Chapter 24 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. Commit to an answer before you scroll — the value is in the reasoning, not the letter.


Multiple choice

Q1. On the five-level acquisition pyramid, at which level do deleted SQLite records (messages a user removed, lingering in freelist pages and the write-ahead log) first become recoverable? - A) Level 1 — manual - B) Level 2 — logical - C) Level 3 — file-system - D) Only at Level 5 — chip-off

Q2. The checkm8 bootrom exploit affects which range of Apple SoCs, and therefore which iPhones? - A) A4–A9 (iPhone 4 through iPhone 6s) - B) A5–A11 (roughly iPhone 4S through iPhone 8/8 Plus/X) - C) A12–A15 (iPhone XS through iPhone 13) - D) All SoCs ever made; Apple has never patched it

Q3. Why is an A12-or-later iPhone (iPhone XS/XR, 2018, onward) a genuine wall in a way an A11 is not? - A) Its NAND is soldered, unlike earlier models. - B) It is not vulnerable to checkm8, and Apple hardened the Secure Enclave against the offline/replay tricks that made older devices tractable. - C) It uses APFS instead of HFS+. - D) Its backups are always encrypted.

Q4. Counterintuitively, an encrypted iTunes/Finder backup contains more than an unencrypted one. Which set of data does the encrypted backup additionally include? - A) Only the photos at full resolution. - B) Nothing extra — the encryption merely scrambles the same content. - C) Saved passwords/keychain, Health data, call history, and Wi-Fi settings. - D) The Secure Enclave's UID key.

Q5. On a current Android using Google Messages with RCS, where do the RCS conversations live — the store an examiner who parses only the telephony provider will miss entirely? - A) mmssms.db in the telephony provider - B) contacts2.db in the contacts provider - C) bugle_db in com.google.android.apps.messaging - D) sms.db in HomeDomain

Q6. iOS sms.db date columns store time as: - A) Unix seconds since 1970-01-01. - B) Mac absolute time — seconds (nanoseconds since iOS 11) since 2001-01-01 UTC. - C) Windows FILETIME (100-ns ticks since 1601). - D) Days since the device was first activated.

Q7. Which combination must all be true for adb to read a non-rooted Android's user data? - A) Root, a SIM card, and a charged battery. - B) USB debugging enabled, the device unlocked, and the host authorized via the on-screen RSA-fingerprint prompt. - C) A signed firehose loader and EDL "9008" mode. - D) Airplane mode on and the screen locked.

Q8. On most modern Android devices (e.g., Pixel), unlocking the bootloader to gain root will: - A) Leave userdata untouched and simply enable root. - B) Factory-reset / wipe userdata, destroying the evidence you came for. - C) Decrypt userdata in place. - D) Permanently disable the Secure Enclave.

Q9. You perform a flawless chip-off (or EDL/BROM read) of a modern, encrypted, locked phone. What do you get? - A) The user's messages and photos in plaintext. - B) Ciphertext — a perfect bit-for-bit copy of an unbreakable safe, because the keys live in the SEP/TEE, not the NAND. - C) Only deleted files. - D) Nothing; the chip is wiped on removal.

Q10. Riley v. California (2014) held that: - A) Police may search a phone's contents under the search-incident-to-arrest exception. - B) A warrant is generally required to search the data on a seized cell phone. - C) Suspects must always reveal their passcodes. - D) Cell-site location data is never protected.


True/False

Q11. A physical (bit-for-bit) image of a modern locked phone's userdata yields readable user data without the passcode, because "physical" bypasses encryption. (True / False)

Q12. Of two bit-for-bit identical phones, the one seized AFU (powered-on, unlocked at least once since boot) is a far better extraction prospect than the one seized powered-off (BFU). (True / False)


Short answer

Q13. Explain in two or three sentences why a file-system extraction recovers deleted messages that a logical extraction never sees. Name the specific side file involved.

Q14. Give one example of a phone-evidence finding and one inference drawn from it, and state the single boundary a phone can never cross on the artifacts alone.

---

Answer key

Q1 — C. File-system (Level 3) is the first level that captures the database file — including the freelist pages and the -wal side file where deleted records linger. A logical pull reads only the live rows. (Deleted files whose file-system pointers are gone appear at Level 4, physical.)

Q2 — B. checkm8 (axi0mX, 2019) is a bootrom exploit affecting A5 through A11 — roughly the iPhone 4S through the iPhone 8/8 Plus/X. Because the flaw is in read-only bootrom code, Apple cannot patch it on those models; it is permanent for them — but it does not reach A12+.

Q3 — B. The A12 and later are not vulnerable to checkm8, and Apple hardened the Secure Enclave against the offline and replay tricks that made older devices tractable — so there is no public, durable "just unlock it" capability for A12+.

Q4 — C. An encrypted backup additionally includes the keychain/saved passwords, Health data, call history, and Wi-Fi settings, which a plain backup deliberately omits — which is why setting a (documented) backup password is a standard forensic move on a cooperative/AFU iOS device.

Q5 — C. RCS lives in bugle_db (/data/data/com.google.android.apps.messaging/databases/), not in the telephony provider's mmssms.db — parsing only the latter misses entire RCS conversations on a current Android.

Q6 — B. Mac absolute time (Cocoa/CFAbsoluteTime): seconds since 2001-01-01 UTC, stored in nanoseconds in sms.db since iOS 11. Treating it as Unix time throws the timeline off by 31 years.

Q7 — B. All three: USB debugging enabled (Developer Options), the device unlocked (so Credential-Encrypted data is available), and the host authorized via the on-screen RSA-fingerprint trust prompt. Missing any one, adb cannot reach user data — that gate is a security feature, not a bug.

Q8 — B. On most modern devices, unlocking the bootloader factory-resets userdata — the trap that has destroyed cases. The rule: never unlock a bootloader on an evidence device without certainty about its wipe behavior; prefer temporary/exploit root that touches no persistent partition.

Q9 — B. Ciphertext. On an encrypted device the keys are bound to the Secure Enclave (iOS) or TEE/StrongBox (Android), not the NAND, so chip-off, JTAG, ISP, and EDL/BROM all return "a flawless copy of an unbreakable safe." These help on unencrypted/legacy devices, not a modern locked one.

Q10 — B. Riley held the search-incident-to-arrest exception does not extend to phone data; police generally need a warrant. (Carpenter, 2018, later extended warrant protection to historical cell-site location information.)

Q11 — False. A physical image of a modern locked device is a perfect bit-for-bit copy of ciphertext; without the keys (bound to the SEP/TEE and gated behind the user's credential) the bytes are noise. "Physical" is powerful on unencrypted/legacy devices, not a modern locked one.

Q12 — True. AFU means the Data Protection / Credential-Encrypted keys are live in memory, so a capable tool yields the bulk of the data; a BFU device exposes almost nothing but unprotected scraps. The hardware is identical; only the accessibility differs — which is why first-responder training drills "do not let it power off, lock-and-reboot, or die."

Q13 — Model answer. A SQL DELETE marks a record's space free within the database file without scrubbing the bytes, so the old record persists in freelist pages, and the -wal (write-ahead log) side file frequently still holds the pre-deletion frames. A file-system extraction copies the .db and its -wal/-journal, so a forensic SQLite parser can reconstruct those deleted records — whereas a logical extraction reads only the live rows the backup exposes and never sees them.

Q14 — Model answer. Finding: "Media file X carries EXIF GPS coordinates [...] and a creation timestamp of [...]; knowledgeC.db shows the Camera app in focus at that minute." Inference (flagged as such): "the device's owner took the photo." The boundary a phone can never cross on the artifacts alone is device activity versus identity — you can place a device at a location, in active use, running a particular app, at a precise time, but you cannot prove whose hands were on the glass; attribution must come from corroboration (biometrics, account activity, witnesses).

Scoring: 13–14 correct — you can teach this chapter; you hold both the capabilities and their limits. 10–12 — solid; re-read the acquisition-pyramid and AFU/BFU sections and the timestamp epoch. 7–9 — you have the vocabulary but not the boundaries; revisit "The encryption challenge" and "Deleted records inside SQLite." Below 7 — re-read the chapter before you touch an evidence phone; on mobile, the cost of getting the wall — or the warrant scope — wrong is a suppressed case and a dismantled witness.