book

Practical Mobile Forensics - Second Edition

Name: Practical Mobile Forensics - Second Edition
ISBN: 9781786464200

by Heather Mahalik, Rohit Tamma, Satish Bommisetty

May 2016

Beginner to intermediate

412 pages

8h 53m

English

Packt Publishing

Read now

Unlock full access

Practical Mobile Forensics - Second Edition
Practical Mobile Forensics - Second Edition
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions

Reader feedback
Customer support
ErrataPiracyQuestions
1. Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phaseThe identification phaseThe legal authorityThe goals of the examinationThe make, model, and identifying information for the deviceRemovable and external data storageOther sources of potential evidenceThe preparation phaseThe isolation phaseThe processing phaseThe verification phaseComparing extracted data to the handset dataUsing multiple tools and comparing the resultsUsing hash valuesThe document and reporting phaseThe presentation phaseThe archiving phase
Practical mobile forensic approaches
Mobile operating systems overviewAndroidiOSWindows phoneMobile forensic tool leveling systemManual extractionLogical extractionHex dumpChip-offMicro readData acquisition methodsPhysical acquisitionLogical acquisitionManual acquisition
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Securing the evidencePreserving the evidenceDocumenting the evidenceDocumenting all changes
Summary
2. Understanding the Internals of iOS Devices
iPhone modelsIdentifying the correct hardware model
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
File system
The HFS Plus file system
The HFS Plus volume
Disk layout
iPhone operating system
The iOS architectureiOS securityPasscodesCode signingSandboxingEncryptionData protectionAddress Space Layout RandomizationPrivilege separationStack smashing protectionData execution preventionData wipeActivation LockThe App StoreJailbreaking
Summary
3. iOS Forensic Tools
Working with Elcomsoft iOS Forensic ToolkitFeatures of EIFTUsage of EIFTThe guided modeThe manual modeEIFT-supported devicesCompatibility notes
Oxygen Forensic Detective
Features of Oxygen Forensic DetectiveUsage of Oxygen Forensic Detective
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical AnalyzerUsage of Cellebrite UFED Physical AnalyzerSupported devices
Working with BlackLight
Features of BlackLightUsage of BlackLight
Open source or free methods
Working with Magnet ACQUIRE
Features of Magnet ACQUIREUsage of Magnet ACQUIRE
Working with NowSecureCE
Features of NowSecureCEUsage of NowSecureCE
Summary
4. Data Acquisition from iOS Devices
Operating modes of iOS devicesThe normal modeThe recovery modeDFU modeSetting up the forensic environment
Physical acquisition
Physical acquisition via a custom ramdiskImaging the user and system partitions
Encrypted file systems
File system acquisition
Logical acquisition
Bypassing the passcode
Acquisition of jailbroken devices
Summary
5. Data Acquisition from iOS Backups
iTunes backupPairing recordsUnderstanding the backup structureinfo.plistmanifest.pliststatus.plistmanifest.mbdbHeaderRecordUnencrypted backupExtracting unencrypted backupsiPhone Backup ExtractoriExplorerBlackLightDecrypting the keychainEncrypted backupExtracting encrypted backupsDecrypting the keychainElcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
6. iOS Data Analysis and Recovery
TimestampsUNIX timestampsMac absolute time
SQLite databases
Connecting to a databaseSQLite special commandsStandard SQL queriesAccessing a database using commercial toolsKey artifacts - important iOS database filesAddress book contactsAddress book imagesCall historySMS messagesCalendar eventsNotesSafari bookmarks and cacheThe photos metadataConsolidated GPS cacheVoicemail
Property lists
Important plist filesThe HomeDomain plist filesThe RootDomain plist filesThe WirelessDomain plist filesThe SystemPreferencesDomain plist files
Other important files
CookiesKeyboard cachePhotosWallpaperSnapshotsRecordingsDownloaded applications
The Apple Watch
Recovering deleted SQLite records
Summary
7. Understanding Android
The evolution of Android
The Android model
The Linux kernel layerLibrariesDalvik virtual machineAndroid Runtime (ART)The Application Framework layerThe applications layer
The Android security
Secure kernelThe permission modelApplication sandboxSecure inter-process communicationApplication signingSecurity-Enhanced LinuxFull disk encryption
The Android file hierarchy
The Android file system
Viewing file systems on an Android deviceCommon file systems found on Android
Summary
8. Android Forensic Setup and Pre Data Extraction Techniques
Setting up the forensic environment for AndroidThe Android Software Development KitThe Android SDK installationAn Android Virtual DeviceConnecting an Android device to a workstationIdentifying the device cableInstalling the device driversAccessing the connected deviceThe Android Debug BridgeUSB debuggingAccessing the device using adbDetecting connected devicesKilling the local adb serverAccessing the adb shellHandling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lockDeleting the gesture.key fileUpdating the settings.db fileChecking for the modified recovery mode and adb connectionFlashing a new recovery partitionUsing automated toolsUsing Android Device ManagerSmudge attackUsing the Forgot Password/Forgot Pattern optionBypassing Third-Party Lock Screen by booting into safe modeSecure USB debugging bypass using adb keysSecure USB debugging bypass in Android 4.4.2Crashing the lock screen UI in Android 5.xOther techniques
Gaining root access
What is rooting?Rooting an Android deviceRoot access - adb shell
Summary
9. Android Data Extraction Techniques
Data extraction techniquesManual data extractionLogical data extractionADB pull data extractionUsing SQLite Browser to view the dataExtracting device informationExtracting call logsExtracting SMS/MMSExtracting browser historyAnalysis of social networking/IM chatsADB backup extractionADB dumpsys extractionUsing content providersPhysical data extractionImaging an Android PhoneImaging a memory (SD) cardJoint Test Action GroupChip-off
Summary
10. Android Data Analysis and Recovery
Analyzing an Android imageAutopsyAdding an image to AutopsyAnalyzing an image using Autopsy
Android data recovery
Recovering deleted data from external SD cardRecovering data deleted from internal memoryRecovering deleted files by parsing SQLite filesRecovering files using file carving techniquesRecovering contacts using your Google account
Summary
11. Android App Analysis, Malware, and Reverse Engineering
Analyzing Android appsFacebook Android app analysisWhatsApp Android app analysisSkype Android app analysisGmail Android app analysisGoogle Chrome Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android deviceSteps to reverse engineer Android apps
Android malware
How does malware spread?Identifying Android malware
Summary
12. Windows Phone Forensics
Windows Phone OSSecurity modelWindows chambersEncryptionCapability-based modelApp sandboxing
The Windows Phone file system
Data acquisition
Sideloading using ChevronWP7Commercial forensic tool acquisition methodsExtracting data without the use of commercial toolsSD card data extraction methodsKey artifacts for examinationExtracting SMSExtracting e-mailExtracting application data
Summary
13. Parsing Third-Party Application Files
Third-party application overviewChat applicationsGPS applicationsSecure applicationsFinancial applicationsSocial networking applications
Encoding versus encryption
Application data storage
iOS applicationsAndroid applicationsWindows Phone applications
Forensic methods used to extract third-party application data
Commercial toolsOxygen DetectiveMagnet IEFUFED Physical AnalyzerOpen source toolsAutopsyOther methods to extract application data
Summary

Overview

"Practical Mobile Forensics" provides a hands-on approach to mastering forensic techniques for mobile operating systems such as iOS, Android, and Windows Phone. Through this comprehensive guide, you will learn how to retrieve, analyze, and document data from mobile devices effectively.

What this Book will help me do

Understand mobile forensic principles and the forensic acquisition process for iOS, Android, and Windows platforms.
Utilize common open source and commercial tools to acquire and analyze mobile data.
Learn how to recover deleted or hidden information efficiently from devices and backups.
Gain insights into protecting the integrity and documenting findings during mobile forensic investigations.
Achieve proficiency in navigating current challenges with cloud and application data in mobile forensics.

Author(s)

None Mahalik, Rohit Tamma, and Satish Bommisetty are experienced forensic professionals and authors specializing in mobile platforms. Their practical expertise and clear instructional approach make complex topics accessible. By synthesizing real-world scenarios into clear methods, they provide valuable guidance to practitioners and learners of digital forensics.

Who is it for?

This book is ideal for forensic professionals who wish to expand their expertise to include mobile devices and cloud-based data extraction. It suits intermediate learners who are familiar with forensic concepts and seek deeper knowledge in practical mobile investigations. If you're looking to master efficient techniques and tools, this book addresses those needs effectively.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Practical Mobile Forensics - Third Edition

Publisher Resources

ISBN: 9781786464200

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills