Midterm Exam

Question 1

What is Digital Forensics?

Answer 1

A branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices.

Question 2

Forensically Sound

Answer 2

Original Evidence has not been modified.
Difficult on mobile devices.
Procedures have to be tested, validated, and documented.

Question 3

3 Main Categories of Mobile Forensics

Answer 3

Seizure.
Acquisition.
Examination/Analysis.

Question 4

Biggest Challenges to Mobile Forensics

Answer 4

Data can be accessed, stored, and synchronized across multiple devices.

Question 5

Difficulties in Obtaining Mobile Data: Devices

Answer 5

Hardware/OS differences.
Generic state of device.
Dynamic nature of devices.
Alteration of data/device.

Question 6

Difficulties in Obtaining Mobile Data: Remote Access

Answer 6

Wipes and resets.

Communication shielding.

Question 7

Difficulties in Obtaining Mobile Data: Resources

Answer 7

Lack of resources.
Lack of available tools.
Legal issues.

Question 8

Difficulties in Obtaining Mobile Data: Security

Answer 8

Security features.
Anti-forensics techniques.
Passcode recovery.
Malicious programs.

Question 9

Mobile Evidence Extraction Process: About

Answer 9

Extractions of each mobile device may differ.
A consistent examination process should be followed.
There is no well established standard process.
All methods used should be tested, validated, and
documented.

Question 10

Mobile Evidence Extraction Process: Steps

Answer 10

Intake.
Identification.
Preparation.
Isolation.
Processing.
Verification.
Document and Reporting.
Presentation.
Archive.

Question 11

Mobile Evidence Extraction Process: Intake

Answer 11

Starting phase.
Documents ownership information and the type of
incident the mobile device was involved in.
Outlines the type of data or information needed.
Developing specific objectives for each examination is the critical part of this phase.

Question 12

Mobile Evidence Extraction Process: Identification

Answer 12

Legal authority.
Goals of the examination.
Make, model, and identifying information of device.
Removable and external data storage.
Other sources of potential evidence.

Question 13

Mobile Evidence Extraction Process: Preparation

Answer 13

Research appropriate methods and tools to be

used on the particular mobile device.

Question 14

Mobile Evidence Extraction Process: Steps: Isolation

Answer 14

Isolation before acquisition and examination of the device is important.
Multiple methods of isolation possible.
Some methods are more preferred than others.

Question 15

Mobile Evidence Extraction Process: Processing

Answer 15

The phone should be acquired using a tested method
that is repeatable and as forensically sound as possible.
Physical acquisitions are most preferred.
Least amount of changes to the device.
File system or logical extractions next best methods.

Question 16

Mobile Evidence Extraction Process: Verification

Answer 16

Verify the data in the extraction is accurate by comparing to data on the mobile device:
Comparing extracted data to the handset.
Using multiple tools and comparing results.
Using hash values.

Question 17

Mobile Evidence Extraction Process: Documents and Reporting

Answer 17

Documentation should be done throughout the
examination process.
After examination is complete, peer-review results.

Question 18

Mobile Evidence Extraction Process: Presentation

Answer 18

Information extracted and documented should be
able to be clearly presented.
Findings should be clear, concise, and repeatable
Some tools include features that can help explain
findings across multiple devices.

Question 19

Mobile Evidence Extraction Process: Archive

Answer 19

Preserving extracted data is important.
Retained in a usable format.
Remember court cases can go on for years.
Digital forensics tools are always advancing.

Question 20

4 Main Types of Operating Systems

Answer 20

Google Android.
Apple iOS.
RIM Blackberry.
Windows.

Question 21

5 Levels of Mobile Forensics Tools

Answer 21

Manual Extraction.
Logical Analysis.
Hex Dump.
Chip-off.
Micro-Read.

Question 22

3 Data Acquisition Methods

Answer 22

Manual.
Logical.
Physical.

Question 23

5 General Rules of Evidence for Digital Evidence

Answer 23

Admissible.
Authentic.
Complete.
Reliable.
Believable.

Question 24

Leading Operating System for Smart Phones

Answer 24

Android.

Question 25

Easiest Way to Identify iDevice Hardware

Answer 25

Observing the model number displayed on the back of the device.

Question 26

What is the iOS Filed System Built on?

Answer 26

HSF Plus.

HSF.

Question 27

What are the 2 Partitions of the File System? iOS

Answer 27

System.

Data.

Question 28

What was the Original iPhone OS Originally Called?

Answer 28

Alpine?

Question 29

What was the Original iPhone OS Originally Called?

Answer 29

OS X.

Question 30

Are all iOS versions supported by all iDevices.

Answer 30

No.

Question 31

What is Jailbreaking?

Answer 31

Removing limitations by Apple’s mobile operating system through software and hardware exploits.
Biggest reason is for to install unapproved apps.

Question 32

3 Modes iOS Devices are Capable of Running in

Answer 32

Normal.
Recovery.
DFU.

Question 33

iOS Recovery Mode

Answer 33

If one step in the boot-up process is unable to load
or verify the next step.
Required to perform upgrades or restore the iDevice.

Question 34

iOS Normal Mode

Answer 34

The normal mode the phone boots into.

Question 35

iOS Normal Mode

Answer 35

When an iDevice is switched on and booted into its operating system.

Question 36

2 Types of Memory in iOS Devices

Answer 36

RAM.

NAND flash memory.

Question 37

Custom Ramdisk Method: iOS

Answer 37

Gains access to file system by loading a custom
ramdisk into memory and exploiting a weakness
in the boot process while the device is in DFU mode.
Custom ramdisk contains the forensic tools necessary
to dump the file system.
Loading a custom ramdisk does not alter the user
data.
Only works for iPhone 4 and older.

Question 38

Where is the passcode stored since iOS 4?

Answer 38

Not on the device in any format.

Question 39

Where is the passcode stored since iOS 4?

Answer 39

Not on the device in any format.

Previously stored directly in the keychain.

Question 40

What are the actual iOS files encrypted with?

Answer 40

Actual files on the file system are encrypted with
data protection class keys.

Question 41

What does jailbreaking allow examiners to do? iOS

Answer 41

Allows physical acquisitions on devices that are not
vulnerable to the Boot ROM exploit must be jailbroken.
Install tools that would not normally be on the device.
Problem: makes changes to devices that may damage evidence or render it inadmissible in court.
Logical acquisition should be considered first.

Question 42

What was introduced in iOS 6 that prevents examiners from patching the kernal code directly?

Answer 42

Kernal Address Space Layout Randomization.

Kernal Address Space Protection.

Question 43

What is a computer that an iDevice is backed up to called?

Answer 43

The host computer.

Question 44

Where are the iOS pairing records stored by a Windows computer?

Answer 44

/var/root/Library/Lockdown/pair_records/directory.
Pairing records are stored as a plist file with a filename representing the unique identifier given to the computer.
Windows - %AllUserProfile%\Apple\Lockdown.

Question 45

Where are the iOS pairing records stored by a Mac OS X computer?

Answer 45

Mac OS X - /private/var/db/lockdown.

Question 46

40-Character Hex String that Corresponds to iOS Backup Files?

Answer 46

It matches the UDID of the device.

Question 47

4 Data Files Contained in iOS Backup Directory?

Answer 47

info. plist
manifest. plist
status. plist
manifest. mbdb

Question 48

iOS info.plist

Answer 48

This file stores details about the backed up device:
ICCID.
Last backup date.
IMEI.
Phone number.
Installed Apps.
Product type and production version.
Serial number.
iTunes version.
Device’s UDID.

Question 49

iOS manifest.plist

Answer 49

Describes the contents of the backup:
Applications.
Date.
IsEncrypted.
Lockdown.
WasPasscodeSet.
 Backup Keybag

Question 50

iOS manifest.plist

Answer 50

Describes the contents of the backup:
Applications.
Date.
IsEncrypted.
Lockdown.
WasPasscodeSet.
Backup Keybag.

Question 51

iOS status.plist

Answer 51

The status.plist file stores details about the backup status:
Backup state.
Date.
IsFullBackup.

Question 52

iOS manifest.mbdb

Answer 52

Contains records about all other files in the backup.directory.

Question 53

Is a complete backup created every time a user backs up their iOS device?

Answer 53

First backup is a complete backup.

Subsequent backups only files that are modified.

Question 54

Number of File Backup Domain Categories in iOS

Answer 54

12.

Question 55

What domain is the Addressbook database in iOS?

Answer 55

HomeDomain.

Question 56

What do you need to know in order to extract an iCloud backup?

Answer 56

Apple ID and password.

Question 57

2 Timestamps on iPhone?

Answer 57

Unix.

MAC.

Question 58

Unix Time on iOS

Answer 58

Unix timestamps are the number of seconds that offsets the Unix epoch time starting from January 1, 1970.

Question 59

MAC Time on iOS

Answer 59

Mac absolute time is the number of seconds that offsets the Unix epoch time starting from January 1, 2001.

Question 60

SQLite Database File Extensions

Answer 60

.db, .sqlitedb, or no extension.

Question 61

Important Database Files in iOS

Answer 61

Addressbook/Addressbook Images.
Call History.
SMS Messages/SMS Spotlight.
Calendar Events.
Emails.
Photos Metadata.
GPS.
Voicemail/Voicemail Directory.
Notes. 
Safari bookmarks/Safari web cache.
Web application cache.

Question 62

Important plist Domain Files in iOS

Answer 62

HomeDomain plist files.
RootDomain plist files.
WirelessDomain list files.
SystemPreferences plist files.

Question 63

What information is in the WirelessDoman file?

Answer 63

WirelessDomain plist files contain useful information about the SIM card last used in the device.

Question 64

Other important files in iOS?

Answer 64

Cookies.
Keyboard cache.
Photos/wallpaper/snapshots.
Recordings.
Downloaded applications.

Question 65

Can deleted SQLite databases be recovered?

Answer 65

Yes,SQLite databases store the deleted records within the database itself.

Question 66

Elcomsoft iOS Forensic Toolkit Features

Answer 66

Supported by both MAC OS X and Windows.
Physical and logical extractions.
Password recovery attacks.
Extract device keys to decrypt raw disk image and keychain items.
Logs and records every step of investigation.

Question 67

Elcomsoft iOS Forensic Toolkit Downsides

Answer 67

Does not provide options to analyze acquired data or recover the deleted data.
Supports most iOS devices, but some must be jailbroken.
Does not support all iOS devices.

Question 68

Oxygen Features

Answer 68

Allows fully automated forensic acquisition and analysis.
Supports a lot of devices.
Can recover deleted data from databases.
Import a backup/image file obtained using a different tool for analysis.
Password recovery from keychain.
Timeline.

Question 69

Oxygen Downsides

Answer 69

Windows only.
Does not support physical acquisitions.
Some logicals need to be jailbroken.

Question 70

Cellebrite Features

Answer 70

Supports physical, logical, and file system acquisitions.
Extracts device keys required to decrypt raw disk images and keychain items.
Reveals device passwords if possible.
Supports passcode recovery attacks.
Advanced analysis and decoding of extracted application data.

Question 71

Which tools run on Windows?

Answer 71

Forensic Toolkit.
Oxygen.
Cellebrite.

Question 72

Which tools run on Mac OS X?

Answer 72

Forensic Toolkit.

Question 73

Disadvantages of Open Source Tools

Answer 73

They often do not go through rigorous amounts of testing and validation and may miss data that could be manually extracted by the examiner.