Chapter 11 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. No peeking until you have committed to an answer.
Multiple choice
Q1. Which iOS Data-Protection class is the default for most app data, and therefore the basis of the AFU/BFU distinction? - A) Complete (Class A) - B) Complete Unless Open (Class B) - C) Complete Until First User Authentication (Class C) - D) No Protection (Class D)
Q2. A phone is described as AFU. For a cooperative-owner recovery, what does that state mean in practice? - A) The device has never been unlocked since boot, so everything is ciphertext. - B) The device has been unlocked at least once since boot, so the bulk of the data is decryptable in place until it reboots. - C) The device is permanently decrypted because the passcode was removed. - D) The device is in a special forensic mode that bypasses encryption.
Q3. Inside an iTunes/Finder backup, how is each backed-up file's storage name (fileID) derived?
- A) A random UUID assigned at backup time.
- B) The MD5 of the file's contents.
- C) The SHA-1 of the string domain-relativePath.
- D) The file's original name, URL-encoded.
Q4. You desolder the NAND from a modern, locked iPhone and read it in a programmer. What do you get? - A) The user's photos and messages in plaintext. - B) Nothing — the chip is blank. - C) Ciphertext, because the keys depend on the Secure Enclave's UID, which is not on the NAND. - D) A partial recovery of recently deleted files only.
Q5. What does crypto erase mean when a modern, encrypted phone is factory-reset? - A) Every NAND block is overwritten with zeros, several times. - B) The encryption key is destroyed, leaving the data physically intact but permanently unreadable. - C) The data is moved to a hidden partition. - D) Only the file-system index is cleared; the data is trivially recoverable.
Q6. File-Based Encryption (fscrypt) became the default on Android starting with which release?
- A) Android 5 (Lollipop)
- B) Android 6 (Marshmallow)
- C) Android 8 (Oreo)
- D) Android 10
Q7. Which combination must all be true for adb to read a non-rooted device's user data?
- A) Root access, a SIM card, and a charged battery.
- B) USB debugging enabled, the device unlocked, and the host authorized (trusted).
- C) Airplane mode on, USB debugging off, and the screen locked.
- D) A signed firehose loader and EDL mode.
Q8. A microSD card was used as adoptable storage in a Samsung phone that is now dead. What can you expect when you put the card in a reader? - A) FAT32 volume, fully readable, carve the photos normally. - B) An encrypted ext4/F2FS volume bound to the dead phone's key — effectively unreadable. - C) A plaintext copy of the phone's internal storage. - D) The card auto-decrypts in any Android device.
Q9. A client enabled iCloud Advanced Data Protection (ADP) and has since lost every trusted device, retaining only the account password. What is the consequence for recovering ADP-protected categories? - A) Apple can still produce the data with the password alone. - B) The data is end-to-end encrypted; with no trusted device, it is unrecoverable even to Apple. - C) A simple password reset restores full access. - D) ADP only affects email, so photos and backups are fine.
Q10. A wet phone arrives at your bench. What is the correct first action? - A) Power it on to "see if it still works." - B) Bury it in rice for 48 hours. - C) Keep it powered off (remove power), then clean the board with high-purity isopropyl before any test. - D) Put it in a freezer to stop corrosion.
True/False
Q11. Desoldering and reading the NAND from a current Secure Enclave iPhone is a reliable way to recover the owner's photos when the passcode is unknown. (True / False)
Q12. An encrypted iTunes/Finder backup typically contains more data than an unencrypted one — including saved passwords/Keychain, Health data, and call history. (True / False)
Short answer
Q13. Explain in two or three sentences why a phone that is still warm and AFU is a better recovery prospect than the same model that died on a flat battery and now boots only to the lock screen (BFU).
Q14. A client wants the photos off a modern, passcode-protected iPhone; the passcode is unknown and there is no backup. State the honest professional finding in one sentence, and name two legitimate avenues you would check before delivering it.
---
Answer key
Q1 — C. Class C (Complete Until First User Authentication) is the default; its key becomes available after the first unlock following boot and stays available until reboot, which is exactly what creates the AFU/BFU split.
Q2 — B. After First Unlock means the passcode-derived keys are live in memory, so the OS (and a cooperative recovery) can read the bulk of the data — until the device reboots back to BFU.
Q3 — C. The storage name is SHA1("domain-relativePath"); since iOS 10 the file sits in a subfolder named by the first two hex characters of that hash. (SHA1("HomeDomain-Library/SMS/sms.db") = 3d0d7e5fb2ce288813306e4d4636395e047a3d28.)
Q4 — C. You get ciphertext. The file/class/keybag keys ultimately depend on the UID fused into the Secure Enclave on the logic board, not on the NAND, and the NAND is cryptographically paired to that SEP.
Q5 — B. Crypto erase destroys the key (on iPhone, by wiping the Effaceable Storage that anchors the keybag), making the still-present ciphertext permanently unreadable. That is why it completes almost instantly.
Q6 — D. FBE via fscrypt is the default from Android 10. (FDE/dm-crypt was the earlier era, roughly Android 5–9; encryption became mandatory on capable devices in Android 6.)
Q7 — B. USB debugging enabled, the device unlocked (so CE data is available), and the host authorized via the on-screen RSA-key trust prompt — all three, or adb cannot reach user data.
Q8 — B. An adopted card is reformatted (ext4/F2FS) and encrypted with a key in the originating phone's keystore; bound to that phone, it is unreadable once the source device is gone.
Q9 — B. ADP makes those categories end-to-end encrypted; the keys live only on trusted devices. With every trusted device lost and only the password remaining, the data is unrecoverable even to Apple — the cloud analogue of the on-device wall.
Q10 — C. Remove power and keep it off, then clean with high-purity (≥99%) isopropyl (ideally ultrasonically) before testing. Powering a wet board accelerates corrosion and shorts; rice and freezers are myths.
Q11 — False. The NAND holds only ciphertext and the encrypted keybag; the unlocking secret (the UID) is inside the SEP and the NAND is paired to it. Chip-off yields "a perfect copy of an unbreakable safe."
Q12 — True. Apple stores additional sensitive categories (Keychain/saved passwords, Health, Wi-Fi settings, call history) only in encrypted backups, so when the owner supplies the password the encrypted backup is the richer source.
Q13 — Model answer. AFU means the device was unlocked at least once since boot, so the Class C / Credential-Encrypted keys are live in memory and the OS will hand over the data normally; a cooperative pull "just works." A BFU device (freshly booted, never unlocked) has those keys absent, so even the operating system sees ciphertext — a dead-battery boot drops you to BFU and locks the bulk of the data behind the unknown passcode.
Q14 — Model answer. Honest finding: "The phone is encrypted and the passcode is unknown, so the user data cannot be recovered by any legitimate means available to us." Legitimate avenues to check first (any two): a forgotten computer (iTunes/Finder) backup; an iCloud or Google account with credentials and the second factor; a previously trusted computer for a broken-screen AFU device; a removable SD card; for a deceased owner, Apple Digital Legacy / Google Inactive Account Manager via the executor.
Scoring: 13–14 correct — you can teach this chapter; you understand the wall and the easy wins alike. 10–12 — solid; re-read the iPhone key-hierarchy and AFU/BFU sections. 7–9 — you have the vocabulary but not the boundaries; revisit "Why chip-off an iPhone is (almost) pointless" and "The encryption wall." Below 7 — re-read the chapter before any client conversation; the cost of getting the wall wrong is a client's money and your credibility.