CCPA Exam Cellebrite Certified Physical Analyst
Cellebrite Certified Physical Analyst (CCPA) Exam
CCPA Exam Overview
The CCPA is a 3-day advanced-level certification that focuses on forensic analysis of extracted mobile
device data using Cellebrite Physical Analyzer (PA). Successful candidates must pass a knowledge test
and practical skills assessment with a score of 80% or higher.
Prerequisites: Cellebrite Certified Operator (CCO) certification is required before attempting CCPA.
Core Domains Tested:
• Creating and managing cases in Physical Analyzer
• Analyzing Android and iOS extractions (file systems, security models)
• SQLite database analysis and deleted data recovery
• Advanced search techniques and data carving
• Verification and validation of forensic findings
• Report generation
The exam includes both multiple-choice knowledge questions and a practical hands-on skills
assessment.
1. When loading a physical extraction from an Android device into Physical Analyzer, which file system
type typically indicates the extraction contains raw user data partitions including deleted files?
A. Logical extraction
B. File system extraction
C. Physical extraction
D. Advanced logical extraction
Answer: C
Physical extractions capture raw bit-for-bit copies of memory, including unallocated space where deleted
data may reside. Logical and file system extractions only copy active files and directories.
2. A forensic examiner is reviewing a case where a subject claims they never used a particular social
media application. The examiner locates an SQLite database file associated with that application. What
is the best approach to determine if the subject actually used the app?
A. Check only the application icon in the device's app drawer
B. Examine timestamps and records within the SQLite tables for user interaction data
C. Review only the device's web browsing history
D. Check the device's battery usage statistics
Answer: B
SQLite databases within application directories store user activity records, including messages, contacts,
and timestamps, even if the app icon is hidden or uninstalled.
3. The examiner opens an iOS extraction and notices that many records have "Created" timestamps but
no "Last Modified" timestamps. In SQLite forensics, what does this discrepancy potentially indicate?
A. The records were created by the system automatically
B. The records were created but never modified, which is common for many records
C. The records were deleted immediately after creation
D. The timestamps are corrupted by iOS security features
Answer: B
In SQLite databases, many records are written once and never updated. The absence of a Last Modified
timestamp does not indicate deletion; it simply means the row was inserted and never changed.
4. What is the primary limitation of Physical Analyzer's file carving feature when attempting to recover
data from unallocated space on an Android device?
A. File carving cannot recover SQLite records
B. File carving cannot recover data from encrypted user-data partitions on modern Android devices
C. File carving only works on iOS devices
D. File carving requires root access that Physical Analyzer cannot obtain
Answer: B
On Android devices with full-disk encryption or file-based encryption (Android 5.0+), the user-data
partition remains encrypted after boot. Physical extraction without decryption yields encrypted data
that carving cannot recover.
5. During verification of an extraction, the examiner calculates a hash value of the original evidence file
and compares it to the hash value of the processed output. Which forensic principle does this satisfy?
A. Authentication and integrity preservation
B. Chain of custody documentation
C. Least privilege access
D. Source code validation
Answer: A
Verification of hash values ensures that evidence has not been altered during processing, preserving data
integrity and authenticating that the working copy matches the original.
6. An examiner is examining an Android extraction and finds a file
path: /data/data/com.app.name/databases/app_data.db. Where in the file system hierarchy is this
located?
A. External storage (sdcard)