Mobile and Network Forensics: Cellebrite, SQLite and WhatsApp Examination

This medium-difficulty UGC-NET Forensic Science Paper II Unit VII drill covers the full workflow of mobile device forensics using Cellebrite UFED, MSAB XRY, and Magnet AXIOM, alongside the SQLite database internals that underpin most mobile application evidence. Questions examine UFED extraction modes (physical, logical, file-system, and chip-off), UFD report generation, MSAB XRY standalone architecture, and Magnet AXIOM artifact-centric analysis that parses third-party app databases directly. SQLite coverage includes page structure, B-tree organisation, WAL (Write-Ahead Log) versus journal rollback mode, and how the WAL file and shared-memory file affect live-capture integrity. WhatsApp artifacts on Android (msgstore.db, wa.db, and the media folder under /data/data/com.whatsapp/databases/) are contrasted with iOS equivalents (ChatStorage.sqlite, ContactsV2.sqlite, and the Documents media folder). Signal's SQLCipher-encrypted database and Telegram's local cache and TDLib database structure are also examined as near-neighbour distractors for the WhatsApp questions.

Deleted record recovery from SQLite freelist pages and the unallocated page pool is tested in three questions covering the mechanics of how SQLite marks a deleted row for reuse, how leaf-page overflow carving recovers partial records, and the role of unallocated space carving in tools such as Oxygen Forensic Detective. Push notification artifacts from Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) log files, along with Android Keystore versus iOS Keychain fundamentals and backup forensics covering adb backup, iTunes encrypted backup, and iCloud backup acquisition, complete the set. Indian law context spans IT Act 2000 Sections 65 and 66, BSA 2023 Section 63 (electronic records admissibility, formerly IEA Section 65B), and the CFSL Hyderabad mobile forensics unit workflow. NIST SP 800-101 Revision 1 and SWGDE mobile device guidelines provide the procedural reference frame.

Topics covered:

• Cellebrite UFED extraction modes and UFD report generation
• MSAB XRY architecture vs Magnet AXIOM artifact-based analysis
• SQLite page structure, B-tree layout, WAL vs journal rollback mode
• WhatsApp Android (msgstore.db) vs iOS (ChatStorage.sqlite) artifact locations
• Signal SQLCipher encryption and Telegram local cache structure
• Deleted SQLite record recovery from freelist and unallocated pages
• Push notification artifacts: APNs and FCM forensic value
• Backup forensics: adb backup, iTunes, iCloud and legal admissibility under BSA 63

Work through each question before checking the explanation, revisiting every wrong answer against Tamma and Tindall, Mahalik, NIST SP 800-101 R1, and Cellebrite training documentation. Allow 30 minutes.