Chapter 24 — Exercises

A mix of concept checks, hands-on labs (classify an acquisition, convert a timestamp, recover from a database image, build a mobile timeline, write the report), and judgment calls — because mobile forensics is a discipline of decisions under constraint as much as technique. (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Where a lab references a practice extraction or image, see Appendix J — Practice Images and Lab Setup. Do every device-touching exercise only on phones, cards, and extractions you own or are clearly authorized to examine — the authority rule that governs the chapter's encryption section governs your practice bench too, and on mobile the line between forensics and the cybersecurity book's offense is exactly authority.


Group A — The acquisition pyramid

24.1 Draw the five-level mobile acquisition pyramid from memory and label each level (manual, logical, file-system, physical, chip-off/JTAG/ISP). For each, state in one phrase what data it reaches and what it cannot, and mark the level at which (a) deleted SQLite records first become recoverable and (b) deleted files whose file-system pointers are gone become recoverable. Then write, in one sentence, the governing principle you should say out loud on every case. (answer in Appendix)

24.2 For each device-and-authority snapshot below, name the highest forensically sound level you would realistically attempt, the single fact that caps it, and what you would write in the report if you could go no higher: (a) a cooperative complainant's unlocked iPhone, owner consents, you want their threatening-message thread; (b) an A13 iPhone, locked, BFU, passcode unknown, no exploit available for its iOS version, seized under warrant; (c) a rooted Android test device you own, USB debugging on, FBE but you know the PIN; (d) a dead-board legacy Android (2013, encryption never enabled) that no software method will talk to. Rank the four from most to least complete extraction and defend the ranking in two sentences.

24.3(Recovery vs. Forensics.) A technician in Chapter 11 and an examiner in this chapter both perform a logical extraction of the same unlocked iPhone, using the same cable and the same backup tool. List four things the examiner does that the technician does not, and explain why "a file-system extraction was attempted and failed on this OS version; logical was the maximum achievable" is a finding for the examiner but irrelevant to the technician. What is the deliverable in each case — and why is "the data" the right answer for only one of them?

24.4 (Chain of custody.) Write the chain-of-custody note for a completed extraction, modeled on the chapter's example, for this case: a Cellebrite UFED full-file-system extraction of an Apple iPhone (model A2403, iOS 16.3.1), performed under warrant, archive phone.zip with SHA-256 7b91c0a4.... Then add the mobile-specific sentence disk forensics never needs — the one that discloses what the acquisition changed on the device — and explain in one sentence why omitting it is the cross-examination trap that turns a sound extraction into a contested one.


Group B — iOS forensics

24.5 Define AFU and BFU precisely, and explain why a phone arriving powered-on-and-unlocked-since-boot is a fundamentally better evidence prospect than the bit-for-bit identical phone arriving powered-off. Then list the three things a first responder must do to preserve AFU state at seizure, and name the single most consequential field error that destroys it. Connect your answer to the Data Protection class that is the default for most app data and explain why that default is what creates the AFU/BFU split. (answer in Appendix)

24.6 (Hands-on / judgment.) Counterintuitively, the encrypted iTunes/Finder backup is the richer forensic source. (a) Name three categories of data an encrypted backup includes that an unencrypted one omits. (b) Describe the exact documented modification you, the examiner, make to obtain it, and what you must record. (c) Explain in two sentences why this is a defensible trade — a known, disclosed change for a materially larger, decryptable evidence set — and contrast it with the undocumented change that would not be defensible.

24.7 The iOS keychain holds account passwords, tokens, Wi-Fi passphrases, and certificates, and each item carries its own Data Protection class. Explain why an item marked ...ThisDeviceOnly cannot be carried off in a backup and read elsewhere, while a WhenUnlocked/AfterFirstUnlock item can be. Then state, in the careful phrasing a report demands, why "the device's saved Gmail token was recovered from the keychain" is a defensible finding but "all of the device's secrets were recovered" usually is not. Why does the keychain matter beyond the device — what does a recovered cloud token unlock, and which chapter owns that next step?

24.8(The wall, dated.) In two short paragraphs, explain the checkm8 era and its end. (a) Name the exploit class, the year, the SoC range it affects, and why Apple cannot patch it on those models. (b) State exactly which iPhones fall inside that range and which is the first generation outside it, and describe what checkm8-class capability does and does not give an examiner on a locked device (BFU vs. AFU vs. with-passcode). (c) For an A12-or-later locked, BFU, passcode-unknown device, state the only two realistic technical paths and why neither is a guarantee. Finish with the one sentence that makes this the chapter's clearest illustration of technology changes, principles don't.


Group C — Android forensics

24.9 List the three prerequisites that must all be true before adb can read a non-rooted Android's user data, and state what each one protects against. Then explain why adb pull /sdcard/DCIM succeeds on a phone where adb pull /data/data/com.whatsapp fails — naming the storage distinction that draws the line, and stating which level of the pyramid a /sdcard pull lives at and why it is forensically weak even when it works. (answer in Appendix)

24.10 (Hands-on.) On a test Android you own (USB debugging on, device unlocked), write the adb commands to: (a) confirm the device is attached and authorized (and say what device, unauthorized, and offline each mean); (b) read the model, the Android release, and the security-patch level for the report; (c) query the call log and SMS via content providers; and (d) pull the camera and Downloads folders. Then explain why adb backup -all is no longer the answer it once was, and from which Android release that became true.

24.11 (Judgment — the rooting dilemma.) You have an evidence Android and a question only /data/data can answer. Distinguish temporary/exploit root from permanent root (e.g., Magisk) by what each writes to the device and what survives a reboot, and state which is forensically preferable and why. Then explain the trap that has destroyed cases: what does unlocking the bootloader to root a modern Pixel do to userdata, and what is the absolute rule that follows? When rooting is justified, list the three things you must document, and the one thing you must validate. (answer in Appendix)

24.12 ⭐ A vendor's slide claims its Qualcomm EDL "9008" service and its MediaTek BROM service "image any locked Android, fully decrypted." Dismantle the claim on two independent grounds. (a) Explain what these modes actually are and what they require (signed, model-specific loaders) that is not freely available. (b) State the recurring refrain that defeats the "decrypted" half of the claim even on a flawless read of a modern device, and connect it to the identical disappointment of chip-off in Chapter 11. Then name the legitimate corner of the landscape where EDL/BROM genuinely helps.


Group D — Mobile artifacts and timestamps

24.13 Most mobile evidence is SQLite. For each artifact, name the database file and, where you can, the on-device path or domain: (a) iOS SMS/iMessage; (b) iOS call log; (c) Android SMS/MMS; (d) Android call log; (e) Android RCS; (f) iOS photo catalog; (g) iOS system activity / app-usage log; (h) iOS Health. Then state which one of these an examiner who parses only the telephony provider on a current Android will completely miss, and why that omission is "common and costly." (answer in Appendix)

24.14 (Calculate and verify a timestamp.) iOS date columns use Mac absolute time — seconds since 2001-01-01 UTC — and since iOS 11 sms.db stores them in nanoseconds. Using the Cocoa epoch offset 978307200 (seconds between 1970-01-01 and 2001-01-01): (a) Convert a knowledgeC.db value of 721692800 (seconds) to a UTC datetime. (b) Convert an sms.db value of 721692800000000000 (nanoseconds) to a UTC datetime, and confirm it is the same instant as (a). (c) State the UTC datetime both resolve to, and explain what a single mistake — treating the value as Unix time — would do to your timeline, by how many years, and in which direction. Validate your conversion in code against a known event before you ever build a timeline on it. (answer in Appendix)

24.15 (Hands-on / concept.) A current Pixel running Google Messages with RCS enabled is in evidence. Explain where the SMS/MMS live, where the RCS conversations live, and why an examiner must parse both. Then write the one-sentence report caveat you would include if you could only reach a logical extraction of this device, and state what RCS content that ceiling would or would not contain.

24.16(Build the timeline / Recover from this image.) You parse a file-system extraction and pull these mobile artifacts (all converted to UTC): a photo with EXIF DateTime 2024-03-15 19:04:11 and GPS 40.7484 N, 73.9857 W; a knowledgeC.db /app/inFocus event for the Camera app at 2024-03-15 19:04:10; an sms.db message sent at 2024-03-15 19:11:02; a com.apple.routined "Significant Location" visit centered on the same coordinates from 18:50 to 19:30; and a Wi-Fi join to BSSID a4:5e:60:xx:xx:xx at 19:02, which WiGLE resolves to a café at that corner. (a) Lay the five events out as a sourced timeline (each entry → artifact + database). (b) State the single inference the combination supports about the device, and the single inference it does not support no matter how clean the data. (c) Explain why the BSSID join independently corroborates the photo's GPS — and what you would do if the EXIF GPS and the Wi-Fi location disagreed.


Group E — Deleted records and app-layer encryption

24.17 Explain, at the level of the database file, why a "deleted" message is usually not destroyed: what does a SQL DELETE actually do to the bytes, where does the old record linger, and what does the -wal side file frequently still hold? Then state precisely why a file-system extraction recovers these deleted records while a logical extraction never sees them, and connect the idea to file carving from Chapter 7 in one sentence. (answer in Appendix)

24.18 (Recover from this image.) The first bytes of a file pulled from an extraction are:

00000000  53 51 4C 69 74 65 20 66  6F 72 6D 61 74 20 33 00   SQLite format 3.
00000010  10 00 01 01 00 40 20 20  00 00 00 01 00 00 00 2F   .....@  ......./

(a) Identify the file type from the 16-byte signature. (b) Bytes 16–17 are 10 00; state the page size in bytes and the byte order. (c) Name the three regions inside this file an examiner must parse to recover deleted records, and explain why opening the database in an ordinary SQLite browser and reading the live tables would miss every one of them. (d) Which extraction level would have captured this file plus its -wal, and why does that pairing matter?

24.19 (Judgment — encryption within the app.) "I'm inside the phone" does not mean "I can read every app." For each app, state what a full file-system extraction yields and what it does not: (a) WhatsApp on Android (msgstore.db, the .crypt14/.crypt15 backup, and the key file); (b) Signal (SQLCipher database, key in the Keystore/keychain); (c) Telegram secret chats. Then write the exact, defensible finding for a phone with Signal installed and in use whose message content you cannot read — and explain why that sentence is the privacy guarantee working as designed, not a failure of skill.

24.20(War story, generalized.) A suspect insists he "deleted nothing" and his logical backup is genuinely clean — the threatening messages are gone from the live tables. Explain, step by step, how a file-system extraction nonetheless reconstructs the messages, naming the exact side file and the kind of frames it holds. Then write the two sentences you would put in the report explaining where each recovered message came from and why that location proves it was deleted rather than fabricated — the explanation you must survive on cross.


24.21 Contrast the technical and legal paths to a locked, encrypted, passcode-unknown phone. (a) Name the easiest "technical attack" that is no attack at all, and the two exploit-based services the chapter names. (b) State the three hardware facts that govern whether any technical attack succeeds (throttling, AFU vs. BFU, the vendor cat-and-mouse). (c) Explain in one sentence why copying the encrypted blob and brute-forcing it offline on a cluster does not work on a modern device. (d) State why the cleanest, most defensible unlock is often a court order or consent, not a tool. (answer in Appendix)

24.22 Match each pillar to what it established and why a mobile examiner must know it: (a) Riley v. California (2014); (b) Carpenter v. United States (2018); (c) the "foregone conclusion" doctrine; (d) the All Writs Act / Apple v. FBI (San Bernardino, 2016). Then explain, in two sentences, why the scope of the warrant — not merely its existence — governs what you may examine, and what you must do if scope-compliant analysis turns up evidence of an unrelated crime.

24.23(Judgment.) Several courts treat compelling a fingerprint or face to unlock as non-testimonial (like a physical key) while a passcode remains testimonial and Fifth-Amendment-protected; other courts disagree. (a) Explain the distinction the courts are drawing. (b) Describe the practical consequence at seizure: why a phone that has rebooted (and now demands the passcode rather than biometrics) may be both technically and legally harder to open — tying device state to two different walls at once. (c) Why is "the law here is genuinely unsettled and varies by jurisdiction" the only honest summary, and which chapter and which non-keyboard source do you consult before acting?


Group G — The case, ethics, and the report

24.24 (Write the report — findings vs. inferences.) From a sound extraction you establish: a media file carries EXIF GPS coordinates and a creation timestamp; knowledgeC.db shows the camera app in focus at that minute; an Apple ID and app accounts tie the device to a named person; and the passcode was a 6-digit PIN. Write three sentences that are findings and two that would be inferences you must flag as such. Then state the single boundary a phone can never cross on the artifacts alone — and the predictable defense question that boundary invites, with the honest answer. (answer in Appendix)

24.25 (Ethics and scope — handle clinically.) During a properly scoped examination authorized for one category of evidence, you encounter material suggesting a different crime outside the warrant. (a) State, in order, the first four things you do and do not do (the digital plain-view discipline). (b) For a case involving suspected CSAM, name the two duties that dominate — the mandatory-reporting obligation (cite the U.S. statute and the entity reported to) and the duty to yourself — and explain why clinical detachment in the report is professional self-protection, not coldness. (c) Which chapter owns the full treatment of both duties, and why must you never improvise either?

24.26(Progressive project — the mobile evidence enters the case file.) Using a provided extraction (or the Chapter 11 backup you parsed for your Forensic Case File), complete the chapter's project step end to end and write it up: (a) Classify the acquisition — state its pyramid level and what it can and cannot contain — and record the device identity (model, OS, serial/IMEI) and the extraction hash in your chain-of-custody worksheet (Appendix F). (b) Parse and validate with iLEAPP/ALEAPP (or a commercial suite), cross-checking at least one load-bearing artifact with a second tool, and convert one set of iOS timestamps by hand to prove you control the epoch. (c) Build a mobile timeline of the high-value artifacts — calls/SMS/RCS, photo EXIF GPS, knowledgeC/significant-locations or Android usage traces, Wi-Fi BSSID joins, and any deleted SQLite records from the WAL/freelist (note exactly where each came from), every entry sourced to an artifact and database location. (d) State the limits in writing for each finding — device-vs-person, browsed-vs-sent, present-vs-decodable, the acquisition-level ceiling — and note any artifact you expected but could not reach, and why. Save the parser outputs and the timeline into the case-file folder; you will merge them into the master timeline in Chapter 21 and the capstone in Chapter 38.


Self-check. You have mastered this chapter when you can look at any phone on the bench and, before touching a tool, place it on the pyramid — what level its state, OS version, and your authority permit — and say, with equal confidence, "a full file-system extraction is achievable and here is what it will contain" and "extraction is not achievable on this model at this OS version, and that is a complete professional finding." Concretely, you should be able, without notes, to: convert a Mac-absolute timestamp (seconds and nanoseconds) and catch the 31-year error; explain why a file-system extraction recovers WAL/freelist deletions a logical pull cannot; state why chip-off and EDL return ciphertext on a modern locked device; name where RCS, Signal, and Health data live and which you can and cannot read; and separate a finding ("the camera was in focus at 19:04") from an inference ("the defendant took the photo") cleanly enough to hold the line on cross. If any of those still feels shaky, re-read the matching section before you touch an evidence device. Next, Chapter 25 — The Legal Framework takes the warrants, consent, compelled-decryption, and scope questions you met all through this chapter and gives them the full treatment they deserve — because the most technically perfect extraction is worthless if the authority behind it does not hold.