
Practical Mobile Forensics - Third Edition

Book Description

Investigate, analyze, and report iOS, Android, and Windows devices

About This Book

  • Get hands-on experience in performing simple to complex mobile forensics techniques.
  • Retrieve and analyze data stored not only on mobile devices but also through the cloud and other connected mediums.
  • A practical guide to leveraging the power of mobile forensics on popular mobile platforms with lots of tips, tricks, and caveats.

Who This Book Is For

If you are a forensics professional eager to widen your skill set to mobile forensics, then this book is for you. Some understanding of digital forensics practices would do wonders.

What You Will Learn

  • Discover the new techniques in practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on the iOS and Android platforms
  • Set up a forensic environment
  • Extract data from the iOS and Android platforms
  • Recover data on the iOS and Android platforms
  • Understand the forensics of Windows devices
  • Explore various third-party application techniques and data recovery techniques

In Detail

Covering up-to-date mobile platforms, this book focuses on teaching you the most recent techniques for investigating mobile devices. We delve into mobile forensics techniques for iOS 9-11, Android 7-8 devices, and Windows 10. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from the cloud, and how to document and prepare reports of your investigations.

By the end of this book, you will have mastered the current operating systems and the relevant techniques to recover data from mobile devices by leveraging open source solutions.

Style and approach

This book takes a very practical approach and depicts real-life mobile forensics scenarios with lots of tips and tricks to help you acquire the required forensics skillset for various mobile platforms.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Introduction to Mobile Forensics
    1. Why do we need mobile forensics?
    2. Mobile forensics
      1. Challenges in mobile forensics
    3. The mobile phone evidence extraction process
      1. The evidence intake phase
      2. The identification phase
        1. The legal authority
        2. The goals of the examination
        3. The make, model, and identifying information for the device
        4. Removable and external data storage
        5. Other sources of potential evidence
      3. The preparation phase
      4. The isolation phase
      5. The processing phase
      6. The verification phase
        1. Comparing extracted data to the handset data
        2. Using multiple tools and comparing the results
        3. Using hash values
      7. The documenting and reporting phase
      8. The presentation phase
      9. The archiving phase
    4. Practical mobile forensic approaches
      1. Overview of mobile operating systems
        1. Android
        2. iOS
        3. Windows Phone
      2. Mobile forensic tool leveling system
        1. Manual extraction
        2. Logical extraction
        3. Hex dump
        4. Chip-off
        5. Micro read
      3. Data acquisition methods
        1. Physical acquisition
        2. Logical acquisition
        3. Manual acquisition
    5. Potential evidence stored on mobile phones
    6. Examination and analysis
    7. Rules of evidence
    8. Good forensic practices
      1. Securing the evidence
      2. Preserving the evidence
      3. Documenting the evidence and changes
      4. Reporting
    9. Summary
  2. Understanding the Internals of iOS Devices
    1. iPhone models
      1. Identifying the correct hardware model
    2. iPhone hardware
    3. iPad models
    4. Understanding the iPad hardware
    5. Apple Watch models
    6. Understanding the Apple Watch hardware
    7. The filesystem
    8. The HFS Plus filesystem
      1. The HFS Plus volume
    9. The APFS filesystem
      1. The APFS structure
    10. Disk layout
    11. iPhone operating system
      1. The iOS architecture
      2. iOS security
        1. Passcodes, Touch ID, and Face ID
        2. Code Signing
        3. Sandboxing
        4. Encryption
        5. Data protection
        6. Address Space Layout Randomization
        7. Privilege separation
        8. Stack-smashing protection
        9. Data execution prevention
        10. Data wipe
        11. Activation Lock
      3. The App Store
      4. Jailbreaking
    12. Summary
  3. Data Acquisition from iOS Devices
    1. Operating modes of iOS devices
      1. The normal mode
      2. The recovery mode
      3. DFU mode
      4. Setting up the forensic environment
      5. Password protection and potential bypasses
    2. Logical acquisition
      1. Practical logical acquisition with libimobiledevice
      2. Practical logical acquisition with Belkasoft Acquisition Tool
      3. Practical logical acquisition with Magnet ACQUIRE
    3. Filesystem acquisition
      1. Practical jailbreaking
      2. Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
    4. Physical acquisition
      1. Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
    5. Summary
  4. Data Acquisition from iOS Backups
    1. iTunes backup
      1. Creating backups with iTunes
      2. Understanding the backup structure
        1. info.plist
        2. manifest.plist
        3. status.plist
        4. manifest.db
    2. Extracting unencrypted backups
      1. iBackup Viewer
      2. iExplorer
      3. BlackLight
    3. Encrypted backup
      1. Elcomsoft Phone Breaker
    4. Working with iCloud backups
      1. Extracting iCloud backups
    5. Summary
  5. iOS Data Analysis and Recovery
    1. Timestamps
      1. Unix timestamps
      2. Mac absolute time
      3. WebKit/Chrome time
      4. SQLite databases
        1. Connecting to a database
        2. SQLite special commands
        3. Standard SQL queries
        4. Accessing a database using commercial tools
      5. Key artifacts – important iOS database files
        1. Address book contacts
        2. Address book images
        3. Call history
        4. SMS messages
        5. Calendar events
        6. Notes
        7. Safari bookmarks and cache
        8. Photo metadata
        9. Consolidated GPS cache
        10. Voicemail
      6. Property lists
        1. Important plist files
          1. The HomeDomain plist files
          2. The RootDomain plist files
          3. The WirelessDomain plist files
          4. The SystemPreferencesDomain plist files
      7. Other important files
        1. Cookies
        2. Keyboard cache
        3. Photos
        4. Thumbnails
        5. Wallpaper
        6. Recordings
        7. Downloaded applications
      8. Apple Watch
      9. Recovering deleted SQLite records
    2. Summary
  6. iOS Forensic Tools
    1. Working with Cellebrite UFED Physical Analyzer
      1. Features of Cellebrite UFED Physical Analyzer
      2. Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
    2. Working with Magnet AXIOM
      1. Features of Magnet AXIOM
      2. Logical acquisition and analysis with Magnet AXIOM
    3. Working with Belkasoft Evidence Center
      1. Features of Belkasoft Evidence Center
      2. iTunes backup parsing and analysis with Belkasoft Evidence Center
    4. Working with Oxygen Forensic Detective
      1. Features of Oxygen Forensic Detective
      2. Logical acquisition and analysis with Oxygen Forensic Detective
    5. Summary
  7. Understanding Android
    1. The evolution of Android
    2. The Android model
      1. The Linux kernel layer
      2. The Hardware Abstraction Layer
      3. Libraries
      4. Dalvik virtual machine
      5. Android Runtime (ART)
      6. The Java API framework layer
      7. The system apps layer
    3. Android security
      1. Secure kernel
      2. The permission model
      3. Application sandbox
      4. Secure inter-process communication
      5. Application signing
      6. Security-Enhanced Linux
      7. Full Disk Encryption
      8. Trusted Execution Environment
    4. The Android file hierarchy
    5. The Android file system
      1. Viewing file systems on an Android device
      2. Common file systems found on Android
    6. Summary
  8. Android Forensic Setup and Pre-Data Extraction Techniques
    1. Setting up the forensic environment for Android
      1. The Android Software Development Kit
      2. The Android SDK installation
      3. An Android Virtual Device
      4. Connecting an Android device to a workstation
        1. Identifying the device cable
        2. Installing the device drivers
      5. Accessing the connected device
      6. The Android Debug Bridge
        1. USB debugging
      7. Accessing the device using adb
        1. Detecting connected devices
        2. Killing the local adb server
        3. Accessing the adb shell
        4. Basic Linux commands
      8. Handling an Android device
    2. Screen lock bypassing techniques
      1. Using adb to bypass the screen lock
      2. Deleting the gesture.key file
      3. Updating the settings.db file
      4. Checking for the modified recovery mode and adb connection
      5. Flashing a new recovery partition
      6. Using automated tools
      7. Using Android Device Manager
      8. Smudge attack
      9. Using the Forgot Password/Forgot Pattern option
      10. Bypassing third-party lock screens by booting into safe mode
      11. Securing the USB debugging bypass using adb keys
      12. Securing the USB debugging bypass in Android 4.4.2
      13. Crashing the lock screen UI in Android 5.x
      14. Other techniques
    3. Gaining root access
      1. What is rooting?
      2. Rooting an Android device
      3. Root access - adb shell
    4. Summary
  9. Android Data Extraction Techniques
    1. Data extraction techniques
      1. Manual data extraction
      2. Logical data extraction
        1. ADB pull data extraction
        2. Using SQLite Browser to view the data
          1. Extracting device information
          2. Extracting call logs
          3. Extracting SMS/MMS
          4. Extracting browser history
        3. Analysis of social networking/IM chats
        4. ADB backup extraction
          1. ADB dumpsys extraction
        5. Using content providers
      3. Physical data extraction
        1. Imaging an Android phone
        2. Imaging a memory (SD) card
        3. Joint Test Action Group
        4. Chip-off
    2. Summary
  10. Android Data Analysis and Recovery
    1. Analyzing an Android image
      1. Autopsy
        1. Adding an image to Autopsy
        2. Analyzing an image using Autopsy
    2. Android data recovery
      1. Recovering deleted data from an external SD card
      2. Recovering data deleted from internal memory
      3. Recovering deleted files by parsing SQLite files
      4. Recovering files using file-carving techniques
      5. Recovering contacts using your Google account
    3. Summary
  11. Android App Analysis, Malware, and Reverse Engineering
    1. Analyzing Android apps
      1. Facebook Android app analysis
      2. WhatsApp Android app analysis
      3. Skype Android app analysis
      4. Gmail Android app analysis
      5. Google Chrome Android app analysis
    2. Reverse engineering Android apps
      1. Extracting an APK file from an Android device
        1. Steps to reverse engineer Android apps
    3. Android malware
      1. How does malware spread?
      2. Identifying Android malware
    4. Summary
  12. Windows Phone Forensics
    1. Windows Phone OS
    2. Security model
      1. Chambers
      2. Encryption
      3. Capability-based model
      4. App sandboxing
    3. Windows Phone filesystem
    4. Data acquisition
    5. Commercial forensic tool acquisition methods
      1. Extracting data without the use of commercial tools
      2. SD card data extraction methods
    6. Key artifacts for examination
      1. Extracting contacts and SMS
      2. Extracting call history
      3. Extracting internet history
    7. Summary
  13. Parsing Third-Party Application Files
    1. Third-party application overview
      1. Chat applications
      2. GPS applications
      3. Secure applications
      4. Financial applications
      5. Social networking applications
    2. Encoding versus encryption
    3. Application data storage
      1. iOS applications
      2. Android applications
      3. Windows Phone applications
    4. Forensic methods used to extract third-party application data
      1. Commercial tools
        1. Oxygen Detective
        2. Magnet IEF
        3. UFED Physical Analyzer
      2. Open source tools
        1. Autopsy
        2. Other methods of extracting application data
    5. Summary
  14. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think