Mobile Forensics: Acquisition Methods and Anti-Forensics
Questions: 30 | Duration: 30 min | Faculty-reviewed: 30 | Updated: 29 Apr 2026
About this mock
This mock covers mobile device forensics — acquisition strategies, the iOS and Android security architectures that determine what you can extract, the vendor tools used in Indian forensic labs, and the anti-forensics tactics suspects routinely use. Thirty questions cover logical, file-system, physical, JTAG and chip-off acquisition; BFU vs AFU device state; the iOS Secure Enclave, Effaceable Storage, and Class A/B/C/D file protection; Checkm8, GrayKey, Cellebrite UFED and Premium; Android File-Based Encryption, Direct Boot and Verified Boot; SIM card structure (ICCID, IMSI, MSISDN, ADN, LDN, EF_SMS); SQLite WAL and freelist forensics; vault apps, app cloning, and disappearing-message platforms.
It is pitched at MSc cyber forensics students at NFSU and LNJN-NICFS, certified examiner candidates (CHFI Mobile, CCO, CCPA), state-FSL trainees, and FACT aspirants who need the mobile section locked in. Mobile forensics has overtaken disk forensics as the highest-volume work in Indian forensic labs since 2020 — most cyber-crime cells now process more phones than computers, and the iOS / Android security architectures keep evolving fast enough that mock content needs to stay current with each iOS major release.
Topics covered:
- The acquisition hierarchy: logical → file-system → physical → JTAG → chip-off
- BFU vs AFU and the BFU-lockout problem during transport
- iOS Secure Enclave, Effaceable Storage, NSFileProtection class A/B/C/D
- Checkm8 (A5–A11), GrayKey, Cellebrite UFED and Premium — what each can and cannot do
- Android File-Based Encryption (FBE), Direct Boot, Verified Boot (AVB 2.0)
- SIM card forensics: ICCID, IMSI vs IMEI, ADN / LDN / EF_SMS, SIM-side recoverable SMS
- Faraday isolation and the BFU-lockout battery problem
- SQLite forensics: WAL files, freelist carving, journal modes
- Anti-forensics: vault apps (Calculator+, AppLock, Parallel Space), app cloning (Samsung Dual Messenger, Xiaomi App Twin, Island), disappearing messages, encrypted wipe
- App-specific artefacts: WhatsApp msgstore.db / msgstore.db.crypt14/15, Telegram Secret Chats vs Cloud Chats
- Cloud forensics: iCloud, Google Account, messenger cloud backups
Each question carries a detailed explanation citing NIST SP 800-101 Rev 1, Apple Platform Security Guide, the Android Open Source Project documentation, vendor knowledge bases (Cellebrite, Magnet, Grayshift), Mahalik et al. Practical Mobile Forensics, and INTERPOL guidelines. Allow 30 minutes; some questions require knowledge of vendor tooling, others require iOS / Android internals. The explanations are long enough to use as study notes by themselves.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- NIST SP 800-101 Rev. 1 — Guidelines on Mobile Device Forensics. Section 5: Forensic Tool Classification System (acquisition hierarchy). Cited in 3 questions.
- 3GPP TS 51.011 — Specification of the Subscriber Identity Module (SIM). Section 10.2: Elementary Files (ADN, FDN, LDN, SMS, LOCI). Open source; cited in 2 questions.
- Mahalik, Heather et al. — Practical Mobile Forensics, 4th edition. Chapter on Android app artefacts (WhatsApp msgstore). Cited in 2 questions.
- Cellebrite — UFED Product Family Documentation. UFED Touch / 4PC / Premium acquisition methods and supported devices. Cited in 1 question.
- Magnet Forensics — iOS BFU vs AFU Acquisition Whitepaper. BFU lockout mechanics and Faraday-bag battery-drain mitigation. Cited in 1 question.
- Cellebrite — JTAG and Chip-off Acquisition Guide. JTAG TAP pinout, ISP/JTAG vs chip-off comparison. Cited in 1 question.
- Magnet Forensics — Android App Cloning Whitepaper. Multi-user architecture, Dual Messenger / App Twin / Parallel Space mechanisms. Cited in 1 question.
- INTERPOL — Global Guidelines for Digital Forensics Laboratories. Mobile chip-off procedure and risks. Cited in 1 question.
- Android Open Source Project — Direct Boot Mode. Direct Boot architecture, DE/CE storage and `directBootAware` apps. Open source; cited in 1 question.
- axi0mX — Checkm8 BootROM Exploit Disclosure. Affected SoC range (A5 through A11) and unpatchability. Open source; cited in 1 question.
- Sanderson, Paul — Forensic Analysis of SQLite Databases. Freelist page recovery and unallocated record carving. Open source; cited in 1 question.
- Android Open Source Project — File-Based Encryption. FBE architecture and DE/CE storage classes. Cited in 1 question.
- Magnet Forensics (Grayshift) — GrayKey Product Documentation. GrayKey product overview and supported devices. Open source; cited in 1 question.
- Cellebrite — UFED Cloud Analyser Documentation. Cloud-based acquisition: iCloud, Google Account, messenger cloud backups. Cited in 1 question.
- ACPO Good Practice Guide for Digital Evidence. Mobile device seizure, isolation and Faraday-bag procedure. Cited in 1 question.
- 3GPP TS 23.003 — Numbering, Addressing and Identification. IMSI structure (Section 2.2) and IMEI structure (Section 6). Cited in 1 question.
- Cellebrite — Vault Apps Reference Guide. Known vault-app package list and detection signatures. Cited in 1 question.
- ITU-T Recommendation E.118 — The International Telecommunication Charge Card. ICCID structure (industry identifier, country code, issuer, serial, Luhn check). Cited in 1 question.
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
What does the Mobile Forensics: Acquisition Methods and Anti-Forensics mock cover?
This mock covers mobile device forensics: acquisition strategies, the iOS and Android security architectures that determine what you can extract, the vendor tools used in Indian forensic labs, and the anti-forensics tactics suspects routinely use. The full list of topics is given in the description above.
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Free.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Yes — 30 of 30 questions are faculty-reviewed. Each question carries a verified source citation.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.