Quiz 5

SQL temporary files can contain evidentiary data, but these data may be missed by non-forensic SQLite viewers. Write-ahead logs (WALSs) are one type of temporary file. What data are stored in the WALs?

Database restore points

Original data before a transaction change

Data change archive

New data changes

When reviewing mobile applications, what type of data are sometimes stored outside of the messaging database?

Attachments

Participants

Message body

Datetime stamps

Which two file formats are typically used on iOS devices to store user data?

APK and SQLite

plist and MDB

Plist and SQLite

Plist and ESE

How can an examiner identify whether an SQLite database is using write-ahead logging as its mechanism for storing temporary data?

Analyze the SQLite header and check the 18th and 19th bytes; if the first is 02 and the second is 01, then the database is using WAL.

Analyze the SQLite header and check the 18th and 19th bytes; if they are both 01, then the database is using WAL.

Analyze the SQLite header and check the 18th and 19th bytes; if they are both 02, then the database is using WAL.

Analyze the SQLite header and check the 18th and 19th bytes; if the first is 01 and the second is 02, then the database is using WAL.

During analysis of an iOS backup, you find that the file sharing app Dropbox is installed. Which file should you investigate to find information about the account ID and file and folder names?

Spotlight.db

DB files.-sqlite

Dropbox.db

Com.get.dsopbox.plist

What can be used in conjunction with an MDM software to provide additional monitoring for installed applications?

MAM

AirWatch

MIM

BES

What is the name of the file stored in an iOS backup that contains information about Apple Pay transactions?

Pass.json

Manifest.plist

Keychain

Apple_pay.plist

A junior analyst is questioning findings from an SQLite query that joined two tables on a mobile device's chat application. The analyst is confused as to why they only have 200 records when over 400 showed up in the chat messages table before running the query. What is the reason for the discrepancy?

The analyst did not SELECT the proper columns when doing the JOIN.

The analyst forgot to adjust for epoch time, which caused a discrepancy in the results based on the first JOIN command.

The analyst ran a LEFT JOIN instead of an INNER JOIN.

The analyst ran an INNER JOIN instead of a LEFT JOIN.

What is the AS keyword used for in the SELECT statement below?

SELECT

ZTEXT AS "Message Text",

ZDATE AS "Message Date”,

ZSTATE AS "Message Direction/State"

FROM

ZVIBERMESSAGE

To change the column names in the output

To search messages for the specified string

To change the column names in the source database table

To convert the message data values to human readable format

Which of the following is true concerning third-party chat applications?

Third-party chat applications store all their data in the stock Android messaging databases.

Commercial forensic tool support is very good.

Forensic tools cannot parse data from third-party chat applications.

All potentially helpful data are likely to be encrypted.

An analyst has identified a BLOB stored in an SQLite database and believes it may be critical for a case. How can the data be viewed if the tool does not have the native capability to read binary data?

Internally view as text

Switch to hex view

Convert to XML

Export to an external viewer

Where might an analyst find evidence of file transfers performed as part of a file sharing service?

SMS messages

.bak files

Cache Files

.bbm files

Where can an examiner find evidence of file transfer through the Dropbox application, besides the folder containing the app data?

Browser history

Maps history

Call logs

Contacts

A junior analyst feels it would not be beneficial to review a weather application's history as part of a forensics investigation of an iOS device, but a coworker analyst feels the history should be included. What information from this application's history would aid in the examination?

Traffic route information tracked by the weather application

GPS location data that can place the user at a specific place at a certain time

User account information that is requested in order to view the application

Data that are shared and recorded between third-party applications by the same developer

What are JavaScript Object Notation (JSON) files typically used for in smartphones?

Encoding small data sets

Increasing transfer speed between devices

Enabling dynamic web browsing

Transferring data between an application and a web server

What type of database file has an examiner likely uncovered if they find the following four bytes starting at offset 0x10?

542D 4442

Mongo

WAL

SQLite

Realm

Quiz 5

More Quizzes