Mobile Acquisition and Anti-Forensics

This mock covers mobile device forensics — acquisition strategies, the iOS and Android security architectures that determine what you can extract, the vendor tools used in Indian forensic labs, and the anti-forensics tactics suspects routinely use. Thirty questions cover logical, file-system, physical, JTAG and chip-off acquisition; BFU vs AFU device state; the iOS Secure Enclave, Effaceable Storage, and Class A/B/C/D file protection; Checkm8, GrayKey, Cellebrite UFED and Premium; Android File-Based Encryption, Direct Boot and Verified Boot; SIM card structure (ICCID, IMSI, MSISDN, ADN, LDN, EF_SMS); SQLite WAL and freelist forensics; vault apps, app cloning, and disappearing-message platforms.

It is pitched at MSc cyber forensics students at NFSU and LNJN-NICFS, certified examiner candidates (CHFI Mobile, CCO, CCPA), state-FSL trainees, and FACT aspirants who need the mobile section locked in. Mobile forensics has overtaken disk forensics as the highest-volume work in Indian forensic labs since 2020 — most cyber-crime cells now process more phones than computers, and the iOS / Android security architectures keep evolving fast enough that mock content needs to stay current with each iOS major release.

Themes covered:

• The acquisition hierarchy: logical → file-system → physical → JTAG → chip-off
• BFU vs AFU and the BFU-lockout problem during transport
• iOS Secure Enclave, Effaceable Storage, NSFileProtection class A/B/C/D
• Checkm8 (A5–A11), GrayKey, Cellebrite UFED and Premium — what each can and cannot do
• Android File-Based Encryption (FBE), Direct Boot, Verified Boot (AVB 2.0)
• SIM card forensics: ICCID, IMSI vs IMEI, ADN / LDN / EF_SMS, SIM-side recoverable SMS
• Faraday isolation and the BFU-lockout battery problem
• SQLite forensics: WAL files, freelist carving, journal modes
• Anti-forensics: vault apps (Calculator+, AppLock, Parallel Space), app cloning (Samsung Dual Messenger, Xiaomi App Twin, Island), disappearing messages, encrypted wipe
• App-specific artefacts: WhatsApp msgstore.db / msgstore.db.crypt14/15, Telegram Secret Chats vs Cloud Chats
• Cloud forensics: iCloud, Google Account, messenger cloud backups

Each question carries a detailed explanation citing NIST SP 800-101 Rev 1, Apple Platform Security Guide, the Android Open Source Project documentation, vendor knowledge bases (Cellebrite, Magnet, Grayshift), Mahalik et al. Practical Mobile Forensics, and INTERPOL guidelines. Allow 15 minutes; some questions require knowledge of vendor tooling, others require iOS / Android internals. The explanations are long enough to use as study notes by themselves.