Practical Mobile Forensics - Fourth Edition

Book description

Become well-versed with forensics for the Android, iOS, and Windows 10 mobile platforms by learning essential techniques and exploring real-life scenarios

Key Features

  • Apply advanced forensic techniques to recover deleted data from mobile devices
  • Retrieve and analyze data stored not only on mobile devices but also on the cloud and other connected mediums
  • Use the power of mobile forensics on popular mobile platforms by exploring different tips, tricks, and techniques

Book Description

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This updated fourth edition of Practical Mobile Forensics delves into the concepts of mobile forensics and its importance in today's world.

The book focuses on teaching you the latest forensic techniques to investigate mobile devices across various mobile platforms. You will learn forensic techniques for multiple OS versions, including iOS 11 to iOS 13, Android 8 to Android 10, and Windows 10. The book then takes you through the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. From inspecting the device and retrieving data from the cloud, through to successfully documenting reports of your investigations, you'll explore new techniques while building on your practical knowledge. Toward the end, you will understand the reverse engineering of applications and ways to identify malware. Finally, the book guides you through parsing popular third-party applications, including Facebook and WhatsApp.

By the end of this book, you will be proficient in various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.

What you will learn

  • Discover new data extraction, data recovery, and reverse engineering techniques in mobile forensics
  • Understand iOS, Windows, and Android security mechanisms
  • Identify sensitive files on every mobile platform
  • Extract data from iOS, Android, and Windows platforms
  • Understand malware analysis, reverse engineering, and data analysis of mobile devices
  • Explore various data recovery techniques on all three mobile platforms

Who this book is for

This book is for forensic examiners with basic experience in mobile forensics or open source solutions for mobile forensics. Computer security professionals, researchers, or anyone looking to gain a deeper understanding of mobile internals will also find this book useful. Some understanding of digital forensic practices will help you grasp the concepts covered in the book more effectively.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Practical Mobile Forensics Fourth Edition
  3. About Packt
    1. Why subscribe?
  4. Contributors
    1. About the authors
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Disclaimer
    5. Get in touch
      1. Reviews
  6. Introduction to Mobile Forensics
    1. The need for mobile forensics
    2. Understanding mobile forensics
    3. Challenges in mobile forensics
    4. The mobile phone evidence extraction process
      1. The evidence intake phase
      2. The identification phase
        1. The legal authority
        2. Data that needs to be extracted
        3. The make, model, and identifying information for the device
        4. Data storage media
        5. Other sources of potential evidence
      3. The preparation phase
      4. The isolation phase
      5. The processing phase
      6. The verification phase
      7. The documenting and reporting phase
      8. The archiving phase
    5. Practical mobile forensic approaches
      1. Understanding mobile operating systems
        1. Android
        2. iOS
        3. Windows Phone
      2. Mobile forensic tool leveling system
        1. Manual extraction
        2. Logical analysis
        3. Hex dump
        4. Chip-off
        5. Micro read
      3. Data acquisition methods
        1. Physical acquisition
        2. Logical acquisition
        3. Manual acquisition
    6. Potential evidence stored on mobile phones
    7. Examination and analysis
    8. Rules of evidence
    9. Good forensic practices
      1. Securing the evidence
      2. Preserving the evidence
      3. Documenting the evidence and changes
      4. Reporting
    10. Summary
  7. Section 1: iOS Forensics
  8. Understanding the Internals of iOS Devices
    1. iPhone models and hardware
      1. Identifying the correct hardware model
      2. Understanding the iPhone hardware
    2. iPad models and hardware
      1. Understanding the iPad hardware
    3. The HFS Plus and APFS filesystems
      1. The HFS Plus filesystem
        1. The HFS Plus volume
      2. The APFS filesystem
        1. The APFS structure
      3. Disk layout
    4. The iPhone OS
      1. The iOS architecture
      2. iOS security
        1. Passcodes, Touch ID, and Face ID
        2. Code signing
        3. Sandboxing
        4. Encryption
        5. Data protection
        6. Address Space Layout Randomization (ASLR)
        7. Privilege separation
        8. Stack-smashing protection
        9. Data Execution Prevention (DEP)
        10. Data wiping
        11. Activation Lock
      3. The App Store
      4. Jailbreaking
    5. Summary
  9. Data Acquisition from iOS Devices
    1. Operating modes of iOS devices
      1. Normal mode
      2. Recovery mode
      3. DFU mode
      4. Setting up the forensic environment
    2. Password protection and potential bypasses
    3. Logical acquisition
      1. Practical logical acquisition with libimobiledevice
      2. Practical logical acquisition with the Belkasoft Acquisition Tool
      3. Practical logical acquisition with Magnet ACQUIRE
    4. Filesystem acquisition
      1. Practical jailbreaking
      2. Practical filesystem acquisition with free tools
      3. Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
    5. Summary
  10. Data Acquisition from iOS Backups
    1. Working with iTunes backups
    2. Creating and analyzing backups with iTunes
      1. Understanding the backup structure
        1. info.plist
        2. manifest.plist
        3. status.plist
        4. manifest.db
    3. Extracting unencrypted backups
      1. iBackup Viewer
      2. iExplorer
    4. Handling encrypted backup files
      1. Elcomsoft Phone Breaker
    5. Working with iCloud backups
      1. Extracting iCloud backups
    6. Summary
  11. iOS Data Analysis and Recovery
    1. Interpreting iOS timestamps
      1. Unix timestamps
      2. Mac absolute time
      3. WebKit/Chrome time
    2. Working with SQLite databases
      1. Connecting to a database
      2. Exploring SQLite special commands
      3. Exploring standard SQL queries
      4. Accessing a database using commercial tools
    3. Key artifacts – important iOS database files
      1. Address book contacts
      2. Address book images
      3. Call history
      4. Short Message Service (SMS) messages
      5. Calendar events
      6. Notes
      7. Safari bookmarks and history
      8. Voicemail
      9. Recordings
      10. Device interaction
      11. Phone numbers
    4. Property lists
      1. Important plist files
    5. Other important files
      1. Local dictionary
      2. Photos
      3. Thumbnails
      4. Wallpaper
      5. Downloaded third-party applications
    6. Recovering deleted SQLite records
    7. Summary
  12. iOS Forensic Tools
    1. Working with Cellebrite UFED Physical Analyzer
      1. Features of Cellebrite UFED Physical Analyzer
      2. Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
    2. Working with Magnet AXIOM
      1. Features of Magnet AXIOM
      2. Logical acquisition and analysis with Magnet AXIOM
    3. Working with Belkasoft Evidence Center
      1. Features of Belkasoft Evidence Center
      2. Logical acquisition and analysis with Belkasoft Evidence Center
    4. Working with Elcomsoft Phone Viewer
      1. Features of Elcomsoft Phone Viewer
      2. Filesystem analysis with Elcomsoft Phone Viewer
    5. Summary
  13. Section 2: Android Forensics
  14. Understanding Android
    1. The evolution of Android
    2. The Android architecture
      1. The Linux kernel layer
      2. The Hardware Abstraction Layer
      3. Libraries
      4. Dalvik Virtual Machine (DVM)
      5. ART
      6. The Java API framework layer
      7. The system apps layer
    3. Android security
      1. Secure kernel
      2. The permission model
      3. Application sandbox
      4. Secure IPC
      5. Application signing
      6. Security-Enhanced Linux (SELinux)
      7. FDE
      8. Android Keystore
      9. TEE
      10. Verified Boot
    4. The Android file hierarchy
    5. The Android filesystem
      1. Viewing filesystems on an Android device
      2. Common filesystems found on Android
        1. Flash memory filesystems
        2. Media-based filesystems
        3. Pseudo filesystems
    6. Summary
  15. Android Forensic Setup and Pre-Data Extraction Techniques
    1. Setting up a forensic environment for Android
      1. Installing the software
      2. Installing the Android platform tools
      3. Creating an Android virtual device
    2. Connecting an Android device to a workstation
      1. Identifying the device cable
      2. Installing device drivers
      3. Accessing the connected device
      4. The Android debug bridge
        1. USB debugging
      5. Accessing the device using adb
        1. Detecting connected devices
        2. Killing the local ADB server
        3. Accessing the adb shell
        4. Basic Linux commands
      6. Handling an Android device
    3. Screen lock bypassing techniques
      1. Using ADB to bypass the screen lock
      2. Deleting the gesture.key file
      3. Updating the settings.db file
      4. Checking for the modified recovery mode and ADB connection
      5. Flashing a new recovery partition
      6. Using automated tools
      7. Using Android Device Manager
      8. Bypass using Find My Mobile (for Samsung phones only)
      9. Smudge attack
      10. Using the forgot password/forgot pattern option
      11. Bypassing third-party lock screens by booting into safe mode
      12. Secure USB debugging bypass using ADB keys
      13. Secure USB debugging bypass in Android 4.4.2
      14. Crashing the lock screen UI in Android 5.x
      15. Other techniques
    4. Gaining root access
      1. What is rooting?
      2. Understanding the rooting process
      3. Rooting an Android device
      4. Root access - ADB shell
    5. Summary
  16. Android Data Extraction Techniques
    1. Understanding data extraction techniques
    2. Manual data extraction
    3. Logical data extraction
      1. ADB pull data extraction
      2. Using SQLite Browser to view the data
        1. Extracting device information
        2. Extracting call logs
        3. Extracting SMS/MMS
        4. Extracting browser history information
      3. Analysis of social networking/IM chats
      4. ADB backup extraction
      5. ADB dumpsys extraction
      6. Using content providers
    4. Physical data extraction
      1. Imaging an Android phone
      2. Imaging a memory (SD) card
      3. Joint Test Action Group
      4. The chip-off technique
    5. Summary
  17. Android Data Analysis and Recovery
    1. Analyzing and extracting data from Android image files using the Autopsy tool
      1. The Autopsy platform
        1. Adding an image to Autopsy
        2. Analyzing an image using Autopsy
    2. Understanding techniques to recover deleted files from the SD card and the internal memory
      1. Recovering deleted data from an external SD card
      2. Recovering data deleted from the internal memory
      3. Recovering deleted files by parsing SQLite files
      4. Recovering files using file-carving techniques
      5. Recovering contacts using your Google account
    3. Summary
  18. Android App Analysis, Malware, and Reverse Engineering
    1. Analyzing widely used Android apps to retrieve valuable data
      1. Facebook Android app analysis
      2. WhatsApp Android app analysis
      3. Skype Android app analysis
      4. Gmail Android app analysis
      5. Google Chrome Android app analysis
    2. Techniques to reverse engineer an Android application
      1. Extracting an APK file from an Android device
        1. Steps to reverse engineer Android apps
    3. Android malware
      1. Types of Android malware
      2. How does Android malware spread?
      3. Identifying Android malware
    4. Summary
  19. Section 3: Windows Forensics and Third-Party Apps
  20. Windows Phone Forensics
    1. Windows Phone OS
    2. Windows 10 Mobile security model
      1. Chambers
      2. Encryption
      3. Capability-based model
      4. App sandboxing
    3. Windows Phone filesystem
    4. Data acquisition
    5. Commercial forensic tool acquisition methods
    6. Extracting data without the use of commercial tools
      1. SD card data extraction methods
    7. Key artifacts for examination
      1. Extracting contacts and SMS
      2. Extracting call history
      3. Extracting internet history
    8. Summary
  21. Parsing Third-Party Application Files
    1. Introduction to third-party applications
      1. Chat applications
      2. GPS applications
      3. Secure applications
      4. Financial applications
      5. Social networking applications
      6. Encoding versus encryption
    2. iOS, Android, and Windows Phone application data storage
      1. iOS applications
      2. Android applications
      3. Windows Phone applications
    3. Forensic methods used to extract third-party application data
      1. Commercial tools
        1. Oxygen Forensic Detective
        2. Magnet AXIOM
        3. UFED Physical Analyzer
      2. Open source/free tools
        1. Working with Autopsy
        2. Other methods of extracting application data
    4. Summary
  22. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Practical Mobile Forensics - Fourth Edition
  • Author(s): Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
  • Release date: April 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838647520