Book Image

Mobile Forensics ??? Advanced Investigative Strategies

By : Oleg Afonin, Vladimir Katalov
Book Image

Mobile Forensics ??? Advanced Investigative Strategies

By: Oleg Afonin, Vladimir Katalov

Overview of this book

Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools, and even more importantly, the right strategies. In this book, you’ll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work. We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique. We cover important techniques such as seizing techniques to shield the device, and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data backups, over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, tools for mobile forensics, and tools to help you discover and analyze evidence. By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.

Related Content you might be interested in

Current Title:

Small book image
Mobile Forensics ??? Advanced Investigative Strategies
Oleg Afonin | Vladimir Katalov
Sep, 2016 | 412 pages
No titles found
Table of Contents (18 chapters)
Mobile Forensics – Advanced Investigative Strategies
Mobile Forensics – Advanced Investigative Strategies
Credits
Credits
Foreword
Foreword
About the Authors
About the Authors
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introducing Mobile Forensics
Introducing Mobile Forensics
Why we need mobile forensics
Available information
Stages of mobile forensics
Summary
2
Acquisition Methods Overview
Acquisition Methods Overview
Over-the-air acquisition
Logical acquisition (backup analysis)
Physical acquisition
JTAG
Chip-off
In-system programming
Summary
3
Acquisition – Approaching Android Devices
Acquisition – Approaching Android Devices
Android platform fragmentation
AOSP, GMS, and their forensic implications
Summary
4
Practical Steps to Android Acquisition
Practical Steps to Android Acquisition
Android physical acquisition
Approaching physical acquisition
Live imaging
Google Account acquisition – over-the-air
Summary
5
iOS – Introduction and Physical Acquisition
iOS – Introduction and Physical Acquisition
iOS forensics – introduction
Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit
Summary
6
iOS Logical and Cloud Acquisition
iOS Logical and Cloud Acquisition
Understanding backups - local, cloud, encrypted and unencrypted
Encrypted versus unencrypted iTunes backups
Breaking backup passwords
A fast CPU and a faster video card
Knowing the user helps breaking the password
Tutorial - logical acquisition with Elcomsoft Phone Breaker
Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP
iOS Cloud forensics - over-the-air acquisition
Tutorial - cloud acquisition with Elcomsoft Phone Breaker
Downloading iCloud/iCloud Drive backups - using authentication tokens
Extracting authentication tokens
Two-factor authentication
What next?
Summary
7
Acquisition – Approaching Windows Phone and Windows 10 Mobile
Acquisition – Approaching Windows Phone and Windows 10 Mobile
Windows Phone security model
Windows Phone physical acquisition
JTAG forensics on Windows Phone 8.x and Windows 10 Mobile
Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics
Acquiring Windows Phone backups over the air
Summary
8
Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
Windows 8, 8.1, 10, and RT on portable touchscreen devices
Acquisition of Windows tablets
Imaging Built-in eMMC Storage
Booting Windows tablets from recovery media
Acquiring a BitLocker encryption key
Imaging Windows RT tablets
Cloud Acquisition
Summary
9
Acquisition – Approaching BlackBerry
Acquisition – Approaching BlackBerry
The history of the BlackBerry OS - BlackBerry 1.0-7.1
Acquiring BlackBerry 10
Analyzing BlackBerry backups
Summary
10
Dealing with Issues, Obstacles, and Special Cases
Dealing with Issues, Obstacles, and Special Cases
Cloud acquisition and two-factor authentication
Unallocated space
Accessing destroyed evidence in different mobile platforms
Windows Phone 8 and 8.1 – possible for end-user devices with limitations
Windows RT, Windows 8/8.1, and Windows 10
eMMC and deleted data
SD cards
SQLite databases (access to call logs, browsing history, and many more)
Summary
11
Mobile Forensic Tools and Case Studies
Mobile Forensic Tools and Case Studies
Cellebrite
Micro Systemation AB
AccessData
Oxygen Forensic toolkit
Magnet ACQUIRE
BlackBag Mobilyze
ElcomSoft tools
Case studies
BlackBerry scenarios
Summary

Case studies

In this chapter, we'll review some typical scenarios that call for different approaches and tools when handling mobile acquisition.

Mobile forensics

I have a ton of iPhones in my lab. Only get to spend about 40 minutes on each. What can you get me in 40 minutes?

This is a typical question coming from a police officer working in a busy environment. What can be done on these iPhones in such a restricted timeframe?

It depends on what's available. If all you have is a working but locked iPhone, and the passcode is not known, the only chance of extracting anything off the phone is to attempt physical acquisition. If the phone falls within the compatibility matrix, you can follow these steps to extract information out of the device. With its characteristic-guaranteed timeframe, physical acquisition is the only way to obtain information out of a locked device.

If you know the user's Apple ID and password, you can use Elcomsoft Phone Breaker to perform a selective download of essential...

Previous Section
End of Section 9
Next Section