售 价:¥
9.8
温馨提示:数字商品不支持退换货,不提供源文件,不支持导出打印
为你推荐
Learning Android Forensics
Table of Contents
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation Preparation
Seizure and Isolation
Acquisition
Examination and Analysis
Reporting
Challenges in mobile forensics
The Android architecture
The Linux kernel
Libraries
Dalvik virtual machine
The application framework
The applications layer
Android security
Security at OS level through Linux kernel
Permission model
Application sandboxing
SELinux in Android
Application Signing
Secure interprocess communication
Android hardware components
Core components
Central processing unit
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The boot loader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
2. Setting Up an Android Forensic Environment
The Android forensic setup
The Android SDK
Installing the Android SDK
Android Virtual Device
Connecting and accessing an Android device from the workstation
Identifying the device cable
Installing device drivers
Accessing the device
Android Debug Bridge
Using adb to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the adb server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing the recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
3. Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
boot loader
boot
recovery
userdata
system
cache
radio
Identifying partition layout
Android file hierarchy
An overview of directories
acct
cache
d
data
dalvik-cache
data
dev
init
mnt
proc
root
sbin
misc
sdcard
system
build.prop
app
framework
ueventd.goldfish.rc and ueventd.rc
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
4. Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Root access
Manual ADB data extraction
USB debugging
Using ADB shell to determine if a device is rooted
ADB pull
Recovery mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB Dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Location
Trusted Device
General bypass information
Cracking an Android pattern lock
Cracking an Android PIN/Password
Android SIM card extractions
Acquiring SIM card data
SIM security
SIM cloning
Issues and opportunities with Android Lollipop
Summary
5. Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Imaging RAM with mem
Output from mem
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Bypassing Android full-disk encryption
Summary
6. Recovering Deleted Data from an Android Device
An overview of data recovery
How can deleted files be recovered?
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Recovering deleted data by parsing SQLite files
Recovering deleted data through file carving techniques
Analyzing backups
Summary
7. Forensic Analysis of Android Applications
Application analysis
Why do app analysis?
The layout of this chapter
Determining what apps are installed
Understanding Linux epoch time
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the WebKit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db database
Application reverse engineering
Obtaining the application's APK file
Disassembling an APK file
Determining an application's permissions
Viewing the application's code
Summary
8. Android Forensic Tools Overview
ViaExtract
Backup extraction with ViaExtract
Logical extraction with ViaExtract
Examining data in ViaExtract
Other tools within ViaExtract
Autopsy
Creating a case in Autopsy
Analyzing data in Autopsy
ViaLab Community Edition
Setting up the emulator in ViaLab
Installing an application on the emulator
Analyzing data with ViaLab
Summary
Conclusion
Index
买过这本书的人还买过
读了这本书的人还在读
同类图书排行榜
购物车
个人中心
