Skip to content
Mobile and Network Forensicsmedium Premium

Mobile and Network Forensics: Cellebrite, SQLite and WhatsApp Examination

Published:

Questions

30

Duration

30 min

Faculty-reviewed

0

Updated

25 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This medium-difficulty UGC-NET Forensic Science Paper II Unit VII drill covers the full workflow of mobile device forensics using Cellebrite UFED, MSAB XRY, and Magnet AXIOM, alongside the SQLite database internals that underpin most mobile application evidence. Questions examine UFED extraction modes (physical, logical, file-system, and chip-off), UFD report generation, MSAB XRY standalone architecture, and Magnet AXIOM artifact-centric analysis that parses third-party app databases directly. SQLite coverage includes page structure, B-tree organisation, WAL (Write-Ahead Log) versus journal rollback mode, and how the WAL file and shared-memory file affect live-capture integrity. WhatsApp artifacts on Android (msgstore.db, wa.db, and the media folder under /data/data/com.whatsapp/databases/) are contrasted with iOS equivalents (ChatStorage.sqlite, ContactsV2.sqlite, and the Documents media folder). Signal's SQLCipher-encrypted database and Telegram's local cache and TDLib database structure are also examined as near-neighbour distractors for the WhatsApp questions.

Deleted record recovery from SQLite freelist pages and the unallocated page pool is tested in three questions covering the mechanics of how SQLite marks a deleted row for reuse, how leaf-page overflow carving recovers partial records, and the role of unallocated space carving in tools such as Oxygen Forensic Detective. Push notification artifacts from Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) log files, along with Android Keystore versus iOS Keychain fundamentals and backup forensics covering adb backup, iTunes encrypted backup, and iCloud backup acquisition, complete the set. Indian law context spans IT Act 2000 Sections 65 and 66, BSA 2023 Section 63 (electronic records admissibility, formerly IEA Section 65B), and the CFSL Hyderabad mobile forensics unit workflow. NIST SP 800-101 Revision 1 and SWGDE mobile device guidelines provide the procedural reference frame.

Topics covered:

  • Cellebrite UFED extraction modes and UFD report generation
  • MSAB XRY architecture vs Magnet AXIOM artifact-based analysis
  • SQLite page structure, B-tree layout, WAL vs journal rollback mode
  • WhatsApp Android (msgstore.db) vs iOS (ChatStorage.sqlite) artifact locations
  • Signal SQLCipher encryption and Telegram local cache structure
  • Deleted SQLite record recovery from freelist and unallocated pages
  • Push notification artifacts: APNs and FCM forensic value
  • Backup forensics: adb backup, iTunes, iCloud and legal admissibility under BSA 63

Work through each question before checking the explanation, revisiting every wrong answer against Tamma and Tindall, Mahalik, NIST SP 800-101 R1, and Cellebrite training documentation. Allow 30 minutes.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • Tamma, Rohit and Tindall, Donnie -- Practical Mobile Forensics, 4th Edition, Packt Publishing

    Chapter 8: Android Forensics -- WhatsApp vs Signal on-device storage: SQLite plaintext vs SQLCipher encrypted database comparison

    cited in 23 questions
  • Carrier, Brian -- File System Forensic Analysis, Addison-Wesley

    Chapter 15: Application Databases -- SQLite B-tree types: table vs index B-trees and freelist carving for deleted row recovery

    cited in 5 questions
  • Mahalik, Heather -- Practical Mobile Forensics, Packt Publishing

    Chapter 4: Advanced Acquisition Techniques -- Chip-off, JTAG, ISP and EDL: hardware-level mobile extraction methods

    cited in 1 question
  • Bharatiya Sakshya Adhiniyam, 2023

    Section 63: Electronic records admissibility certificate -- responsible official signatory requirement (formerly IEA 1872 Section 65B; Anvar P.V. v Basheer 2014; Arjun Panditrao 2020)

    Open source
    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

What does the Mobile and Network Forensics: Cellebrite, SQLite and WhatsApp Examination mock cover?+

This medium-difficulty UGC-NET Forensic Science Paper II Unit VII drill covers the full workflow of mobile device forensics using Cellebrite UFED, MSAB XRY, and Magnet AXIOM, alongside the SQLite database internals that underpin most mobile application evidence. Questions examine UFED extraction modes (physical, logical, file-system, and chip-off), UFD report generation, MSAB XRY standalone architecture, and Magnet AXIOM artifact-centric analysis that parses third-party app databases directly. S

How many questions and how long is the test?+

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.

Who is this mock for?+

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Mobile and Network Forensics, NET. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?+

Each question carries a verified source citation. Faculty review for individual questions is in progress.

Do I need an account to take this mock?+

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.