GIAC GASF Exam Questions

Questions for the GASF were updated on: Nov 21, 2025

Page 1 out of 5. Viewing questions 1-15 out of 75

Question 1

While conducting forensic analysis of an associated media card, which file system format would one
most often expect to find?

  • A. HFS
  • B. NTFS
  • C. Yaffs2
  • D. FAT
Answer:

D


Question 2

When examining a file system acquisition of an Android device, which artifact must be carved out
manually?

  • A. Deleted images
  • B. Contacts
  • C. SMS messages
  • D. Phone numbers
Answer:

C


Question 3

While analyzing the BlackBerry application list, it appears that no third-party applications were
installed on the device. Which other file may provide you with additional information on applications
that were accessed with the handset?

  • A. BlackBerry NV Items
  • B. Content Store
  • C. Event logs
  • D. BBThumbs.dat
Answer:

C


Question 4

What essential piece of information is most often required in order to decrypt the contents of
BlackBerry OS 10 handsets?

  • A. BlackBerry Blend username/pin
  • B. BlackBerry Balance username/password
  • C. BlackBerry Link ID/password
  • D. BBM pin
Answer:

C


Question 5

Review the information contained within the Viber application running on an Android device. Which
of the following can be determined?

A. A message containing the string 8901260572525158741 was sent using the Viber application.
B. The Viber account used to send/receive messages can be tied to the user in possession of the SIM
card with an IMSI of 8901260572525158741
C. The user account for Viber is 8901260572525158741
D. The Viber account used to send/receive messages can be tied to the user in possession of the SIM
card with an ICCID of 8901260572525158741

Answer:

D


Explanation: Reviewing the particular file in Viber shows that the information contained is related to
the activated SIM card inside the device. In order to answer the question correctly, it is important
to know how many digits make up an ICCID versus an IMSI. ICCIDs are comprised of 19 to 20 digits
whereas IMSIs may only contain 14 or 15.


Question 6

Which iOS backup file will contain the last time the device was backed up?
A. notes.sqlite
B. manifest.mbdb
C. status.plist
D. info.plist

Answer:

D


Explanation: The file info.plist contains many artifacts regarding the device, including the last time it
was backed up. The file manifest.mbdb contains a list of data stored in the backup. The file status.plist
contains details about the backup including a flag to identify the backup type, date and version. The
file notes.sqlite is an Android file that contains notes written by the user on the device.


Question 7

You have conducted a keyword search over flash.bin and notice that multiple instances of the same
data appear many times throughout the flash image. What is this an example of?
A. Flash Translation Layer (FTL)
B. Logical Block Addressing (LBA)
C. NAND degradation
D. Wear-leveling

Answer:

C

Question 8

An analyst is investigating files on a Nokia S60 Symbian device and looking for data that would
contain possible cell tower locations, date and time stamps, phone numbers and/or references to files
saved on the device. Which of the following files would contain user data that was created and stored
on the device and that meets these criteria?

A. MapView.r08
B. LifeblogCOUNTRYSTRINGS.r1 3
C. Lifeblog.db
D. PbkView.r03

Answer:

C


Explanation: Knowing that the application Lifeblog is often used on Symbian devices to store location
and activity data is useful. However, even if this is not well known at the start of the investigation,
you can eliminate any of the Resource files (*.r) because they are generated when an application is
installed and are not populated by user interactions.


Question 9

Using an emulator and running an application through a series of processes to figure out how it
would behave on an actual device is called:
A. Forensic analysis
B. Dynamic analysis
C. Web analysis
D. Static analysis

Answer:

B
Explanation


Reference:
https://pdfs.semanticscholar.org/90d9/6a3ab48a1b1039573d8a9bfd11e1ab957b82.pdf


Question 10

Which file type below is commonly associated with locational data and is an export option from
within Cellebrite Physical Analyzer and XRY to provide detailed visual output of geographic information?
A. .plist
B. .kml
C. .xry
D. .ipa

Answer:

B
Explanation


Reference:
https://developers.google.com/kml/documentation/kml_tut


Question 11

Which file system is mostly found on Samsung devices?
A. Yet Another Flash File System (YAFFS2)
B. Out of Bound (OOB)
C. Robust File system (RFS)
D. EXT4

Answer:

C
Explanation


Reference:
http://movitool.ntd.homelinux.org/trac/movitool/wiki/RFS


Question 12

Which artifact(s) can be extracted from a logical image only if the device the image was acquired
from was jailbroken?
A. SMS/MMS
B. Email
C. Call Logs
D. Photos

Answer:

B
Explanation


Explanation: Photos, SMS/MMS and call logs can be extracted from a logical acquisition of a
non-jailbroken device. Once a device has been jailbroken, email can be extracted for review.


Question 13

Which file, located on the Android file system, may be examined to correlate files related to external
SD cards that were once used in an Android device?
A. Internal.db
B. Main.db
C. DataManager.db
D. external.db

Answer:

D


Explanation: Most of the data stored on the SD and eMMC cards are stored in the external.db or
emmc.db file in the /data/data/com.android.providers.media file. This file will remain persistent
even if the SD card is removed. This means that files and file names associated with SD cards
previously in the device can be recovered and examined. This is a great way to tie an SD card back to
a device.


Question 14

Examine the unpacked Android application below. Which important file, resident in most Android
applications, is missing?

A. dalvik-cache
B. classes.dex
C. com.skype.raider-1.apk
D. classes-dex2jar.jar

Answer:

B
Explanation


Reference:
https://en.wikipedia.org/wiki/Android_application_package


Question 15

What does access to iOS DFU mode provide an examiner?
A. Ability to decrypt the SD card of a Symbian device
B. Ability to acquire the info.mkf file on a BlackBerry device and brute force the password
C. Ability to root an Android device and perform a physical acquisition
D. Ability to bypass the lock screen of an older iOS device

Answer:

D
Explanation


Reference:
https://www.sciencedirect.com/science/article/pii/B978159749659900002X
