ANSWERS WITH VERIFIED SOLUTIONS
2024
INTRODUCTION TO MOBILE DEVICE INVESTIGATIONS
EPO #1: Determine types of technology and the unique identifiers associated with a mobile device. -
ANSWER · IMEI - International Mobile Equipment ID. A permanent 15-17 digit number.
· CDMA - MEID = Mobile Equipment ID. Can look up make/model
· SIM - Subscriber Identity Module. Authentication of device to cell network. ICCID is the serial number
for your SIM card.
· MSISDN - Mobile Directory Number and MIN - Mobile ID Number are other names for a phone number
· The Call Detail Records (CDR) need to know what tower the cellphone is connected to. They provide a
list of calls or other types of transmissions
INTRODUCTION TO MOBILE DEVICE INVESTIGATIONS
EPO #2: Use forensic hardware and software tools to extract and analyze digital data from a seized
mobile device. - ANSWER · Different types of extractions include manual, logical, and physical
o Manual: must take photographs of all screens
o Logical: usually using Cellebrite. Utilizes the built-in backup feature found in the device's operating
system (OS).
o Physical: Provides access to ALL data, basically a replica of the whole phone, usually requires forensic
software
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #1: Define the uses and roles of electronic devices in criminal activity. - ANSWER · Three Major Roles
o Computers as a target of an illegal scheme: system intrusion, hacking, DDOS attacks, or ransomware to
name a few.
o Computers used as the instrument or tool to facilitate criminal activity: e.g., solicitation of minors,
electronic stalking, credit card scams, tax or benefit fraud, ID theft
o Computers and other electronic devices as repositories of evidence and other information: may
contain photos, PII, or certain types of software
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #2: Identify electronic devices that may be or may contain evidence. - ANSWER · Permanent files as
well as temporary internet files. Search terms from web browsers
· Phone SIM cards
· Removable media - optical CDs, DVDs, and Blu-Ray or external drives, flash memory cards, or USB
drives.
· Cloud computing can contain evidence and needs an additional warrant.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #3: Describe how electronic evidence may be altered or destroyed. - ANSWER · The "two enemies"
are physical or external damage and software or internal alteration.
· All media can be altered through brute force, extreme temps, water/condensation, or fire. Seize it
anyway; the data may still be recoverable.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #4: Identify non-electronic items that may be important in the investigation of an electronic crime. -
ANSWER · Hardware: may contain DNA evidence or bodily fluids
· Printed documents or reports
· Scraps of paper with codes or passwords
· Indicators of ownership like receipts, mail, manuals
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #5: Identify the proper procedures in collecting, preserving, and transporting computers and
electronic items seized as evidence. - ANSWER · Use Faraday bags or wrap in foil if none are available.
· Secure crime scene both physically and electronically. Sever network connectivity. Unplug desktop.
· Conduct electronics sweep.
· Leave phone how you found it, on or off. Isolate phones in Faraday bag.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #6: Identify the proper procedures for RAM Capture and uses for recovered data. - ANSWER ·
Random Access Memory (RAM) - is the storage area of everything the computer processes. Capture it
especially if you cannot remove the actual device or cannot get the password.