Mobile Forensics - Advanced Investigative Strategies : Master Powerful Strategies to Acquire and Analyze Evidence from Real-Life Scenarios.

Cover -- Copyright -- Credits -- Foreword -- About the Authors -- About the Reviewer -- www.PacktPub.com -- Table of Contents -- Preface -- Chapter 1: Introducing Mobile Forensics -- Why we need mobile forensics -- Available information -- Mobile devices -- Personal computers -- Cloud storage -- Stages of mobile forensics -- Stage 1 - device seizure -- Seizing - what and how should we seize? -- The use of Faraday bags -- Keeping the power on -- Dealing with the kill switch -- Mobile device anti-forensics -- Stage 2 - data acquisition -- Root, jailbreak, and unlocked bootloader -- Android ADB debugging -- SIM cloning -- SIM card memory -- Memory card -- Stage 3 - data analysis -- Summary -- Chapter 2: Acquisition Methods Overview -- Over-the-air acquisition -- Apple iCloud -- Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10 -- Google Android -- Logical acquisition (backup analysis) -- Apple iOS -- BlackBerry 10 -- Android -- Nandroid backups -- Physical acquisition -- Apple iOS -- Android -- Windows Phone 8 and Windows 10 Mobile -- Limitations and availability -- Tools for physical acquisition -- JTAG -- Chip-off -- In-system programming -- Summary -- Chapter 3: Acquisition - Approaching Android Devices -- Android platform fragmentation -- AOSP, GMS, and their forensic implications -- Android logical acquisition -- OEM software -- Android acquisition - special considerations -- Unallocated space -- eMMC storage -- Remapping and overprovisioning -- Wear leveling -- Trimming -- What happens to the deleted data? -- JTAG forensics -- When to JTAG a device -- Limitations of JTAG forensics -- Step-by-step JTAG acquisition -- Chip-off acquisition -- Chip-off and encryption -- In-system programming forensics -- Summary -- Chapter 4: Practical Steps to Android Acquisition -- Android physical acquisition -- Encryption.

Approaching physical acquisition -- Encryption status - Is the data partition encrypted? -- Service mode available -- LG smartphones -- Devices based on the Qualcomm reference platform -- Mediatek-based Chinese phones -- Bootloaded status -- Root status -- LG smartphones' LAF mode -- MediaTek smartphones -- Qualcomm bootloader exploit -- Qualcomm-based smartphones - HS-USB 9006 -- Encryption -- The Qualcomm 9006 mode -- Tools for imaging via Qualcomm Download Mode 9006 -- Using custom recoveries -- Imaging via custom recovery - making a Nandroid backup -- Imaging via custom recovery - physical imaging via dd -- Imaging the device -- NANDroid backups -- Is unlocked bootloader required? -- Is root access required? -- Producing a Nandroid backup -- Analyzing Nandroid backups -- Live imaging -- Live imaging with root (via dd) -- Live imaging without root (via ADB backup) -- Live imaging using Oxygen Forensic Suite -- Google Account acquisition - over-the-air -- Why Google Account? -- Google Account - what's inside? -- A word on Android backups -- Google Takeout -- Google Account acquisition and analysis using Elcomsoft Cloud Explorer -- Two-factor authentication -- User alerts -- Viewing, searching, and analyzing data -- Summary -- Chapter 5: iOS - Introduction and Physical Acquisition -- iOS forensics - introduction -- Generations of Apple hardware -- Is jailbreak required? -- Geolocation information -- Where is the information stored? -- iOS acquisition methods overview -- iOS acquisition methods compared -- iOS advanced logical acquisition -- iOS physical acquisition -- Physical acquisition benefits -- What's unique about physical acquisition? -- The future of physical acquisition -- Physical acquisition compatibility matrix -- Unallocated space - unavailable since iOS 4 -- Sending device to Apple -- The role of passcode.

Physical acquisition of iOS 8 and 9 -- Tools for iOS physical acquisition -- Tutorial - physical acquisition with Elcomsoft iOS Forensic Toolkit -- What the does the tool do? -- Prerequisites -- Acquiring 64-bit Apple devices -- Comparing 64-bit process and traditional physical acquisition -- Supported devices and iOS versions -- Performing physical acquisition on a 64-bit iOS device -- What is available via 64-bit physical acquisition -- Locked device with unknown passcode -- Viewing and analyzing the image -- Potential legal implications -- Summary -- Chapter 6: iOS Logical and Cloud Acquisition -- Understanding backups - local, cloud, encrypted and unencrypted -- Encrypted versus unencrypted iTunes backups -- Breaking backup passwords -- Breaking the password - how long will it take? -- A fast CPU and a faster video card -- Breaking complex passwords -- Knowing the user helps breaking the password -- Tutorial - logical acquisition with Elcomsoft Phone Breaker -- Breaking the password -- Decrypting the backup -- Dealing with long and complex passwords -- Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP -- iOS Cloud forensics - over-the-air acquisition -- About Apple iCloud -- Getting started with iCloud Keychain -- Getting started with iCloud Drive -- Understanding iCloud forensics -- Tutorial - cloud acquisition with Elcomsoft Phone Breaker -- Downloading iCloud backups - using Apple ID and password -- Downloading iCloud/iCloud Drive backups - using authentication tokens -- Extracting authentication tokens -- iCloud authentication tokens (iOS 6 through 9) - limitations -- iCloud Drive authentication tokens (iOS 9 and newer) - a different beast altogether -- Quick start - selective downloading -- Two-factor authentication -- Two-factor authentication is optional.

Two-factor authentication versus two-step verification - understanding the differences -- Two-step verification -- Two-factor authentication -- No app-specific passwords in two-factor authentication -- Cloud acquisition with two-step verification and two-factor authentication -- What next? -- Summary -- Chapter 7: Acquisition - Approaching Windows Phone and Windows 10 Mobile -- Windows Phone security model -- Windows Phone physical acquisition -- JTAG forensics on Windows Phone 8.x and Windows 10 Mobile -- Windows Phone 8.x device encryption -- Windows 10 Mobile device encryption -- Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics -- Acquiring Windows Phone backups over the air -- Summary -- Chapter 8: Acquisition - Approaching Windows 8, 8.1, 10, and RT Tablets -- Windows 8, 8.1, 10, and RT on portable touchscreen devices -- Acquisition of Windows tablets -- Understanding Secure Boot -- Connected Standby (InstantGo) -- BitLocker device encryption -- BitLocker and Encrypting File System -- BitLocker and hibernation -- BitLocker acquisition summary -- Capturing a memory dump -- Types of evidence available in volatile memory -- Special case - Windows RT devices -- SD cards and Windows File History -- Imaging Built-in eMMC Storage -- eMMC and deleted data recovery -- Windows 8 and Windows 10 encryption - TRIM versus BitLocker -- Booting Windows tablets from recovery media -- Special case - recovery media for Windows RT -- Steps to boot from recovery media -- Configuring UEFI BIOS to boot from recovery media -- Acquiring a BitLocker encryption key -- Breaking into Microsoft Account to acquire the BitLocker Recovery Key -- Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions -- BitLocker keys and Trusted Platform Module -- Imaging Windows RT tablets -- BitLocker encryption -- DISM - a built-in tool to image Windows RT.

Must be logged in with an administrative account -- Must be logged in -- Booting to  the WinRE command prompt -- Entering BitLocker Recovery Key -- Using DISM.exe to image the drive -- Cloud Acquisition -- Summary -- Chapter 9: Acquisition - Approaching BlackBerry -- The history of the BlackBerry OS - BlackBerry 1.0-7.1 -- BlackBerry 7 JTAG, ISP, and chip-off acquisition -- Acquiring BlackBerry desktop backups -- Decrypting the backup -- BlackBerry Password Keeper and BlackBerry Wallet -- BlackBerry Password Keeper -- BlackBerry Wallet -- BlackBerry security model - breaking a device password -- Acquiring BlackBerry 10 -- Getting started -- BlackBerry 10 backups -- BlackBerry 10 - considering ISP and chip-off forensics -- Acquiring BlackBerry 10 backups -- Using Elcomsoft Phone Breaker -- Using Oxygen Forensic Suite -- Analyzing BlackBerry backups -- Summary -- Chapter 10: Dealing with Issues, Obstacles, and Special Cases -- Cloud acquisition and two-factor authentication -- Two-factor authentication - Apple, Google, and Microsoft -- Online versus offline authentication -- App passwords and two-factor authentication -- Google's two-factor authentication -- Microsoft's implementation -- Apple's two-step verification -- Apple's two-factor authentication -- Bypassing Apple's two-factor authentication -- Two-factor authentication - a real roadblock -- Unallocated space -- The issue of unallocated space -- Accessing destroyed evidence in different mobile platforms -- Apple iOS - impossible -- BlackBerry - Iffy -- SD cards -- Android - possible with limitations -- Android - built-in storage -- Unencrypted storage -- Encrypted storage -- Encryption in different versions of Android -- Android - SD cards -- Android - SD card encryption -- Windows Phone 8 and 8.1 - possible for end-user devices with limitations -- Windows Phone BitLocker encryption.

Windows Phone SD cards.

About This BookA straightforward guide to address the roadblocks face when doing mobile forensicsSimplify mobile forensics using the right mix of methods, techniques, and toolsGet valuable advice to put you in the mindset of a forensic professional, regardless of your career level or experienceWho This Book Is For This book is for forensic analysts and law enforcement and IT security officers who have to deal with digital evidence as part of their daily job. Some basic familiarity with digital forensics is assumed, but no experience with mobile forensics is required. What You Will LearnUnderstand the challenges of mobile forensicsGrasp how to properly deal with digital evidenceExplore the types of evidence available on iOS, Android, Windows, and BlackBerry mobile devicesKnow what forensic outcome to expect under given circumstancesDeduce when and how to apply physical, logical, over-the-air, and low-level (advanced) acquisition methodsGet in-depth knowledge of the different acquisition methods for all major mobile platformsDiscover important mobile acquisition tools and techniques for all of the major platformsIn Detail Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools, and even more importantly, the right strategies. In this book, you'll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work. We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique. We cover important techniques such as seizing techniques to shield the device, and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data

backups, and over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, tools for mobile forensics, and tools to help you discover and analyze evidence. By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.

Description based on publisher supplied metadata and other sources.

Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.