

The database behind MapsSync_0.0.1 is transactional in nature: it overwrites its contents each time a new search occurs, so only the most recent handful of entries are present regardless of how long the device has been used.

Answer Options:
  • The backup that contained the data was corrupted
  • The buffer for the requests had not written to the file
  • The information is wiped each time the device reboots
  • The database overwrites information with each new search

Which "adb shell" command option generated the following output?
dumpsys usagestats

Answer Options:
  • pm list packages
  • cat /data/system/packages.xml
  • dumpsys usagestats
  • cat /data/system/packages.list

The following record was extracted from which artifact? "use_location_for_services 1"
googlesettings.db

One of the first things to verify in regard to location information is whether the user had location services enabled on the device. On Android devices these settings are saved in googlesettings.db in
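Returning to the protobuf question above: because a protobuf file carries no schema, an examiner usually starts with a schema-less decode (what `protoc --decode_raw` does) and then works out what each field number means for the particular application. Below is an added example of that wire-format walk, written for this study set; it is not course material and not code from the protobuf project or any forensic tool. The sample message (an app identifier, a nested block holding a timestamp and a locale, and a fixed 64-bit value) is constructed, and the small encoder helpers exist only to build it.

```python
def _read_varint(buf: bytes, pos: int):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _interpret_bytes(chunk: bytes, depth: int):
    """Guess what a length-delimited payload is: printable UTF-8 first, then a
    nested message, then raw bytes. This is a heuristic, exactly as with
    decode_raw: a short binary blob can parse as a valid message by accident."""
    if not chunk:
        return ("bytes", b"")
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return ("string", text)
    except UnicodeDecodeError:
        pass
    if depth > 0:
        try:
            return ("message", decode_raw(chunk, depth - 1))
        except ValueError:
            pass
    return ("bytes", chunk)


def decode_raw(buf: bytes, depth: int = 8) -> list:
    """Schema-less walk of a protobuf message.
    Returns [(field_number, wire_type, value), ...] in file order."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == 0:                      # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type in (1, 5):               # fixed64 / fixed32
            width = 8 if wire_type == 1 else 4
            raw = buf[pos:pos + width]
            if len(raw) != width:
                raise ValueError("truncated fixed-width field")
            value, pos = int.from_bytes(raw, "little"), pos + width
        elif wire_type == 2:                    # length-delimited
            length, pos = _read_varint(buf, pos)
            raw = buf[pos:pos + length]
            if len(raw) != length:
                raise ValueError("truncated length-delimited field")
            value, pos = _interpret_bytes(raw, depth), pos + length
        else:                                   # 3/4 are deprecated groups, 6/7 unused
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def render(fields: list, indent: int = 0) -> str:
    """Indented text dump, one line per field, nested messages indented."""
    out, pad = [], "  " * indent
    for field_no, wire_type, value in fields:
        if isinstance(value, tuple) and value[0] == "message":
            out.append(f"{pad}{field_no}: {{")
            out.append(render(value[1], indent + 1))
            out.append(f"{pad}}}")
        else:
            out.append(f"{pad}{field_no} (wt{wire_type}): {value!r}")
    return "\n".join(out)


# --- constructed sample message; the encoder helpers exist only to build it ---
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _ld(field_no: int, payload: bytes) -> bytes:
    return _varint((field_no << 3) | 2) + _varint(len(payload)) + payload


_INNER = _varint(1 << 3) + _varint(1700000000) + _ld(2, b"en-US")
SAMPLE_MESSAGE = (
    _varint(1 << 3) + _varint(42)                                          # field 1: varint
    + _ld(2, b"com.example.app")                                           # field 2: string
    + _ld(3, _INNER)                                                       # field 3: nested message
    + _varint((4 << 3) | 1) + (0x1122334455667788).to_bytes(8, "little")   # field 4: fixed64
)

if __name__ == "__main__":
    print(render(decode_raw(SAMPLE_MESSAGE)))
```

The decoder recovers field numbers, wire types and values, but not names or meaning: field 1 could be a count, a flag or an enum, and the nested block could be anything. That gap is exactly the drawback the question is about, and closing it still requires reading the application that wrote the file.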
  • Using a Hex Viewer
  • Reviewing the file header
  • Converting the database to a txt file

How is POISON CARP's spyware installed on an Android system?
Running an application that contains a malicious loader in its folder

POISON CARP's persistence mechanism drops a binary with a .so extension into folders used by legitimate applications; when the legitimate application runs, the .so file is loaded and installs the spyware. Crafted MMS messages relate to Stagefright. Crafted Wi-Fi packets are used when exploiting AWDL on iOS. Tethering is required to exploit the Bootrom vulnerability in older iPhone models.

Answer Options:
  • Tethering the device to a computer and sending a malicious payload via USB
  • Receiving a Wi-Fi packet crafted to leverage an AWDL vulnerability
  • Running an application that contains a malicious loader in its folder
  • Opening an MMS message or a web site containing a crafted mp4 file

An examiner is given an Android device and asked to determine if the owner was at a particular tourist attraction. Location services is turned on, but the user cleared their location history. Which database could help with the investigation?
/data/data/com.samsung.storyservice/databases/dme.db

The dme.db database records items in the photo gallery, including the dates and GPS coordinates of where a photo or video was taken. It contains image scene names, titles, locations and timestamps and is considered very accurate. ns.db tracks application names, the job or task associated with each, and the run-time dates. herrevad provides information on when Wi-Fi was used versus cellular, and frosting.db is used to prove that an application existed on a device: it shows the application name, path and last-updated timestamp.

Answer Options:

  • /data/com.android.vending/databases/frosting.db
  • /data/data/com.samsung.storyservice/databases/dme.db
  • /data/com.google.android.gms/databases/ns.db
  • /data/com.google.android.gms/databases/herrevad

Where are iOS Class keys stored?
Within the metadata of each file

The Class Key protects (wraps) the File Key, and the wrapped key is stored in the metadata of the file. The device passcode and the UID of the iOS device in turn protect the Class Key.

Answer Options:
  • In effaceable storage
  • Between the flash memory and the system area on the device
  • Within the metadata of each file
  • In iCloud

Which file is needed in order to "decompile" an Android application and reveal the Java classes used to make up the source code?
classes.dex

Locate the classes.dex file in an unpacked Android .apk and run it through dex2jar, which produces a Java archive named classes-dex2jar.jar containing all of the Java classes that were compiled into classes.dex. That .jar can then be opened in a Java decompiler to read the application's source.

Answer Options:
  • AndroidManifest.xml
  • classes.dex
  • dex2jar
  • Manifest.MF

Why would an examiner have problems mounting an Android YAFFS2 file system?
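For the classes.dex question above: before handing a file to dex2jar it is worth confirming that it really is a DEX file and that its header integrity fields check out, because a truncated or tampered classes.dex makes the decompiler fail or produce misleading classes. The following is an added example written for this study set (not course material and not dex2jar code). It builds a constructed, header-only classes.dex, packs two copies into a throw-away APK-like zip (the multidex case), pulls every classes*.dex back out and verifies the magic, endian tag, Adler-32 checksum and SHA-1 signature. The APK content is fabricated and carries no real code.

```python
import hashlib
import os
import re
import struct
import tempfile
import zipfile
import zlib

DEX_HEADER_LEN = 0x70
# magic(8) checksum(4) signature(20) then twenty little-endian uint32 fields
HEADER_STRUCT = "<8sI20s20I"
FIELD_NAMES = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Parse the 0x70-byte DEX header and recompute its two integrity fields."""
    if len(data) < DEX_HEADER_LEN:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *rest = struct.unpack_from(HEADER_STRUCT, data, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad magic: not a DEX file")
    hdr = dict(zip(FIELD_NAMES, rest))
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag (reverse-endian DEX not handled here)")
    body = data[:hdr["file_size"]]
    # Adler-32 covers everything after magic+checksum (offset 12);
    # SHA-1 covers everything after magic+checksum+signature (offset 32).
    hdr["checksum_ok"] = (zlib.adler32(body[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(body[32:]).digest() == signature
    hdr["version"] = magic[4:7].decode("ascii")
    return hdr


def build_minimal_dex() -> bytes:
    """Constructed header-only DEX (no tables, no code) with valid integrity fields."""
    fields = dict.fromkeys(FIELD_NAMES, 0)
    fields.update(file_size=DEX_HEADER_LEN, header_size=DEX_HEADER_LEN,
                  endian_tag=ENDIAN_CONSTANT)
    tail = struct.pack("<20I", *(fields[n] for n in FIELD_NAMES))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return struct.pack("<8sI20s", b"dex\n035\x00", checksum, signature) + tail


def make_sample_apk(path: str) -> None:
    """Constructed APK-like zip: a placeholder manifest plus two DEX files."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<!-- placeholder, not a real manifest -->")
        z.writestr("classes.dex", build_minimal_dex())
        z.writestr("classes2.dex", build_minimal_dex())


def extract_dex_headers(apk_path: str) -> dict:
    """Return {name: parsed header} for every classes*.dex inside an APK."""
    found = {}
    with zipfile.ZipFile(apk_path) as z:
        for name in sorted(z.namelist()):
            if re.fullmatch(r"classes\d*\.dex", name):
                found[name] = parse_dex_header(z.read(name))
    return found


def demo_apk_roundtrip() -> dict:
    """Build the sample APK in a temp dir and return the parsed DEX headers."""
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "sample.apk")
        make_sample_apk(apk)
        return extract_dex_headers(apk)


if __name__ == "__main__":
    for name, hdr in demo_apk_roundtrip().items():
        print(name, hdr["version"], "checksum_ok=%s signature_ok=%s class_defs=%d"
              % (hdr["checksum_ok"], hdr["signature_ok"], hdr["class_defs_size"]))
```

A file that passes these checks is then converted with `d2j-dex2jar.sh classes.dex -o classes-dex2jar.jar` and the resulting jar opened in a Java decompiler. Note the multidex case: an application may ship classes2.dex, classes3.dex and so on, and each must be converted, or the decompiled source will be missing classes.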

Answer Options:

  • iOS 9
  • iOS 10
  • Android 4.1 (Jelly Bean)
  • Android 4.4 (KitKat)

What is a challenge collecting GPS data using automated tools?
Different applications store the data in different formats

Location data can be stored in many different formats, locations and technologies, including databases, files and file metadata. Because this is a challenge for automated tools, a manual check is recommended to find additional data the tools may have missed. It is common for applications that request GPS access to store location data, and many GPS collection tools rely on geo-coordinates stored in the metadata of files.

Answer Options:
  • Most tools do not inspect geo-coordinates stored in file metadata
  • Applications require databases to store GPS data
  • Different applications store the data in different formats
  • Few applications leverage their permission to store location data

Which option is recommended when downloading large iCloud backup files for analysis?
Download files in chunks

Downloading files from iCloud is a slow process that can be interrupted if the forensic computer goes to sleep or the Internet connection drops. When downloading one or more large backups, selecting less data per download, i.e. downloading the files in chunks, is more efficient: select a subset for each download and repeat until all files have been retrieved for analysis.

Answer Options:

  • Download files in chunks
  • Download only user data files
  • Download all files at once
  • Download only system and info files

An examiner should do which of the following when it is initially determined that browser history has been deleted?
Examine the database in raw hex format

When tables in a database appear at first glance to contain zero entries, examine the database file in raw hex format to make sure it holds no deleted but not yet overwritten entries. Records deleted from a database are often only marked as free space rather than overwritten; until that space is reused, the hex view can still show the details of websites visited.

Answer Options:
  • Locate application snapshots on the device
  • Document that the data is irrecoverable
  • Examine the database in raw hex format
  • Review cached images from websites visited

What is a unique effect of a soft reboot on a rooted Android device?
It will preserve a temporary root

A soft reboot preserves a temporary root; a normal (full) reboot removes it.

Answer Options:
  • It will unbrick the device
  • It will eliminate a permanent root
  • It will preserve a temporary root
  • It will remove all traces left behind from rooting the device
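For the deleted-browser-history question above, the behaviour the explanation describes (rows marked free but not overwritten) can be shown end to end. The following added example, written for this study set rather than taken from the course or any forensic tool, builds a constructed SQLite history table, deletes one row, and then compares what a SELECT returns with what a raw byte scan of the file finds, once with SQLite's secure_delete pragma off and once with it on. The table layout, URLs and timestamps are fabricated.

```python
import os
import re
import sqlite3
import tempfile

# Constructed browser-style history. The first URL is the one the "user"
# deletes; the other three stay live. Hypothetical data for this example.
SAMPLE_URLS = [
    "https://example.net/secret-note",
    "https://example.com/inbox",
    "https://example.org/map",
    "https://example.com/weather",
]
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_history_db(path: str, secure_delete: bool) -> None:
    """Create the table, insert SAMPLE_URLS, then delete the first one."""
    con = sqlite3.connect(path)
    # Some distribution builds of SQLite turn secure_delete on by default,
    # so set it explicitly rather than relying on the build.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, visit_time INTEGER, url TEXT)")
    con.executemany(
        "INSERT INTO history (visit_time, url) VALUES (?, ?)",
        [(1700000000 + i, u) for i, u in enumerate(SAMPLE_URLS)],
    )
    con.commit()
    con.execute("DELETE FROM history WHERE url = ?", (SAMPLE_URLS[0],))
    con.commit()
    con.close()


def live_urls(path: str) -> set:
    """What a tool that only runs SQL against the database reports."""
    con = sqlite3.connect(path)
    try:
        return {row[0] for row in con.execute("SELECT url FROM history")}
    finally:
        con.close()


def carve_urls(path: str) -> set:
    """Scan the raw file bytes, ignoring the b-tree structure entirely:
    the programmatic equivalent of paging through the hex view."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {m.decode("ascii", "replace") for m in URL_RE.findall(raw)}


def find_deleted_urls(path: str) -> set:
    """Carved strings that no live row explains. A carved hit for a live row
    may carry a few trailing record bytes, so live rows are matched by prefix."""
    live = live_urls(path)
    return {c for c in carve_urls(path) if not any(c.startswith(u) for u in live)}


def demo_deleted_history(secure_delete: bool) -> set:
    """Build the sample database in a temp dir and return the recovered URLs."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "History.db")
        build_history_db(db, secure_delete)
        return find_deleted_urls(db)


if __name__ == "__main__":
    print("secure_delete=OFF ->", demo_deleted_history(False))
    print("secure_delete=ON  ->", demo_deleted_history(True))
```

With secure_delete off the deleted URL is still in the file and the carve recovers it even though the SELECT does not; with secure_delete on SQLite zeroes the freed cell and nothing comes back, which is the caveat to keep in mind before documenting data as irrecoverable. Pages on the database freelist and any -journal or -wal file sitting beside the database are further places where deleted rows survive.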

can be decrypted, typically through a brute force attack.

Answer Options:

  • The data is encrypted using a strong key but the password is saved to a file which is encoded using Base64, which is easily reversible
  • The clear text password will be cached in the user's keychain and can be recovered searching the user's keychain
  • The backup file is encrypted and a copy of the keychain is saved in a local file which may be attacked using brute force tools
  • The keychain is not captured with the backup and the password can be recovered from the Info.plist file

Which of the following describes behavior based mobile malware detection?
Application activity is monitored and classified as normal or abnormal

Behavior-based malware detection separates normal from abnormal activity and alerts when a process behaves unexpectedly.

Answer Options:
  • Activity is processed and alerts are generated when large amounts of data are moved
  • Known patterns are searched for and alerts are generated when located
  • Application activity is monitored and classified as normal or abnormal
  • Applications are run in sandboxes and activity is compared to known malicious traits

Which malware detection framework creates a ruleset based on baseline activity?
Specification-based detection

Specification-based detection builds a set of rules describing the normal behavior of an application and uses that baseline to judge programs that break the defined ruleset as malicious.

Answer Options:
  • Signature-based detection
  • Specification-based detection
  • Behavioral-based detection
  • Data mining detection

What is the MAIN difference between a Full Root and a Shell/Soft Root?
Full root is permanent

There are different types of root access available for Android devices. Most commercial forensic tools offer a temporary root, which grants temporary superuser access to the device and is supposed to go away upon reboot; traces are nevertheless left behind, which is covered later in the course. Temporary roots are also called shell or soft roots. A full root provides persistent root access: even after the device is rebooted, the device remains rooted. A temporary root such as a shell root gives no persistence; a full root is what is normally used when persistence on the device is required. As expected, traces of a full root are commonly the easiest to detect.

Answer Options:
  • Soft root utilizes shell root
  • Full root leaves traces behind on the device
  • Full root is permanent
  • Soft root allows system level access without a password