Book Image

Mobile Forensics ??? Advanced Investigative Strategies

By : Oleg Afonin, Vladimir Katalov
Book Image

Mobile Forensics ??? Advanced Investigative Strategies

By: Oleg Afonin, Vladimir Katalov

Overview of this book

Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools, and even more importantly, the right strategies. In this book, you’ll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work. We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique. We cover important techniques such as seizing techniques to shield the device, and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data backups, over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, tools for mobile forensics, and tools to help you discover and analyze evidence. By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.

Related Content you might be interested in

Current Title:

Small book image
Mobile Forensics ??? Advanced Investigative Strategies
Oleg Afonin | Vladimir Katalov
Sep, 2016 | 412 pages
No titles found
Table of Contents (18 chapters)
Mobile Forensics – Advanced Investigative Strategies
Mobile Forensics – Advanced Investigative Strategies
Credits
Credits
Foreword
Foreword
About the Authors
About the Authors
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introducing Mobile Forensics
Introducing Mobile Forensics
Why we need mobile forensics
Available information
Stages of mobile forensics
Summary
2
Acquisition Methods Overview
Acquisition Methods Overview
Over-the-air acquisition
Logical acquisition (backup analysis)
Physical acquisition
JTAG
Chip-off
In-system programming
Summary
3
Acquisition – Approaching Android Devices
Acquisition – Approaching Android Devices
Android platform fragmentation
AOSP, GMS, and their forensic implications
Summary
4
Practical Steps to Android Acquisition
Practical Steps to Android Acquisition
Android physical acquisition
Approaching physical acquisition
Live imaging
Google Account acquisition – over-the-air
Summary
5
iOS – Introduction and Physical Acquisition
iOS – Introduction and Physical Acquisition
iOS forensics – introduction
Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit
Summary
6
iOS Logical and Cloud Acquisition
iOS Logical and Cloud Acquisition
Understanding backups - local, cloud, encrypted and unencrypted
Encrypted versus unencrypted iTunes backups
Breaking backup passwords
A fast CPU and a faster video card
Knowing the user helps breaking the password
Tutorial - logical acquisition with Elcomsoft Phone Breaker
Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP
iOS Cloud forensics - over-the-air acquisition
Tutorial - cloud acquisition with Elcomsoft Phone Breaker
Downloading iCloud/iCloud Drive backups - using authentication tokens
Extracting authentication tokens
Two-factor authentication
What next?
Summary
7
Acquisition – Approaching Windows Phone and Windows 10 Mobile
Acquisition – Approaching Windows Phone and Windows 10 Mobile
Windows Phone security model
Windows Phone physical acquisition
JTAG forensics on Windows Phone 8.x and Windows 10 Mobile
Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics
Acquiring Windows Phone backups over the air
Summary
8
Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
Windows 8, 8.1, 10, and RT on portable touchscreen devices
Acquisition of Windows tablets
Imaging Built-in eMMC Storage
Booting Windows tablets from recovery media
Acquiring a BitLocker encryption key
Imaging Windows RT tablets
Cloud Acquisition
Summary
9
Acquisition – Approaching BlackBerry
Acquisition – Approaching BlackBerry
The history of the BlackBerry OS - BlackBerry 1.0-7.1
Acquiring BlackBerry 10
Analyzing BlackBerry backups
Summary
10
Dealing with Issues, Obstacles, and Special Cases
Dealing with Issues, Obstacles, and Special Cases
Cloud acquisition and two-factor authentication
Unallocated space
Accessing destroyed evidence in different mobile platforms
Windows Phone 8 and 8.1 – possible for end-user devices with limitations
Windows RT, Windows 8/8.1, and Windows 10
eMMC and deleted data
SD cards
SQLite databases (access to call logs, browsing history, and many more)
Summary
11
Mobile Forensic Tools and Case Studies
Mobile Forensic Tools and Case Studies
Cellebrite
Micro Systemation AB
AccessData
Oxygen Forensic toolkit
Magnet ACQUIRE
BlackBag Mobilyze
ElcomSoft tools
Case studies
BlackBerry scenarios
Summary

Extracting authentication tokens

A valid authentication token can only be extracted from a system if all of the following are true (in this case, we're discussing a Windows PC):

  • The user has iCloud for Windows installed

  • The user logged in to iCloud for Windows and did not sign out by the time of acquisition

  • The user did not change their Apple ID password by the time of acquisition

Note

Connection to a physical iOS device is not required at any stage.

Elcomsoft Phone Breaker offers two different methods for extracting tokens. When extracting a binary authentication token from the currently logged in user on a live system, investigators can use the supplied command-line tool (atex.exe). In all other cases, Elcomsoft Phone Breaker offers a convenient user interface.

The authentication token must be extracted from the user's computer, hard drive, or forensic disk image before it can be used. Elcomsoft Phone Breaker comes with tools allowing locating, extracting, and decrypting of binary authentication...

Previous Section
End of Section 12
Next Section