Mahalik, Heather.

Practical Mobile Forensics: A Hands-On Guide to Mastering Mobile Forensics for the iOS, Android, and the Windows Phone Platforms. - 3rd ed. - 1 online resource (392 pages)

Cover -- Title Page -- Copyright and Credits -- Packt Upsell -- Contributors -- Table of Contents -- Preface
Chapter 1: Introduction to Mobile Forensics -- Why do we need mobile forensics? -- Mobile forensics -- Challenges in mobile forensics -- The mobile phone evidence extraction process -- The evidence intake phase -- The identification phase -- The legal authority -- The goals of the examination -- The make, model, and identifying information for the device -- Removable and external data storage -- Other sources of potential evidence -- The preparation phase -- The isolation phase -- The processing phase -- The verification phase -- Comparing extracted data to the handset data -- Using multiple tools and comparing the results -- Using hash values -- The documenting and reporting phase -- The presentation phase -- The archiving phase -- Practical mobile forensic approaches -- Overview of mobile operating systems -- Android -- iOS -- Windows Phone -- Mobile forensic tool leveling system -- Manual extraction -- Logical extraction -- Hex dump -- Chip-off -- Micro read -- Data acquisition methods -- Physical acquisition -- Logical acquisition -- Manual acquisition -- Potential evidence stored on mobile phones -- Examination and analysis -- Rules of evidence -- Good forensic practices -- Securing the evidence -- Preserving the evidence -- Documenting the evidence and changes -- Reporting -- Summary
Chapter 2: Understanding the Internals of iOS Devices -- iPhone models -- Identifying the correct hardware model -- iPhone hardware -- iPad models -- Understanding the iPad hardware -- Apple Watch models -- Understanding the Apple Watch hardware -- The filesystem -- The HFS Plus filesystem -- The HFS Plus volume -- The APFS filesystem -- The APFS structure -- Disk layout -- iPhone operating system -- The iOS architecture -- iOS security -- Passcodes, Touch ID, and Face ID -- Code Signing -- Sandboxing -- Encryption -- Data protection -- Address Space Layout Randomization -- Privilege separation -- Stack-smashing protection -- Data execution prevention -- Data wipe -- Activation Lock -- The App Store -- Jailbreaking -- Summary
Chapter 3: Data Acquisition from iOS Devices -- Operating modes of iOS devices -- The normal mode -- The recovery mode -- DFU mode -- Setting up the forensic environment -- Password protection and potential bypasses -- Logical acquisition -- Practical logical acquisition with libimobiledevice -- Practical logical acquisition with Belkasoft Acquisition Tool -- Practical logical acquisition with Magnet ACQUIRE -- Filesystem acquisition -- Practical jailbreaking -- Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit -- Physical acquisition -- Practical physical acquisition with Elcomsoft iOS Forensic Toolkit -- Summary
Chapter 4: Data Acquisition from iOS Backups -- iTunes backup -- Creating backups with iTunes -- Understanding the backup structure -- info.plist -- manifest.plist -- status.plist -- manifest.db -- Extracting unencrypted backups -- iBackup Viewer -- iExplorer -- BlackLight -- Encrypted backup -- Elcomsoft Phone Breaker -- Working with iCloud backups -- Extracting iCloud backups -- Summary
Chapter 5: iOS Data Analysis and Recovery -- Timestamps -- Unix timestamps -- Mac absolute time -- WebKit/Chrome time -- SQLite databases -- Connecting to a database -- SQLite special commands -- Standard SQL queries -- Accessing a database using commercial tools -- Key artifacts - important iOS database files -- Address book contacts -- Address book images -- Call history -- SMS messages -- Calendar events -- Notes -- Safari bookmarks and cache -- Photo metadata -- Consolidated GPS cache -- Voicemail -- Property lists -- Important plist files -- The HomeDomain plist files -- The RootDomain plist files -- The WirelessDomain plist files -- The SystemPreferencesDomain plist files -- Other important files -- Cookies -- Keyboard cache -- Photos -- Thumbnails -- Wallpaper -- Recordings -- Downloaded applications -- Apple Watch -- Recovering deleted SQLite records -- Summary
Chapter 6: iOS Forensic Tools -- Working with Cellebrite UFED Physical Analyzer -- Features of Cellebrite UFED Physical Analyzer -- Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer -- Working with Magnet AXIOM -- Features of Magnet AXIOM -- Logical acquisition and analysis with Magnet AXIOM -- Working with Belkasoft Evidence Center -- Features of Belkasoft Evidence Center -- iTunes backup parsing and analysis with Belkasoft Evidence Center -- Working with Oxygen Forensic Detective -- Features of Oxygen Forensic Detective -- Logical acquisition and analysis with Oxygen Forensic Detective -- Summary
Chapter 7: Understanding Android -- The evolution of Android -- The Android model -- The Linux kernel layer -- The Hardware Abstraction Layer -- Libraries -- Dalvik virtual machine -- Android Runtime (ART) -- The Java API framework layer -- The system apps layer -- Android security -- Secure kernel -- The permission model -- Application sandbox -- Secure inter-process communication -- Application signing -- Security-Enhanced Linux -- Full Disk Encryption -- Trusted Execution Environment -- The Android file hierarchy -- The Android file system -- Viewing file systems on an Android device -- Common file systems found on Android -- Summary
Chapter 8: Android Forensic Setup and Pre-Data Extraction Techniques -- Setting up the forensic environment for Android -- The Android Software Development Kit -- The Android SDK installation -- An Android Virtual Device -- Connecting an Android device to a workstation -- Identifying the device cable -- Installing the device drivers -- Accessing the connected device -- The Android Debug Bridge -- USB debugging -- Accessing the device using adb -- Detecting connected devices -- Killing the local adb server -- Accessing the adb shell -- Basic Linux commands -- Handling an Android device -- Screen lock bypassing techniques -- Using adb to bypass the screen lock -- Deleting the gesture.key file -- Updating the settings.db file -- Checking for the modified recovery mode and adb connection -- Flashing a new recovery partition -- Using automated tools -- Using Android Device Manager -- Smudge attack -- Using the Forgot Password/Forgot Pattern option -- Bypassing third-party lock screens by booting into safe mode -- Securing the USB debugging bypass using adb keys -- Securing the USB debugging bypass in Android 4.4.2 -- Crashing the lock screen UI in Android 5.x -- Other techniques -- Gaining root access -- What is rooting? -- Rooting an Android device -- Root access - adb shell -- Summary
Chapter 9: Android Data Extraction Techniques -- Data extraction techniques -- Manual data extraction -- Logical data extraction -- ADB pull data extraction -- Using SQLite Browser to view the data -- Extracting device information -- Extracting call logs -- Extracting SMS/MMS -- Extracting browser history -- Analysis of social networking/IM chats -- ADB backup extraction -- ADB dumpsys extraction -- Using content providers -- Physical data extraction -- Imaging an Android phone -- Imaging a memory (SD) card -- Joint Test Action Group -- Chip-off -- Summary
Chapter 10: Android Data Analysis and Recovery -- Analyzing an Android image -- Autopsy -- Adding an image to Autopsy -- Analyzing an image using Autopsy -- Android data recovery -- Recovering deleted data from an external SD card -- Recovering data deleted from internal memory -- Recovering deleted files by parsing SQLite files -- Recovering files using file-carving techniques -- Recovering contacts using your Google account -- Summary
Chapter 11: Android App Analysis, Malware, and Reverse Engineering -- Analyzing Android apps -- Facebook Android app analysis -- WhatsApp Android app analysis -- Skype Android app analysis -- Gmail Android app analysis -- Google Chrome Android app analysis -- Reverse engineering Android apps -- Extracting an APK file from an Android device -- Steps to reverse engineer Android apps -- Android malware -- How does malware spread? -- Identifying Android malware -- Summary
Chapter 12: Windows Phone Forensics -- Windows Phone OS -- Security model -- Chambers -- Encryption -- Capability-based model -- App sandboxing -- Windows Phone filesystem -- Data acquisition -- Commercial forensic tool acquisition methods -- Extracting data without the use of commercial tools -- SD card data extraction methods -- Key artifacts for examination -- Extracting contacts and SMS -- Extracting call history -- Extracting internet history -- Summary
Chapter 13: Parsing Third-Party Application Files -- Third-party application overview -- Chat applications -- GPS applications -- Secure applications -- Financial applications -- Social networking applications -- Encoding versus encryption -- Application data storage -- iOS applications -- Android applications -- Windows Phone applications -- Forensic methods used to extract third-party application data -- Commercial tools -- Oxygen Detective -- Magnet IEF -- UFED Physical Analyzer -- Open source tools -- Autopsy -- Other methods of extracting application data -- Summary
Other Books You May Enjoy -- Index.

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This book is an update to Practical Mobile Forensics, Second Edition, and it delves into the concepts of mobile forensics and its importance in today's world.

9781788835909


Mobile computing-Security measures.
Cell phone systems-Security measures.


Electronic books.

QA76.9.A25 .P733 2018

004