Practical Mobile Forensics

Book Description

Dive into mobile forensics on iOS, Android, Windows, and BlackBerry devices with this action-packed, practical guide

In Detail

With the advent of smartphones, the usage and functionality of mobile devices have grown enormously, along with the amount of sensitive information these devices contain. Law enforcement agencies around the world have realized the importance of the evidence present on a mobile device and how it can influence the outcome of an investigation.

Practical Mobile Forensics explains mobile forensic techniques on the iOS, Android, Windows, and BlackBerry platforms. You will learn the fundamentals of mobile forensics, different techniques to extract data from a device, recover deleted data, and bypass screen lock mechanisms, and various other tools that aid in a forensic examination.

This book will teach you everything you need to know to forensically examine a mobile device. The techniques described are not only useful for budding forensic investigators, but will also come in handy for those who may want to recover accidentally deleted data.

What You Will Learn

  • Learn different approaches to practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on iOS and Android platforms
  • Set up the forensic environment
  • Extract data on iOS and Android platforms
  • Recover data on iOS and Android platforms
  • Understand the forensics of Windows and BlackBerry devices

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

    1. Practical Mobile Forensics
      1. Table of Contents
      2. Practical Mobile Forensics
      3. Credits
      4. About the Authors
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Downloading the color images of the book
          3. Errata
          4. Piracy
          5. Questions
      8. 1. Introduction to Mobile Forensics
        1. Mobile forensics
          1. Mobile forensic challenges
        2. Mobile phone evidence extraction process
          1. The evidence intake phase
          2. The identification phase
            1. The legal authority
            2. The goals of the examination
            3. The make, model, and identifying information for the device
            4. Removable and external data storage
            5. Other sources of potential evidence
          3. The preparation phase
          4. The isolation phase
          5. The processing phase
          6. The verification phase
            1. Comparing extracted data to the handset data
            2. Using multiple tools and comparing the results
            3. Using hash values
          7. The document and reporting phase
          8. The presentation phase
          9. The archiving phase
        3. Practical mobile forensic approaches
          1. Mobile operating systems overview
            1. Android
            2. iOS
            3. Windows phone
            4. BlackBerry OS
          2. Mobile forensic tool leveling system
            1. Manual extraction
            2. Logical extraction
            3. Hex dump
            4. Chip-off
            5. Micro read
          3. Data acquisition methods
            1. Physical acquisition
            2. Logical acquisition
            3. Manual acquisition
        4. Potential evidence stored on mobile phones
        5. Rules of evidence
          1. Admissible
          2. Authentic
          3. Complete
          4. Reliable
          5. Believable
        6. Good forensic practices
          1. Securing the evidence
          2. Preserving the evidence
          3. Documenting the evidence
          4. Documenting all changes
        7. Summary
      9. 2. Understanding the Internals of iOS Devices
        1. iPhone models
        2. iPhone hardware
        3. iPad models
        4. iPad hardware
        5. File system
        6. The HFS Plus file system
          1. The HFS Plus volume
        7. Disk layout
        8. iPhone operating system
          1. iOS history
            1. 1.x – the first iPhone
            2. 2.x – App Store and 3G
            3. 3.x – the first iPad
            4. 4.x – Game Center and multitasking
            5. 5.x – Siri and iCloud
            6. 6.x – Apple Maps
            7. 7.x – the iPhone 5S and beyond
          2. The iOS architecture
            1. The Cocoa Touch layer
            2. The Media layer
            3. The Core Services layer
            4. The Core OS layer
          3. iOS security
            1. Passcode
            2. Code signing
            3. Sandboxing
            4. Encryption
            5. Data protection
            6. Address Space Layout Randomization
            7. Privilege separation
            8. Stack smashing protection
            9. Data execution prevention
            10. Data wipe
            11. Activation Lock
          4. App Store
          5. Jailbreaking
        9. Summary
      10. 3. Data Acquisition from iOS Devices
        1. Operating modes of iOS devices
          1. Normal mode
          2. Recovery mode
          3. DFU mode
        2. Physical acquisition
        3. Acquisition via a custom ramdisk
          1. The forensic environment setup
            1. Downloading and installing the ldid tool
            2. Verifying the codesign_allocate tool path
            3. Installing OSXFuse
            4. Installing Python modules
            5. Downloading iPhone Data Protection Tools
            6. Building the IMG3FS tool
            7. Downloading redsn0w
          2. Creating and loading the forensic toolkit
            1. Downloading the iOS firmware file
            2. Modifying the kernel
            3. Building a custom ramdisk
            4. Booting the custom ramdisk
          3. Establishing communication with the device
          4. Bypassing the passcode
          5. Imaging the data partition
          6. Decrypting the data partition
          7. Recovering the deleted data
        4. Acquisition via jailbreaking
        5. Summary
      11. 4. Data Acquisition from iOS Backups
        1. iTunes backup
          1. Pairing records
          2. Understanding the backup structure
            1. info.plist
            2. manifest.plist
            3. status.plist
            4. manifest.mbdb
              1. Header
              2. Record
          3. Unencrypted backup
            1. Extracting unencrypted backups
              1. iPhone Backup Extractor
              2. iPhone Backup Browser
              3. iPhone Data Protection Tools
            2. Decrypting the keychain
          4. Encrypted backup
            1. Extracting encrypted backups
              1. iPhone Data Protection Tools
            2. Decrypting the keychain
              1. iPhone Password Breaker
        2. iCloud backup
          1. Extracting iCloud backups
        3. Summary
      12. 5. iOS Data Analysis and Recovery
        1. Timestamps
          1. Unix timestamps
          2. Mac absolute time
        2. SQLite databases
          1. Connecting to a database
          2. SQLite special commands
          3. Standard SQL queries
          4. Important database files
            1. Address book contacts
            2. Address book images
            3. Call history
            4. SMS messages
            5. SMS Spotlight cache
            6. Calendar events
            7. E-mail database
            8. Notes
            9. Safari bookmarks
            10. The Safari web caches
            11. The web application cache
            12. The WebKit storage
            13. The photos metadata
            14. Consolidated GPS cache
            15. Voicemail
        3. Property lists
          1. Important plist files
            1. The HomeDomain plist files
            2. The RootDomain plist files
            3. The WirelessDomain plist files
            4. The SystemPreferencesDomain plist files
        4. Other important files
          1. Cookies
          2. Keyboard cache
          3. Photos
          4. Wallpaper
          5. Snapshots
          6. Recordings
          7. Downloaded applications
        5. Recovering deleted SQLite records
        6. Summary
      13. 6. iOS Forensic Tools
        1. Elcomsoft iOS Forensic Toolkit
          1. Features of EIFT
          2. Usage of EIFT
            1. Guided mode
            2. Manual mode
          3. EIFT-supported devices
            1. Compatibility notes
        2. Oxygen Forensic Suite 2014
          1. Features of Oxygen Forensic Suite
          2. Usage of Oxygen Forensic Suite
          3. Oxygen Forensic Suite 2014 supported devices
        3. Cellebrite UFED Physical Analyzer
          1. Features of Cellebrite UFED Physical Analyzer
          2. Usage of Cellebrite UFED Physical Analyzer
          3. Supported devices
        4. Paraben iRecovery Stick
          1. Features of Paraben iRecovery Stick
          2. Usage of Paraben iRecovery Stick
          3. Devices supported by Paraben iRecovery Stick
        5. Open source or free methods
        6. Summary
      14. 7. Understanding Android
        1. The Android model
          1. The Linux kernel layer
          2. Libraries
          3. Dalvik virtual machine
          4. The application framework layer
          5. The applications layer
        2. Android security
          1. Secure kernel
          2. The permission model
          3. Application sandbox
          4. Secure interprocess communication
          5. Application signing
        3. Android file hierarchy
        4. Android file system
          1. Viewing file systems on an Android device
          2. Extended File System – EXT
        5. Summary
      15. 8. Android Forensic Setup and Pre Data Extraction Techniques
        1. A forensic environment setup
          1. Android Software Development Kit
          2. Android SDK installation
          3. Android Virtual Device
          4. Connecting an Android device to a workstation
            1. Identifying the device cable
            2. Installing the device drivers
          5. Accessing the connected device
          6. Android Debug Bridge
          7. Accessing the device using adb
            1. Detecting connected devices
            2. Killing the local adb server
            3. Accessing the adb shell
          8. Handling an Android device
        2. Screen lock bypassing techniques
          1. Using adb to bypass the screen lock
          2. Deleting the gesture.key file
          3. Updating the settings.db file
          4. Checking for the modified recovery mode and adb connection
          5. Flashing a new recovery partition
          6. Smudge attack
          7. Using the primary Gmail account
          8. Other techniques
        3. Gaining root access
          1. What is rooting?
          2. Rooting an Android device
          3. Root access – adb shell
        4. Summary
      16. 9. Android Data Extraction Techniques
        1. Imaging an Android Phone
        2. Data extraction techniques
          1. Manual data extraction
          2. Using root access to acquire an Android device
          3. Logical data extraction
            1. Using the adb pull command
            2. Extracting the /data directory on a rooted device
            3. Using SQLite Browser
            4. Extracting device information
            5. Extracting call logs
            6. Extracting SMS/MMS
            7. Extracting browser history
            8. Analysis of social networking/IM chats
            9. Using content providers
          4. Physical data extraction
            1. JTAG
            2. Chip-off
          5. Imaging a memory (SD) card
        3. Summary
      17. 10. Android Data Recovery Techniques
        1. Data recovery
          1. Recovering the deleted files
            1. Recovering deleted data from an SD card
            2. Recovering data deleted from internal memory
            3. Recovering deleted files by parsing SQLite files
            4. Recovering files using file-carving techniques
        2. Summary
      18. 11. Android App Analysis and Overview of Forensic Tools
        1. Android app analysis
        2. Reverse engineering Android apps
          1. Extracting an APK file from an Android device
          2. Steps to reverse engineer Android apps
        3. Forensic tools overview
          1. The AFLogical tool
          2. AFLogical Open Source Edition
          3. AFLogical Law Enforcement (LE)
        4. Cellebrite – UFED
          1. Physical extraction
        5. MOBILedit
        6. Autopsy
          1. Analyzing an Android in Autopsy
        7. Summary
      19. 12. Windows Phone Forensics
        1. Windows Phone OS
          1. Security model
          2. Windows chambers
          3. Capability-based model
            1. App sandboxing
        2. Windows Phone file system
        3. Data acquisition
          1. Sideloading using ChevronWP7
          2. Extracting the data
            1. Extracting SMS
            2. Extracting e-mail
            3. Extracting application data
        4. Summary
      20. 13. BlackBerry Forensics
        1. BlackBerry OS
          1. Security features
        2. Data acquisition
          1. Standard acquisition methods
          2. Creating a BlackBerry backup
        3. BlackBerry analysis
          1. BlackBerry backup analysis
          2. BlackBerry forensic image analysis
          3. Encrypted BlackBerry backup files
          4. Forensic tools for BlackBerry analysis
        4. Summary
      21. Index