Book Image

Practical Mobile Forensics

Book Image

Practical Mobile Forensics

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Practical Mobile Forensics
Jul, 2014 | 328 pages
No titles found
Table of Contents (20 chapters)
Practical Mobile Forensics
Practical Mobile Forensics
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction to Mobile Forensics
Introduction to Mobile Forensics
Mobile forensics
Mobile phone evidence extraction process
Practical mobile forensic approaches
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Summary
2
Understanding the Internals of iOS Devices
Understanding the Internals of iOS Devices
iPhone models
iPhone hardware
iPad models
iPad hardware
File system
The HFS Plus file system
Disk layout
iPhone operating system
Summary
3
Data Acquisition from iOS Devices
Data Acquisition from iOS Devices
Operating modes of iOS devices
Physical acquisition
Acquisition via a custom ramdisk
Acquisition via jailbreaking
Summary
4
Data Acquisition from iOS Backups
Data Acquisition from iOS Backups
iTunes backup
iCloud backup
Summary
5
iOS Data Analysis and Recovery
iOS Data Analysis and Recovery
Timestamps
SQLite databases
Property lists
Other important files
Recovering deleted SQLite records
Summary
6
iOS Forensic Tools
iOS Forensic Tools
Elcomsoft iOS Forensic Toolkit
Oxygen Forensic Suite 2014
Cellebrite UFED Physical Analyzer
Paraben iRecovery Stick
Open source or free methods
Summary
7
Understanding Android
Understanding Android
The Android model
Android security
Android file hierarchy
Android file system
Summary
8
Android Forensic Setup and Pre Data Extraction Techniques
Android Forensic Setup and Pre Data Extraction Techniques
A forensic environment setup
Screen lock bypassing techniques
Gaining root access
Summary
9
Android Data Extraction Techniques
Android Data Extraction Techniques
Imaging an Android Phone
Data extraction techniques
Summary
10
Android Data Recovery Techniques
Android Data Recovery Techniques
Data recovery
Summary
11
Android App Analysis and Overview of Forensic Tools
Android App Analysis and Overview of Forensic Tools
Android app analysis
Reverse engineering Android apps
Forensic tools overview
Cellebrite – UFED
MOBILedit
Autopsy
Summary
12
Windows Phone Forensics
Windows Phone Forensics
Windows Phone OS
Windows Phone file system
Data acquisition
Summary
13
BlackBerry Forensics
BlackBerry Forensics
BlackBerry OS
Data acquisition
BlackBerry analysis
Summary
Index
Index

Physical acquisition

iOS devices have two types of memory: volatile (RAM) and non-volatile (NAND Flash). RAM is used to load and execute the key parts of the operating system or the application. The data stored on the RAM is lost after a device reboots. RAM usually contains very important application information such as active applications, usernames, passwords, and encryption keys. Though the information stored in the RAM can be crucial in an investigation, currently there is no method or tool available to acquire the RAM memory from a live iPhone.

Unlike RAM, NAND is non-volatile memory and retains the data stored in it even after a device reboots. NAND flash is the main storage area and contains the system files and user data (http://www.nist.gov/forensics/research/upload/draft-guidelines-on-mobile-device-forensics.pdf). The goal of physical acquisition is to perform a bit-by-bit copy of the NAND memory, similar to the way in which a computer hard drive would be forensically acquired....

Previous Section
End of Section 3
Next Section