ANDROID Forensic Fundamentals — ANDFFC – Practical Scenario Certification

This is the final practical exam for the ANDROID Forensic Fundamentals Course (ANDFFC). The exam will contain a series of multiple-choice and fill in the blank questions. The provided Android mobile device image will be provided to answer the questions below. This exam is an open note, open Internet, and open computer exam. You can utilize any tools taught in this course to find and parse the information.

The exam will include questions on:

• Android Overview
• Android Security
• Android Artifacts
• Android SQLite Databases
• Android 3rd Party Apps

Directions:

• Use any notes taken during the course
• Utilize the provided Android forensic image and exported databases to answer questions below
• Use SQLite database browser utilities as needed
• Document all answers

Please ensure you have loaded and decoded the “UFED Samsung GSM SM-G935A Galaxy S7 Edge 2019_11_06 (001)” located in the “DSI ANDFFC” main folder.

How many applications are installed on the Android device?

How many apps have been decoded by Cellebrite?

What is the name of a database file associated with the contacts from the Android device?

Android devices will always have one flash memory chip with only two partitions.

What is the name of the privileged account on an Android device?

In the non-decoded apps, which application contains the word “VF live!”?

In the non-decoded apps, are there any databases that contain the name “240033/buttermilk-waffles”?

What is the description associated to this recipe 240033 Buttermilk Waffles?

Can you get a picture of the waffles?

Upload the image associated with the question.

In the Media Storage app, there is an entry in the files table, with the words Ding-Dong, what is the date stamp (date added)?

What is the security feature of Android devices that ensures an app only has access to the information within the app itself?

What is the process of changing your access priveleges from a regular user to a super user called?

Within the icing_mmssms.db SQLite database tables, there is a _ID of 6, which contains the message of Hey Boo, please validate the time associated with this message.

What SQLite database is associated with Android Browser History?

What SQLite database is associated with the Chrome Browser History?

What SQLite database is associated with the Gmail Browser History?

What timestamp format is typically utilized by Android apps to record date/time related information for stored data? (circle all that apply)

From what date does Epoch begin (in milliseconds)?

Jan 1, 1970

What data type enables storage of binary data in a SQLite database?

In Cellebrite – what is the path to the file containing the Call History Data?

When was the last call made to +12024681136?

How long did this call last?

Using ADB, what command can be used to acquire a specific file from an Android device

How are deleted files permanently removed from a SQLite database?

SQLite utilizes a strict client/server architecture to store app user data

Use the databases exported from the forensic acquisition below:

• contacts2.db
• mmssms.db

Use a SQLite browser to answer the remaining questions

What table in the MMSSMS SQLite database contains the total message count for each identified conversation?

In the MMSSMS database, when was the last message received from “Alexiis”?

Answer the question in MM-DD-YYYY HH:MM:SS UTC format

What did she say?

In the MMSSMS database, was the native Android “Messages” app the only one used to send or receive messages with this phone?

If not, what other apps were used? (name at least one)