GASF Cheat Sheet 2026

The 30 highest-yield GASF facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

75 questions
120 min time limit
69.00% to pass
  1. Which content provider URI would an examiner query to retrieve call log data from an Android device via ADB? content://call_log/calls
  2. What does ADB (Android Debug Bridge) allow forensic examiners to do on Android devices? Communicate with a device to extract data, run commands, and install tools
  3. Which tool is commonly used to perform a full file system extraction from a jailbroken iOS device? SSH with tar or dd
  4. Which of the following is a unique 56 bit number assigned to a CDMA handset? Mobile Station International Subscriber Directory Number (MSISDN)
  5. What tool is commonly used to examine SQLite databases recovered from mobile devices? DB Browser for SQLite
  6. What is the default file system used by most modern Android devices for internal storage? EXT4
  7. What is 'ISP (In-System Programming)' acquisition in mobile forensics? Connecting directly to the flash memory chip's test points on the PCB to read raw data
  8. What is the significance of the 'knowledgeC' database in iOS forensics? It records device usage and app activity timelines
  9. What is 'GrayKey' in the context of iOS forensics? A hardware device used to brute-force iOS passcodes
  10. When performing forensic analysis of mobile VPN usage, what artifact would best reveal the VPN server address, protocol used, and connection timestamps? VPN configuration profiles and app connection logs stored on the device
  11. Which Cellebrite product is specifically designed for physical and logical mobile device extraction? Cellebrite UFED (Universal Forensic Extraction Device)
  12. Which iOS backup file contains the device's backup encryption key wrapped by the backup password? Manifest.plist
  13. Where does WhatsApp typically store its message database on Android? /data/data/com.whatsapp/databases/msgstore.db
  14. Which Android partition contains the operating system and pre-installed system apps? /system
  15. What is a 'plist' file in iOS forensics and which formats can it take? A property list file; stored as binary, XML, or JSON encoding
  16. Which Google app on Android stores location history locally that can be forensically extracted? Google Maps (com.google.android.apps.maps)
  17. What forensic artifact can reveal a list of recently opened documents on an Android device? Recent tasks snapshot thumbnails and the RecentTask database
  18. Which Android forensic artifact records the history of Wi-Fi networks a device has connected to? /data/misc/wifi/WifiConfigStore.xml
  19. Where is the consolidated.db or Cache.SQLiteDb file located that stores location history on older iOS versions? /var/mobile/Library/Caches/locationd/
  20. Where does Android store notification history that can be forensically relevant? /data/data/com.android.systemui/databases/notification_history.db
  21. Which of the following is required in addition to the Apple ID of the custodian to access IOS backup files that are stored in ICloud? Device passcode
  22. What type of acquisition is being examined in the image below? Android physical
  23. Which file on Android devices stores Wi-Fi network configuration history including SSIDs that can establish a device's location history? /data/misc/wifi/wpa_supplicant.conf (legacy) or WifiConfigStore.xml (modern)
  24. Which artifact would reveal which apps were recently active in the foreground on an iOS device? knowledgeC.db ZOBJECT table
  25. The device pictured below is in Download Mode to attempt a physical acquisition. What can be ascertained by viewing the Android boot screen below? The Original/Factory ROM is booting
  26. Which format do most messaging and social media apps use to store local data on mobile devices? SQLite databases
  27. Based on the image below, which file system is being examined? Chinese knock-off
  28. What does the iOS 'sysdiagnose' archive contain that is useful for forensic analysis? System logs, crash reports, and diagnostic data
  29. What is the purpose of Android's 'logcat' in a forensic investigation? To capture real-time system and application log output
  30. What technique is commonly used to intercept and analyze encrypted HTTPS traffic from mobile applications during forensic investigations? SSL/TLS proxy interception via trusted CA certificate installation
Turn these facts into recall: