
Practical Mobile Forensics - Second Edition

Book Description

A hands-on guide to mastering mobile forensics on the iOS, Android, and Windows Phone platforms

About This Book

  • Get to grips with the basics of mobile forensics and the various forensic approaches
  • Retrieve and analyze the data stored on mobile devices and on the cloud
  • A practical guide to leveraging the power of mobile forensics on the popular mobile platforms, with lots of tips, tricks, and caveats

Who This Book Is For

This book is for forensics professionals who are eager to widen their forensics skillset to mobile forensics and acquire data from mobile devices.

What You Will Learn

  • Discover the new features in practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on the iOS and Android platforms
  • Set up the forensic environment
  • Extract data on the iOS and Android platforms
  • Recover data on the iOS and Android platforms
  • Understand the forensics of Windows devices
  • Explore various third-party application techniques and data recovery techniques

In Detail

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This book is an update to Practical Mobile Forensics; it delves into the concepts of mobile forensics and its importance in today's world.

We will deep dive into mobile forensics techniques for iOS 8 - 9.2, Android 4.4 - 6, and Windows Phone devices. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from the cloud, and how to document and prepare reports for your investigations.

By the end of this book, you will have mastered the current operating systems and techniques so you can recover data from mobile devices by leveraging open source solutions.

Style and approach

This book takes a very practical approach and depicts real-life mobile forensics scenarios, with lots of tips and tricks to help you acquire the required forensics skillset for various mobile platforms.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to obtain the code files.

Table of Contents

  1. Practical Mobile Forensics - Second Edition
    1. Practical Mobile Forensics - Second Edition
    2. Credits
    3. About the Authors
    4. About the Reviewer
    5. www.PacktPub.com
      1. eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    6. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    7. 1. Introduction to Mobile Forensics
      1. Why do we need mobile forensics?
      2. Mobile forensics
        1. Challenges in mobile forensics
      3. The mobile phone evidence extraction process
        1. The evidence intake phase
        2. The identification phase
          1. The legal authority
          2. The goals of the examination
          3. The make, model, and identifying information for the device
          4. Removable and external data storage
          5. Other sources of potential evidence
        3. The preparation phase
        4. The isolation phase
        5. The processing phase
        6. The verification phase
          1. Comparing extracted data to the handset data
          2. Using multiple tools and comparing the results
          3. Using hash values
        7. The document and reporting phase
        8. The presentation phase
        9. The archiving phase
      4. Practical mobile forensic approaches
        1. Mobile operating systems overview
          1. Android
          2. iOS
          3. Windows Phone
        2. Mobile forensic tool leveling system
          1. Manual extraction
          2. Logical extraction
          3. Hex dump
          4. Chip-off
          5. Micro read
        3. Data acquisition methods
          1. Physical acquisition
          2. Logical acquisition
          3. Manual acquisition
      5. Potential evidence stored on mobile phones
      6. Rules of evidence
      7. Good forensic practices
        1. Securing the evidence
        2. Preserving the evidence
        3. Documenting the evidence
        4. Documenting all changes
      8. Summary
    8. 2. Understanding the Internals of iOS Devices
      1. iPhone models
        1. Identifying the correct hardware model
      2. iPhone hardware
      3. iPad models
      4. Understanding the iPad hardware
      5. Apple Watch models
      6. Understanding the Apple Watch hardware
      7. File system
      8. The HFS Plus file system
        1. The HFS Plus volume
      9. Disk layout
      10. iPhone operating system
        1. The iOS architecture
        2. iOS security
          1. Passcodes
          2. Code signing
          3. Sandboxing
          4. Encryption
          5. Data protection
          6. Address Space Layout Randomization
          7. Privilege separation
          8. Stack smashing protection
          9. Data execution prevention
          10. Data wipe
          11. Activation Lock
        3. The App Store
        4. Jailbreaking
      11. Summary
    9. 3. iOS Forensic Tools
      1. Working with Elcomsoft iOS Forensic Toolkit
        1. Features of EIFT
        2. Usage of EIFT
          1. The guided mode
          2. The manual mode
        3. EIFT-supported devices
          1. Compatibility notes
      2. Oxygen Forensic Detective
        1. Features of Oxygen Forensic Detective
        2. Usage of Oxygen Forensic Detective
      3. Working with Cellebrite UFED Physical Analyzer
        1. Features of Cellebrite UFED Physical Analyzer
        2. Usage of Cellebrite UFED Physical Analyzer
        3. Supported devices
      4. Working with BlackLight
        1. Features of BlackLight
        2. Usage of BlackLight
      5. Open source or free methods
      6. Working with Magnet ACQUIRE
        1. Features of Magnet ACQUIRE
        2. Usage of Magnet ACQUIRE
      7. Working with NowSecureCE
        1. Features of NowSecureCE
        2. Usage of NowSecureCE
      8. Summary
    10. 4. Data Acquisition from iOS Devices
      1. Operating modes of iOS devices
        1. The normal mode
        2. The recovery mode
        3. DFU mode
        4. Setting up the forensic environment
      2. Physical acquisition
        1. Physical acquisition via a custom ramdisk
        2. Imaging the user and system partitions
      3. Encrypted file systems
      4. File system acquisition
      5. Logical acquisition
      6. Bypassing the passcode
      7. Acquisition of jailbroken devices
      8. Summary
    11. 5. Data Acquisition from iOS Backups
      1. iTunes backup
        1. Pairing records
        2. Understanding the backup structure
          1. info.plist
          2. manifest.plist
          3. status.plist
          4. manifest.mbdb
            1. Header
            2. Record
        3. Unencrypted backup
          1. Extracting unencrypted backups
            1. iPhone Backup Extractor
            2. iExplorer
            3. BlackLight
          2. Decrypting the keychain
        4. Encrypted backup
          1. Extracting encrypted backups
          2. Decrypting the keychain
            1. Elcomsoft Phone Breaker
      2. Working with iCloud backups
        1. Extracting iCloud backups
      3. Summary
    12. 6. iOS Data Analysis and Recovery
      1. Timestamps
        1. UNIX timestamps
        2. Mac absolute time
      2. SQLite databases
        1. Connecting to a database
        2. SQLite special commands
        3. Standard SQL queries
        4. Accessing a database using commercial tools
        5. Key artifacts - important iOS database files
          1. Address book contacts
          2. Address book images
          3. Call history
          4. SMS messages
          5. Calendar events
          6. Notes
          7. Safari bookmarks and cache
          8. The photos metadata
          9. Consolidated GPS cache
          10. Voicemail
      3. Property lists
        1. Important plist files
          1. The HomeDomain plist files
          2. The RootDomain plist files
          3. The WirelessDomain plist files
          4. The SystemPreferencesDomain plist files
      4. Other important files
        1. Cookies
        2. Keyboard cache
        3. Photos
        4. Wallpaper
        5. Snapshots
        6. Recordings
        7. Downloaded applications
      5. The Apple Watch
      6. Recovering deleted SQLite records
      7. Summary
    13. 7. Understanding Android
      1. The evolution of Android
      2. The Android model
        1. The Linux kernel layer
        2. Libraries
        3. Dalvik virtual machine
        4. Android Runtime (ART)
        5. The Application Framework layer
        6. The applications layer
      3. The Android security
        1. Secure kernel
        2. The permission model
        3. Application sandbox
        4. Secure inter-process communication
        5. Application signing
        6. Security-Enhanced Linux
        7. Full disk encryption
      4. The Android file hierarchy
      5. The Android file system
        1. Viewing file systems on an Android device
        2. Common file systems found on Android
      6. Summary
    14. 8. Android Forensic Setup and Pre Data Extraction Techniques
      1. Setting up the forensic environment for Android
        1. The Android Software Development Kit
        2. The Android SDK installation
        3. An Android Virtual Device
        4. Connecting an Android device to a workstation
          1. Identifying the device cable
          2. Installing the device drivers
        5. Accessing the connected device
        6. The Android Debug Bridge
          1. USB debugging
        7. Accessing the device using adb
          1. Detecting connected devices
          2. Killing the local adb server
          3. Accessing the adb shell
        8. Handling an Android device
      2. Screen lock bypassing techniques
        1. Using adb to bypass the screen lock
        2. Deleting the gesture.key file
        3. Updating the settings.db file
        4. Checking for the modified recovery mode and adb connection
        5. Flashing a new recovery partition
        6. Using automated tools
        7. Using Android Device Manager
        8. Smudge attack
        9. Using the Forgot Password/Forgot Pattern option
        10. Bypassing Third-Party Lock Screen by booting into safe mode
        11. Secure USB debugging bypass using adb keys
        12. Secure USB debugging bypass in Android 4.4.2
        13. Crashing the lock screen UI in Android 5.x
        14. Other techniques
      3. Gaining root access
        1. What is rooting?
        2. Rooting an Android device
        3. Root access - adb shell
      4. Summary
    15. 9. Android Data Extraction Techniques
      1. Data extraction techniques
        1. Manual data extraction
        2. Logical data extraction
          1. ADB pull data extraction
            1. Using SQLite Browser to view the data
            2. Extracting device information
            3. Extracting call logs
            4. Extracting SMS/MMS
            5. Extracting browser history
            6. Analysis of social networking/IM chats
          2. ADB backup extraction
          3. ADB dumpsys extraction
          4. Using content providers
        3. Physical data extraction
          1. Imaging an Android Phone
          2. Imaging a memory (SD) card
          3. Joint Test Action Group
          4. Chip-off
      2. Summary
    16. 10. Android Data Analysis and Recovery
      1. Analyzing an Android image
        1. Autopsy
          1. Adding an image to Autopsy
          2. Analyzing an image using Autopsy
      2. Android data recovery
        1. Recovering deleted data from external SD card
        2. Recovering data deleted from internal memory
        3. Recovering deleted files by parsing SQLite files
        4. Recovering files using file carving techniques
          1. Recovering contacts using your Google account
      3. Summary
    17. 11. Android App Analysis, Malware, and Reverse Engineering
      1. Analyzing Android apps
        1. Facebook Android app analysis
        2. WhatsApp Android app analysis
        3. Skype Android app analysis
        4. Gmail Android app analysis
        5. Google Chrome Android app analysis
      2. Reverse engineering Android apps
        1. Extracting an APK file from an Android device
        2. Steps to reverse engineer Android apps
      3. Android malware
        1. How does malware spread?
        2. Identifying Android malware
      4. Summary
    18. 12. Windows Phone Forensics
      1. Windows Phone OS
        1. Security model
          1. Windows chambers
          2. Encryption
          3. Capability-based model
          4. App sandboxing
      2. The Windows Phone file system
      3. Data acquisition
        1. Sideloading using ChevronWP7
        2. Commercial forensic tool acquisition methods
        3. Extracting data without the use of commercial tools
        4. SD card data extraction methods
        5. Key artifacts for examination
          1. Extracting SMS
          2. Extracting e-mail
          3. Extracting application data
      4. Summary
    19. 13. Parsing Third-Party Application Files
      1. Third-party application overview
        1. Chat applications
        2. GPS applications
        3. Secure applications
        4. Financial applications
        5. Social networking applications
      2. Encoding versus encryption
      3. Application data storage
        1. iOS applications
        2. Android applications
        3. Windows Phone applications
      4. Forensic methods used to extract third-party application data
        1. Commercial tools
          1. Oxygen Detective
          2. Magnet IEF
          3. UFED Physical Analyzer
        2. Open source tools
          1. Autopsy
          2. Other methods to extract application data
      5. Summary