GASF Cheat Sheet 2026
The 30 highest-yield GASF facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
75 questions
120 min time limit
69.00% to pass
- Which content provider URI would an examiner query to retrieve call log data from an Android device via ADB? → content://call_log/calls
- What does ADB (Android Debug Bridge) allow forensic examiners to do on Android devices? → Communicate with a device to extract data, run commands, and install tools
- Which tool is commonly used to perform a full file system extraction from a jailbroken iOS device? → SSH with tar or dd
- Which of the following is a unique 56 bit number assigned to a CDMA handset? → Mobile Station International Subscriber Directory Number (MSISDN)
- What tool is commonly used to examine SQLite databases recovered from mobile devices? → DB Browser for SQLite
- What is the default file system used by most modern Android devices for internal storage? → EXT4
- What is 'ISP (In-System Programming)' acquisition in mobile forensics? → Connecting directly to the flash memory chip's test points on the PCB to read raw data
- What is the significance of the 'knowledgeC' database in iOS forensics? → It records device usage and app activity timelines
- What is 'GrayKey' in the context of iOS forensics? → A hardware device used to brute-force iOS passcodes
- When performing forensic analysis of mobile VPN usage, what artifact would best reveal the VPN server address, protocol used, and connection timestamps? → VPN configuration profiles and app connection logs stored on the device
- Which Cellebrite product is specifically designed for physical and logical mobile device extraction? → Cellebrite UFED (Universal Forensic Extraction Device)
- Which iOS backup file contains the device's backup encryption key wrapped by the backup password? → Manifest.plist
- Where does WhatsApp typically store its message database on Android? → /data/data/com.whatsapp/databases/msgstore.db
- Which Android partition contains the operating system and pre-installed system apps? → /system
- What is a 'plist' file in iOS forensics and which formats can it take? → A property list file; stored as binary, XML, or JSON encoding
- Which Google app on Android stores location history locally that can be forensically extracted? → Google Maps (com.google.android.apps.maps)
- What forensic artifact can reveal a list of recently opened documents on an Android device? → Recent tasks snapshot thumbnails and the RecentTask database
- Which Android forensic artifact records the history of Wi-Fi networks a device has connected to? → /data/misc/wifi/WifiConfigStore.xml
- Where is the consolidated.db or Cache.SQLiteDb file located that stores location history on older iOS versions? → /var/mobile/Library/Caches/locationd/
- Where does Android store notification history that can be forensically relevant? → /data/data/com.android.systemui/databases/notification_history.db
- Which of the following is required in addition to the Apple ID of the custodian to access IOS backup files that are stored in ICloud? → Device passcode
- What type of acquisition is being examined in the image below? → Android physical
- Which file on Android devices stores Wi-Fi network configuration history including SSIDs that can establish a device's location history? → /data/misc/wifi/wpa_supplicant.conf (legacy) or WifiConfigStore.xml (modern)
- Which artifact would reveal which apps were recently active in the foreground on an iOS device? → knowledgeC.db ZOBJECT table
- The device pictured below is in Download Mode to attempt a physical acquisition. What can be ascertained by viewing the Android boot screen below? → The Original/Factory ROM is booting
- Which format do most messaging and social media apps use to store local data on mobile devices? → SQLite databases
- Based on the image below, which file system is being examined? → Chinese knock-off
- What does the iOS 'sysdiagnose' archive contain that is useful for forensic analysis? → System logs, crash reports, and diagnostic data
- What is the purpose of Android's 'logcat' in a forensic investigation? → To capture real-time system and application log output
- What technique is commonly used to intercept and analyze encrypted HTTPS traffic from mobile applications during forensic investigations? → SSL/TLS proxy interception via trusted CA certificate installation
Turn these facts into recall: