Practical Mobile Forensics
Table of Contents
Practical Mobile Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of the book
Errata
Piracy
Questions
1. Introduction to Mobile Forensics
Mobile forensics
Mobile forensic challenges
Mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The document and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Mobile operating systems overview
Android
iOS
Windows phone
BlackBerry OS
Mobile forensic tool leveling system
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Rules of evidence
Admissible
Authentic
Complete
Reliable
Believable
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence
Documenting all changes
Summary
2. Understanding the Internals of iOS Devices
iPhone models
iPhone hardware
iPad models
iPad hardware
File system
The HFS Plus file system
The HFS Plus volume
Disk layout
iPhone operating system
iOS history
1.x – the first iPhone
2.x – App Store and 3G
3.x – the first iPad
4.x – Game Center and multitasking
5.x – Siri and iCloud
6.x – Apple Maps
7.x – the iPhone 5S and beyond
The iOS architecture
The Cocoa Touch layer
The Media layer
The Core Services layer
The Core OS layer
iOS security
Passcode
Code signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization
Privilege separation
Stack smashing protection
Data execution prevention
Data wipe
Activation Lock
App Store
Jailbreaking
Summary
3. Data Acquisition from iOS Devices
Operating modes of iOS devices
Normal mode
Recovery mode
DFU mode
Physical acquisition
Acquisition via a custom ramdisk
The forensic environment setup
Downloading and installing the ldid tool
Verifying the codesign_allocate tool path
Installing OSXFuse
Installing Python modules
Downloading iPhone Data Protection Tools
Building the IMG3FS tool
Downloading redsn0w
Creating and loading the forensic toolkit
Downloading the iOS firmware file
Modifying the kernel
Building a custom ramdisk
Booting the custom ramdisk
Establishing communication with the device
Bypassing the passcode
Imaging the data partition
Decrypting the data partition
Recovering the deleted data
Acquisition via jailbreaking
Summary
4. Data Acquisition from iOS Backups
iTunes backup
Pairing records
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.mbdb
Header
Record
Unencrypted backup
Extracting unencrypted backups
iPhone Backup Extractor
iPhone Backup Browser
iPhone Data Protection Tools
Decrypting the keychain
Encrypted backup
Extracting encrypted backups
iPhone Data Protection Tools
Decrypting the keychain
iPhone Password Breaker
iCloud backup
Extracting iCloud backups
Summary
5. iOS Data Analysis and Recovery
Timestamps
Unix timestamps
Mac absolute time
SQLite databases
Connecting to a database
SQLite special commands
Standard SQL queries
Important database files
Address book contacts
Address book images
Call history
SMS messages
SMS Spotlight cache
Calendar events
E-mail database
Notes
Safari bookmarks
The Safari web caches
The web application cache
The WebKit storage
The photos metadata
Consolidated GPS cache
Voicemail
Property lists
Important plist files
The HomeDomain plist files
The RootDomain plist files
The WirelessDomain plist files
The SystemPreferencesDomain plist files
Other important files
Cookies
Keyboard cache
Photos
Wallpaper
Snapshots
Recordings
Downloaded applications
Recovering deleted SQLite records
Summary
6. iOS Forensic Tools
Elcomsoft iOS Forensic Toolkit
Features of EIFT
Usage of EIFT
Guided mode
Manual mode
EIFT-supported devices
Compatibility notes
Oxygen Forensic Suite 2014
Features of Oxygen Forensic Suite
Usage of Oxygen Forensic Suite
Oxygen Forensic Suite 2014 supported devices
Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Usage of Cellebrite UFED Physical Analyzer
Supported devices
Paraben iRecovery Stick
Features of Paraben iRecovery Stick
Usage of Paraben iRecovery Stick
Devices supported by Paraben iRecovery Stick
Open source or free methods
Summary
7. Understanding Android
The Android model
The Linux kernel layer
Libraries
Dalvik virtual machine
The application framework layer
The applications layer
Android security
Secure kernel
The permission model
Application sandbox
Secure interprocess communication
Application signing
Android file hierarchy
Android file system
Viewing file systems on an Android device
Extended File System – EXT
Summary
8. Android Forensic Setup and Pre Data Extraction Techniques
A forensic environment setup
Android Software Development Kit
Android SDK installation
Android Virtual Device
Connecting an Android device to a workstation
Identifying the device cable
Installing the device drivers
Accessing the connected device
Android Debug Bridge
Accessing the device using adb
Detecting connected devices
Killing the local adb server
Accessing the adb shell
Handling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and adb connection
Flashing a new recovery partition
Smudge attack
Using the primary Gmail account
Other techniques
Gaining root access
What is rooting?
Rooting an Android device
Root access – adb shell
Summary
9. Android Data Extraction Techniques
Imaging an Android Phone
Data extraction techniques
Manual data extraction
Using root access to acquire an Android device
Logical data extraction
Using the adb pull command
Extracting the /data directory on a rooted device
Using SQLite Browser
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history
Analysis of social networking/IM chats
Using content providers
Physical data extraction
JTAG
Chip-off
Imaging a memory (SD) card
Summary
10. Android Data Recovery Techniques
Data recovery
Recovering the deleted files
Recovering deleted data from an SD card
Recovering data deleted from internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Summary
11. Android App Analysis and Overview of Forensic Tools
Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Forensic tools overview
The AFLogical tool
AFLogical Open Source Edition
AFLogical Law Enforcement (LE)
Cellebrite – UFED
Physical extraction
MOBILedit
Autopsy
Analyzing an Android in Autopsy
Summary
12. Windows Phone Forensics
Windows Phone OS
Security model
Windows chambers
Capability-based model
App sandboxing
Windows Phone file system
Data acquisition
Sideloading using ChevronWP7
Extracting the data
Extracting SMS
Extracting e-mail
Extracting application data
Summary
13. BlackBerry Forensics
BlackBerry OS
Security features
Data acquisition
Standard acquisition methods
Creating a BlackBerry backup
BlackBerry analysis
BlackBerry backup analysis
BlackBerry forensic image analysis
Encrypted BlackBerry backup files
Forensic tools for BlackBerry analysis
Summary
Index