GIAC GASF practice test

GIAC Advanced Smartphone Forensics Exam


Question 1

While conducting forensic analysis of an associated media card, which file system format would one
most often expect to find?

  • A. HFS
  • B. NTFS
  • C. Yaffs2
  • D. FAT
Answer:

D


Question 2

When examining a file system acquisition of an Android device, which artifact must be carved out
manually?

  • A. Deleted images
  • B. Contacts
  • C. SMS messages
  • D. Phone numbers
Answer:

C


Question 3

While analyzing the BlackBerry application list, it appears that no third-party applications were
installed on the device. Which other file may provide you with additional information on applications
that were accessed with the handset?

  • A. BlackBerry NV Items
  • B. Content Store
  • C. Event logs
  • D. BBThumbs.dat
Answer:

C


Question 4

What essential piece of information is most often required in order to decrypt the contents of
BlackBerry OS 10 handsets?

  • A. BlackBerry Blend username/pin
  • B. BlackBerry Balance username/password
  • C. BlackBerry Link ID/password
  • D. BBM pin
Answer:

C


Question 5

Review the information contained within the Viber application running on an Android device. Which
of the following can be determined?

A. A message containing the string 8901260572525158741 was sent using the Viber application.
B. The Viber account used to send/receive messages can be tied to the user in possession of the SIM
card with an IMSI of 8901260572525158741
C. The user account for Viber is 8901260572525158741
D. The Viber account used to send/receive messages can be tied to the user in possession of the SIM
card with an ICCID of 8901260572525158741

Answer:

D

Explanation: Reviewing the particular file in Viber shows that the information contained is related to
the activated SIM card inside the device. In order to answer the


Question 6

Which iOS backup file will contain the last time the device was backed up?
A. notes.sqlite
B. manifest.mbdb
C. status.plist
D. info.plist

Answer:

D

Explanation: The file info.plist contains many artifacts regarding the device, including the last time it
was backed up. The file manifest.mbdb contains a list of data stored in the backup. The file status.plist
contains details about the backup, including a flag to identify the backup type, date and version. The
file notes.sqlite is an Android file that contains notes written by the user on the device.


Question 7

You have conducted a keyword search over flash.bin and notice that multiple instances of the same
data appear many times throughout the flash image. What is this an example of?
A. Flash Translation Layer (FTL)
B. Logical Block Addressing (LBA)
C. NAND degradation
D. Wear-leveling

Answer:

C

Question 8

An analyst is investigating files on a Nokia S60 Symbian device and looking for data that would
contain possible cell tower locations, date and time stamps, phone numbers and/or references to files
saved on the device. Which of the following files would contain user data that was created and stored
on the device and that meets these criteria?

A. MapView.r08
B. LifeblogCOUNTRYSTRINGS.r1 3
C. Lifeblog.db
D. PbkView.r03

Answer:

C

Explanation: Knowing that the application Lifeblog is often used on Symbian devices to store location
and activity data is useful. However, even if this is not well known at the start of the investigation,
you can eliminate any of the Resource files (*.r) because they are generated when an application is
installed and are not populated by user interactions.


Question 9

Using an emulator and running an application through a series of processes to figure out how it
would behave on an actual device is called:
A. Forensic analysis
B. Dynamic analysis
C. Web analysis
D. Static analysis

Answer:

B
Explanation

Reference:
https://pdfs.semanticscholar.org/90d9/6a3ab48a1b1039573d8a9bfd11e1ab957b82.pdf


Question 10

Which file type below is commonly associated with locational data and is an export option from
within Cellebrite Physical Analyzer and XRY to provide detailed visual output of geographic information?
A. .plist
B. .kml
C. .xry
D. .ipa

Answer:

B
Explanation

Reference:
https://developers.google.com/kml/documentation/kml_tut
