Mobile Forensics
___ and ___ phones are the closest in architecture and design to a PC
3G and 4G
Which of the following create huge obstacles for examiners trying to acquire and analyze evidence from a mobile device?
A. Encryption and security features
Which of the following is a disadvantage of powering off a mobile device that is collected for analysis?
B. Activating authentication mechanisms that could complicate evidence acquisition
Data is stored on mobile devices in which of the following formats?
B. Binary
What is the purpose of putting a mobile device in Airplane Mode or a Faraday bag, when collecting for analysis?
C. Isolating a device from communicating
The two main partitions in an iOS device are:
C. System and data
Apple has taken major steps to standardize the development of apps for its _____ and _____
iPad; iPhone
What is Apple's proprietary mobile operating system that powers its mobile devices such as the iPhone, iPad, and iPod touch?
D. iOS
It's ____________ to stay current with available mobile device models
difficult
true/false Fortunately for cyber investigators, smartphones utilize the same underlying operating system, making mobile forensic analysis tools universal.
false
true/false The 802.11 standard applies to mobile devices in that it stipulates they use a standardized underlying operating system for application support and communications.
false
true/false: Filesystem acquisition method extracts more data compared to manual and logical, including deleted files and unallocated space.
false
true/false: If a mobile device and its associated media are damaged, digital evidence cannot be extracted.
false
true/false: It's always possible to recover deleted file items such as e-mails, texts, and photos from a mobile device
false
true/false: Logical extractions are bit-by-bit copies of the file system including deleted data
false
true/false: The 'Mobile Chain of Custody' for evidence is significantly different than the traditional chain of custody for physical evidence because the geo-tracking, timestamp, and other data on the mobile device supersedes information an investigator would documen
false
Some devices and many apps report the _____ of the device. That can make it much easier to track the owner's movements
geolocation
The amount of information that we can get from a mobile device varies ___ with the device
greatly
The links of the chain are the pieces of evidence and they are tied together based upon ___
how one link affects one or more other links
____________ crime assessment attempts to tie elements of a crime together into a single crime scene and use the timelines to build a picture and describe the events and supporting of the crime
hybrid
The ____________ extraction is fairly fast and one might want to examine it for obvious evidence while a tool is making a physical image of the target
logical
It is likely that the mobile device is extremely accurate as a yardstick for measuring when events happen as the device may be synchronized to a ____________ clock
network
Which of the following extraction methods creates a bit-by-bit copy of the mobile device's memory?
physical
An examiner should decide whether to obtain a(n) _____ extraction or _____ extraction or both of a mobile device
physical; logical
____________ chains show events in the order in which they occurred
temporal
true/false: All third-party apps developed for iOS devices must be validated by Apple and signed using an Apple-issued certificate before they are made available on the app store.
true
true/false: If a digitally signed app is purchased to jailbreak an iOS device, Apple will honor the device's warranty.
true
true/false: If you have a device that supports physical extraction, that is the way to image the device. Logical extractions are useful only when the physical option is not available because of the device itself
true
true/false: Mobile device forensic analysis can provide an overlay to physical evidence, and timelines (as well as computer forensic timelines) can give a clearer picture of the events preceding and following a crime event
true
true/false: One of the benefits of packet switching is the ability to connect more readily to the Internet
true
true/false: SD cards are "nonvolatile" meaning that even if the power is turned off on the device, you won't lose your favorite tunes or your pictures
true
true/false: The architectural functionality that distinguishes 2G from 3G is that 2G systems were circuit switched and 3G systems are packet switched
true
Examiners make it a practice to run an extracted image ____________
twice
When working on a mobile device, there are several sources of information available to the investigator. Probably the most useful source of information available to an investigator is ___________
web searching
Early mobile phone systems were followed by digital _____ networks.
2G
Which of the following would be the best choice to use as a container for packing and transporting a mobile device that is collected for analysis?
A. A paper bag
At which classification level does the majority of mobile forensic tools on the market operate?
A. Logical
This extraction method is easy and fast to use with a workstation copying data from a mobile device. However, it cannot access deleted files or some log files from the mobile device.
B. Logical
Which of the following is the preferred and most comprehensive data acquisition method for mobile devices?
B. Physical
Which part of the file system is considered the 'gold mine' for forensic analysts since it contains user-installed applications and data associated with the applications?
C. Data partition
Security features for iOS devices are built into:
D. All of the above
Which of the following is a technique for isolating and preventing a mobile device from communicating?
D. All of the above
When a mobile device is set to use _____, it will recognize any _____ network in its range
WiFi, WiFi
Just like computers, the _____ defines the basic components of the mobile device
architecture
____________ chains of evidence describe the events of a crime in terms of cause and effect
causal
____________ describes the events and concomitant evidence that make up the events of the crime
chain of evidence
Often it is desirable to ____________ the SIM in much the same way as one would take a physical image of the mobile device or a computer in order to retain a copy for evidentiary purposes
clone
