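2025 Meiya Cup: Individual Round

Case Background

Hong Kong police received a report that someone had attacked another person with a wooden stick at Po Toi O, Sai Kung District. On arrival, officers found 冯子超 unconscious with a head injury, carrying only a smartphone and no identity documents. After investigation, the police arrested 陈民浩 for wounding. 陈民浩 remained silent after his arrest and refused to give an account of the case; a smartphone was seized from him, and 冯子超 was taken to hospital for treatment. The police examined both men's smartphones and had them processed by examiners. The data from 冯子超's smartphone is stored in FUNG_CC_mobile.zip, and the data from 陈民浩's smartphone is stored in CHAN_MH.zip. The police want you to apply your digital forensics knowledge to find investigative leads in the two smartphones.

P.S.:

While reviewing afterwards I read two experts' write-ups; the links are below.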

Xidian: https://forensics.xidian.edu.cn/wiki/MeiyaCup2025Individual/#_1

玫幽倩: https://mei-you-qian.github.io/2025/11/21/2025%E7%BE%8E%E4%BA%9A%E6%9D%AF-%E8%B5%84%E6%A0%BC%E8%B5%9B/

Evidence archive password

FEYn0MJLYy9zTQRFHlXGRkVqXv3IkE8h

Questions

1. [Single choice] Use the CHAN_MH.zip evidence to answer the following questions. Which operating system does this smartphone run?

A. iOS 17.1.1

B. iOS 17.2.1

C. iOS 17.3.1

D. iOS 17.0.1

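Check iDevice_info.txt.

Answer: A

2. [Fill in the blank] How many International Mobile Equipment Identity (IMEI) numbers are there on this phone? (Answer in Arabic numerals)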

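Just search for the English term IMEI.

Answer: 2

3. [Single choice] Following the previous question, which of the following is a correct International Mobile Equipment Identity (IMEI) number?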

A. 357328098205226

B. 357328097205226

C. 357328096205226

D. 357328095205226

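See the previous question.

Answer: A

4. [Single choice] Identify the Integrated Circuit Card Identifier (ICCID) of the last-used Subscriber Identity Module (SIM).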

A. 89852122206020998419

B. 89852122205020998419

C. 89852122204020998419

D. 89852122203020998419

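Search for the corresponding English term; it appears twice, both times with the same number.

Answer: A

5. [Fill in the blank] What is the last-used Apple ID? (Answer exactly as it appears in the competition material; mind case, spaces and symbols)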

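Searching for appleid finds it in iDevice_info.txt.

Alternatively, check Accounts3.sqlite, path: \var\mobile\Library\Accounts\Accounts3.sqlite

Answer: whoishogan@gmail.com

6. [Fill in the blank] What is the Bluetooth address of the Bluetooth module? (Answer in the format xx:xx:xx:xx:xx:xx)

Keyword: bluetooth

Answer: f8:38:80:bb:f5:28

7. [Fill in the blank] This smartphone has enabled "Personal Hotspot" to share its network. What is the name of its hotspot? (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

On an iPhone the hotspot name is the same as the device name, so just look up the device name.

Answer: iPhone

8. [Single choice] Which of the following Service Set Identifiers (SSID) has this smartphone never connected to?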

A. Hongn Home

B. CMHK

C. 1010 free wifi

D. ErrorError

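Path: \var\preferences\SystemConfiguration\com.apple.wifi-private-mac-networks.plist

Only C and D appear there.

The next question refers to CMHK, which rules out B.

Answer: A

9. [Fill in the blank] Give the date and time of the first connection to the wireless local area network (Wi-Fi) whose SSID is " CMHK" (Answer in the GMT+8 time zone, in the format yyyy-MM-dd HH:mm:ss)

10. [Single choice] Which of the following instant messaging apps are installed?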

i) WhatsApp

ii) WeChat

iii) WhatsApp Business

iv) QQ

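A. Only i) and ii)

B. Only i), ii) and iii)

C. Only i), ii) and iv)

D. All of the above

Look at the app directories under \var\mobile: com.tencent.xin is WeChat, and no Business edition of WhatsApp is present.

Answer: A

11. [Fill in the blank] Following the previous question, give the version of the instant messaging app "WhatsApp" (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

It is in Manifest.plist; just search for the package name.

Answer: 731647702.0

12. [Single choice] A total of 3 file-transfer apps are installed on 陈民浩's phone, with the package names com.apple.Sharing.AirDropUI, com.lenovo.anyshare and com.estmob.paprika. Which of them has been used to send/receive files?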

A. com.apple.Sharing.AirDropUI

B. com.lenovo.anyshare

C. com.estmob.paprika

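Only packages B and C are present on the iPhone.

Rule out A first, since it does not appear on his iPhone.

Package C contains a realm database file that holds file-transfer records.

Answer: C

13. [Fill in the blank] Following the previous question, what is the device ID of the device it sent data to or received data from? (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

The deviceinfo table shows it.

Answer: 5402313593439

14. [Fill in the blank] Following the previous question, what is the name of this device? (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

See the previous question.

Answer: Samsung SM-G930F

15. [Fill in the blank] Following the previous question, what is the device ID of the local device? (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

A similar package name also shows up on his other phone, an Android device, so the two phones presumably transferred files to each other.

On the Android phone, \data\com.estmob.android.sendanywhere\databases\main.db shows the iPhone's device name and the name of the photo that was transferred.

From there, the matching device ID can be found in the recent_device table.

Alternatively, check com.estmob.paprika.properties.plist.

Answer: 3836403626142

16. [Single choice] Following the previous question, was 陈民浩's phone (CHAN_MH_mobile.zip) the sender or the receiver?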

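A. Sender

B. Receiver

C. Both sender and receiver

The transfer start timestamp in the transfer_history table gives a start time of 2025-04-23 10:58:18, while the photo's creation time on the Android phone is 2025-04-23 10:53:07, so the iPhone is the receiver and the Android phone is the sender.

Answer: B

17. [Single choice] Judging by the name of the transferred file, which type is it? (single choice)

A. Screenshot

B. Video recorded on the phone

C. PDF document

D. zip archive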

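The file name gives it away; then locate the image and open it to check.

Answer: A

18. [Single choice] Following the previous question, which device was it received on?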

A. CHAN_MH_mobile.zip

B. blk0_sda.bin

C. FUNG_CC_mobile.zip

D. LAM_KH_Mobile.zip

E. WONG_CW_mobile.zip

See above.

Answer: B

19. [Single choice] Following the previous question, which mode of this file-transfer app did the sender use to send it?

A. SEND_PARTIALLY

B. SEND_PAPRIKA

C. SEND_DIRECTLY

D. SEND_BYCLOUD

E. SEND_BLUETOOTH

See transfer_type from question 16.

Answer: C

20. [Multiple choice] Which of the following web browsers has never been installed?

A. Safari

B. Chrome

C. Firefox

D. edge

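Only Safari appears on the iPhone, and only the built-in browser appears on the Android phone.

Answer: BCD

21. [Fill in the blank] Following the previous question, how many bookmark records does the Safari web browser have? (Answer in Arabic numerals)

Path: \var\mobile\Library\Safari\Bookmarks.db, which has the bookmarks and bookmark_title_words tables. From the title_words word-index table, the bookmarks start at OpenRice; counting down from there in bookmarks gives 9 in total.

Answer: 9

22. [Multiple choice] Following the previous question, which of the following terms have been searched for through the Safari browser?

A. 非法处理尸体最高刑罚 (maximum penalty for unlawful disposal of a corpse)

B. escape room hong kong

C. cypto wallet

D. 非法处理尸体 (unlawful disposal of a corpse)

It is in history.db in the same directory.


Answer: ABC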

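23. [Fill in the blank] How many image files have been stored to iCloud? (Answer in Arabic numerals)

Physical storage location of iCloud Drive data: /var/mobile/Library/Mobile Documents/

Answer: 2

24. [Fill in the blank] How many pictures in the photo album were obtained with the screenshot function? (Answer in Arabic numerals)

Photos.sqlite shows the source of each picture.

Filter with a SQL statement: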

select count(*)
from ZCLOUDMASTER
where ZIMPORTEDBYBUNDLEIDENTIFIER = 'com.apple.springboard'

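Answer: 15

25. [Fill in the blank] Refer to the competition material FUNG_CC_mobile.zip to answer the following questions. How many Wi-Fi networks has this smartphone connected to? (Answer in Arabic numerals)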

\var\preferences\SystemConfiguration\com.apple.wifi-private-mac-networks.plist

Answer: 2

26. [Single choice] Which of the following wireless networks has this smartphone connected to?

i) THREE_WIFI

ii) wanchai

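iii) iPhone(2)

iv) Router

A. Only i)

B. Only ii) and iii)

C. Only ii), iii) and iv)

D. All of the above

See the previous question.

Answer: B

27. [Fill in the blank] What is the earliest time this mobile phone connected to a (non-hotspot) Wi-Fi network? (Answer in the GMT+8 time zone, in the format yyyy-MM-dd HH:mm:ss)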

iPhone(2) is clearly an iPhone hotspot, so the network in question is wanchai. Its addedAt value is the earliest connection time; add 8 hours to it.

Answer: 2025-04-15 19:29:23
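Questions 8 and 25 to 27 all read com.apple.wifi-private-mac-networks.plist and convert addedAt to GMT+8. The block below is an added example, not part of the original write-up: it parses such a plist, lists every network with its addedAt in GMT+8, and returns the earliest non-hotspot entry. The embedded plist is constructed sample data; the top-level key and the SSID_STR field name are assumptions about the file layout (only addedAt is named in the write-up), and the set of hotspot SSIDs is supplied by the examiner.

```python
import plistlib
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))  # GMT+8, the zone the questions ask for

# Constructed sample, NOT taken from the evidence. The top-level key and the
# SSID_STR field are assumed names; only "addedAt" is named in the write-up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>List of scanned networks with private mac</key>
  <array>
    <dict>
      <key>SSID_STR</key><string>iPhone(2)</string>
      <key>addedAt</key><date>2025-04-14T03:00:00Z</date>
    </dict>
    <dict>
      <key>SSID_STR</key><string>wanchai</string>
      <key>addedAt</key><date>2025-04-15T11:29:23Z</date>
    </dict>
  </array>
</dict>
</plist>
"""


def find_networks(node):
    """Recursively yield every dict that carries an 'addedAt' date, so the
    walk does not depend on the exact nesting of the plist."""
    if isinstance(node, dict):
        if isinstance(node.get("addedAt"), datetime):
            yield node
        for value in node.values():
            yield from find_networks(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_networks(value)


def to_hkt(dt):
    """plist <date> values are UTC; plistlib returns them as naive datetimes."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(HKT)


def ssid_of(entry):
    """Return the SSID as text (assumed field name SSID_STR)."""
    raw = entry.get("SSID_STR")
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", "replace")
    return raw


def list_networks(plist_bytes):
    """Return [(ssid, addedAt in GMT+8)] sorted from oldest to newest."""
    root = plistlib.loads(plist_bytes)
    rows = [(ssid_of(e), to_hkt(e["addedAt"])) for e in find_networks(root)]
    return sorted(rows, key=lambda row: row[1])


def earliest_non_hotspot(plist_bytes, hotspot_ssids):
    """Skip SSIDs the examiner has identified as phone hotspots and return
    the first remaining network with its time formatted as the answer asks."""
    for ssid, added in list_networks(plist_bytes):
        if ssid not in hotspot_ssids:
            return ssid, added.strftime("%Y-%m-%d %H:%M:%S")
    return None


if __name__ == "__main__":
    for ssid, added in list_networks(SAMPLE_PLIST):
        print(f"{ssid:12s} {added:%Y-%m-%d %H:%M:%S} (GMT+8)")
    print(earliest_non_hotspot(SAMPLE_PLIST, {"iPhone(2)"}))
```

In the constructed sample the hotspot entry is older than wanchai, which shows why the hotspot has to be excluded before taking the minimum.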

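28. [Fill in the blank] Following the previous question, give the Service Set Identifier (SSID) of this connection. (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

See the previous question.

Answer: wanchai

29. [Fill in the blank] Following the previous question, give the login key of this connection. (Answer exactly as it appears in the competition material; mind case, spaces and symbols)

Answer: hellowanchai

30. [Single choice] The photo album contains two Graphics Interchange Format (gif) pictures, "IMG_0057.GIF" and "IMG_0062.GIF". Which app were they taken with?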

A. Infltr

B. Discreet

C. Meitu

D. Prisma

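I simply used Huoyan (火眼) here. For the database route, look at Photos.sqlite, but going through the database is too much trouble in this case.

Answer: A

31. [Single choice] Files were successfully sent to another device via AirDrop. Which of the following statements is correct?

A. One image file was sent

B. Two image files were sent

C. One image file and one document were sent

D. One image file and two documents were sent

Path: \var\mobile\Library\CoreDuet\People\interactionC.db. interactionC.db records the device owner's usage. Searching it for airdrop shows two package names, one related to Photos and one related to Files.

Answer: C

32. [Fill in the blank] In the native "Photos" app, one image file was successfully sent via "AirDrop". Give the full file name of this image file (Include the extension; answer exactly as it appears in the competition material; mind case, spaces and symbols)

Query Photos.sqlite for photos that have been shared; the SQL returns only this one.

Answer: IMG_0083.HEIC

33. [Fill in the blank] Following the previous question, give the date and time at which the transfer of this image file started. (Answer in the GMT+8 time zone, in the format yyyy-MM-dd HH:mm:ss)

Using the SQL from the Xidian write-up: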

CREATE TABLE thefirst AS
SELECT ZASSET.ZSORTTOKEN AS 'ZASSET-SORT TOKEN',
  ZASSET.ZPROMOTIONSCORE AS 'ZASSET-PROMOTION SCORE',
  CASE ZASSET.ZCOMPLETE
    WHEN 1 THEN '1-YES-1'
  END AS 'ZASSET COMPLETE',
  ZASSET.Z_PK AS 'ZASSET-ZPK',
  ZADDASSETATTR.Z_PK AS 'ZADDASSETATTR-ZPK',
  ZCLDMAST.Z_PK AS 'ZCLDMAST-ZPK=ZASSET-MASTER',
  ZASSET.ZMASTER AS 'ZASSET-MASTER=ZCLDMAST-ZPK',
  ZASSET.ZEXTENDEDATTRIBUTES AS 'ZASSET-EXTENDED ATTRIBUTES=ZEXTATTR-ZPK',
  ZEXTATTR.Z_PK AS 'ZEXTATTR-ZPK=ZASSET-ZEXTENDEDATTRIBUTES',
  CMZCLDMASTMEDDATA.ZCLOUDMASTER AS 'CMZCLDMASTMEDDATA-CLDMAST=ZCLDMAST-ZPK',
  ZCLDMAST.ZMEDIAMETADATA AS 'ZCLDMAST-MEDIA METADATA KEY=ZCLDMASTMEDDATA.ZPK',
  CMZCLDMASTMEDDATA.Z_PK AS 'CMZCLDMASTMEDDATA-ZPK=ZADDASSETATTR&ZCLDMAST-MEDIAMETADATA KEY',
  CMZCLDMASTMEDDATA.Z_ENT AS 'CMZCLDMASTMEDDATA-ZENT',
  ZASSET.ZUUID AS 'ZASSET-UUID = STORE.CLOUDPHOTODB',
  ZASSET.ZCLOUDASSETGUID AS 'ZASSET-CLOUD_ASSET_GUID = STORE.CLOUDPHOTODB',
  ZASSET.ZCLOUDCOLLECTIONGUID AS 'ZASSET.CLOUD COLLECTION GUID',
  ZCLDMAST.ZCLOUDMASTERGUID AS 'ZCLDMAST-CLOUD_MASTER_GUID = STORE.CLOUDPHOTODB',
  ZGENALBUM.ZCLOUDGUID AS 'ZGENALBUM-CLOUD_GUID = STORE.CLOUDPHOTODB',
  ZSHARE.ZSCOPEIDENTIFIER AS 'ZSHARE-SCOPE ID = STORE.CLOUDPHOTODB',
  ZADDASSETATTR.ZORIGINALASSETSUUID AS 'ZADDASSETATTR-ORIGINAL ASSETS UUID',
  ZADDASSETATTR.ZPUBLICGLOBALUUID AS 'ZADDASSETATTR-PUBLIC GLOBAL UUID',
  ZADDASSETATTR.ZMASTERFINGERPRINT AS 'ZADDASSETATTR-MASTER FINGERPRINT',
  ZADDASSETATTR.ZORIGINATINGASSETIDENTIFIER AS 'ZADDASSETATTR-ORIGINATING ASSET IDENTIFIER',
  ZCLDMAST.ZORIGINATINGASSETIDENTIFIER AS 'ZCLDMAST-ORIGINATING ASSET ID',
  ZINTRESOU.ZFINGERPRINT AS 'ZINTRESOU-FINGERPRINT',
  ZADDASSETATTR.ZADJUSTEDFINGERPRINT AS 'ZADDASSETATTR.ADJUSTED FINGERPRINT',
  ZUNMADJ.ZOTHERADJUSTMENTSFINGERPRINT AS 'ZUNMADJ-OTHER ADJUSTMENTS FINGERPRINT',
  ZUNMADJ.ZSIMILARTOORIGINALADJUSTMENTSFINGERPRINT AS 'ZUNMADJ-SIMILAR TO ORIG ADJUSTMENTS FINGERPRINT',
  CASE PARENTZGENALBUM.ZCLOUDLOCALSTATE
    WHEN 0 THEN '0-ICLDPHOTOS-ON=ASSET_IN_SHARED/OTHER-ALBUM/ICLDPHOTOS-OFF=GENERIC_ALBUM-0'
    WHEN 1 THEN '1-ICLDPHOTOS-ON=ASSET_IN_GENERIC ALBUM-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || PARENTZGENALBUM.ZCLOUDLOCALSTATE || ''
  END AS 'PARENTZGENALBUM-CLOUD-LOCAL-STATE-4START',
  PARENTZGENALBUM.ZTITLE AS 'PARENTZGENALBUM-TITLE-4START',
  DATETIME(PARENTZGENALBUM.ZCREATIONDATE + 978307200, 'UNIXEPOCH') AS 'PARENTZGENALBUM-CREATION DATE-4START',
  DATETIME(ZGENALBUM.ZCREATIONDATE + 978307200, 'UNIXEPOCH') AS 'ZGENALBUM-CREATION DATE-4START',
  CASE ZGENALBUM.ZCLOUDLOCALSTATE
    WHEN 0 THEN '0-ICLDPHOTOS-ON=ASSET_IN_SHARED/OTHER-ALBUM/ICLDPHOTOS-OFF=GENERIC_ALBUM-0'
    WHEN 1 THEN '1-ICLDPHOTOS-ON=ASSET_IN_GENERIC_ ALBUM-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZGENALBUM.ZCLOUDLOCALSTATE || ''
  END AS 'ZGENALBUM-CLOUD_LOCAL_STATE-4START',
  ZGENALBUM.ZTITLE AS 'ZGENALBUM-TITLE-4START',
  CASE ZASSET.ZBUNDLESCOPE
    WHEN 0 THEN '0-ICLDPHOTOS-ON=NOT-IN-SHARED-ALBUM_ICLDPHOTOS-OFF=ON-LOCAL-DEVICE-0'
    WHEN 1 THEN '1-SWY-SYNDICATION_CMMASSET-1'
    WHEN 2 THEN '2-ICLDPHOTOS-ON=ASSET-IN-CLOUD-SHARED-ALBUM-2'
    WHEN 3 THEN '3-ICLDPHOTOS-ON=SWY-SYNDICATION-ASSET-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZBUNDLESCOPE || ''
  END AS 'ZASSET-BUNDLE SCOPE',
  CASE ZASSET.ZCLOUDISMYASSET
    WHEN 0 THEN '0-NOT_MY_ASSET_IN_SHARED_ALBUM-0'
    WHEN 1 THEN '1-MY_ASSET_IN_SHARED_ALBUM-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZCLOUDISMYASSET || ''
  END AS 'ZASSET-CLOUD IS MY ASSET',
  CASE ZASSET.ZCLOUDISDELETABLE
    WHEN 0 THEN '0-NO-0'
    WHEN 1 THEN '1-YES-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZCLOUDISDELETABLE || ''
  END AS 'ZASSET-CLOUD IS DELETABLE/ASSET',
  CASE ZASSET.ZCLOUDLOCALSTATE
    WHEN 0 THEN 'ICLDPHOTOS ON=ASSET_IN_SHARED-OR-OTHERALBUM/ICLDPHOTOS_OFF=NOT_SYNCED-0'
    WHEN 1 THEN 'ICLDPHOTOS ON=ASSET_CAN-BE-OR-HAS-BEEN_SYNCED_WITH_ICLOUD-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZCLOUDLOCALSTATE || ''
  END AS 'ZASSET-CLOUD_LOCAL_STATE',
  CASE ZASSET.ZVISIBILITYSTATE
    WHEN 0 THEN '0-VISIBLE-PHOTO-LIBRARY-0'
    WHEN 2 THEN '2-NOT-VISIBLE-PHOTO-LIBRARY-2'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZVISIBILITYSTATE || ''
  END AS 'ZASSET-VISIBILITY STATE',
  ZEXTATTR.ZCAMERAMAKE AS 'ZEXTATTR-CAMERA MAKE',
  ZEXTATTR.ZCAMERAMODEL AS 'ZEXTATTR-CAMERA MODEL',
  ZEXTATTR.ZLENSMODEL AS 'ZEXTATTR-LENS MODEL',
  CASE ZEXTATTR.ZFLASHFIRED
    WHEN 0 THEN '0-NO FLASH-0'
    WHEN 1 THEN '1-FLASH FIRED-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZEXTATTR.ZFLASHFIRED || ''
  END AS 'ZEXTATTR-FLASH FIRED',
  ZEXTATTR.ZFOCALLENGTH AS 'ZEXTATTR-FOCAL LENGHT',
  ZEXTATTR.ZFOCALLENGTHIN35MM AS 'ZEXTATTR-FOCAL LENTH IN 35MM',
  ZEXTATTR.ZDIGITALZOOMRATIO AS 'ZEXTATTR-DIGITAL ZOOM RATIO',
  CASE ZASSET.ZDERIVEDCAMERACAPTUREDEVICE
    WHEN 0 THEN '0-BACK-CAMERA/OTHER-0'
    WHEN 1 THEN '1-FRONT-CAMERA-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZDERIVEDCAMERACAPTUREDEVICE || ''
  END AS 'ZASSET-DERIVED CAMERA CAPTURE DEVICE',
  CASE ZADDASSETATTR.ZCAMERACAPTUREDEVICE
    WHEN 0 THEN '0-BACK-CAMERA/OTHER-0'
    WHEN 1 THEN '1-FRONT-CAMERA-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZCAMERACAPTUREDEVICE || ''
  END AS 'ZADDASSETATTR-CAMERA CAPTURED DEVICE',
  CASE ZADDASSETATTR.ZIMPORTEDBY
    WHEN 0 THEN '0-CLOUD-OTHER-0'
    WHEN 1 THEN '1-NATIVE-BACK-CAMERA-1'
    WHEN 2 THEN '2-NATIVE-FRONT-CAMERA-2'
    WHEN 3 THEN '3-THIRD-PARTY-APP-3'
    WHEN 4 THEN '4-STILLTESTING-4'
    WHEN 5 THEN '5-PHOTOBOOTH_PL-ASSET-5'
    WHEN 6 THEN '6-THIRD-PARTY-APP-6'
    WHEN 7 THEN '7-ICLOUD_SHARE_LINK-CMMASSET-7'
    WHEN 8 THEN '8-SYSTEM-PACKAGE-APP-8'
    WHEN 9 THEN '9-NATIVE-APP-9'
    WHEN 10 THEN '10-STILLTESTING-10'
    WHEN 11 THEN '11-STILLTESTING-11'
    WHEN 12 THEN '12-SWY_SYNDICATION_PL-12'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZIMPORTEDBY || ''
  END AS 'ZADDASSETATTR-IMPORTED BY',
  CASE ZCLDMAST.ZIMPORTEDBY
    WHEN 0 THEN '0-CLOUD-OTHER-0'
    WHEN 1 THEN '1-NATIVE-BACK-CAMERA-1'
    WHEN 2 THEN '2-NATIVE-FRONT-CAMERA-2'
    WHEN 3 THEN '3-THIRD-PARTY-APP-3'
    WHEN 4 THEN '4-STILLTESTING-4'
    WHEN 5 THEN '5-PHOTOBOOTH_PL-ASSET-5'
    WHEN 6 THEN '6-THIRD-PARTY-APP-6'
    WHEN 7 THEN '7-ICLOUD_SHARE_LINK-CMMASSET-7'
    WHEN 8 THEN '8-SYSTEM-PACKAGE-APP-8'
    WHEN 9 THEN '9-NATIVE-APP-9'
    WHEN 10 THEN '10-STILLTESTING-10'
    WHEN 11 THEN '11-STILLTESTING-11'
    WHEN 12 THEN '12-SWY_SYNDICATION_PL-12'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZCLDMAST.ZIMPORTEDBY || ''
  END AS 'ZCLDMAST-IMPORTED BY',
  ZADDASSETATTR.ZIMPORTEDBYBUNDLEIDENTIFIER AS 'ZADDASSETATTR.IMPORTED BY BUNDLE IDENTIFIER',
  ZADDASSETATTR.ZIMPORTEDBYDISPLAYNAME AS 'ZADDASSETATTR-IMPORTED BY DISPLAY NAME',
  ZCLDMAST.ZIMPORTEDBYBUNDLEIDENTIFIER AS 'ZCLDMAST-IMPORTED BY BUNDLE ID',
  ZCLDMAST.ZIMPORTEDBYDISPLAYNAME AS 'ZCLDMAST-IMPORTED BY DISPLAY NAME',
  ZASSET.ZIMAGEREQUESTHINTS AS 'ZASSET-IMAGEREQUESTHINTS/HEX-PATH',
  CASE ZASSET.ZSAVEDASSETTYPE
    WHEN 0 THEN '0-SAVED-VIA-OTHER-SOURCE-0'
    WHEN 1 THEN '1-STILLTESTING-1'
    WHEN 2 THEN '2-STILLTESTING-2'
    WHEN 3 THEN '3-LOCAL-PHOTO-LIBRARY-ASSET-3'
    WHEN 4 THEN '4-PHOTO-CLOUD-SHARING-DATA-ASSET-4'
    WHEN 5 THEN '5-PHOTOBOOTH_PHOTO-LIBRARY-ASSET-5'
    WHEN 6 THEN '6-CLOUD-PHOTO-LIBRARY-ASSET-6'
    WHEN 7 THEN '7-STILLTESTING-7'
    WHEN 8 THEN '8-ICLOUDLINK_CLOUDMASTERMOMENTASSET-8'
    WHEN 12 THEN '12-SWY-SYNDICATION-PL-ASSET/AUTO-DISPLAYED_IN_LPL-12'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZSAVEDASSETTYPE || ''
  END AS 'ZASSET-SAVED ASSET TYPE-LPL',
  ZASSET.ZDIRECTORY AS 'ZASSET-DIRECTORY/PATH',
  ZASSET.ZFILENAME AS 'ZASSET-FILENAME',
  ZADDASSETATTR.ZORIGINALFILENAME AS 'ZADDASSETATTR-ORIGINAL FILENAME',
  ZCLDMAST.ZORIGINALFILENAME AS 'ZCLDMAST-ORIG FILENAME',
  ZADDASSETATTR.ZSYNDICATIONIDENTIFIER AS 'ZADDASSETATTR-SYNDICATION IDENTIFIER',
  DATETIME(ZASSET.ZADDEDDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-ADD DATE',
  CASE ZADDASSETATTR.ZDATECREATEDSOURCE
    WHEN 0 THEN '0-CLOUD-ASSET-0'
    WHEN 1 THEN '1-LOCAL_ASSET_EXIF-1'
    WHEN 3 THEN '3-LOCAL_ASSET_NO_EXIF-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZDATECREATEDSOURCE || ''
  END AS 'ZADDASSETATTR-DATE CREATED SOURCE',
  DATETIME(ZASSET.ZDATECREATED + 978307200, 'UNIXEPOCH') AS 'ZASSET-DATE CREATED',
  DATETIME(ZCLDMAST.ZCREATIONDATE + 978307200, 'UNIXEPOCH') AS 'ZCLDMAST-CREATION DATE',
  DATETIME(ZINTRESOU.ZCLOUDMASTERDATECREATED + 978307200, 'UNIXEPOCH') AS 'ZINTRESOU-CLDMST DATE CREATED',
  ZADDASSETATTR.ZTIMEZONENAME AS 'ZADDASSETATTR-TIME ZONE NAME',
  ZADDASSETATTR.ZTIMEZONEOFFSET AS 'ZADDASSETATTR-TIME ZONE OFFSET',
  ZADDASSETATTR.ZINFERREDTIMEZONEOFFSET AS 'ZADDASSETATTR-INFERRED TIME ZONE OFFSET',
  ZADDASSETATTR.ZEXIFTIMESTAMPSTRING AS 'ZADDASSETATTR-EXIF-STRING',
  DATETIME(ZASSET.ZMODIFICATIONDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-MODIFICATION DATE',
  CASE ZCLDMAST.ZCLOUDLOCALSTATE
    WHEN 0 THEN '0-NOT SYNCED WITH CLOUD-0'
    WHEN 1 THEN '1-PENDING UPLOAD-1'
    WHEN 2 THEN '2-STILLTESTING'
    WHEN 3 THEN '3-SYNCED WITH CLOUD-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZCLDMAST.ZCLOUDLOCALSTATE || ''
  END AS 'ZCLDMAST-CLOUD LOCAL STATE',
  DATETIME(ZCLDMAST.ZIMPORTDATE + 978307200, 'UNIXEPOCH') AS 'ZCLDMAST-IMPORT DATE',
  ZASSET.ZIMPORTSESSION AS 'ZASSET-IMPORT SESSION',
  ZADDASSETATTR.ZIMPORTSESSIONID AS 'ZADDASSETATTR-IMPORT SESSION ID',
  DATETIME(ZADDASSETATTR.ZALTERNATEIMPORTIMAGEDATE + 978307200, 'UNIXEPOCH') AS 'ZADDASSETATTR-ALT IMPORT IMAGE DATE',
  ZCLDMAST.ZIMPORTSESSIONID AS 'ZCLDMAST-IMPORT SESSION ID',
  DATETIME(ZASSET.ZCLOUDBATCHPUBLISHDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-CLOUD BATCH PUBLISH DATE',
  DATETIME(ZASSET.ZCLOUDSERVERPUBLISHDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-CLOUD SERVER PUBLISH DATE',
  ZASSET.ZCLOUDDOWNLOADREQUESTS AS 'ZASSET-CLOUD DOWNLOAD REQUESTS',
  ZASSET.ZCLOUDBATCHID AS 'ZASSET-CLOUD BATCH ID',
  DATETIME(ZADDASSETATTR.ZLASTUPLOADATTEMPTDATE + 978307200, 'UNIXEPOCH') AS 'ZADDASSETATTR-LAST UPLOAD ATTEMPT DATE-SWY',
  ZADDASSETATTR.ZUPLOADATTEMPTS AS 'ZADDASSETATTR-UPLOAD ATTEMPTS',
  CASE ZASSET.ZLATITUDE
    WHEN -180.0 THEN '-180.0'
    ELSE ZASSET.ZLATITUDE
  END AS 'ZASSET-LATITUDE',
  ZEXTATTR.ZLATITUDE AS 'ZEXTATTR-LATITUDE',
  CASE ZASSET.ZLONGITUDE
    WHEN -180.0 THEN '-180.0'
    ELSE ZASSET.ZLONGITUDE
  END AS 'ZASSET-LONGITUDE',
  ZEXTATTR.ZLONGITUDE AS 'ZEXTATTR-LONGITUDE',
  CASE ZADDASSETATTR.ZGPSHORIZONTALACCURACY
    WHEN -1.0 THEN '-1.0'
    ELSE ZADDASSETATTR.ZGPSHORIZONTALACCURACY
  END AS 'ZADDASSETATTR-GPS HORIZONTAL ACCURACY',
  ZASSET.ZLOCATIONDATA AS 'ZASSET-LOCATION DATA/HEX',
  ZADDASSETATTR.ZREVERSELOCATIONDATA AS 'ZADDASSETATTR-REVERSE LOCATION DATA/ORIG-ASSET/HEX NSKEYED PLIST',
  CASE ZADDASSETATTR.ZSHIFTEDLOCATIONISVALID
    WHEN 0 THEN '0-SHIFTED LOCATION NOT VALID-0'
    WHEN 1 THEN '1-SHIFTED LOCATION VALID-1'
  END AS 'ZADDASSETATTR-SHIFTED LOCATION VALID',
  ZADDASSETATTR.ZSHIFTEDLOCATIONDATA AS 'ZADDASSETATTR-SHIFTED LOCATION DATA',
  ZADDASSETATTR.ZLOCATIONHASH AS 'ZADDASSETATTR-LOCATION HASH',
  CASE AAAZCLDMASTMEDDATA.Z_OPT
    WHEN 1 THEN '1-STILLTESTING-CLOUD-1'
    WHEN 2 THEN '2-STILLTESTING-THIS DEVICE-2'
    WHEN 3 THEN '3-STILLTESTING-MUTED-3'
    WHEN 4 THEN '4-STILLTESTING-UNKNOWN-4'
    WHEN 5 THEN '5-STILLTESTING-UNKNOWN-5'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || AAAZCLDMASTMEDDATA.Z_OPT || ''
  END AS 'AAAZCLDMASTMEDDATA-ZOPT',
  ZADDASSETATTR.ZMEDIAMETADATATYPE AS 'ZADDASSETATTR-MEDIA METADATA TYPE',
  AAAZCLDMASTMEDDATA.ZDATA AS 'AAAZCLDMASTMEDDATA-DATA/HEX',
  CASE CMZCLDMASTMEDDATA.Z_OPT
    WHEN 1 THEN '1-STILLTESTING-HAS_CLDMASTASSET-1'
    WHEN 2 THEN '2-STILLTESTING-LOCAL_ASSET-2'
    WHEN 3 THEN '3-STILLTESTING-MUTED-3'
    WHEN 4 THEN '4-STILLTESTING-UNKNOWN-4'
    WHEN 5 THEN '5-STILLTESTING-UNKNOWN-5'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || CMZCLDMASTMEDDATA.Z_OPT || ''
  END AS 'CLDMASTERZCLDMASTMEDDATA-ZOPT',
  ZCLDMAST.ZMEDIAMETADATATYPE AS 'ZCLDMAST-MEDIA METADATA TYPE',
  CMZCLDMASTMEDDATA.ZDATA AS 'CMZCLDMASTMEDDATA-DATA/HEX',
  CASE ZASSET.ZSEARCHINDEXREBUILDSTATE
    WHEN 0 THEN '0-STILLTESTING-0'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZSEARCHINDEXREBUILDSTATE || ''
  END AS 'ZASSET-SEARCH INDEX REBUILD STATE',
  CASE ZASSET.ZORIENTATION
    WHEN 1 THEN '1-VIDEO-DEFAULT/ADJUSTMENT/HORIZONTAL-CAMERA-(LEFT)-1'
    WHEN 2 THEN '2-HORIZONTAL-CAMERA-(RIGHT)-2'
    WHEN 3 THEN '3-HORIZONTAL-CAMERA-(RIGHT)-3'
    WHEN 4 THEN '4-HORIZONTAL-CAMERA-(LEFT)-4'
    WHEN 5 THEN '5-VERTICAL-CAMERA-(TOP)-5'
    WHEN 6 THEN '6-VERTICAL-CAMERA-(TOP)-6'
    WHEN 7 THEN '7-VERTICAL-CAMERA-(BOTTOM)-7'
    WHEN 8 THEN '8-VERTICAL-CAMERA-(BOTTOM)-8'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZORIENTATION || ''
  END AS 'ZASSET-ORIENTATION',
  CASE ZADDASSETATTR.ZORIGINALORIENTATION
    WHEN 1 THEN '1-VIDEO-DEFAULT/ADJUSTMENT/HORIZONTAL-CAMERA-(LEFT)-1'
    WHEN 2 THEN '2-HORIZONTAL-CAMERA-(RIGHT)-2'
    WHEN 3 THEN '3-HORIZONTAL-CAMERA-(RIGHT)-3'
    WHEN 4 THEN '4-HORIZONTAL-CAMERA-(LEFT)-4'
    WHEN 5 THEN '5-VERTICAL-CAMERA-(TOP)-5'
    WHEN 6 THEN '6-VERTICAL-CAMERA-(TOP)-6'
    WHEN 7 THEN '7-VERTICAL-CAMERA-(BOTTOM)-7'
    WHEN 8 THEN '8-VERTICAL-CAMERA-(BOTTOM)-8'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZORIGINALORIENTATION || ''
  END AS 'ZADDASSETATTR-ORIGINAL ORIENTATION',
  CASE ZASSET.ZKIND
    WHEN 0 THEN '0-PHOTO-0'
    WHEN 1 THEN '1-VIDEO-1'
  END AS 'ZASSET-KIND',
  CASE ZASSET.ZKINDSUBTYPE
    WHEN 0 THEN '0-STILL-PHOTO-0'
    WHEN 2 THEN '2-LIVE-PHOTO-2'
    WHEN 10 THEN '10-SPRINGBOARD-SCREENSHOT-10'
    WHEN 100 THEN '100-VIDEO-100'
    WHEN 101 THEN '101-SLOW-MO-VIDEO-101'
    WHEN 102 THEN '102-TIME-LAPSE-VIDEO-102'
    WHEN 103 THEN '103-REPLAY_SCREEN_RECORDING-103'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZKINDSUBTYPE || ''
  END AS 'ZASSET-KIND-SUB-TYPE',
  CASE ZADDASSETATTR.ZCLOUDKINDSUBTYPE
    WHEN 0 THEN '0-STILL-PHOTO-0'
    WHEN 1 THEN '1-STILLTESTING'
    WHEN 2 THEN '2-LIVE-PHOTO-2'
    WHEN 3 THEN '3-SCREENSHOT-3'
    WHEN 10 THEN '10-SPRINGBOARD-SCREENSHOT-10'
    WHEN 100 THEN '100-VIDEO-100'
    WHEN 101 THEN '101-SLOW-MO-VIDEO-101'
    WHEN 102 THEN '102-TIME-LAPSE-VIDEO-102'
    WHEN 103 THEN '103-REPLAY_SCREEN_RECORDING-103'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZCLOUDKINDSUBTYPE || ''
  END AS 'ZADDASSETATTR-CLOUD KIND SUB TYPE',
  CASE ZASSET.ZPLAYBACKSTYLE
    WHEN 1 THEN '1-IMAGE-1'
    WHEN 2 THEN '2-IMAGE-ANIMATED-2'
    WHEN 3 THEN '3-LIVE-PHOTO-3'
    WHEN 4 THEN '4-VIDEO-4'
    WHEN 5 THEN '5-VIDEO-LOOPING-5'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZPLAYBACKSTYLE || ''
  END AS 'ZASSET-PLAYBACK STYLE',
  ZASSET.ZPLAYBACKVARIATION AS 'ZASSET-PLAYBACK VARIATION',
  ZASSET.ZDURATION AS 'ZASSET-VIDEO DURATION',
  ZEXTATTR.ZDURATION AS 'ZEXTATTR-DURATION',
  ZASSET.ZVIDEOCPDURATIONVALUE AS 'ZASSET-VIDEO CP DURATION',
  ZADDASSETATTR.ZVIDEOCPDURATIONTIMESCALE AS 'ZADDASSETATTR-VIDEO CP DURATION TIME SCALE',
  ZASSET.ZVIDEOCPVISIBILITYSTATE AS 'ZASSET-VIDEO CP VISIBILITY STATE',
  ZADDASSETATTR.ZVIDEOCPDISPLAYVALUE AS 'ZADDASSETATTR-VIDEO CP DISPLAY VALUE',
  ZADDASSETATTR.ZVIDEOCPDISPLAYTIMESCALE AS 'ZADDASSETATTR-VIDEO CP DISPLAY TIME SCALE',
  ZINTRESOU.ZASSET AS 'ZINTRESOU-ASSET=ZASSET.ZPK',
  ZINTRESOU.Z_PK AS 'ZINTRESOU-ZPK',
  ZINTRESOU.Z_ENT AS 'ZINTRESOU-ZENT',
  ZINTRESOU.Z_OPT AS 'ZINTRESOU-ZOPT',
  CASE ZINTRESOU.ZDATASTORECLASSID
    WHEN 0 THEN '0-LPL-ASSET_CPL-ASSET-0'
    WHEN 1 THEN '1-STILLTESTING-1'
    WHEN 2 THEN '2-PHOTO-CLOUD-SHARING-ASSET-2'
    WHEN 3 THEN '3-SWY_SYNDICATION_ASSET-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZDATASTORECLASSID || ''
  END AS 'ZINTRESOU-DATASTORE CLASS ID',
  CASE ZASSET.ZCLOUDPLACEHOLDERKIND
    WHEN 0 THEN '0-LOCAL&CLOUDMASTER ASSET-0'
    WHEN 1 THEN '1-STILLTESTING-1'
    WHEN 2 THEN '2-STILLTESTING-2'
    WHEN 3 THEN '3-JPG-ASSET_ONLY_PHDA/THUMB/V2-3'
    WHEN 4 THEN '4-LPL-JPG-ASSET_CPLASSET-OTHERTYPE-4'
    WHEN 5 THEN '5-ASSET_SYNCED_CPL_2_DEVICE-5'
    WHEN 6 THEN '6-STILLTESTING-6'
    WHEN 7 THEN '7-LPL-POSTER-JPG-ASSET_CPLASSET-MP4-7'
    WHEN 8 THEN '8-LPL-JPG_ASSET_CPLASSET-LIVEPHOTO-MOV-8'
    WHEN 9 THEN '9-CPL_MP4_ASSET_SAVED_2_LPL-9'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZCLOUDPLACEHOLDERKIND || ''
  END AS 'ZASSET-CLOUD PLACEHOLDER KIND',
  CASE ZINTRESOU.ZLOCALAVAILABILITY
    WHEN -1 THEN '(-1)-IR_ASSET_NOT_AVAIL_LOCALLY(-1)'
    WHEN 1 THEN '1-IR_ASSET_AVAIL_LOCALLY-1'
    WHEN -32768 THEN '(-32768)_IR_ASSET-SWY-LINKED_ASSET(-32768)'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZLOCALAVAILABILITY || ''
  END AS 'ZINTRESOU-LOCAL AVAILABILITY',
  CASE ZINTRESOU.ZLOCALAVAILABILITYTARGET
    WHEN 0 THEN '0-STILLTESTING-0'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZLOCALAVAILABILITYTARGET || ''
  END AS 'ZINTRESOU-LOCAL AVAILABILITY TARGET',
  CASE ZINTRESOU.ZCLOUDLOCALSTATE
    WHEN 0 THEN '0-IR_ASSET_NOT_SYNCED_NO_IR-CLDMASTDATECREATED-0'
    WHEN 1 THEN '1-IR_ASSET_PENING-UPLOAD-1'
    WHEN 2 THEN '2-IR_ASSET_PHOTO_CLOUD_SHARE_ASSET_ON-LOCAL-DEVICE-2'
    WHEN 3 THEN '3-IR_ASSET_SYNCED_ICLOUD-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZCLOUDLOCALSTATE || ''
  END AS 'ZINTRESOU-CLOUD LOCAL STATE',
  CASE ZINTRESOU.ZREMOTEAVAILABILITY
    WHEN 0 THEN '0-IR_ASSET-NOT-AVAIL-REMOTELY-0'
    WHEN 1 THEN '1-IR_ASSET_AVAIL-REMOTELY-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZREMOTEAVAILABILITY || ''
  END AS 'ZINTRESOU-REMOTE AVAILABILITY',
  CASE ZINTRESOU.ZREMOTEAVAILABILITYTARGET
    WHEN 0 THEN '0-STILLTESTING-0'
    WHEN 1 THEN '1-STILLTESTING-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZREMOTEAVAILABILITYTARGET || ''
  END AS 'ZINTRESOU-REMOTE AVAILABILITY TARGET',
  ZINTRESOU.ZTRANSIENTCLOUDMASTER AS 'ZINTRESOU-TRANSIENT CLOUD MASTER',
  ZINTRESOU.ZSIDECARINDEX AS 'ZINTRESOU-SIDE CAR INDEX',
  ZINTRESOU.ZFILEID AS 'ZINTRESOU- FILE ID',
  CASE ZINTRESOU.ZVERSION
    WHEN 0 THEN '0-IR_ASSET_STANDARD-0'
    WHEN 1 THEN '1-STILLTESTING-1'
    WHEN 2 THEN '2-IR_ASSET_ADJUSTMENTS-MUTATION-2'
    WHEN 3 THEN '3-IR_ASSET_NO_IR-CLDMASTDATECREATED-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZVERSION || ''
  END AS 'ZINTRESOU-VERSION',
  ZADDASSETATTR.ZORIGINALFILESIZE AS 'ZADDASSETATTR- ORIGINAL-FILE-SIZE',
  CASE ZINTRESOU.ZRESOURCETYPE
    WHEN 0 THEN '0-PHOTO-0'
    WHEN 1 THEN '1-VIDEO-1'
    WHEN 3 THEN '3-LIVE-PHOTO-3'
    WHEN 5 THEN '5-ADJUSTEMENT-DATA-5'
    WHEN 6 THEN '6-SCREENSHOT-6'
    WHEN 9 THEN '9-ALTERNATEPHOTO-3RDPARTYAPP-STILLTESTING-9'
    WHEN 13 THEN '13-MOVIE-13'
    WHEN 14 THEN '14-WALLPAPER-14'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZRESOURCETYPE || ''
  END AS 'ZINTRESOU-RESOURCE TYPE',
  ZINTRESOU.ZDATASTOREKEYDATA AS 'ZINTRESOU-DATASTOREKEYDATA/HEX',
  CASE ZINTRESOU.ZDATASTORESUBTYPE
    WHEN 0 THEN '0-NO CLOUD INTER RESOURCE-0'
    WHEN 1 THEN '1-MAIN-ASSET-ORIG-SIZE-1'
    WHEN 2 THEN '2-PHOTO-WITH-ADJUSTMENTS-2'
    WHEN 3 THEN '3-JPG-LARGE-THUMB-3'
    WHEN 4 THEN '4-JPG-MED-THUMB-4'
    WHEN 5 THEN '5-JPG-SMALL-THUMB-5'
    WHEN 6 THEN '6-VIDEO-MED-DATA-6'
    WHEN 7 THEN '7-VIDEO-SMALL-DATA-7'
    WHEN 8 THEN '8-MP4-CLOUD-SHARE-8'
    WHEN 9 THEN '9-STILLTESTING'
    WHEN 10 THEN '10-3RDPARTYAPP_THUMB-STILLTESTING-10'
    WHEN 11 THEN '11-STILLTESTING'
    WHEN 12 THEN '12-STILLTESTING'
    WHEN 13 THEN '13-PNG-OPTIMIZED_CPLASSET-13'
    WHEN 14 THEN '14-WALLPAPER-14'
    WHEN 15 THEN '15-HAS-MARKUP-AND-ADJUSTMENTS-15'
    WHEN 16 THEN '16-VIDEO-WITH-ADJUSTMENTS-16'
    WHEN 17 THEN '17-RAW_PHOTO-17_RT'
    WHEN 18 THEN '18-LIVE-PHOTO-VIDEO_OPTIMIZED_CPLASSET-18'
    WHEN 19 THEN '19-LIVE-PHOTO-WITH-ADJUSTMENTS-19'
    WHEN 20 THEN '20-STILLTESTING'
    WHEN 21 THEN '21-MOV-OPTIMIZED_HEVC-4K_VIDEO-21'
    WHEN 22 THEN '22-ADJUST-MUTATION_AAE_ASSET-22'
    WHEN 23 THEN '23-STILLTESTING'
    WHEN 24 THEN '24-STILLTESTING'
    WHEN 25 THEN '25-STILLTESTING'
    WHEN 26 THEN '26-MOV-OPTIMIZED_CPLASSET-26'
    WHEN 27 THEN '27-STILLTESTING'
    WHEN 28 THEN '28-MOV-MED-HDR-DATA-28'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZDATASTORESUBTYPE || ''
  END AS 'ZINTRESOU-DATASTORE SUB-TYPE',
  CASE ZINTRESOU.ZCLOUDSOURCETYPE
    WHEN 0 THEN '0-NA-0'
    WHEN 1 THEN '1-MAIN-ASSET-ORIG-SIZE-1'
    WHEN 2 THEN '2-PHOTO-WITH-ADJUSTMENTS-2'
    WHEN 3 THEN '3-JPG-LARGE-THUMB-3'
    WHEN 4 THEN '4-JPG-MED-THUMB-4'
    WHEN 5 THEN '5-JPG-SMALL-THUMB-5'
    WHEN 6 THEN '6-VIDEO-MED-DATA-6'
    WHEN 7 THEN '7-VIDEO-SMALL-DATA-7'
    WHEN 8 THEN '8-MP4-CLOUD-SHARE-8'
    WHEN 9 THEN '9-STILLTESTING'
    WHEN 10 THEN '10-3RDPARTYAPP_THUMB-STILLTESTING-10'
    WHEN 11 THEN '11-STILLTESTING'
    WHEN 12 THEN '12-STILLTESTING'
    WHEN 13 THEN '13-PNG-OPTIMIZED_CPLASSET-13'
    WHEN 14 THEN '14-WALLPAPER-14'
    WHEN 15 THEN '15-HAS-MARKUP-AND-ADJUSTMENTS-15'
    WHEN 16 THEN '16-VIDEO-WITH-ADJUSTMENTS-16'
    WHEN 17 THEN '17-RAW_PHOTO-17_RT'
    WHEN 18 THEN '18-LIVE-PHOTO-VIDEO_OPTIMIZED_CPLASSET-18'
    WHEN 19 THEN '19-LIVE-PHOTO-WITH-ADJUSTMENTS-19'
    WHEN 20 THEN '20-STILLTESTING'
    WHEN 21 THEN '21-MOV-OPTIMIZED_HEVC-4K_VIDEO-21'
    WHEN 22 THEN '22-ADJUST-MUTATION_AAE_ASSET-22'
    WHEN 23 THEN '23-STILLTESTING'
    WHEN 24 THEN '24-STILLTESTING'
    WHEN 25 THEN '25-STILLTESTING'
    WHEN 26 THEN '26-MOV-OPTIMIZED_CPLASSET-26'
    WHEN 27 THEN '27-STILLTESTING'
    WHEN 28 THEN '28-MOV-MED-HDR-DATA-28'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZCLOUDSOURCETYPE || ''
  END AS 'ZINTRESOU-CLOUD SOURCE TYPE',
  ZINTRESOU.ZDATALENGTH AS 'ZINTRESOU-DATA LENGTH',
  CASE ZINTRESOU.ZRECIPEID
    WHEN 0 THEN '0-ORIGFILESIZE_MATCH_DATALENGTH_OR_OPTIMIZED-0'
    WHEN 65737 THEN '65737-FULL-JPG_ORIG-PRORAW_DNG-65737'
    WHEN 65739 THEN '65739-JPG_LARGE_THUMB-65739'
    WHEN 65741 THEN '65741-VARIOUS_ASSET_TYPES-OR-THUMBS-65741'
    WHEN 65743 THEN '65743-RESOUTYPE-PHOTO_5003-OR-5005-JPG_THUMB-65743'
    WHEN 65749 THEN '65749-LOCALVIDEOKEYFRAME-JPG_THUMB-65749'
    WHEN 65938 THEN '65938-FULLSIZERENDER-PHOTO-OR-PLIST-65938'
    WHEN 131072 THEN '131072-FULLSIZERENDER-VIDEO-OR-PLIST-131072'
    WHEN 131077 THEN '131077-MEDIUM-MOV_HEVC-4K-131077'
    WHEN 131079 THEN '131079-MEDIUM-MP4_ADJ-MUTATION_ASSET-131079'
    WHEN 131081 THEN '131081-RESOUTYPE-VIDEO_5003-OR-5005-JPG_THUMB-131081'
    WHEN 131272 THEN '131272-FULLSIZERENDER-VIDEO_LIVEPHOTO_ADJ-MUTATION-131272'
    WHEN 131275 THEN '131275-MEDIUM-MOV_LIVEPHOTO-131275'
    WHEN 131277 THEN '131277-NO-IR-ASSET_LIVEPHOTO-ICLOUD_SYNC_ASSET-131277'
    WHEN 131475 THEN '131475-MEDIUM-HDR-MOV-131475'
    WHEN 327683 THEN '327683-JPG-THUMB_FOR_3RDPARTY-STILLTESTING-327683'
    WHEN 327687 THEN '627687-WALLPAPERCOMPUTERESOURCE-627687'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZRECIPEID || ''
  END AS 'ZINTRESOU-RECIPE ID',
  CASE ZINTRESOU.ZCLOUDLASTPREFETCHDATE
    WHEN 0 THEN '0-NA-0'
    ELSE DATETIME(ZINTRESOU.ZCLOUDLASTPREFETCHDATE + 978307200, 'UNIXEPOCH')
  END AS 'ZINTRESOU-CLOUD LAST PREFETCH DATE',
  ZINTRESOU.ZCLOUDPREFETCHCOUNT AS 'ZINTRESOU-CLOUD PREFETCH COUNT',
  DATETIME(ZINTRESOU.ZCLOUDLASTONDEMANDDOWNLOADDATE + 978307200, 'UNIXEPOCH') AS 'ZINTRESOU- CLOUD-LAST-ONDEMAND DOWNLOAD-DATE',
  CASE ZINTRESOU.ZUTICONFORMANCEHINT
    WHEN 0 THEN '0-NA/DOESNT_CONFORM-0'
    WHEN 1 THEN '1-UTTYPEIMAGE-1'
    WHEN 2 THEN '2-UTTYPEPRORAWPHOTO-2'
    WHEN 3 THEN '3-UTTYPEMOVIE-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZUTICONFORMANCEHINT || ''
  END AS 'ZINTRESOU-UNIFORMTYPEID_UTI_CONFORMANCE_HINT',
  CASE ZINTRESOU.ZCOMPACTUTI
    WHEN 1 THEN '1-JPEG/THM-1'
    WHEN 3 THEN '3-HEIC-3'
    WHEN 6 THEN '6-PNG-6'
    WHEN 7 THEN '7-STILLTESTING'
    WHEN 9 THEN '9-DNG-9'
    WHEN 23 THEN '23-JPEG/HEIC/QUICKTIME-MOV-23'
    WHEN 24 THEN '24-MPEG4-24'
    WHEN 36 THEN '36-WALLPAPER-36'
    WHEN 37 THEN '37-ADJ/MUTATION_DATA-37'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZCOMPACTUTI || ''
  END AS 'ZINTRESOU-COMPACT-UTI',
  ZASSET.ZUNIFORMTYPEIDENTIFIER AS 'ZASSET-UNIFORM TYPE ID',
  ZASSET.ZORIGINALCOLORSPACE AS 'ZASSET-ORIGINAL COLOR SPACE',
  ZCLDMAST.ZUNIFORMTYPEIDENTIFIER AS 'ZCLDMAST-UNIFORM_TYPE_ID',
  CASE ZCLDMAST.ZFULLSIZEJPEGSOURCE
    WHEN 0 THEN '0-CLDMAST-JPEG-SOURCE-VIDEO STILL-TESTING-0'
    WHEN 1 THEN '1-CLDMAST-JPEG-SOURCE-OTHER- STILL-TESTING-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZCLDMAST.ZFULLSIZEJPEGSOURCE || ''
  END AS 'ZCLDMAST-FULL SIZE JPEG SOURCE',
  ZASSET.ZHDRGAIN AS 'ZASSET-HDR GAIN',
  CASE ZASSET.ZHDRTYPE
    WHEN 0 THEN '0-NO-HDR-0'
    WHEN 3 THEN '3-HDR_PHOTO-3_RT'
    WHEN 4 THEN '4-NON-HDR_VERSION-4_RT'
    WHEN 5 THEN '5-HEVC_MOVIE-5'
    WHEN 6 THEN '6-PANORAMA-6_RT'
    WHEN 10 THEN '10-HDR-GAIN-10'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZHDRTYPE || ''
  END AS 'ZASSET-ZHDR_TYPE',
  ZEXTATTR.ZCODEC AS 'ZEXTATTR-CODEC',
  ZINTRESOU.ZCODECFOURCHARCODENAME AS 'ZINTRESOU-CODEC FOUR CHAR CODE NAME',
  ZCLDMAST.ZCODECNAME AS 'ZCLDMAST-CODEC NAME',
  ZCLDMAST.ZVIDEOFRAMERATE AS 'ZCLDMAST-VIDEO FRAME RATE',
  ZCLDMAST.ZPLACEHOLDERSTATE AS 'ZCLDMAST-PLACEHOLDER STATE',
  CASE ZASSET.ZDEPTHTYPE
    WHEN 0 THEN '0-NOT_PORTRAIT-0_RT'
    ELSE 'PORTRAIT: ' || ZASSET.ZDEPTHTYPE || ''
  END AS 'ZASSET-DEPTH_TYPE',
  ZASSET.ZAVALANCHEUUID AS 'ZASSET-AVALANCHE UUID',
  CASE ZASSET.ZAVALANCHEPICKTYPE
    WHEN 0 THEN '0-NA/SINGLE_ASSET_BURST_UUID-0_RT'
    WHEN 2 THEN '2-BURST_ASSET_NOT_SELECTED-2_RT'
    WHEN 4 THEN '4-BURST_ASSET_PHOTOSAPP_PICKED_KEYIMAGE-4_RT'
    WHEN 8 THEN '8-BURST_ASSET_SELECTED_FOR_LPL-8_RT'
    WHEN 16 THEN '16-TOP_BURST_ASSET_INSTACK_KEYIMAGE-16_RT'
    WHEN 32 THEN '32-STILLTESTING-32_RT'
    WHEN 52 THEN '52-BURST_ASSET_VISIBLE_LPL-52'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZAVALANCHEPICKTYPE || ''
  END AS 'ZASSET-AVALANCHE_PICK_TYPE/BURSTASSET',
  CASE ZADDASSETATTR.ZCLOUDAVALANCHEPICKTYPE
    WHEN 0 THEN '0-NA/SINGLE_ASSET_BURST_UUID-0_RT'
    WHEN 2 THEN '2-BURST_ASSET_NOT_SELECTED-2_RT'
    WHEN 4 THEN '4-BURST_ASSET_PHOTOSAPP_PICKED_KEYIMAGE-4_RT'
    WHEN 8 THEN '8-BURST_ASSET_SELECTED_FOR_LPL-8_RT'
    WHEN 16 THEN '16-TOP_BURST_ASSET_INSTACK_KEYIMAGE-16_RT'
    WHEN 32 THEN '32-STILLTESTING-32_RT'
    WHEN 52 THEN '52-BURST_ASSET_VISIBLE_LPL-52'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZCLOUDAVALANCHEPICKTYPE || ''
  END AS 'ZADDASSETATTR-CLOUD_AVALANCHE_PICK_TYPE/BURSTASSET',
  CASE ZADDASSETATTR.ZCLOUDRECOVERYSTATE
    WHEN 0 THEN '0-STILLTESTING'
    WHEN 1 THEN '1-STILLTESTING'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZCLOUDRECOVERYSTATE || ''
  END AS 'ZADDASSETATTR-CLOUD RECOVERY STATE',
  ZADDASSETATTR.ZCLOUDSTATERECOVERYATTEMPTSCOUNT AS 'ZADDASSETATTR-CLOUD STATE RECOVERY ATTEMPTS COUNT',
  ZASSET.ZDEFERREDPROCESSINGNEEDED AS 'ZASSET-DEFERRED PROCESSING NEEDED',
  ZASSET.ZVIDEODEFERREDPROCESSINGNEEDED AS 'ZASSET-VIDEO DEFERRED PROCESSING NEEDED',
  ZADDASSETATTR.ZDEFERREDPHOTOIDENTIFIER AS 'ZADDASSETATTR-DEFERRED PHOTO IDENTIFIER',
  ZADDASSETATTR.ZDEFERREDPROCESSINGCANDIDATEOPTIONS AS 'ZADDASSETATTR-DEFERRED PROCESSING CANDIDATE OPTIONS',
  CASE ZASSET.ZHASADJUSTMENTS
    WHEN 0 THEN '0-NO-ADJUSTMENTS-0'
    WHEN 1 THEN '1-YES-ADJUSTMENTS-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZHASADJUSTMENTS || ''
  END AS 'ZASSET-HAS ADJUSTMENTS/CAMERA-EFFECTS-FILTERS',
  ZUNMADJ.ZASSETATTRIBUTES AS 'ZUNMADJ-ASSET ATTRIBUTES=ZADDASSETATTR.ZPK',
  ZADDASSETATTR.ZUNMANAGEDADJUSTMENT AS 'ZADDASSETATTR-UNMANADJUST KEY=ZUNMADJ.ZPK',
  ZUNMADJ.Z_PK AS 'ZUNMADJ-ZPK=ZADDASSETATTR.ZUNMANADJ KEY',
  ZUNMADJ.ZUUID AS 'ZUNMADJ-UUID',
  DATETIME(ZASSET.ZADJUSTMENTTIMESTAMP + 978307200, 'UNIXEPOCH') AS 'ZASSET-ADJUSTMENT TIMESTAMP',
  DATETIME(ZUNMADJ.ZADJUSTMENTTIMESTAMP + 978307200, 'UNIXEPOCH') AS 'ZUNMADJ-ADJUSTMENT TIMESTAMP',
  ZADDASSETATTR.ZEDITORBUNDLEID AS 'ZADDASSETATTR-EDITOR BUNDLE ID',
  ZUNMADJ.ZEDITORLOCALIZEDNAME AS 'ZUNMADJ-EDITOR LOCALIZED NAME',
  ZUNMADJ.ZADJUSTMENTFORMATIDENTIFIER AS 'ZUNMADJ-ADJUSTMENT FORMAT ID',
  ZADDASSETATTR.ZMONTAGE AS 'ZADDASSETATTR-MONTAGE',
  CASE ZUNMADJ.ZADJUSTMENTRENDERTYPES
    WHEN 0 THEN '0-STANDARD OR PORTRAIT WITH ERROS-0'
    WHEN 1 THEN '1-STILLTESTING'
    WHEN 2 THEN '2-PORTRAIT-2'
    WHEN 3 THEN '3-STILLTESTING'
    WHEN 4 THEN '4-STILLTESTING'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZUNMADJ.ZADJUSTMENTRENDERTYPES || ''
  END AS 'ZUNMADJ-ADJUSTMENT RENDER TYPES',
  CASE ZUNMADJ.ZADJUSTMENTFORMATVERSION
    WHEN 1.0 THEN '1.0-MARKUP-1.0'
    WHEN 1.1 THEN '1.1-SLOW-MO-1.1'
    WHEN 1.2 THEN '1.2-STILLTESTING'
    WHEN 1.3 THEN '1.3-STILLTESTING'
    WHEN 1.4 THEN '1.4-FILTER-1.4'
    WHEN 1.5 THEN '1.5-ADJUST-1.5'
    WHEN 1.6 THEN '1.6-VIDEO-TRIM-1.6'
    WHEN 1.7 THEN '1.7-STILLTESTING'
    WHEN 1.8 THEN '1.8-STILLTESTING'
    WHEN 1.9 THEN '1.9-STILLTESTING'
    WHEN 2.0 THEN '2.0-SCREENSHOTSERVICES-2.0'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZUNMADJ.ZADJUSTMENTFORMATVERSION || ''
  END AS 'ZUNMADJ-ADJUSTMENT FORMAT VERSION',
  ZUNMADJ.ZADJUSTMENTBASEIMAGEFORMAT AS 'ZUNMADJ-ADJUSTMENT BASE IMAGE FORMAT',
  CASE ZASSET.ZFAVORITE
    WHEN 0 THEN '0-ASSET NOT FAVORITE-0'
    WHEN 1 THEN '1-ASSET FAVORITE-1'
  END AS 'ZASSET-FAVORITE',
  CASE ZASSET.ZHIDDEN
    WHEN 0 THEN '0-ASSET NOT HIDDEN-0'
    WHEN 1 THEN '1-ASSET HIDDEN-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZHIDDEN || ''
  END AS 'ZASSET-HIDDEN',
  CASE ZASSET.ZTRASHEDSTATE
    WHEN 0 THEN '0-ASSET NOT IN TRASH/RECENTLY DELETED-0'
    WHEN 1 THEN '1-ASSET IN TRASH/RECENTLY DELETED-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZTRASHEDSTATE || ''
  END AS 'ZASSET-TRASHED STATE/LOCALASSETRECENTLYDELETED',
  DATETIME(ZASSET.ZTRASHEDDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-TRASHED DATE',
  CASE ZASSET.ZDELETEREASON
    WHEN 1 THEN '1-STILLTESTING DELETE-REASON-1'
    WHEN 2 THEN '2-STILLTESTING DELETE-REASON-2'
    WHEN 3 THEN '3-STILLTESTING DELETE-REASON-3'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZDELETEREASON || ''
  END AS 'ZASSET-DELETE-REASON',
  CASE ZASSET.ZTRASHEDBYPARTICIPANT
    WHEN 1 THEN '1-ASSET TRASHED/RECENTLY DELETED BY PARTICIPANT-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZTRASHEDBYPARTICIPANT || ''
  END AS 'ZASSET-TRASHED BY PARTICIPANT',
  CASE ZINTRESOU.ZTRASHEDSTATE
    WHEN 0 THEN '0-ZINTRESOU-NOT IN TRASH/RECENTLY DELETED-0'
    WHEN 1 THEN '1-ZINTRESOU-IN TRASH/RECENTLY DELETED-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZTRASHEDSTATE || ''
  END AS 'ZINTRESOU-TRASH STATE',
  DATETIME(ZINTRESOU.ZTRASHEDDATE + 978307200, 'UNIXEPOCH') AS 'ZINTRESOU-TRASHED DATE',
  CASE ZASSET.ZCLOUDDELETESTATE
    WHEN 0 THEN '0-CLOUD ASSET NOT DELETED-0'
    WHEN 1 THEN '1-CLOUD ASSET DELETED-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZCLOUDDELETESTATE || ''
  END AS 'ZASSET-CLOUD DELETE STATE',
  CASE ZINTRESOU.ZCLOUDDELETESTATE
    WHEN 0 THEN '0-CLOUD INTRESOU NOT DELETED-0'
    WHEN 1 THEN '1-CLOUD INTRESOU DELETED-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZCLOUDDELETESTATE || ''
  END AS 'ZINTRESOU-CLOUD DELETE STATE',
  CASE ZADDASSETATTR.ZPTPTRASHEDSTATE
    WHEN 0 THEN '0-PTP NOT IN TRASH-0'
    WHEN 1 THEN '1-PTP IN TRASH-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZPTPTRASHEDSTATE || ''
  END AS 'ZADDASSETATTR-PTP TRASHED STATE',
  CASE ZINTRESOU.ZPTPTRASHEDSTATE
    WHEN 0 THEN '0-PTP INTRESOU NOT IN TRASH-0'
    WHEN 1 THEN '1-PTP INTRESOU IN TRASH-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZINTRESOU.ZPTPTRASHEDSTATE || ''
  END AS 'ZINTRESOU-PTP TRASHED STATE',
  ZINTRESOU.ZCLOUDDELETEASSETUUIDWITHRESOURCETYPE AS 'ZINTRESOU-CLOUD DELETE ASSET UUID WITH RESOURCE TYPE',
  DATETIME(ZMEDANLYASTATTR.ZMEDIAANALYSISTIMESTAMP + 978307200, 'UNIXEPOCH') AS 'ZMEDANLYASTATTR-MEDIA ANALYSIS TIMESTAMP',
  DATETIME(ZASSET.ZANALYSISSTATEMODIFICATIONDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-ANALYSIS STATE MODIFICAION DATE',
  ZADDASSETATTR.ZPENDINGVIEWCOUNT AS 'ZADDASSETATTR-PENDING VIEW COUNT',
  ZADDASSETATTR.ZVIEWCOUNT AS 'ZADDASSETATTR-VIEW COUNT',
  ZADDASSETATTR.ZPENDINGPLAYCOUNT AS 'ZADDASSETATTR-PENDING PLAY COUNT',
  ZADDASSETATTR.ZPLAYCOUNT AS 'ZADDASSETATTR-PLAY COUNT',
  ZADDASSETATTR.ZPENDINGSHARECOUNT AS 'ZADDASSETATTR-PENDING SHARE COUNT',
  ZADDASSETATTR.ZSHARECOUNT AS 'ZADDASSETATTR-SHARE COUNT',
  DATETIME(ZASSET.ZLASTSHAREDDATE + 978307200, 'UNIXEPOCH') AS 'ZASSET-LAST SHARED DATE',
  ZADDASSETATTR.ZSHAREORIGINATOR AS 'ZADDASSETATTR-SHARE ORIGINATOR',
  CASE ZASSET.ZSYNDICATIONSTATE
    WHEN 0 THEN '0-LOCAL-PL_ASSET_SYNDICATION_STATE_NA-0'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZSYNDICATIONSTATE || ''
  END AS 'ZASSET-SYNDICATION STATE-LPL',
  ZADDASSETATTR.ZSYNDICATIONHISTORY AS 'ZADDASSETATTR-SYNDICATION HISTORY',
  ZMEDANLYASTATTR.ZSYNDICATIONPROCESSINGVERSION AS 'ZMEDANLYASTATTR-SYNDICATION PROCESSING VERSION',
  CASE ZMEDANLYASTATTR.ZSYNDICATIONPROCESSINGVALUE
    WHEN 0 THEN '0-NA-0'
    WHEN 1 THEN '1-STILLTESTING_WIDE-CAMERA_JPG-1'
    WHEN 2 THEN '2-STILLTESTING_TELEPHOTO_CAMEAR_LENS-2'
    WHEN 4 THEN '4-STILLTESTING_SWY_ASSET_ORIGASSETIMPORT_SYSTEMPACKAGEAPP-4'
    WHEN 16 THEN '16-STILLTESTING-16'
    WHEN 1024 THEN '1024-STILLTESTING_SWY_ASSET_ORIGASSETIMPORT_NATIVECAMERA-1024'
    WHEN 2048 THEN '2048-STILLTESTING-2048'
    WHEN 4096 THEN '4096-STILLTESTING_SWY_ASSET_MANUALLY_SAVED-4096'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZMEDANLYASTATTR.ZSYNDICATIONPROCESSINGVALUE || ''
  END AS 'ZMEDANLYASTATTR-SYNDICATION PROCESSING VALUE',
  CASE ZADDASSETATTR.ZALLOWEDFORANALYSIS
    WHEN 0 THEN '0-ASSET NOT ALLOWED FOR ANALYSIS-0'
    WHEN 1 THEN '1-ASSET ALLOWED FOR ANALYSIS-1'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZALLOWEDFORANALYSIS || ''
  END AS 'ZADDASSETATTR-ALLOWED FOR ANALYSIS',
  ZADDASSETATTR.ZSCENEANALYSISVERSION AS 'ZADDASSETATTR-SCENE ANALYSIS VERSION',
  CASE ZADDASSETATTR.ZSCENEANALYSISISFROMPREVIEW
    WHEN 0 THEN '0-NO-0'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZSCENEANALYSISISFROMPREVIEW || ''
  END AS 'ZADDASSETATTR-SCENE ANALYSIS IS FROM PREVIEW',
  DATETIME(ZADDASSETATTR.ZSCENEANALYSISTIMESTAMP + 978307200, 'UNIXEPOCH') AS 'ZADDASSETATTR-SCENE ANALYSIS TIMESTAMP',
  CASE ZASSET.ZDUPLICATEASSETVISIBILITYSTATE
    WHEN 0 THEN 'NO-DUPLICATES-0'
    WHEN 1 THEN 'HAS DUPLICATE-1'
    WHEN 2 THEN 'IS A DUPLICATE-2'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZASSET.ZDUPLICATEASSETVISIBILITYSTATE || ''
  END AS 'ZASSET-DUPLICATION ASSET VISIBILITY STATE',
  CASE ZADDASSETATTR.ZDESTINATIONASSETCOPYSTATE
    WHEN 0 THEN '0-NO COPY-0'
    WHEN 1 THEN '1-HAS A COPY-1'
    WHEN 2 THEN '2-HAS A COPY-2'
    ELSE 'UNKNOWN-NEW-VALUE!: ' || ZADDASSETATTR.ZDESTINATIONASSETCOPYSTATE || ''
  END AS 'ZADDASSETATTR-DESTINATION ASSET COPY STATE',
  ZSCENEP.ZDATA AS 'ZSCENEP-DATA/HEX NSKEYED PLIST',
  ZSCENEP.ZDUPLICATEMATCHINGDATA AS 'ZSCENEP-DUPLICATE MATCHING DATA/HEX NSKEYED PLIST',
  ZSCENEP.ZDUPLICATEMATCHINGALTERNATEDATA AS 'ZSCENEP-DUPLICATE MATCHING ALTERNAT DATA/HEX NSKEYED PLIST',
  ZADDASSETATTR.ZSOURCEASSETFORDUPLICATIONSCOPEIDENTIFIER AS 'ZADDASSETATTR-SOURCE ASSET FOR DUPLICATION SCOPE ID',
  ZCLDMAST.ZSOURCEMASTERFORDUPLICATIONSCOPEIDENTIFIER AS 'ZCLDMAST-SOURCE MASTER FOR DUPLICATION SCOPE ID',
  ZADDASSETATTR.ZSOURCEASSETFORDUPLICATIONIDENTIFIER AS 'ZADDASSETATTR-SOURCE ASSET FOR DUPLICATION ID',
  ZCLDMAST.ZSOURCEMASTERFORDUPLICATIONIDENTIFIER AS 'ZCLDMAST-SOURCE MASTER FOR DUPLICATION ID'
FROM ZASSET ZASSET
  LEFT JOIN ZADDITIONALASSETATTRIBUTES ZADDASSETATTR ON ZADDASSETATTR.Z_PK = ZASSET.ZADDITIONALATTRIBUTES
  LEFT JOIN ZEXTENDEDATTRIBUTES ZEXTATTR ON ZEXTATTR.Z_PK = ZASSET.ZEXTENDEDATTRIBUTES
  LEFT JOIN ZINTERNALRESOURCE ZINTRESOU ON ZINTRESOU.ZASSET = ZASSET.Z_PK
  LEFT JOIN ZSCENEPRINT ZSCENEP ON ZSCENEP.Z_PK = ZADDASSETATTR.ZSCENEPRINT
  LEFT JOIN Z_28ASSETS Z28ASSETS ON Z28ASSETS.Z_3ASSETS = ZASSET.Z_PK
  LEFT JOIN ZGENERICALBUM ZGENALBUM ON ZGENALBUM.Z_PK = Z28ASSETS.Z_28ALBUMS
  LEFT JOIN ZUNMANAGEDADJUSTMENT ZUNMADJ ON ZADDASSETATTR.ZUNMANAGEDADJUSTMENT = ZUNMADJ.Z_PK
  LEFT JOIN Z_27ALBUMLISTS Z27ALBUMLISTS ON Z27ALBUMLISTS.Z_27ALBUMS = ZGENALBUM.Z_PK
  LEFT JOIN ZALBUMLIST ZALBUMLIST ON ZALBUMLIST.Z_PK = Z27ALBUMLISTS.Z_2ALBUMLISTS
  LEFT JOIN ZGENERICALBUM PARENTZGENALBUM ON PARENTZGENALBUM.Z_PK = ZGENALBUM.ZPARENTFOLDER
  LEFT JOIN ZCLOUDMASTER ZCLDMAST ON ZASSET.ZMASTER = ZCLDMAST.Z_PK
  LEFT JOIN ZCLOUDMASTERMEDIAMETADATA AAAZCLDMASTMEDDATA ON AAAZCLDMASTMEDDATA.Z_PK = ZADDASSETATTR.ZMEDIAMETADATA
  LEFT JOIN ZCLOUDMASTERMEDIAMETADATA CMZCLDMASTMEDDATA ON CMZCLDMASTMEDDATA.Z_PK = ZCLDMAST.ZMEDIAMETADATA
  LEFT JOIN ZMEDIAANALYSISASSETATTRIBUTES ZMEDANLYASTATTR ON ZASSET.ZMEDIAANALYSISATTRIBUTES = ZMEDANLYASTATTR.Z_PK
  LEFT JOIN ZSHARE ZSHARE ON ZSHARE.Z_PK = ZASSET.ZMOMENTSHARE
ORDER BY ZASSET.ZADDEDDATE

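Filter on the time columns; the last shared date is the time the file was sent.

Answer: 2025-04-17 09:10:03

34. [Fill in the blank] Which multimedia file is stored in both the "Files" app (bundle identifier: com.apple.DocumentsApp) and the "Photos" app (bundle identifier: com.apple.mobileslideshow)? (Include the file extension; answer exactly as it appears in the contest material, minding case, spaces and symbols)

The local path of the Files app is \var\mobile\Applications\group.com.apple.FileProvider.LocalStorage

The local path of the Photos app is the camera roll, path: \var\mobile\Media\DCIM

The computed hashes are identical, which confirms it is the same file.

Answer: IMG_0010.MOV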
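The hash comparison used for question 34, as an added example that is not part of the original write-up: it hashes the files under two exported directories and reports byte-identical pairs, hashing only files whose size occurs in both trees. The sample tree and its file names are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large videos do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_by_size(root):
    """Map file size -> regular files of that size under root."""
    sizes = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                sizes[os.path.getsize(path)].append(path)
    return sizes


def common_files(tree_a, tree_b):
    """Return sorted (path_in_a, path_in_b, sha256) for byte-identical files."""
    by_size_a, by_size_b = files_by_size(tree_a), files_by_size(tree_b)
    matches = []
    for size in by_size_a.keys() & by_size_b.keys():
        if size == 0:          # every empty file has the same hash
            continue
        digests_a = defaultdict(list)
        for path in by_size_a[size]:
            digests_a[sha256_file(path)].append(path)
        for path in by_size_b[size]:
            digest = sha256_file(path)
            for twin in digests_a.get(digest, []):
                matches.append((os.path.relpath(twin, tree_a),
                                os.path.relpath(path, tree_b), digest))
    return sorted(matches)


def build_sample(root):
    """Constructed stand-ins for the Files app storage and the DCIM folder."""
    files_dir = os.path.join(root, "LocalStorage")
    dcim_dir = os.path.join(root, "DCIM")
    os.makedirs(files_dir)
    os.makedirs(os.path.join(dcim_dir, "100APPLE"))
    video = b"constructed video bytes" * 1000
    other = b"constructed other bytes" * 1000      # same size, different data
    samples = {
        os.path.join(files_dir, "clip.mov"): video,
        os.path.join(files_dir, "notes.txt"): b"constructed note",
        os.path.join(dcim_dir, "100APPLE", "IMG_0001.MOV"): video,
        os.path.join(dcim_dir, "100APPLE", "IMG_0002.MOV"): other,
    }
    for path, data in samples.items():
        with open(path, "wb") as handle:
            handle.write(data)
    return files_dir, dcim_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in common_files(*build_sample(tmp)):
            print(row)
```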

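35. [Fill in the blank] Which app took the image file "IMG_0079.JPG" found in the "Photos" app (bundle identifier: com.apple.mobileslideshow)? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Filter the result table produced earlier from Photos.sqlite.

Answer: Discreet

36. [Fill in the blank] Following the previous question: the image file was taken by that app and later saved to the "Photos" app (bundle identifier: com.apple.mobileslideshow) as "IMG_0079.JPG". What is the image's original file name? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Go by what IMG_0079.JPG looks like and find the matching image under the app's container directory, path: \var\mobile\Applications\com.uazoo.ssc\Documents\DiscreetCameraApp_1744790959352.png

Answer: DiscreetCameraApp_1744790959352.png

37. [Fill in the blank] Following the previous question, what is the creation time of the original file? (Answer in the GMT+8 time zone and the following format: yyyy-MM-dd HH:mm:ss)

In X-Ways, use the content creation time; the creation time is not accurate.

Answer: 2025-04-16 16:09:19

38. [Single choice] In the "Photos" app (bundle identifier: com.apple.mobileslideshow), was any other multimedia file saved to "Photos" between the saving of "IMG_0014.MOV" and the saving of "IMG_0016.MOV"?

A. Yes

B. No

C. One was shot but not saved

D. Cannot be determined

Look at the ZASSET table: the Z_PK values of the two files are consecutive, so no other file was saved between them.

Answer: B

39. [Single choice] Following the previous question, which of the following statements correctly describes the previous answer?

A. "IMG_0015.MOV" was saved directly to the Hidden album when it was created

B. "IMG_0015.MOV" was uploaded directly to iCloud when it was created

C. Time-lapse was used when "IMG_0014.MOV" was created

D. "IMG_0015.MOV" was renamed to "IMG_0016.MOV" when it was created

I found no information about IMG_0015.MOV; perhaps the file name is wrong?

Answer: C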

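40. [Single choice] In the "Photos" app (bundle identifier: com.apple.mobileslideshow), what is the original geolocation (WGS84) of "IMG_0027.HEIC"?

A. (22.2816569, 114.1756115)

B. (22.2826366666667, 114.168503333333)

C. (22.2826216666667, 114.168525)

D. (22.2826216666667, 114.168503333333)

Find the file in the camera roll, read its latitude and longitude, and convert them.

Answer: C

41. [Single choice] How many image files were downloaded through the web browser "Safari"?

A. 1

B. 2

C. 3

D. 4

Filter by bundle name.

Answer: 2

42. [Single choice] The multimedia file " IMG_0004.MOV" was modified and then saved as another file. What is that file's name?

A. IMG_0085.mov

B. IMG_0086.mov

C. IMG_0087.mov

D. IMG_0088.mov

Filter the ZCLDMAST-ORIG FILENAME column for IMG_0004.

Answer: A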

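43. [Fill in the blank] A question was once asked through the AI chat app "POE". Give the complete sentence of that question. (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Poe is a Quora product, which identifies the bundle name com.quora.app.Experts as the one related to Poe. Database path: \var\mobile\Applications\com.quora.app.Experts\Documents\apollo_db.sqlite. First filter the key column, keeping the rows that contain message, then keep the rows whose record contains a text field. Going through them one by one, the record at row 370 contains human and chat_input, which looks like a question the user put to the AI. I asked an AI about it and it confirmed that this is the question sentence; text holds the complete content.

Answer: What’s that mean

44. [Fill in the blank] Following the previous question, give the date and time the question was asked (answer format: yyyy-MM-dd HH:mm:ss, GMT+8)

Convert the creation time timestamp.

Answer: 2025-04-16 13:50:06

45. [Fill in the blank] Following the previous question, which bot was in use at the time? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Do a reverse lookup using this message's id.

The filtered result shows the bot id; query again by that id.

Answer: gpt4_1_mini

46. [Fill in the blank] Following the previous question, what was the user name at the time? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Do a reverse lookup using the user's id.

Answer: Duncan

47. [Fill in the blank] Give the "WeChat ID" of the instant messaging app "WeChat" (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Answer: wxid_c9xyspglub7512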

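48. [Single choice] Following the previous question, how many "Channels" (视频号) does this "WeChat ID" follow?

A. 1

B. 2

C. 3

D. 4

Channels data is kept in the finder directory, path: \var\mobile\Applications\com.tencent.xin\Documents\5f1d6cc9474fbbc2fb3dc807008543d5\finder. Look at finder_main.db: the finderContractTable3 table holds cached Channels account information, and whether an account is followed is shown by followstate.

Answer: B

49. [Fill in the blank] Give the WhatsApp ID of the instant messaging app WhatsApp (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Path: \var\mobile\Applications\group.net.whatsapp.WhatsApp.shared\Library\Preferences\group.net.whatsapp.WhatsApp.shared.plist

Answer: 85254974406@s.whatsapp.net

50. [Single choice] In the instant messaging app WhatsApp, which of the following chat groups has been archived?

A. 凤凰VIP会员心得交流群

B. 币淘 群组1

C. Sportsmen

D. Titus Wong Manson Finance

Database ChatStorage.sqlite, table ZWACHATSESSION; look at the ARCHIVED field.

Answer: A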

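51. [Fill in the blank] In the instant messaging app WhatsApp, how many channels are followed in total? (Answer in Arabic numerals)

Channels are the sessions whose ZSESSIONTYPE is 5.

SELECT COUNT(*)
FROM ZWACHATSESSION
WHERE ZSESSIONTYPE == 5

Answer: 19

52. [Single choice] In the instant messaging app "WhatsApp", which of the following are administrators of the group "Investors"?

i) 85254974406@s.whatsapp.net

ii) 85260927726@s.whatsapp.net

iii) 85254961408@s.whatsapp.net

A. Only i)

B. Only i) and ii)

C. Only ii) and iii)

D. All of the above

Join the ZWAGROUPMEMBER and ZWACHATSESSION tables: Z_PK in ZWACHATSESSION is matched to the ZWAGROUPMEMBER rows (through ZCHATSESSION, as in the query), and ZISADMIN marks the administrators.

SELECT 
    M.ZMEMBERJID,      -- account ID of the administrator
    M.ZCONTACTNAME,    -- nickname of the administrator
    M.ZISADMIN         -- confirm it is 1 (administrator)
FROM 
    ZWAGROUPMEMBER M
JOIN 
    ZWACHATSESSION S 
ON 
    S.Z_PK = M.ZCHATSESSION
WHERE 
    S.ZPARTNERNAME = 'Investors'  -- keep the group named Investors
    AND M.ZISADMIN = 1;           -- keep administrators only (1)

Answer: B

53. [Fill in the blank] In the instant messaging app "WhatsApp", what is the group ID of the group "Investors"? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Filter ZWACHATSESSION.

Answer: 120363417204753192@g.us

54. [Fill in the blank] In the instant messaging app "WhatsApp", what is the name of the "community"? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Read it directly in Huoyan (火眼).

In the database, the community's ZSESSIONTYPE is set to 4.

Answer: We are 3

55. [Single choice] Following the previous question, give the hash value (SHA256) of this community's group icon

A. B1A3706C574F81A3EE084FB9509997E06349E86D904D1DC10B879D1D5ED83125

B. B8BA258402925E139CAFBBBBBC809EC160B70BB03DBD4D0F3063F58F69D0B956

C. E43ADC646295BC5011577D4E733B6289D31A5E11ACB45285BE1FF530260DF383

D. 20E64C78F9926548CEEFB1783991A4AD71A6631F3C86002254342E323A898C6A

Use the ZCONTACTJID obtained in the previous question to look in the media directory under the app's container.

Answer: A

56. [Fill in the blank] In the instant messaging app "WhatsApp", find the group that WhatsApp ID 85254961408@s.whatsapp.net used to be in but is no longer in, and give the group's name. (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

ZISACTIVE shows whether the member is still in the group: 1 means in the group, 0 means no longer in it. Filter and group accordingly.

select ZCHATSESSION,ZISACTIVE,ZMEMBERJID
from ZWAGROUPMEMBER
where ZMEMBERJID=='85254961408@s.whatsapp.net'
order by ZCHATSESSION

Then look up that ZCHATSESSION value in ZWACHATSESSION.

Answer: Sportsmen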
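The lookups from questions 51, 52 and 56 collected into one script, as an added example that is not part of the original write-up. It uses only the table and column names quoted above; every row is constructed, session type 1 for an ordinary group is an assumption, and groups are keyed by ZCONTACTJID because a display name need not be unique.

```python
import sqlite3

# Constructed sample rows. Table and column names are the ones quoted in the
# write-up; session type 1 for an ordinary group is an assumption.
SAMPLE = """
CREATE TABLE ZWACHATSESSION (Z_PK INTEGER PRIMARY KEY, ZSESSIONTYPE INTEGER,
                             ZCONTACTJID TEXT, ZPARTNERNAME TEXT);
CREATE TABLE ZWAGROUPMEMBER (Z_PK INTEGER PRIMARY KEY, ZCHATSESSION INTEGER,
                             ZMEMBERJID TEXT, ZCONTACTNAME TEXT,
                             ZISADMIN INTEGER, ZISACTIVE INTEGER);
INSERT INTO ZWACHATSESSION VALUES
  (1, 1, '100000000000000001@g.us', 'Group A'),
  (2, 1, '100000000000000002@g.us', 'Group B'),
  (3, 5, '100000000000000003@newsletter', 'Channel C'),
  (4, 4, '100000000000000004@g.us', 'Community D');
INSERT INTO ZWAGROUPMEMBER VALUES
  (1, 1, 'alice@s.whatsapp.net', 'Alice', 1, 1),
  (2, 1, 'bob@s.whatsapp.net',   'Bob',   0, 1),
  (3, 2, 'alice@s.whatsapp.net', 'Alice', 0, 1),
  (4, 2, 'bob@s.whatsapp.net',   'Bob',   0, 0),
  (5, 2, 'carol@s.whatsapp.net', 'Carol', 1, 1);
"""


def open_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    return db


def sessions_by_type(db):
    """Count sessions per ZSESSIONTYPE (the write-up: 5 = channel, 4 = community)."""
    return dict(db.execute(
        "SELECT ZSESSIONTYPE, COUNT(*) FROM ZWACHATSESSION GROUP BY ZSESSIONTYPE"))


def group_roster(db, group_jid):
    """(member JID, ZISADMIN, ZISACTIVE) for one group, selected by group JID."""
    return db.execute("""
        SELECT M.ZMEMBERJID, M.ZISADMIN, M.ZISACTIVE
        FROM ZWAGROUPMEMBER M
        JOIN ZWACHATSESSION S ON S.Z_PK = M.ZCHATSESSION
        WHERE S.ZCONTACTJID = ?
        ORDER BY M.ZMEMBERJID""", (group_jid,)).fetchall()


def admins(db, group_jid):
    return [jid for jid, is_admin, _active in group_roster(db, group_jid)
            if is_admin == 1]


def former_groups(db, member_jid):
    """Groups where the member row exists but ZISACTIVE is 0, resolved to names."""
    return db.execute("""
        SELECT S.ZPARTNERNAME, S.ZCONTACTJID
        FROM ZWAGROUPMEMBER M
        JOIN ZWACHATSESSION S ON S.Z_PK = M.ZCHATSESSION
        WHERE M.ZMEMBERJID = ? AND M.ZISACTIVE = 0
        ORDER BY S.ZPARTNERNAME""", (member_jid,)).fetchall()


if __name__ == "__main__":
    db = open_sample()
    print(sessions_by_type(db))
    print(admins(db, "100000000000000002@g.us"))
    print(former_groups(db, "bob@s.whatsapp.net"))
```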

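57. [Fill in the blank] In the instant messaging app "WhatsApp", how many "poll" activities appear in total? (Answer in Arabic numerals)

I could not find them in the database; filtering on messagetype 14 gives 60 rows, so go by Huoyan (火眼) instead.

3 in group messages

12 in channel messages

Answer: 13

*58. [Fill in the blank] Following the previous question, in how many "poll" activities was a vote cast? (Answer in Arabic numerals)

Go back to each one in its original position and check; this one has "support you", so a vote was probably cast.

These two polls sit together: the first shows no reply about voting, and for the second the responses show that one person voted.

In the database these messages all have messagetype 46, but the count differs from the number in the previous question and I do not know how to narrow it down.

Answer: 2

59. [Single choice] In the instant messaging app "WhatsApp", according to the conversation in the group " IQ COIN 💰💰💰💰", which kind of crime is being planned?

A. Fraud

B. Robbery

C. Murder

D. None of the above

First establish that the ZCONTACTJID is 120363401289578356@g.us

Then filter the chat records in the ZWAMESSAGE table.

Answer: A

60. [Fill in the blank] Following the previous question, what is the WhatsApp ID of the group's creator? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Get the Z_PK from ZWACHATSESSION.

Then filter ZWAGROUPINFO for ZCHATSESSION equal to 38.

Answer: 85254974406@s.whatsapp.net

61. [Fill in the blank] Following the previous question, when was the group created? (Answer in the GMT+8 time zone and the following format: yyyy-MM-dd HH:mm:ss)

Continuing from the previous question, convert the timestamp: add 978307200 to it and then convert, because the iPhone uses Mac Absolute Time.

The result differs from Huoyan's by 1 second; the answer is the one Huoyan shows.

Answer: 2025-04-25 16:57:55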

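62. [Single choice] Based on your analysis, the attack resulted from infighting among the three over a romantic entanglement. You suspect that 梁燕玲 had been at the scene of the attack, and you report your findings to the police. The police widen the search area and finally find, near the scene, a car registered to 陈民浩, with a smartphone inside it. Referring to LEUNG_YL_Mobile.zip, which email was used on this phone to register iCloud?

A. lingleung1502@gmail.com

B. lingleung1502@yahoo.com.hk

C. lingleung1503@gmail.com

D. lingl1502@gmail.com

Search for icloud in iDeviceinfo.txt.

Answer: A

63. [Single choice] Referring to LEUNG_YL_Mobile.zip, which camera model took the file IMG_0021.HEIC?

A. iPhone SE (3rd generation)

B. iPhone SE (2nd generation)

C. iPhone 12 mini

D. iPhone XR

Answer: A

64. [Fill in the blank] Referring to LEUNG_YL_Mobile.zip, what are the coordinates (WGS 84) where the file IMG_0005.JPG was taken? (Answer latitude first, then longitude, in the format xx.xxxxxx,xx.xxxxxx)

This has to be looked up in the database.

Answer: 22.337655,114.139441

65. [Single choice] Referring to LEUNG_YL_Mobile.zip, in which orientation was the file IMG_0022.JPG taken?

A. Not rotated

B. Rotated 180 degrees

C. 90 degrees clockwise

D. 90 degrees counter-clockwise

Back in the database, look at the ZORIENTATION column of the ZASSET table: 1 and 3 mean landscape, with the home button on the right and on the left respectively; 6 means rotated 90 degrees clockwise, home button at the bottom; 8 means counter-clockwise, home button at the top.

Answer: C

66. [Fill in the blank] What is the creation time (GMT +08:00) of the file IMG_0022.JPG? (Answer in the GMT+8 time zone and the following format: yyyy-MM-dd HH:mm:ss)

Answer: 2025-05-16 11:33:15

67. [Fill in the blank] Referring to LEUNG_YL_Mobile.zip, in the WhatsApp chat with "85254974406@s.whatsapp.net", what coordinates (WGS 84) were sent in the message at 2025-05-16 11:33:39? (Answer latitude first, then longitude, in the format xx.xxxxxxxxxxxx, xxx.xxxxxxxxxxxx)

Convert 2025-05-16 11:33:39 to the timestamp 769059219 and get the Z_PK.

Then go to ZWAMEDIAITEM.

Answer: 22.2760486602783,114.295440673828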
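The time-to-coordinates lookup from questions 61 and 67, as an added example that is not part of the original write-up. The columns ZMESSAGEDATE, ZMESSAGE, ZLATITUDE and ZLONGITUDE are not named on this page and are assumptions about the ChatStorage.sqlite schema; the rows and coordinates are constructed. It searches a one-second window instead of testing equality, so a stored value with a fractional part is still found.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH_OFFSET = 978307200            # seconds from 1970-01-01 to 2001-01-01 UTC
GMT8 = timezone(timedelta(hours=8))


def to_mac_absolute(local_text, tz=GMT8):
    """'yyyy-MM-dd HH:mm:ss' in the given zone -> whole Mac Absolute Time seconds."""
    moment = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(moment.timestamp()) - MAC_EPOCH_OFFSET


def from_mac_absolute(value, tz=GMT8, rounded=False):
    """Render a stored value; truncating and rounding can differ by one second."""
    seconds = round(value) if rounded else int(value)
    moment = datetime.fromtimestamp(seconds + MAC_EPOCH_OFFSET, tz)
    return moment.strftime("%Y-%m-%d %H:%M:%S")


# Constructed rows; column names are assumptions (see the lead-in).
SAMPLE = """
CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZCHATSESSION INTEGER,
                         ZMESSAGEDATE REAL, ZTEXT TEXT);
CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, ZMESSAGE INTEGER,
                           ZLATITUDE REAL, ZLONGITUDE REAL);
INSERT INTO ZWAMESSAGE VALUES
  (10, 7, 769059100.0, 'constructed text before'),
  (11, 7, 769059219.6, NULL),
  (12, 7, 769059300.0, 'constructed text after');
INSERT INTO ZWAMEDIAITEM VALUES (1, 11, 22.25, 114.25);
"""


def open_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    return db


def exact_hits(db, local_text):
    """What an equality filter on the whole-second value finds."""
    return db.execute("SELECT COUNT(*) FROM ZWAMESSAGE WHERE ZMESSAGEDATE = ?",
                      (to_mac_absolute(local_text),)).fetchone()[0]


def locations_sent_at(db, local_text):
    """(message Z_PK, latitude, longitude) for media sent within that second."""
    start = to_mac_absolute(local_text)
    return db.execute("""
        SELECT M.Z_PK, I.ZLATITUDE, I.ZLONGITUDE
        FROM ZWAMESSAGE M
        JOIN ZWAMEDIAITEM I ON I.ZMESSAGE = M.Z_PK
        WHERE M.ZMESSAGEDATE >= ? AND M.ZMESSAGEDATE < ?
        ORDER BY M.ZMESSAGEDATE""", (start, start + 1)).fetchall()


if __name__ == "__main__":
    db = open_sample()
    print(to_mac_absolute("2025-05-16 11:33:39"))
    print(exact_hits(db, "2025-05-16 11:33:39"))
    print(locations_sent_at(db, "2025-05-16 11:33:39"))
```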

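68. [Fill in the blank] Referring to LEUNG_YL_Mobile.zip, in the WhatsApp chat with "85254974406@s.whatsapp.net", what is the English name of the restaurant that the coordinates (WGS 84) sent in the message at 2025-05-16 11:33:39 point to? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Answer: Fai Kee Seafood Restaurant

69. [Fill in the blank] Referring to LEUNG_YL_Mobile.zip, in WhatsApp chat group ID 120363401289578356, the device owner sent a PDF file at 2025-04-29 08:31:02. What is the content of that PDF? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

First convert to the timestamp 767579462, then filter to identify the PDF, but the search found nothing.

Then use the group's ID to look in the message directory under the app's container; this file is close to the time given in the question.

Simple steganography: the font colour was changed to white.

Answer: 0xe36D4bCf0132B8Dc7317C2Fb9bfa1845629F6638

70. [Single choice] Referring to LEUNG_YL_Mobile.zip, how many participants are there in WhatsApp chat group ID 120363401289578356?

A. 2

B. 3

C. 4

D. 5

First filter ZWACHATSESSION to get the Z_PK, then filter ZCHATSESSION in ZWAGROUPMEMBER by that Z_PK value.

Answer: B

71. [Single choice] Referring to LEUNG_YL_Mobile.zip, which mobile number was called using WhatsApp at 2025-04-25 17:11:37?

A. 85254962307

B. 85254961408

C. 85254974406

D. 85254993306

First convert to a timestamp.

Filter in ZWACDCALLEVENT, then match Z_PK in ZWACDCALLEVENT against Z1PARTICIPANTS in ZWACDCALLEVENTPARTICIPANT.

Answer: 85254974406@s.whatsapp.net

72. [Single choice] Referring to LEUNG_YL_Mobile.zip, how many WhatsApp call records are there in total? (Including outgoing, incoming and missed calls)

A. 4

B. 5

C. 6

D. 7

Look at the records in ZWACDCALLEVENT.

Answer: D

73. [Single choice] Referring to LEUNG_YL_Mobile.zip, what is the group name of WhatsApp chat group ID 120363400622997111?

A. Investors

B. Foodies

C. We are 3

D. Happy Sharing within 3

Answer: D

74. [Single choice] Referring to LEUNG_YL_Mobile.zip, what WGS 84 coordinates were sent in the WhatsApp chat group Happy Sharing within 3 at 2025-04-17 10:12:34?

A. 22.323436345441, 113.276894376508

B. 22.326923370361, 114.168403625488

C. 21.239876452236, 115.925422314543

D. 20.124955642236, 114.168403625488

Convert to a timestamp, then filter in ZWAMEDIAITEM.

Answer: B

75. [Single choice] Referring to LEUNG_YL_Mobile.zip, what is the Instagram version?

A. 375.2.0.15.82 (722575504)

B. 376.1.0.14.56 (722575504)

C. 376.1.0.27.82 (722575504)

D. 376.0.0.17.23 (722575504)

It is not in the Manifest; it has to be read from the app's container, path: \var\mobile\Applications\com.burbn.instagram\Library\Preferences\com.burbn.instagram.plist

Answer: C

76. [Fill in the blank] Referring to LEUNG_YL_Mobile.zip, when was the social media app Instagram installed? (Answer in the GMT+8 time zone and the format YYYY-MM-DD hh:mm:ss)

Again in com.burbn.instagram.plist.

Answer: 2025-04-26 11:50:47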

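77. [Fill in the blank] Following your analysis, the police found a suitcase at Tsiu Hang, Sai Kung (西贡蕉坑), Hong Kong, containing the body of a woman with no identity documents on her; a USB drive was found in her trouser pocket. According to the forensic pathologist's preliminary examination, the deceased had obvious bruising on the head and neck, suggesting a violent struggle; the cause of death was asphyxia from compression of the airway, and the time of death is believed to be between 0900 and 1000 on 2025-05-16. Investigators' initial check of the USB drive found no suspicious data, and it is now handed to you for digital forensic examination. Referring to the contest material LEUNG_YL_USB.E01, answer the following questions. How many partitions are on this USB drive? (Answer in Arabic numerals)

Answer: 2

78. [Fill in the blank] Referring to LEUNG_YL_USB.E01, what is the partition scheme of this USB drive? (Answer in uppercase English)

Check the properties in X-Ways.

Answer: MBR

79. [Single choice] Referring to LEUNG_YL_USB.E01, which of the following descriptions is correct?

i) The total capacity of the USB drive is 16GB

ii) The file systems include FAT32, exFAT and NTFS

iii) The capacity of the exFAT partition is 16GB

iv) The partition label is "SanDisk"

A. Only i) and ii)

B. Only i) and iii)

C. Only ii) and iv)

D. None of the above

The total capacity is 29.3G, so i) is wrong.

There are only exFAT and FAT16, so ii) is wrong.

Only partition 1 is an exFAT partition; check the properties of partition 1, so iii) is wrong.

The name is TIM, so iv) is wrong.

Answer: D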
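What the X-Ways property view in questions 77 to 79 reads from the first sector, as an added example that is not part of the original write-up: it parses the four MBR partition entries and, because type 0x07 is shared by NTFS and exFAT, confirms the file system from the volume boot record. The sample sector, its start offsets and the first partition's size are constructed, not read from LEUNG_YL_USB.E01.

```python
import struct

TYPE_NAMES = {
    0x06: "FAT16", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0xEE: "GPT protective", 0xEF: "EFI system",
}


def parse_partition_table(sector0, sector_size=512):
    """Return (scheme, partitions) from the first sector of a disk image."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    partitions = []
    for index in range(4):
        entry = sector0[446 + 16 * index: 462 + 16 * index]
        # status, CHS start (skipped), type, CHS end (skipped), first LBA, sectors
        status, ptype, first_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:                       # unused slot
            continue
        partitions.append({
            "slot": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "first_lba": first_lba,
            "size_mib": sectors * sector_size / 2 ** 20,
        })
    # A lone 0xEE entry means the real table is a GPT behind a protective MBR.
    scheme = "GPT" if any(p["type"] == 0xEE for p in partitions) else "MBR"
    return scheme, partitions


def filesystem_from_vbr(vbr):
    """Identify the file system from the first sector of a partition."""
    oem = vbr[3:11]
    if oem == b"EXFAT   ":
        return "exFAT"
    if oem == b"NTFS    ":
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":               # FAT32 type string
        return "FAT32"
    if vbr[54:62].startswith(b"FAT"):           # FAT12/FAT16 type string
        return vbr[54:62].decode("ascii").strip()
    return "unknown"


def build_sample_sector0():
    """Constructed MBR: a large type-0x07 partition and a 350 MiB EFI one."""
    sector = bytearray(512)
    entries = [(0x00, 0x07, 2048, 60_000_000), (0x80, 0xEF, 60_002_048, 716_800)]
    for slot, (status, ptype, first_lba, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * slot,
                         status, ptype, first_lba, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    scheme, partitions = parse_partition_table(build_sample_sector0())
    print(scheme)
    for partition in partitions:
        print(partition)
```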

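80. [Single choice] Referring to LEUNG_YL_USB.E01, which of the following descriptions is correct?

i) This USB drive was once connected to a computer named "PC"

ii) The USB drive contains an encrypted archive

iii) The creation date of the encrypted archive is 2025-05-15

A. Only ii)

B. Only iii)

C. Only ii) and iii)

D. All of the above

I did not see anything for i).

ii) and iii) are correct: export the zip and open it to confirm ii); for iii), looking at the modification time is enough.

Answer: C

81. [Fill in the blank] Following the previous question, what is the extraction password of the archive? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

There is an image, and the password is in the image.

Answer: 54d#e(nm

82. [Single choice] Referring to LEUNG_YL_USB.E01, which of the following descriptions is correct?

i) This is a bootable USB drive

ii) One partition is labelled "EFI"

iii) The volume label date is 2025-05-15 (UTC +8)

iv) One partition has a total capacity below 500 MB

A. Only i)

B. Only i) and ii)

C. Only i), iii) and iv)

D. All of the above

Partition 2 contains WEPE and EFI, which identifies it as a USB drive that boots through WePE (微PE), so i) is correct.

Check the properties directly; ii) is correct.

iii) is correct.

The total capacity is 350MB, so iv) is correct.

Answer: D

83. [Fill in the blank] What is the content of the file tammy.txt? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Export and extract WEPE64.WIM; the file can be found under program files. WEPE64.WIM can be thought of as the system image file.

Answer: due_diligence

84. [Fill in the blank] What is the encryption algorithm of the file "xcontainer"? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

There is a vera_key file, but it is corrupted. Mount the image with FTK and recover the file with R-Studio to obtain the key file, then decrypt the container to see the encryption algorithm.

Answer: AES(Twofish)

85. [Single choice] Analyze the properties of the document "xcontainer". Which of the following descriptions of this disk image is correct?

i) The size is 4943872 bytes

ii) The file system is FAT

iii) There is no embedded backup header

iv) The block size is 128 bits

A. Only i) and ii)

B. Only ii) and iv)

C. Only ii), iii) and iv)

D. All of the above

Check in VeraCrypt: i) is wrong; the properties show that there is an embedded backup header, so iii) is wrong; iv) can be seen in the properties, so iv) is correct.

Check the properties directly; ii) is correct.

Answer: C

86. [Single choice] After WinPE boots, on which virtual drive does the system automatically mount the core image?

A. C:

B. D:

C. X:

D. Z:\

Emulate the USB drive; for details see the write-ups by the experts linked at the top. The steps are roughly the same as creating a new virtual machine: boot from the physical disk that the USB image is mounted as, and the emulation comes up.

Answer: C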

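87. [Single choice] Which of the following Windows PE commands cannot be run in the default environment?

i) Powershell

ii). Eventvwr

iii). Hostname

iV). Diskpart

A. Only i) and ii)

B. Only iii) and iv)

C. Only i), ii) and iii)

D. All of the above

Try each one in the environment.

Answer: C

88. [Single choice] Which file must be present in order to boot the Windows PE environment?

A. WEPE64.wim

B. install.wim

C. WinPE.log

D. hiberfil.sys

See question 83.

Answer: A

89. [Single choice] To determine whether a USB drive is a bootable Windows PE, which of the following files must exist?

i) WEPE64.wim or boot.wim

ii) bootmgr

iii) EFI\Boot\bootx64.efi

iv) hiberfil.sys

A. Only ii and iv

B. Only i), ii) and iii)

C. Only i) and iv)

D. All of the above

This is theory. From the previous question, i) is correct; bootmgr is the boot manager and bootx64.efi is a boot file; for option iv) I simply asked an AI.

Answer: B

90. [Single choice] Which Windows version is the operating environment of this WinPE USB drive based on?

A. Windows 7

B. Windows 8.1

C. Windows 10 PE

D. Windows 11 PE

Check the system.

Answer: C

91. [Fill in the blank] From your combined analysis of the chat records of several messaging apps, browsing history and data, you find that 冯子超 and 陈民浩, together with the woman 梁燕玲, carried out a fraud involving cryptocurrency investment and planned to flee with the proceeds once it came to light. 梁燕玲 was responsible for the money laundering, and the police believe she fled carrying the related material. Use your digital forensic skills to find material related to cryptocurrency so that the freezing procedure can start as soon as possible. Referring to LEUNG_YL_USB.E01, the USB drive holds an encrypted file. What is the name of the encryption software used for that file? (Give the software name only, not the version; answer exactly as it appears in the contest material, minding case, spaces and symbols)

The encrypted file should be the xcontainer encrypted container found above, which was encrypted with Veracrypt.

Answer: Veracrypt

92. [Fill in the blank] Referring to LEUNG_YL_USB.E01, list the virtual wallet address related to IQ Coin (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

After decrypting the container there is an image; scan its QR code.

Answer: 0x548dafDe4B17d7d3C9485E79B3B5018801C7855E

93. [Fill in the blank] Following the previous question, which cryptocurrency does this wallet belong to? (Answer in uppercase English)

The password of the cryptocurrency evidence archive is the address from the previous question; look at the first image.

Answer: BNB

94. [Fill in the blank] Following the previous question, how many deposit records does this wallet have in total? (Answer in Arabic numerals)

The image shows just 1.

Answer: 1

*95. [Fill in the blank] Following the previous question, what is the address that paid the deposit? (Answer exactly as it appears in the contest material, minding case, spaces and symbols)

Following the previous question, look it up on BscScan.

Answer: 0x6144ACfdf84bbEC6bccB310516A89D4b3ee48c1A

96. [Fill in the blank] Following the previous question, how many BEP-20 IQ Coin did this transaction transfer? (Answer in Arabic numerals as in the contest material, minding case, spaces and symbols, without punctuation)

See question 94.

Answer: 1000000000

97. [True/False] A mnemonic phrase is a series of words generated by a cryptocurrency wallet that helps the user recover their private key. A mnemonic phrase usually consists of 12 to 24 words

A. True

B. False

Answer: A

98. [Fill in the blank] According to your information, the police have learned that this crypto wallet is involved in a recent large fraud case. Find out the wallet's balance so that the police can carry out the freezing procedure. Give the hash value (MD5) of the file that contains the suspected mnemonic phrase (Answer in Arabic numerals and uppercase English letters)

Decrypt and mount the xcontainer container; it contains tmp.txt, whose content matches the mnemonic phrase format.

Answer: 183B8E0C6365FEE834479269141A3F91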

posted @ 2026-01-31 12:07  Desk10086