A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms
Rohit Tamma . Oleg Skulkin . Heather Mahalik . Satish Bommisetty
Book Details

| Price | 3.50 |
|---|---|
| Pages | 392 p |
| File Size | 17,694 KB |
| File Type | PDF format |
| ISBN | 978-1-78883-919-8 |
| Copyright© | 2018 Packt Publishing |
Rohit Tamma is a security program manager currently working with Microsoft. With over
8 years of experience in the field of security, his background spans management and
technical consulting roles in the areas of application and cloud security, mobile security,
penetration testing, and security training. Rohit has also coauthored a couple of books, such
as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to
perform forensics on mobile platforms. You can contact him on Twitter at @RohitTamma.
Writing this book has been a great experience because it has taught me several things,
which could not have been otherwise possible. I would like to dedicate this book to my
parents for helping me in every possible way throughout my life.
Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia
with more than 6 years of experience, and is currently employed by Group-IB, one of the
global leaders in preventing and investigating high-tech crimes and online fraud. He holds
a number of certifications, including GCFA, MCFE, and ACE. Oleg is a coauthor of Windows
Forensics Cookbook, and you can find his articles about different aspects of digital forensics
in both Russian and foreign magazines. Finally, he is a very active blogger, and he updates
the Cyber Forensicator blog daily.
I would like to thank my mom and wife for their support and understanding, my friend,
Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin,
Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov,
Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita
Panov, Anastasiya Barinova, and Vesta Matveeva.
Heather Mahalik is the director of forensic engineering with ManTech CARD, where she
leads the forensic effort focusing on mobile and digital exploitation. She is a senior
instructor and author for the SANS Institute, and she is also the course leader for the
FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital
forensics, she continues to thrive on smartphone investigations, digital forensics, forensic
course development and instruction, and research on application analysis and smartphone forensics.
Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary
areas of interest include iOS forensics, iOS application security, and web application
security. He has presented at international conferences, such as ClubHACK and C0C0n. He
is also one of the core members of the Hyderabad OWASP chapter. He has identified and
disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!,
AT&T, and more, and he is listed in their halls of fame.
About the reviewer
Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he
has attended many seminars and training classes at top forensic companies and forensic
departments of government organizations. He has experience and skills in cellphone
forensics, chip-off forensics, malware forensics, and other fields. He has worked on several
thousand forensic cases.
He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, Packt Publishing, 2017.
He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.
Preface
The exponential growth in smartphones has revolutionized several aspects of our lives.
Smartphones are one of the most quickly adopted consumer technologies in recent history.
Despite their small size, smartphones are capable of performing many tasks, such as
sending private messages and confidential emails, taking photos and videos, making online
purchases, viewing sensitive information such as medical records and salary slips,
completing banking transactions, accessing social networking sites, and managing business
tasks. Hence, a mobile device is now a huge repository of sensitive data, which could
provide a wealth of information about its owner. This has in turn led to the evolution of
mobile device forensics, a branch of digital forensics, which deals with retrieving data from
a mobile device. Today, there is a huge demand for specialized forensic experts, especially
given the fact that the data retrieved from a mobile device is court-admissible.
Mobile forensics is all about using scientific methodologies to recover data stored within a
mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics
has limitations in obtaining evidence due to rapid changes in technology and the fast-paced
evolution of mobile software. With different operating systems and a wide range of models
being released onto the market, mobile forensics has expanded over the past few years.
Specialized forensic techniques and skills are required in order to extract data under
different conditions.
This book takes you through various techniques to help you learn how to forensically
recover data from different mobile devices with the iOS, Android, and Windows Mobile
operating systems. This book also covers behind-the-scenes details, such as how data is
stored and what tools actually do in the background, giving you deeper knowledge on
several topics. Step-by-step instructions enable you to try forensically recovering data yourself.
The book is organized in a manner that allows you to focus independently on the chapters that
are specific to your required platform.
Table of Contents
Chapter 1: Introduction to Mobile Forensics 6
Why do we need mobile forensics? 7
Mobile forensics 8
Challenges in mobile forensics 10
The mobile phone evidence extraction process 12
The evidence intake phase 13
The identification phase 14
The legal authority 14
The goals of the examination 14
The make, model, and identifying information for the device 14
Removable and external data storage 15
Other sources of potential evidence 15
The preparation phase 15
The isolation phase 16
The processing phase 16
The verification phase 16
Comparing extracted data to the handset data 17
Using multiple tools and comparing the results 17
Using hash values 17
The documenting and reporting phase 17
The presentation phase 18
The archiving phase 18
Practical mobile forensic approaches 18
Overview of mobile operating systems 19
Android 19
iOS 20
Windows Phone 20
Mobile forensic tool leveling system 20
Manual extraction 22
Logical extraction 22
Hex dump 22
Chip-off 23
Micro read 23
Data acquisition methods 24
Physical acquisition 24
Logical acquisition 24
Manual acquisition 25
Potential evidence stored on mobile phones 25
Examination and analysis 26
Rules of evidence 28
Good forensic practices 29
Securing the evidence 29
Preserving the evidence 29
Documenting the evidence and changes 30
Reporting 30
Summary 31
Chapter 2: Understanding the Internals of iOS Devices 32
iPhone models 33
Identifying the correct hardware model 33
iPhone hardware 41
iPad models 42
Understanding the iPad hardware 44
Apple Watch models 45
Understanding the Apple Watch hardware 46
The filesystem 48
The HFS Plus filesystem 48
The HFS Plus volume 49
The APFS filesystem 50
The APFS structure 51
Disk layout 52
iPhone operating system 53
The iOS architecture 54
iOS security 55
Passcodes, Touch ID, and Face ID 56
Code Signing 56
Sandboxing 56
Encryption 57
Data protection 57
Address Space Layout Randomization 57
Privilege separation 57
Stack-smashing protection 57
Data execution prevention 58
Data wipe 58
Activation Lock 58
The App Store 58
Jailbreaking 59
Summary 60
Chapter 3: Data Acquisition from iOS Devices 61
Operating modes of iOS devices 62
The normal mode 62
The recovery mode 64
DFU mode 67
Setting up the forensic environment 70
Password protection and potential bypasses 70
Logical acquisition 71
Practical logical acquisition with libimobiledevice 72
Practical logical acquisition with Belkasoft Acquisition Tool 73
Practical logical acquisition with Magnet ACQUIRE 78
Filesystem acquisition 81
Practical jailbreaking 82
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit 83
Physical acquisition 83
Practical physical acquisition with Elcomsoft iOS Forensic Toolkit 84
Summary 87
Chapter 4: Data Acquisition from iOS Backups 88
iTunes backup 89
Creating backups with iTunes 92
Understanding the backup structure 94
info.plist 95
manifest.plist 96
status.plist 96
manifest.db 97
Extracting unencrypted backups 99
iBackup Viewer 99
iExplorer 101
BlackLight 103
Encrypted backup 105
Elcomsoft Phone Breaker 105
Working with iCloud backups 107
Extracting iCloud backups 109
Summary 110
Chapter 5: iOS Data Analysis and Recovery 111
Timestamps 112
Unix timestamps 112
Mac absolute time 113
WebKit/Chrome time 113
SQLite databases 114
Connecting to a database 115
SQLite special commands 116
Standard SQL queries 117
Accessing a database using commercial tools 117
Key artifacts – important iOS database files 121
Address book contacts 122
Address book images 124
Call history 126
SMS messages 127
Calendar events 128
Notes 129
Safari bookmarks and cache 130
Photo metadata 131
Consolidated GPS cache 132
Voicemail 133
Property lists 133
Important plist files 134
The HomeDomain plist files 135
The RootDomain plist files 136
The WirelessDomain plist files 137
The SystemPreferencesDomain plist files 137
Other important files 137
Cookies 138
Keyboard cache 139
Photos 139
Thumbnails 140
Wallpaper 140
Recordings 141
Downloaded applications 141
Apple Watch 141
Recovering deleted SQLite records 144
Summary 145
Chapter 6: iOS Forensic Tools 146
Working with Cellebrite UFED Physical Analyzer 147
Features of Cellebrite UFED Physical Analyzer 147
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer 148
Working with Magnet AXIOM 156
Features of Magnet AXIOM 156
Logical acquisition and analysis with Magnet AXIOM 157
Working with Belkasoft Evidence Center 166
Features of Belkasoft Evidence Center 166
iTunes backup parsing and analysis with Belkasoft Evidence Center 167
Working with Oxygen Forensic Detective 172
Features of Oxygen Forensic Detective 172
Logical acquisition and analysis with Oxygen Forensic Detective 173
Summary 178
Chapter 7: Understanding Android 179
The evolution of Android 180
The Android model 181
The Linux kernel layer 183
The Hardware Abstraction Layer 183
Libraries 184
Dalvik virtual machine 184
Android Runtime (ART) 185
The Java API framework layer 186
The system apps layer 186
Android security 186
Secure kernel 187
The permission model 188
Application sandbox 189
Secure inter-process communication 189
Application signing 189
Security-Enhanced Linux 190
Full Disk Encryption 190
Trusted Execution Environment 191
The Android file hierarchy 191
The Android file system 194
Viewing file systems on an Android device 194
Common file systems found on Android 197
Summary 199
Chapter 8: Android Forensic Setup and Pre-Data Extraction Techniques 200
Setting up the forensic environment for Android 201
The Android Software Development Kit 201
The Android SDK installation 202
An Android Virtual Device 204
Connecting an Android device to a workstation 208
Identifying the device cable 209
Installing the device drivers 209
Accessing the connected device 210
The Android Debug Bridge 211
USB debugging 212
Accessing the device using adb 214
Detecting connected devices 214
Killing the local adb server 214
Accessing the adb shell 214
Basic Linux commands 215
Handling an Android device 218
Screen lock bypassing techniques 219
Using adb to bypass the screen lock 220
Deleting the gesture.key file 220
Updating the settings.db file 221
Checking for the modified recovery mode and adb connection 222
Flashing a new recovery partition 222
Using automated tools 223
Using Android Device Manager 225
Smudge attack 226
Using the Forgot Password/Forgot Pattern option 227
Bypassing third-party lock screens by booting into safe mode 228
Securing the USB debugging bypass using adb keys 228
Securing the USB debugging bypass in Android 4.4.2 229
Crashing the lock screen UI in Android 5.x 230
Other techniques 231
Gaining root access 232
What is rooting? 232
Rooting an Android device 233
Root access - adb shell 236
Summary 237
Chapter 9: Android Data Extraction Techniques 238
Data extraction techniques 239
Manual data extraction 240
Logical data extraction 240
ADB pull data extraction 240
Using SQLite Browser to view the data 243
Extracting device information 244
Extracting call logs 245
Extracting SMS/MMS 246
Extracting browser history 247
Analysis of social networking/IM chats 248
ADB backup extraction 249
ADB dumpsys extraction 251
Using content providers 253
Physical data extraction 257
Imaging an Android phone 257
Imaging a memory (SD) card 261
Joint Test Action Group 262
Chip-off 264
Summary 265
Chapter 10: Android Data Analysis and Recovery 266
Analyzing an Android image 267
Autopsy 267
Adding an image to Autopsy 267
Analyzing an image using Autopsy 271
Android data recovery 272
Recovering deleted data from an external SD card 273
Recovering data deleted from internal memory 280
Recovering deleted files by parsing SQLite files 280
Recovering files using file-carving techniques 283
Recovering contacts using your Google account 287
Summary 289
Chapter 11: Android App Analysis, Malware, and Reverse Engineering 290
Analyzing Android apps 291
Facebook Android app analysis 292
WhatsApp Android app analysis 294
Skype Android app analysis 294
Gmail Android app analysis 296
Google Chrome Android app analysis 297
Reverse engineering Android apps 299
Extracting an APK file from an Android device 300
Steps to reverse engineer Android apps 302
Android malware 304
How does malware spread? 307
Identifying Android malware 308
Summary 311
Chapter 12: Windows Phone Forensics 312
Windows Phone OS 312
Security model 315
Chambers 315
Encryption 316
Capability-based model 316
App sandboxing 318
Windows Phone filesystem 318
Data acquisition 321
Commercial forensic tool acquisition methods 322
Extracting data without the use of commercial tools 325
SD card data extraction methods 328
Key artifacts for examination 332
Extracting contacts and SMS 332
Extracting call history 333
Extracting internet history 333
Summary 334
Chapter 13: Parsing Third-Party Application Files 335
Third-party application overview 336
Chat applications 337
GPS applications 339
Secure applications 340
Financial applications 341
Social networking applications 341
Encoding versus encryption 345
Application data storage 348
iOS applications 349
Android applications 350
Windows Phone applications 353
Forensic methods used to extract third-party application data 353
Commercial tools 354
Oxygen Detective 354
Magnet IEF 357
UFED Physical Analyzer 360
Open source tools 361
Autopsy 361
Other methods of extracting application data 365
Summary 366
Other Books You May Enjoy 367
Index 370
Who this book is for
This book is intended for forensic examiners with little or basic experience in mobile
forensics or open source solutions for mobile forensics. The book will also be useful to
computer security professionals, researchers, and anyone seeking a deeper understanding
of mobile internals. It will also come in handy for those who are trying to recover
accidentally deleted data (photos, contacts, SMS messages, and more).