20+ practice questions focused on Mobile and Malware Forensics — one of the most tested topics on the Computer Hacking Forensic Investigator CHFI exam. Each question includes a detailed explanation so you learn why the right answer is correct.
During a mobile forensics investigation, an analyst needs to acquire data from a locked iPhone. The analyst knows the passcode. Which acquisition method provides the MOST comprehensive data extraction?
Explanation: Physical acquisition is the most comprehensive method because it captures the device's entire flash storage rather than only the files the operating system chooses to expose: the file system, unallocated space and deleted-file remnants are all included, whereas a logical or backup-based extraction returns only what the backup service hands over. Two caveats a practitioner should keep in mind: on iPhones the NAND contents are encrypted with keys rooted in the SoC, so a JTAG or chip-off dump of the raw chips yields ciphertext rather than usable data, and in practice a physical or full-file-system extraction of an iOS device relies on a bootrom exploit (the checkm8 class) or an agent-based tool running on the unlocked device. The passcode is still required in either case to unlock the data-protection classes that guard user files.
A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?
Explanation: Writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. Windows Explorer processes this key at every logon of that user and launches each value listed there, and because it lives under HKCU the write needs no administrative privileges, which is why malware favours it over the HKLM equivalent. The mutex by itself is not persistence; it keeps a second copy of the sample from running and is mainly useful to the investigator as a host-based indicator. Taken together, the behaviour most clearly indicates an attempt to establish persistence on the host.
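The triage logic described above, written out as an added example (this is not code from the original page or from the Cuckoo project). The report excerpt is constructed for the example and modelled on the Cuckoo 2.x `behavior.summary` layout; the key names `regkey_written` and `mutex` follow that layout but should be checked against the version of Cuckoo that produced a real report.

```python
import json
import re

# Constructed report excerpt (not a real sandbox run). Layout follows the
# Cuckoo 2.x "behavior.summary" block; the values are made up for this example.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "summary": {
            "mutex": ["Global\\GLOBAL_MUTEX_123"],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                "HKEY_CURRENT_USER\\Software\\Example\\Settings\\LastRun",
            ],
            "file_written": ["C:\\Users\\victim\\AppData\\Roaming\\updater.exe"],
        }
    }
})

# Registry locations whose values are launched automatically at logon.
# HKCU needs no admin rights; HKLM and the Wow6432Node variants are included
# so the same check covers elevated samples and 32-bit-on-64-bit redirection.
RUN_KEY_PATTERN = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)


def find_persistence(report_json: str) -> dict:
    """Pull Run-key writes and mutex names out of a Cuckoo-style JSON report."""
    summary = json.loads(report_json).get("behavior", {}).get("summary", {})
    run_key_writes = [
        key for key in summary.get("regkey_written", []) if RUN_KEY_PATTERN.match(key)
    ]
    return {
        "run_key_writes": run_key_writes,
        "mutexes": list(summary.get("mutex", [])),
        # Persistence is inferred from the autorun write, not from the mutex.
        "persistence_suspected": bool(run_key_writes),
    }


if __name__ == "__main__":
    result = find_persistence(SAMPLE_REPORT)
    for key in result["run_key_writes"]:
        print("autorun write:", key)
    for name in result["mutexes"]:
        print("mutex (host IOC):", name)
    print("persistence suspected:", result["persistence_suspected"])
```

The mutex name and the dropped file path are the artifacts worth carrying into a host sweep; the Run-key write is the one that justifies the "persistence" label.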
In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?
Explanation: Option B is correct because the `key_remote_jid` column stores the remote party's JID, normally the phone number in international format followed by `@s.whatsapp.net`, and `LIKE '%1234%'` is the only option that filters on that column. Note that `'%1234%'` is a loose pattern: it matches '1234' anywhere in the JID, not only at the end of the number. In practice an examiner anchors the pattern on the suffix (`LIKE '%1234@s.whatsapp.net'`) and, because the question asks for messages sent to the contact, also filters on `key_from_me = 1` so that received messages are excluded.
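The query above, run against a constructed copy of the `messages` table, as an added example that is not part of the original page. The rows are made up; the column layout (`key_remote_jid`, `key_from_me`, `data`, `timestamp` in milliseconds since the Unix epoch) follows the legacy msgstore.db schema, and the example shows the difference between the loose `'%1234%'` pattern and the anchored, direction-filtered query.

```python
import sqlite3

# Constructed rows (not real chat data). key_remote_jid is
# "<country code><number>@s.whatsapp.net"; key_from_me is 1 for messages the
# device owner sent and 0 for messages received; timestamp is in milliseconds.
CONSTRUCTED_ROWS = [
    ("15550001234@s.whatsapp.net", 1, "see you at 9", 1700000000000),
    ("15550001234@s.whatsapp.net", 0, "ok", 1700000060000),
    ("15551234000@s.whatsapp.net", 1, "1234 in the middle, not the end", 1700000120000),
    ("15559991234@s.whatsapp.net", 1, "second contact ending in 1234", 1700000180000),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for msgstore.db with the columns the question names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE messages (
               _id INTEGER PRIMARY KEY,
               key_remote_jid TEXT,
               key_from_me INTEGER,
               data TEXT,
               timestamp INTEGER)"""
    )
    conn.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, data, timestamp) VALUES (?, ?, ?, ?)",
        CONSTRUCTED_ROWS,
    )
    return conn


def messages_sent_to(conn: sqlite3.Connection, number_suffix: str) -> list:
    """Messages the owner sent to contacts whose number ends in number_suffix.

    The pattern is anchored on the JID suffix and bound as a parameter so a
    suffix taken from a case file cannot alter the query.
    """
    sql = """SELECT key_remote_jid,
                    data,
                    datetime(timestamp / 1000, 'unixepoch') AS sent_utc
             FROM messages
             WHERE key_from_me = 1
               AND key_remote_jid LIKE ?
             ORDER BY timestamp"""
    return conn.execute(sql, ("%" + number_suffix + "@s.whatsapp.net",)).fetchall()


def messages_matching_anywhere(conn: sqlite3.Connection, fragment: str) -> list:
    """The loose form from the question: matches the fragment anywhere in the JID."""
    sql = "SELECT key_remote_jid, data FROM messages WHERE key_remote_jid LIKE ? ORDER BY timestamp"
    return conn.execute(sql, ("%" + fragment + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("loose match, all directions:", len(messages_matching_anywhere(db, "1234")), "rows")
    for jid, text, when in messages_sent_to(db, "1234"):
        print(when, jid, repr(text))
```

The loose query returns all four constructed rows; the anchored, direction-filtered query returns only the two messages the owner actually sent to numbers ending in 1234.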
A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?
Explanation: PEiD is the option built for inspecting PE (Portable Executable) files: it reads the IMAGE_NT_HEADERS directly, displays the entry point, the section the entry point falls in and the section table, and matches the bytes at the entry point against a signature database to identify packers and compilers, all without disassembly. Its primary purpose is that packer and compiler detection; for a full walk through the import and export directories, an analyst typically pairs it with a dedicated header viewer, but among the choices offered PEiD is the one designed to summarise PE structure. An entry point outside .text, or a section marked both writable and executable, is the kind of anomaly such a tool surfaces immediately.
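To show what a PE header viewer is actually reading, here is a minimal parser as an added example (not code from the original page, PEiD or any other tool). It builds a constructed PE32 image consisting of headers and a section table only, then walks the DOS header, the PE signature, IMAGE_FILE_HEADER, the optional header's entry point and the section headers, and flags the two packer heuristics mentioned above: an entry point outside .text and a section that is both writable and executable.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_minimal_pe() -> bytes:
    """Constructed PE32 skeleton (headers + section table, no code bytes).

    The layout mimics a UPX-style packed binary: the entry point sits in a
    writable+executable section rather than in .text. Values are made up.
    """
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))                      # pad DOS stub to 0x80

    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),  # CODE | EXECUTE | READ
        (b"UPX1", 0x1000, 0x2000, 0x600, 0x600, 0xE0000040),   # DATA | EXECUTE | READ | WRITE
    ]
    size_of_optional = 0xE0                                     # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint (offset 16 in both PE32/PE32+).
    optional = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0x600, 0, 0x2010)
    optional += b"\x00" * (size_of_optional - len(optional))
    section_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, va, rsize, raw, 0, 0, 0, 0, flags)
        for name, vsize, va, rsize, raw, flags in sections
    )
    return dos + b"PE\x00\x00" + file_header + optional + section_table


def parse_pe(data: bytes) -> dict:
    """Parse the headers a PE viewer shows: machine, magic, entry point, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                               # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": rsize,
            "raw_pointer": raw,
            "characteristics": flags,
            "writable_and_executable": bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    entry_section = next(
        (s["name"] for s in sections
         if s["virtual_address"] <= entry_point < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])),
        None,
    )
    return {
        "machine": machine,
        "magic": magic,
        "entry_point": entry_point,
        "entry_section": entry_section,
        "entry_outside_text": entry_section != ".text",
        "sections": sections,
    }


if __name__ == "__main__":
    info = parse_pe(build_minimal_pe())
    print(f"machine=0x{info['machine']:x} magic=0x{info['magic']:x} "
          f"entry=0x{info['entry_point']:x} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['virtual_address']:05x} raw=0x{s['raw_size']:04x} "
              f"W+X={s['writable_and_executable']}")
```

Real samples add import and export directories (data directory entries in the optional header) on top of this; the section and entry-point view is what makes a packed binary stand out before any of that is resolved.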
During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?
Explanation: The file '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is the SQLite database sms.db, which holds SMS and iMessage content (the message, handle and chat tables) in an iTunes backup. Backup file names are the SHA-1 hash of the string '<domain>-<relative path>'; this one is the hash of 'HomeDomain-Library/SMS/sms.db'. In iOS 10 and later backups the same hash is still used, but the file is stored in a subdirectory named by its first two hex characters, and the mapping from hash to original path is recorded in Manifest.db. It is one of the most frequently recovered artifacts in iOS forensics.
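The naming scheme described above, as an added example that is not part of the original page. It derives the hashed file name from the domain and path, reverses the lookup for a handful of well-known artifact locations, and builds the sharded path used by iOS 10 and later backups. The sms.db entry is the one the question is about; the other three paths are well-known locations from older iOS versions and should be confirmed against the backup's Manifest before relying on them in a case.

```python
import hashlib

# Well-known artifact locations in the backup domain namespace. Only the
# domain and path strings are taken from the backup layout; the hashes are
# computed, never hard-coded. Newer iOS versions relocate some of these
# (call history, for instance, moved under Library/CallHistoryDB), so treat
# the non-SMS entries as starting points to verify against Manifest.db.
KNOWN_ARTIFACTS = {
    "SMS/iMessage database": ("HomeDomain", "Library/SMS/sms.db"),
    "Notes database (legacy)": ("HomeDomain", "Library/Notes/notes.sqlite"),
    "Call history (legacy)": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "Address book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
}


def backup_file_name(domain: str, relative_path: str) -> str:
    """SHA-1 of '<domain>-<relative path>', the backup's flat file name."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_sharded_path(domain: str, relative_path: str) -> str:
    """iOS 10+ layout: same hash, stored under a two-character subdirectory."""
    name = backup_file_name(domain, relative_path)
    return f"{name[:2]}/{name}"


def identify_backup_file(file_name: str):
    """Map a hashed backup file name back to a known artifact, or None."""
    wanted = file_name.lower().strip()
    for label, (domain, path) in KNOWN_ARTIFACTS.items():
        if backup_file_name(domain, path) == wanted:
            return label, f"{domain}-{path}"
    return None


if __name__ == "__main__":
    for label, (domain, path) in KNOWN_ARTIFACTS.items():
        print(f"{backup_file_name(domain, path)}  {domain}-{path}  ({label})")
    print(identify_backup_file("3d0d7e5fb2ce288813306e4d4636395e047a3d28"))
    print(backup_sharded_path("HomeDomain", "Library/SMS/sms.db"))
```

Running the block reproduces the hash from the question for the sms.db entry, which is the quickest way to check any file name seen in a backup directory against a suspected origin path.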
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Mobile and Malware Forensics. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Mobile and Malware Forensics questions on the CHFI frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Mobile and Malware Forensics is tested as part of the Computer Hacking Forensic Investigator CHFI blueprint. Practicing with targeted Mobile and Malware Forensics questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CHFI practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Mobile and Malware Forensics is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.