Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation

Book Description

This in-depth guide reveals the art of mobile forensics investigation with comprehensive coverage of the entire mobile forensics investigation lifecycle, from evidence collection through advanced data analysis to reporting and presenting findings.

Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation leads examiners through the mobile forensics investigation process, from isolation and seizure of devices, to evidence extraction and analysis, and finally through the process of documenting and presenting findings. This book gives you not only the knowledge of how to use mobile forensics tools but also an understanding of what these tools are doing and how they do it, enabling you to present your findings and your processes in a court of law. This holistic approach to mobile forensics, featuring the technical alongside the legal aspects of the investigation process, sets this book apart from the competition. This timely guide is a much-needed resource in today’s mobile computing landscape.

  • Notes offer personal insights from the author's years in law enforcement
  • Tips highlight useful mobile forensics software applications, including open source applications that anyone can use free of charge
  • Case studies document actual cases taken from submissions to the author's podcast series
  • Photographs demonstrate proper legal protocols, including seizure and storage of devices, and screenshots showcase mobile forensics software at work
  • Provides you with a holistic understanding of mobile forensics

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Author
  6. Contents at a Glance
  7. Contents
  8. Introduction
  9. CHAPTER 1 Introduction to the World of Mobile Device Forensics
    1. A Brief History of the Mobile Device
      1. Martin Cooper
      2. Size Evolution
      3. Data Evolution
      4. Storage Evolution
    2. Mobile Device Data: The Relevance Today
      1. Mobile Devices in the Media
    3. The Overuse of the Word “Forensic”
      1. Write Blockers and Mobile Devices
    4. Mobile Device Technology and Mobile Forensics
      1. From Data Transfer to Data Forensics
      2. Processes and Procedures
    5. Examination Awareness and Progression
    6. Data Storage Points
      1. Mobile Technology Acronyms
      2. Mobile Device
      3. SIM
      4. Media Storage Cards
      5. Mobile Device Backups
    7. Educational Resources
      1. Phone Scoop
      2. GSMArena
      3. Forums
    8. Preparing for Your Journey
    9. Chapter Summary
  10. CHAPTER 2 Mobile Devices vs. Computer Devices in the World of Forensics
    1. Computer Forensics Defined
      1. International Association of Computer Investigative Specialists (IACIS)
      2. International Society of Forensic Computer Examiners (ISFCE)
    2. Applying Forensic Processes and Procedures
      1. Seizure
      2. Collection
      3. Analysis/Examination
      4. Presentation
    3. Approach to Mobile Device Forensics
      1. NIST and Mobile Forensics
      2. Process and Procedure
    4. Standard Operating Procedure Document
      1. Purpose and Scope
      2. Definitions
      3. Equipment/Materials
      4. General Information
      5. Procedure
      6. References/Documents
      7. Successful SOP Creation and Execution
      8. Creation of a Workflow
    5. Specialty Mobile Forensic Units
    6. Forensic Software
    7. Common Misconceptions
      1. Seasoned Computer Forensics Examiners’ Misconceptions
      2. First Responders’ Misconceptions
    8. Chapter Summary
  11. CHAPTER 3 Collecting Mobile Devices, USB Drives, and Storage Media at the Scene
    1. Lawful Device Seizure
      1. Before the Data Seizure
    2. Fourth Amendment Rights
      1. The Supreme Court and Mobile Device Data Seizure
      2. Warrantless Searches
      3. Location to Be Searched: Physical Location
      4. Location to Be Searched: Mobile Device
    3. Securing the Scene
      1. Data Volatility at the Scene
      2. Asking the Right Questions
    4. Examining the Scene for Evidence
      1. USB Drives
      2. Chargers and USB Cables
      3. SD Cards
      4. SIM Cards
      5. Older Mobile Devices
      6. Personal Computers
    5. Once You Find It, What’s Next?
      1. Inventory and Location
    6. Data Collection: Where and When
    7. Chapter Summary
  12. CHAPTER 4 Preparing, Protecting, and Seizing Digital Device Evidence
    1. Before Seizure: Understanding Mobile Device Communication
      1. Cellular Communication
      2. Bluetooth Communication
      3. Wi-Fi Communication
      4. Near Field Communication
    2. Understanding Mobile Device Security
      1. Apple iOS Devices
      2. Android Devices
      3. Windows Mobile and Windows Phone
      4. BlackBerry Devices
    3. Photographing the Evidence at the Scene
    4. Tagging and Marking Evidence
    5. Documenting the Evidence at the Scene
      1. Mobile Device
      2. Mobile Device Accessories
      3. SIM Card
      4. Memory Cards
    6. Dealing with Power Issues: The Device State
    7. Bagging Sensitive Evidence
      1. Types of Bagging Equipment
      2. Properly Bagging Mobile Device Evidence
    8. Transporting Mobile Device Evidence
      1. To Storage
      2. To the Lab
    9. Establishing Chain of Custody
    10. Chapter Summary
  13. CHAPTER 5 Toolbox Forensics: Multiple-Tool Approach
    1. Choosing the Right Tools
      1. Analyzing Several Devices Collectively
      2. Verifying and Validating Software
      3. Using Multiple Tools to Your Advantage
    2. Dealing with Challenges
      1. Overcoming Challenges by Verification and Validation
      2. Overcoming Challenges for Single- and Multiple-Tool Examinations
    3. Chapter Summary
  14. CHAPTER 6 Mobile Forensic Tool Overview
    1. Collection Types
      1. Logical Collection
      2. Physical Collection
    2. Collection Pyramid
      1. Collection Additions
      2. Nontraditional Tools
    3. Traditional Tool Matrix
    4. Tools Available
      1. Open Source Tools
      2. Freeware Tools
      3. Commercial Tools
    5. Chapter Summary
  15. CHAPTER 7 Preparing the Environment for Your First Collection
    1. Creating the Ideal System
      1. Processor (CPU)
      2. RAM
      3. Input/Output (I/O)
      4. Storage
      5. External Storage
      6. Operating System
    2. Device Drivers and Multiple-Tool Environments
      1. Understanding Drivers
      2. Finding Mobile Device Drivers
      3. Installing Drivers
      4. Cleaning the Computer System of Unused Drivers and Ports
    3. Chapter Summary
  16. CHAPTER 8 Conducting a Collection of a Mobile Device: Considerations and Actions
    1. Initial Considerations
      1. Isolating the Device
      2. Device Collection Type: Logical or Physical
    2. Initial Documentation
      1. Device
      2. Battery
      3. UICC
      4. Memory Card
      5. JTAG or Chip-Off
    3. Isolation of the Mobile Device
      1. Methods, Appliances, and Techniques for Isolating a Device
    4. Mobile Device Processing Workflow
      1. Feature Phone Collections
      2. BlackBerry Collections
      3. Windows Mobile and Windows Phone Examinations
      4. Apple iOS Connections and Collections
      5. Android OS Connections and Collections
    5. Chapter Summary
  17. CHAPTER 9 Analyzing SIM Cards
    1. Smart Card Overview: SIM and UICC
      1. SIM Card Analysis
      2. File System UICC Structure
      3. Network Information Data Locations
      4. User Data Locations
    2. Chapter Summary
  18. CHAPTER 10 Analyzing Feature Phone, BlackBerry, and Windows Phone Data
    1. Avoiding Tool Hashing Inconsistencies
    2. Iceberg Theory
    3. Feature Phones
      1. Feature Phone “Tip of the Iceberg Data”
      2. Parsing a Feature Phone File System
    4. BlackBerry Devices
      1. BlackBerry “Tip of the Iceberg Data”
      2. BlackBerry Database Breakdown
      3. BlackBerry Data Formats and Data Types
      4. BlackBerry 10 File System
    5. Windows Phone
      1. Windows Phone “Tip of the Iceberg Data”
      2. Windows Phone File System
    6. Chapter Summary
  19. CHAPTER 11 Advanced iOS Analysis
    1. The iOS File System
    2. iOS “Tip of the Iceberg Data”
    3. File System Structure
      1. App Data
      2. App Caches
      3. Additional File System Locations
    4. iOS Evidentiary File Types
      1. SQLite Databases
      2. Property Lists
      3. Miscellaneous iOS Files
    5. Chapter Summary
  20. CHAPTER 12 Querying SQLite and Taming the Forensic Snake
    1. Querying of the SQLite Database
      1. What Is a SQL Query?
      2. Building a Simple SQL Query
      3. Automating Query Building
    2. Analysis with Python
      1. Python Terminology
      2. Using Python Scripts
      3. Hashing a Directory of Files
      4. Using Regular Expressions
    3. Chapter Summary
  21. CHAPTER 13 Advanced Android Analysis
    1. Android Device Information
      1. Partitions
      2. The File System
    2. Predominate Android File Types
    3. Artifacts
    4. “Tip of the Iceberg Data”
      1. Additional File System Locations
      2. /data Folder
    5. File Interrogation
      1. Scripts
    6. Android App Files and Malware
      1. Analysis Levels
    7. Chapter Summary
  22. CHAPTER 14 Presenting the Data as a Mobile Forensics Expert
    1. Presenting the Data
      1. The Importance of Taking Notes
      2. The Audience
      3. Format of the Examiner’s Presentation
      4. Why Being Technical Is Not Always Best
      5. What Data to Include in the Report
      6. To Include or Not to Include
    2. Becoming a Mobile Forensic Device Expert
      1. Importance of a Complete Collection
      2. Conforming to Current Expectations May Not Be the Best Approach
      3. Additional Suggestions and Advice
    3. Chapter Summary
  23. Index