O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Mobile Forensics – Advanced Investigative Strategies

Book Description

Master powerful strategies to acquire and analyze evidence from real-life scenarios

About This Book
  • A straightforward guide to address the roadblocks face when doing mobile forensics
  • Simplify mobile forensics using the right mix of methods, techniques, and tools
  • Get valuable advice to put you in the mindset of a forensic professional, regardless of your career level or experience
Who This Book Is For

This book is for forensic analysts and law enforcement and IT security officers who have to deal with digital evidence as part of their daily job. Some basic familiarity with digital forensics is assumed, but no experience with mobile forensics is required.

What You Will Learn
  • Understand the challenges of mobile forensics
  • Grasp how to properly deal with digital evidence
  • Explore the types of evidence available on iOS, Android, Windows, and BlackBerry mobile devices
  • Know what forensic outcome to expect under given circumstances
  • Deduce when and how to apply physical, logical, over-the-air, or low-level (advanced) acquisition methods
  • Get in-depth knowledge of the different acquisition methods for all major mobile platforms
  • Discover important mobile acquisition tools and techniques for all of the major platforms
In Detail

Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools, and even more importantly, the right strategies. In this book, you’ll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work.

We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique. We cover important techniques such as seizing techniques to shield the device, and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data backups, over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, tools for mobile forensics, and tools to help you discover and analyze evidence.

By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.

Style and approach

This book takes a unique strategy-based approach, executing them on real-world scenarios. You will be introduced to thinking in terms of "game plans," which are essential to succeeding in analyzing evidence and conducting investigations.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

Table of Contents

  1. Mobile Forensics – Advanced Investigative Strategies
    1. Mobile Forensics – Advanced Investigative Strategies
    2. Credits
    3. Foreword
    4. About the Authors
    5. About the Reviewer
    6. www.PacktPub.com
      1. Why subscribe?
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the color images of this book
        2. Errata
        3. Piracy
        4. Questions
    8. 1. Introducing Mobile Forensics
      1. Why we need mobile forensics
      2. Available information
        1. Mobile devices
        2. Personal computers
        3. Cloud storage
      3. Stages of mobile forensics
        1. Stage 1 - device seizure
          1. Seizing - what and how should we seize?
          2. The use of Faraday bags
          3. Keeping the power on
          4. Dealing with the kill switch
          5. Mobile device anti-forensics
        2. Stage 2 - data acquisition
          1. Root, jailbreak, and unlocked bootloader
          2. Android ADB debugging
          3. SIM cloning
          4. SIM card memory
          5. Memory card
        3. Stage 3 - data analysis
      4. Summary
    9. 2. Acquisition Methods Overview
      1. Over-the-air acquisition
        1. Apple iCloud
        2. Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10
        3. Google Android
      2. Logical acquisition (backup analysis)
        1. Apple iOS
        2. BlackBerry 10
        3. Android
        4. Nandroid backups
      3. Physical acquisition
        1. Apple iOS
        2. Android
        3. Windows Phone 8 and Windows 10 Mobile
        4. Limitations and availability
        5. Tools for physical acquisition
      4. JTAG
      5. Chip-off
      6. In-system programming
      7. Summary
    10. 3. Acquisition – Approaching Android Devices
      1. Android platform fragmentation
      2. AOSP, GMS, and their forensic implications
        1. Android logical acquisition
          1. OEM software
        2. Android acquisition – special considerations
          1. Unallocated space
            1. eMMC storage
            2. Remapping and overprovisioning
            3. Wear leveling
            4. Trimming
            5. What happens to the deleted data?
          2. JTAG forensics
            1. When to JTAG a device
            2. Limitations of JTAG forensics
            3. Step-by-step JTAG acquisition
          3. Chip-off acquisition
            1. Chip-off and encryption
          4. In-system programming forensics
      3. Summary
    11. 4. Practical Steps to Android Acquisition
      1. Android physical acquisition
        1. Encryption
      2. Approaching physical acquisition
        1. Encryption status – Is the data partition encrypted?
          1. Service mode available
          2. LG smartphones
          3. Devices based on the Qualcomm reference platform
          4. Mediatek-based Chinese phones
          5. Bootloaded status
          6. Root status
        2. LG smartphones' LAF mode
        3. MediaTek smartphones
        4. Qualcomm bootloader exploit
          1. Qualcomm-based smartphones – HS-USB 9006
          2. Encryption
        5. The Qualcomm 9006 mode
          1. Tools for imaging via Qualcomm Download Mode 9006
        6. Using custom recoveries
          1. Imaging via custom recovery – making a Nandroid backup
          2. Imaging via custom recovery – physical imaging via dd
          3. Imaging the device
        7. NANDroid backups
          1. Is unlocked bootloader required?
          2. Is root access required?
          3. Producing a Nandroid backup
          4. Analyzing Nandroid backups
      3. Live imaging
        1. Live imaging with root (via dd)
        2. Live imaging without root (via ADB backup)
        3. Live imaging using Oxygen Forensic Suite
      4. Google Account acquisition – over-the-air
        1. Why Google Account?
        2. Google Account – what's inside?
        3. A word on Android backups
        4. Google Takeout
        5. Google Account acquisition and analysis using Elcomsoft Cloud Explorer
        6. Two-factor authentication
        7. User alerts
        8. Viewing, searching, and analyzing data
      5. Summary
    12. 5. iOS – Introduction and Physical Acquisition
      1. iOS forensics – introduction
        1. Generations of Apple hardware
        2. Is jailbreak required?
        3. Geolocation information
        4. Where is the information stored?
        5. iOS acquisition methods overview
        6. iOS acquisition methods compared
        7. iOS advanced logical acquisition
        8. iOS physical acquisition
        9. Physical acquisition benefits
        10. What's unique about physical acquisition?
        11. The future of physical acquisition
        12. Physical acquisition compatibility matrix
        13. Unallocated space – unavailable since iOS 4
        14. Sending device to Apple
        15. The role of passcode
        16. Physical acquisition of iOS 8 and 9
        17. Tools for iOS physical acquisition
      2. Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit
        1. What the does the tool do?
          1. Prerequisites
        2. Acquiring 64-bit Apple devices
          1. Comparing 64-bit process and traditional physical acquisition
        3. Supported devices and iOS versions
          1. Performing physical acquisition on a 64-bit iOS device
          2. What is available via 64-bit physical acquisition
          3. Locked device with unknown passcode
          4. Viewing and analyzing the image
          5. Potential legal implications
      3. Summary
    13. 6. iOS Logical and Cloud Acquisition
      1. Understanding backups - local, cloud, encrypted and unencrypted
      2. Encrypted versus unencrypted iTunes backups
      3. Breaking backup passwords
        1. Breaking the password - how long will it take?
      4. A fast CPU and a faster video card
        1. Breaking complex passwords
      5. Knowing the user helps breaking the password
      6. Tutorial - logical acquisition with Elcomsoft Phone Breaker
        1. Breaking the password
        2. Decrypting the backup
        3. Dealing with long and complex passwords
      7. Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP
      8. iOS Cloud forensics - over-the-air acquisition
        1. About Apple iCloud
        2. Getting started with iCloud Keychain
        3. Getting started with iCloud Drive
        4. Understanding iCloud forensics
      9. Tutorial - cloud acquisition with Elcomsoft Phone Breaker
        1. Downloading iCloud backups - using Apple ID and password
      10. Downloading iCloud/iCloud Drive backups - using authentication tokens
      11. Extracting authentication tokens
        1. iCloud authentication tokens (iOS 6 through 9) - limitations
        2. iCloud Drive authentication tokens (iOS 9 and newer) - a different beast altogether
        3. Quick start - selective downloading
      12. Two-factor authentication
        1. Two-factor authentication is optional
        2. Two-factor authentication versus two-step verification - understanding the differences
        3. Two-step verification
        4. Two-factor authentication
        5. No app-specific passwords in two-factor authentication
        6. Cloud acquisition with two-step verification and two-factor authentication
      13. What next?
      14. Summary
    14. 7. Acquisition – Approaching Windows Phone and Windows 10 Mobile
      1. Windows Phone security model
      2. Windows Phone physical acquisition
      3. JTAG forensics on Windows Phone 8.x and Windows 10 Mobile
        1. Windows Phone 8.x device encryption
        2. Windows 10 Mobile device encryption
      4. Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics
      5. Acquiring Windows Phone backups over the air
      6. Summary
    15. 8. Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
      1. Windows 8, 8.1, 10, and RT on portable touchscreen devices
      2. Acquisition of Windows tablets
        1. Understanding Secure Boot
        2. Connected Standby (InstantGo)
        3. BitLocker device encryption
          1. BitLocker and Encrypting File System
          2. BitLocker and hibernation
          3. BitLocker acquisition summary
        4. Capturing a memory dump
        5. Types of evidence available in volatile memory
        6. Special case – Windows RT devices
        7. SD cards and Windows File History
      3. Imaging Built-in eMMC Storage
        1. eMMC and deleted data recovery
        2. Windows 8 and Windows 10 encryption – TRIM versus BitLocker
      4. Booting Windows tablets from recovery media
        1. Special case – recovery media for Windows RT
        2. Steps to boot from recovery media
        3. Configuring UEFI BIOS to boot from recovery media
      5. Acquiring a BitLocker encryption key
        1. Breaking into Microsoft Account to acquire the BitLocker Recovery Key
        2. Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions
        3. BitLocker keys and Trusted Platform Module
      6. Imaging Windows RT tablets
        1. BitLocker encryption
        2. DISM – a built-in tool to image Windows RT
        3. Must be logged in with an administrative account
        4. Must be logged in
        5. Booting to  the WinRE command prompt
          1. Entering BitLocker Recovery Key
          2. Using DISM.exe to image the drive
      7. Cloud Acquisition
      8. Summary
    16. 9. Acquisition – Approaching BlackBerry
      1. The history of the BlackBerry OS - BlackBerry 1.0-7.1
        1. BlackBerry 7 JTAG, ISP, and chip-off acquisition
        2. Acquiring BlackBerry desktop backups
        3. Decrypting the backup
        4. BlackBerry Password Keeper and BlackBerry Wallet
          1. BlackBerry Password Keeper
          2. BlackBerry Wallet
        5. BlackBerry security model - breaking a device password
      2. Acquiring BlackBerry 10
        1. Getting started
        2. BlackBerry 10 backups
        3. BlackBerry 10 - considering ISP and chip-off forensics
        4. Acquiring BlackBerry 10 backups
          1. Using Elcomsoft Phone Breaker
          2. Using Oxygen Forensic Suite
      3. Analyzing BlackBerry backups
      4. Summary
    17. 10. Dealing with Issues, Obstacles, and Special Cases
      1. Cloud acquisition and two-factor authentication
        1. Two-factor authentication – Apple, Google, and Microsoft
        2. Online versus offline authentication
        3. App passwords and two-factor authentication
        4. Google's two-factor authentication
        5. Microsoft's implementation
        6. Apple's two-step verification
        7. Apple's two-factor authentication
        8. Bypassing Apple's two-factor authentication
        9. Two-factor authentication – a real roadblock
      2. Unallocated space
        1. The issue of unallocated space
      3. Accessing destroyed evidence in different mobile platforms
        1. Apple iOS – impossible
        2. BlackBerry – Iffy
          1. SD cards
        3. Android – possible with limitations
          1. Android – built-in storage
          2. Unencrypted storage
          3. Encrypted storage
          4. Encryption in different versions of Android
        4. Android – SD cards
          1. Android – SD card encryption
      4. Windows Phone 8 and 8.1 – possible for end-user devices with limitations
        1. Windows Phone BitLocker encryption
        2. Windows Phone SD cards
      5. Windows RT, Windows 8/8.1, and Windows 10
      6. eMMC and deleted data
        1. eMMC and SSD – similarities
        2. eMMC and SSD – differences
        3. Overprovisioning and remapping
        4. User data in overprovisioned areas
        5. Delete operations on non-encrypted eMMC drives
        6. eMMC conclusion
      7. SD cards
        1. SD card encryption
          1. Apple iOS
          2. Android
          3. Windows Phone 8/8.1
          4. Windows 10 Mobile
          5. Windows RT
        2. Windows 8 through 10
        3. BlackBerry OS 1 through 7
          1. BlackBerry 10
        4. SD cards conclusion
      8. SQLite databases (access to call logs, browsing history, and many more)
      9. Summary
    18. 11. Mobile Forensic Tools and Case Studies
      1. Cellebrite
      2. Micro Systemation AB
      3. AccessData
      4. Oxygen Forensic toolkit
      5. Magnet ACQUIRE
      6. BlackBag Mobilyze
      7. ElcomSoft tools
      8. Case studies
        1. Mobile forensics
        2. Data recovery
      9. BlackBerry scenarios
        1. Locked BlackBerry devices
          1. Locked BlackBerry, not attached to BlackBerry Enterprise Server (BES)
          2. Locked BlackBerry attached to BES
          3. Locked BlackBerry attached to BES with Pretty Good Privacy (PGP) encryption
          4. Locked BlackBerry, not attached to BES
          5. Locked BlackBerry - completed successful chipoff
          6. Locked BlackBerry - password does not work
        2. Unlocked BlackBerry devices
          1. Unlocked BlackBerry device with no password
          2. Unlocked BlackBerry device with password
      10. Summary