Mobile Forensics – Advanced Investigative Strategies (e-book)

Authors: Oleg Afonin, Vladimir Katalov

Publisher: Packt Publishing

Publication date: 2016-09-01

Length: 4,018,000 characters

Category: Imported books > Foreign-language originals > Computers/Networking

Description

Master powerful strategies to acquire and analyze evidence from real-life scenarios.

About This Book

• A straightforward guide to the roadblocks faced when doing mobile forensics
• Simplify mobile forensics using the right mix of methods, techniques, and tools
• Valuable advice to put you in the mindset of a forensic professional, regardless of your career level or experience

Who This Book Is For

This book is for forensic analysts, law enforcement officers, and IT security officers who have to deal with digital evidence as part of their daily job. Some basic familiarity with digital forensics is assumed, but no experience with mobile forensics is required.

What You Will Learn

• Understand the challenges of mobile forensics
• Grasp how to properly deal with digital evidence
• Explore the types of evidence available on iOS, Android, Windows, and BlackBerry mobile devices
• Know what forensic outcome to expect under given circumstances
• Deduce when and how to apply physical, logical, over-the-air, or low-level (advanced) acquisition methods
• Get in-depth knowledge of the different acquisition methods for all major mobile platforms
• Discover important mobile acquisition tools and techniques for all of the major platforms

In Detail

Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools and, even more importantly, the right strategies. In this book, you'll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work. We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique.

We cover important techniques such as seizure techniques that shield the device (Faraday bags, keeping the power on), and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data backups, and over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, tools for mobile forensics, and tools to help you discover and analyze evidence. By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.

Style and approach

This book takes a unique strategy-based approach, applying each strategy to real-world scenarios. You will be introduced to thinking in terms of "game plans," which are essential to succeeding in analyzing evidence and conducting investigations.
Table of contents

Mobile Forensics – Advanced Investigative Strategies

Credits

Foreword

About the Authors

About the Reviewer

www.PacktPub.com

Why subscribe?

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

1. Introducing Mobile Forensics

Why we need mobile forensics

Available information

Mobile devices

Personal computers

Cloud storage

Stages of mobile forensics

Stage 1 - device seizure

Seizing - what and how should we seize?

The use of Faraday bags

Keeping the power on

Dealing with the kill switch

Mobile device anti-forensics

Stage 2 - data acquisition

Root, jailbreak, and unlocked bootloader

Android ADB debugging

SIM cloning

SIM card memory

Memory card

Stage 3 - data analysis

Summary

2. Acquisition Methods Overview

Over-the-air acquisition

Apple iCloud

Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10

Google Android

Logical acquisition (backup analysis)

Apple iOS

BlackBerry 10

Android

Nandroid backups

Physical acquisition

Apple iOS

Android

Windows Phone 8 and Windows 10 Mobile

Limitations and availability

Tools for physical acquisition

JTAG

Chip-off

In-system programming

Summary

3. Acquisition – Approaching Android Devices

Android platform fragmentation

AOSP, GMS, and their forensic implications

Android logical acquisition

OEM software

Android acquisition – special considerations

Unallocated space

eMMC storage

Remapping and overprovisioning

Wear leveling

Trimming

What happens to the deleted data?

JTAG forensics

When to JTAG a device

Limitations of JTAG forensics

Step-by-step JTAG acquisition

Chip-off acquisition

Chip-off and encryption

In-system programming forensics

Summary

4. Practical Steps to Android Acquisition

Android physical acquisition

Encryption

Approaching physical acquisition

Encryption status – Is the data partition encrypted?

Service mode available

LG smartphones

Devices based on the Qualcomm reference platform

Mediatek-based Chinese phones

Bootloader status

Root status

LG smartphones' LAF mode

MediaTek smartphones

Qualcomm bootloader exploit

Qualcomm-based smartphones – HS-USB 9006

Encryption

The Qualcomm 9006 mode

Tools for imaging via Qualcomm Download Mode 9006

Using custom recoveries

Imaging via custom recovery – making a Nandroid backup

Imaging via custom recovery – physical imaging via dd

Imaging the device

Nandroid backups

Is unlocked bootloader required?

Is root access required?

Producing a Nandroid backup

Analyzing Nandroid backups

Live imaging

Live imaging with root (via dd)

Live imaging without root (via ADB backup)

Live imaging using Oxygen Forensic Suite

Google Account acquisition – over-the-air

Why Google Account?

Google Account – what's inside?

A word on Android backups

Google Takeout

Google Account acquisition and analysis using Elcomsoft Cloud Explorer

Two-factor authentication

User alerts

Viewing, searching, and analyzing data

Summary

5. iOS – Introduction and Physical Acquisition

iOS forensics – introduction

Generations of Apple hardware

Is jailbreak required?

Geolocation information

Where is the information stored?

iOS acquisition methods overview

iOS acquisition methods compared

iOS advanced logical acquisition

iOS physical acquisition

Physical acquisition benefits

What's unique about physical acquisition?

The future of physical acquisition

Physical acquisition compatibility matrix

Unallocated space – unavailable since iOS 4

Sending device to Apple

The role of passcode

Physical acquisition of iOS 8 and 9

Tools for iOS physical acquisition

Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit

What does the tool do?

Prerequisites

Acquiring 64-bit Apple devices

Comparing 64-bit process and traditional physical acquisition

Supported devices and iOS versions

Performing physical acquisition on a 64-bit iOS device

What is available via 64-bit physical acquisition

Locked device with unknown passcode

Viewing and analyzing the image

Potential legal implications

Summary

6. iOS Logical and Cloud Acquisition

Understanding backups - local, cloud, encrypted and unencrypted

Encrypted versus unencrypted iTunes backups

Breaking backup passwords

Breaking the password - how long will it take?

A fast CPU and a faster video card

Breaking complex passwords

Knowing the user helps breaking the password

Tutorial - logical acquisition with Elcomsoft Phone Breaker

Breaking the password

Decrypting the backup

Dealing with long and complex passwords

Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP

iOS Cloud forensics - over-the-air acquisition

About Apple iCloud

Getting started with iCloud Keychain

Getting started with iCloud Drive

Understanding iCloud forensics

Tutorial - cloud acquisition with Elcomsoft Phone Breaker

Downloading iCloud backups - using Apple ID and password

Downloading iCloud/iCloud Drive backups - using authentication tokens

Extracting authentication tokens

iCloud authentication tokens (iOS 6 through 9) - limitations

iCloud Drive authentication tokens (iOS 9 and newer) - a different beast altogether

Quick start - selective downloading

Two-factor authentication

Two-factor authentication is optional

Two-factor authentication versus two-step verification - understanding the differences

Two-step verification

Two-factor authentication

No app-specific passwords in two-factor authentication

Cloud acquisition with two-step verification and two-factor authentication

What next?

Summary

7. Acquisition – Approaching Windows Phone and Windows 10 Mobile

Windows Phone security model

Windows Phone physical acquisition

JTAG forensics on Windows Phone 8.x and Windows 10 Mobile

Windows Phone 8.x device encryption

Windows 10 Mobile device encryption

Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics

Acquiring Windows Phone backups over the air

Summary

8. Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets

Windows 8, 8.1, 10, and RT on portable touchscreen devices

Acquisition of Windows tablets

Understanding Secure Boot

Connected Standby (InstantGo)

BitLocker device encryption

BitLocker and Encrypting File System

BitLocker and hibernation

BitLocker acquisition summary

Capturing a memory dump

Types of evidence available in volatile memory

Special case – Windows RT devices

SD cards and Windows File History

Imaging Built-in eMMC Storage

eMMC and deleted data recovery

Windows 8 and Windows 10 encryption – TRIM versus BitLocker

Booting Windows tablets from recovery media

Special case – recovery media for Windows RT

Steps to boot from recovery media

Configuring UEFI BIOS to boot from recovery media

Acquiring a BitLocker encryption key

Breaking into Microsoft Account to acquire the BitLocker Recovery Key

Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions

BitLocker keys and Trusted Platform Module

Imaging Windows RT tablets

BitLocker encryption

DISM – a built-in tool to image Windows RT

Must be logged in with an administrative account

Must be logged in

Booting to the WinRE command prompt

Entering BitLocker Recovery Key

Using DISM.exe to image the drive

Cloud Acquisition

Summary

9. Acquisition – Approaching BlackBerry

The history of the BlackBerry OS - BlackBerry 1.0-7.1

BlackBerry 7 JTAG, ISP, and chip-off acquisition

Acquiring BlackBerry desktop backups

Decrypting the backup

BlackBerry Password Keeper and BlackBerry Wallet

BlackBerry Password Keeper

BlackBerry Wallet

BlackBerry security model - breaking a device password

Acquiring BlackBerry 10

Getting started

BlackBerry 10 backups

BlackBerry 10 - considering ISP and chip-off forensics

Acquiring BlackBerry 10 backups

Using Elcomsoft Phone Breaker

Using Oxygen Forensic Suite

Analyzing BlackBerry backups

Summary

10. Dealing with Issues, Obstacles, and Special Cases

Cloud acquisition and two-factor authentication

Two-factor authentication – Apple, Google, and Microsoft

Online versus offline authentication

App passwords and two-factor authentication

Google's two-factor authentication

Microsoft's implementation

Apple's two-step verification

Apple's two-factor authentication

Bypassing Apple's two-factor authentication

Two-factor authentication – a real roadblock

Unallocated space

The issue of unallocated space

Accessing destroyed evidence in different mobile platforms

Apple iOS – impossible

BlackBerry – iffy

SD cards

Android – possible with limitations

Android – built-in storage

Unencrypted storage

Encrypted storage

Encryption in different versions of Android

Android – SD cards

Android – SD card encryption

Windows Phone 8 and 8.1 – possible for end-user devices with limitations

Windows Phone BitLocker encryption

Windows Phone SD cards

Windows RT, Windows 8/8.1, and Windows 10

eMMC and deleted data

eMMC and SSD – similarities

eMMC and SSD – differences

Overprovisioning and remapping

User data in overprovisioned areas

Delete operations on non-encrypted eMMC drives

eMMC conclusion

SD cards

SD card encryption

Apple iOS

Android

Windows Phone 8/8.1

Windows 10 Mobile

Windows RT

Windows 8 through 10

BlackBerry OS 1 through 7

BlackBerry 10

SD cards conclusion

SQLite databases (access to call logs, browsing history, and many more)

Summary

11. Mobile Forensic Tools and Case Studies

Cellebrite

Micro Systemation AB

AccessData

Oxygen Forensic toolkit

Magnet ACQUIRE

BlackBag Mobilyze

ElcomSoft tools

Case studies

Mobile forensics

Data recovery

BlackBerry scenarios

Locked BlackBerry devices

Locked BlackBerry, not attached to BlackBerry Enterprise Server (BES)

Locked BlackBerry attached to BES

Locked BlackBerry attached to BES with Pretty Good Privacy (PGP) encryption

Locked BlackBerry, not attached to BES

Locked BlackBerry - completed successful chip-off

Locked BlackBerry - password does not work

Unlocked BlackBerry devices

Unlocked BlackBerry device with no password

Unlocked BlackBerry device with password

Summary
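The table of contents lists "What happens to the deleted data?" (chapter 3) and "SQLite databases (access to call logs, browsing history, and many more)" (chapter 10) but, being a listing page, explains neither. The script below is an added illustration written for this page; it is not code from the book or its authors. It builds a constructed call-log database (the `calls` table, its rows and the phone-number pattern are invented stand-ins, not the real Android call-log schema), deletes one row, and compares what a logical query sees with what a raw byte scan of the file recovers, once with SQLite's `secure_delete` off and once with it on.

```python
"""Deleted-row recovery from a SQLite call log: logical query vs. raw carve.

Added illustration (not the book's code). The `calls` table, the sample rows
and the phone-number pattern are constructed stand-ins for an Android call log.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample data: (number, Unix time, duration in seconds, call type).
SAMPLE_CALLS = [
    ("+15550100", 1472736000, 65, "incoming"),
    ("+15550199", 1472739600, 12, "outgoing"),
    ("+15550142", 1472743200, 0, "missed"),
]
DELETED_NUMBER = "+15550199"

# All constructed numbers share this prefix; a real carve would use a broader
# pattern (E.164, national formats) and also hunt for timestamps and names.
PHONE_RE = re.compile(rb"\+1555\d{4}")


def build_call_log(path, secure_delete):
    """Create the call log, then delete one row under the given secure_delete mode.

    With secure_delete off SQLite only rewrites at most the 4-byte freeblock
    header of the freed cell, so the row's text survives in the page; with
    secure_delete on the freed cell is overwritten with zeros.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type TEXT)"
    )
    con.executemany(
        "INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)",
        SAMPLE_CALLS,
    )
    con.commit()
    con.execute("DELETE FROM calls WHERE number = ?", (DELETED_NUMBER,))
    con.commit()
    con.close()


def live_numbers(path):
    """What the app, or a logical parser that walks the b-tree, still sees."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT number FROM calls ORDER BY date").fetchall()
    con.close()
    return [number for (number,) in rows]


def carve_numbers(path):
    """Ignore the b-tree and scan every byte of the file, freed cells included."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.group(0).decode() for m in PHONE_RE.finditer(data)})


def compare_secure_delete():
    """Build the log twice; return {"OFF"|"ON": (live numbers, carved numbers)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for setting in ("OFF", "ON"):
            path = os.path.join(tmp, "calllog_%s.db" % setting)
            build_call_log(path, secure_delete=(setting == "ON"))
            results[setting] = (live_numbers(path), carve_numbers(path))
    return results


if __name__ == "__main__":
    for setting, (live, carved) in compare_secure_delete().items():
        print("secure_delete=%s  live=%s  carved=%s" % (setting, live, carved))
```

The logical query returns the same two numbers in both runs; the carve recovers the deleted third number only in the secure_delete=OFF run. On a real device the `-wal` and `-journal` files beside a database, and freelist pages in a database that has shrunk, are further places where deleted rows survive, while a VACUUM, or a platform SQLite build with SQLITE_SECURE_DELETE enabled, destroys them. Establish which applies before deciding whether carving is worth the effort.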
