Title Page
Copyright and Credits
Practical Mobile Forensics Third Edition
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The documenting and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Overview of mobile operating systems
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Understanding the Internals of iOS Devices
iPhone models
Identifying the correct hardware model
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
The filesystem
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
iPhone operating system
The iOS architecture
iOS security
Passcodes, Touch ID, and Face ID
Code Signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization
Privilege separation
Stack-smashing protection
Data execution prevention
Data wipe
Activation Lock
The App Store
Jailbreaking
Summary
Data Acquisition from iOS Devices
Operating modes of iOS devices
The normal mode
The recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Logical acquisition
Practical logical acquisition with libimobiledevice
Practical logical acquisition with Belkasoft Acquisition Tool
Practical logical acquisition with Magnet ACQUIRE
Filesystem acquisition
Practical jailbreaking
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
Physical acquisition
Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
Summary
Data Acquisition from iOS Backups
iTunes backup
Creating backups with iTunes
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.db
Extracting unencrypted backups
iBackup Viewer
iExplorer
BlackLight
Encrypted backup
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
iOS Data Analysis and Recovery
Timestamps
Unix timestamps
Mac absolute time
WebKit/Chrome time
SQLite databases
Connecting to a database
SQLite special commands
Standard SQL queries
Accessing a database using commercial tools
Key artifacts – important iOS database files
Address book contacts
Address book images
Call history
SMS messages
Calendar events
Notes
Safari bookmarks and cache
Photo metadata
Consolidated GPS cache
Voicemail
Property lists
Important plist files
The HomeDomain plist files
The RootDomain plist files
The WirelessDomain plist files
The SystemPreferencesDomain plist files
Other important files
Cookies
Keyboard cache
Photos
Thumbnails
Wallpaper
Recordings
Downloaded applications
Apple Watch
Recovering deleted SQLite records
Summary
iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
Working with Magnet AXIOM
Features of Magnet AXIOM
Logical acquisition and analysis with Magnet AXIOM
Working with Belkasoft Evidence Center
Features of Belkasoft Evidence Center
iTunes backup parsing and analysis with Belkasoft Evidence Center
Working with Oxygen Forensic Detective
Features of Oxygen Forensic Detective
Logical acquisition and analysis with Oxygen Forensic Detective
Summary
Understanding Android
The evolution of Android
The Android model
The Linux kernel layer
The Hardware Abstraction Layer
Libraries
Dalvik virtual machine
Android Runtime (ART)
The Java API framework layer
The system apps layer
Android security
Secure kernel
The permission model
Application sandbox
Secure inter-process communication
Application signing
Security-Enhanced Linux
Full Disk Encryption
Trusted Execution Environment
The Android file hierarchy
The Android file system
Viewing file systems on an Android device
Common file systems found on Android
Summary
Android Forensic Setup and Pre-Data Extraction Techniques
Setting up the forensic environment for Android
The Android Software Development Kit
The Android SDK installation
An Android Virtual Device
Connecting an Android device to a workstation
Identifying the device cable
Installing the device drivers
Accessing the connected device
The Android Debug Bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local adb server
Accessing the adb shell
Basic Linux commands
Handling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and adb connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Smudge attack
Using the Forgot Password/Forgot Pattern option
Bypassing third-party lock screens by booting into safe mode
Securing the USB debugging bypass using adb keys
Securing the USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Rooting an Android device
Root access - adb shell
Summary
Android Data Extraction Techniques
Data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android phone
Imaging a memory (SD) card
Joint Test Action Group
Chip-off
Summary
Android Data Analysis and Recovery
Analyzing an Android image
Autopsy
Adding an image to Autopsy
Analyzing an image using Autopsy
Android data recovery
Recovering deleted data from an external SD card
Recovering data deleted from internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Recovering contacts using your Google account
Summary
Android App Analysis, Malware, and Reverse Engineering
Analyzing Android apps
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
How does malware spread?
Identifying Android malware
Summary
Windows Phone Forensics
Windows Phone OS
Security model
Chambers
Encryption
Capability-based model
App sandboxing
Windows Phone filesystem
Data acquisition
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting contacts and SMS
Extracting call history
Extracting internet history
Summary
Parsing Third-Party Application Files
Third-party application overview
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
Application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Detective
Magnet IEF
UFED Physical Analyzer
Open source tools
Autopsy
Other methods of extracting application data
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think