Book Image

Mobile Forensics Cookbook

By : Igor Mikhaylov
Book Image

Mobile Forensics Cookbook

By: Igor Mikhaylov

Overview of this book

Considering the emerging use of mobile phones, there is a growing need for mobile forensics. Mobile forensics focuses specifically on performing forensic examinations of mobile devices, which involves extracting, recovering and analyzing data for the purposes of information security, criminal and civil investigations, and internal investigations. Mobile Forensics Cookbook starts by explaining SIM cards acquisition and analysis using modern forensics tools. You will discover the different software solutions that enable digital forensic examiners to quickly and easily acquire forensic images. You will also learn about forensics analysis and acquisition on Android, iOS, Windows Mobile, and BlackBerry devices. Next, you will understand the importance of cloud computing in the world of mobile forensics and understand different techniques available to extract data from the cloud. Going through the fundamentals of SQLite and Plists Forensics, you will learn how to extract forensic artifacts from these sources with appropriate tools. By the end of this book, you will be well versed with the advanced mobile forensics techniques that will help you perform the complete forensic acquisition and analysis of user data stored in different devices.

Related Content you might be interested in

Current Title:

Small book image
Mobile Forensics Cookbook
Igor Mikhaylov
Dec, 2017 | 302 pages
Small book image
Practical Mobile Forensics
Heather Mahalik | Rohit Tamma | Oleg Skulkin | Satish Bommisetty
Jan, 2018 | 402 pages
Small book image
Practical Mobile Forensics
Heather Mahalik | Rohit Tamma | Oleg Skulkin | Satish Bommisetty
Apr, 2020 | 400 pages
Small book image
iOS Forensics for Investigators
Gianluca Tiepolo
May, 2022 | 316 pages
Table of Contents (18 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
SIM Card Acquisition and Analysis
SIM Card Acquisition and Analysis
Introduction
SIM card acquisition and analysis with TULP2G
SIM card acquisition and analysis with MOBILedit Forensics
SIM card acquisition and analysis with SIMCon
SIM card acquisition and analysis with Oxygen Forensic
2
Android Device Acquisition
Android Device Acquisition
Introduction
Preparatory work
Android device acquisition with Oxygen Forensic
Android device acquisition with MOBILedit Forensic
Android device acquisition with Belkasoft Acquisition Tool
Android device acquisition with Magnet Aсquire
Making physical dumps of Android device without rooting
Unlocking locked Android device
Acquiring Android device through Wi-Fi
Samsung Android device acquisition with Smart Switch
3
Apple Device Acquisition
Apple Device Acquisition
Introduction
Apple device acquisition with Oxygen Forensics
Apple device acquisition with libmobiledevice
Apple device acquisition with Elcomsoft iOS Toolkit
Apple device acquisition with iTunes
Unlocking a locked Apple device
4
Windows Phone and BlackBerry Acquisition
Windows Phone and BlackBerry Acquisition
Introduction
BlackBerry acquisition with Oxygen Forensic
BlackBerry acquisition with BlackBerry Desktop Software
Windows Phone acquisition with Oxygen Forensic
Windows Phone acquisition with UFED 4PC
5
Clouds are Alternative Data Sources
Clouds are Alternative Data Sources
Introduction
Using Cloud Extractor to extract data from Android devices from the cloud
Using Electronic Evidence Examiner to extract data from a Facebook account
Using Elcomsoft Phone Breaker to extract data from iCloud
Using Belkasoft Evidence Center to extract data from iCloud
6
SQLite Forensics
SQLite Forensics
Introduction
Parsing SQLite databases with Belkasoft Evidence Center
Parsing SQLite databases with DB Browser for SQLite
Parsing SQLite databases with Oxygen Forensic SQLite Viewer
Parsing SQLite databases with SQLite Wizard
7
Understanding Plist Forensics
Understanding Plist Forensics
Introduction
Parsing plist with Apple Plist Viewer
Parsing plist with Belkasoft Evidence Center
Parsing plist with plist Editor Pro
Parsing plist with Plist Explorer
8
Analyzing Physical Dumps and Backups of Android Devices
Analyzing Physical Dumps and Backups of Android Devices
Introduction
Android physical dumps and backups parsing with Autopsy
Android TOT container parsing with Oxygen Forensics
Android backups parsing with Belkasoft Evidence Center
Android physical dumps and backups parsing with AXIOM
Android physical dumps parsing with Encase Forensic
Thumbnails analysis with ThumbnailExpert
9
iOS Forensics
iOS Forensics
Introduction
iOS backup parsing with iPhone Backup Extractor
iOS backup parsing with UFED Physical Analyzer
iOS backup parsing with BlackLight
iOS physical dump and backup parsing with Oxygen Forensic
iOS backup parsing with Belkasoft Evidence Center
iOS backup parsing with AXIOM
iOS backup parsing with Encase Forensic
iOS backup parsing with Elcomsoft Phone Viewer
Thumbnail analysis with iThmb Converter
10
Windows Phone and BlackBerry Forensics
Windows Phone and BlackBerry Forensics
Introduction
BlackBerry backup parsing with Elcomsoft Blackberry Backup Explorer Pro
BlackBerry backup parsing with Oxygen Forensic
Windows Phone physical dump and backup parsing with Oxygen Forensic
Windows Phone physical dump parsing with UFED Physical Analyzer
11
JTAG and Chip-off Techniques
JTAG and Chip-off Techniques
Introduction
A sample Android device JTAG
A sample Android device chip-off
A sample Windows Phone device JTAG
A sample iPhone device chip-off

SIM card acquisition and analysis with MOBILedit Forensics

MOBILedit Forensic is a commercial forensic software by the company Compelson. It is updated regularly. This program can extract data from phones, smartphones, and SIM cards. As the program developers state, MOBILedit Forensic is a program that allows us to extract data from a phone or SIM card with a minimum number of steps. Also, this program has a unique function on which we will focus in another chapter.

Getting ready

On the MOBILedit download page (http://www.mobiledit.com/download-list/mobiledit-forensic), click on DOWNLOAD. When the downloading process is finished, double-click on the downloaded file of the program and install it. After the first run of the program, you need to enter the license key. If the license key is not entered, the program will work in the trial mode for 7 days.

How to do it...

There are two ways of extracting data from SIM cards with MOBILedit Forensic:

  1. Extracting data through wizard
  2. Extracting data through the main window of the MOBILedit Forensic program

In this book, we will focus on the data extraction from SIM card via the main window of the MOBILedit Forensic program.

When you run the program, the information about the connected card reader will appear in the upper left corner of the main window of the MOBILedit Forensic program.

A fragment of the main window

If you click on Connect, the MOBILedit Forensic Wizard will start, through which you can extract data from mobile devices and SIM cards. Let's now see how to extract the data:

  1. Click on the image of the card reader. The information about Answer on Reset(ART) and ICCID of the SIM card will be displayed. If this SIM card is locked, you will be asked to enter the PIN or PUK code.

Fragment of the main window with information about the SIM card

  1. After entering the PIN or PUK codes, the SIM card will be unlocked and the Report Wizard option will appear on the main window. The fact that the examined SIM card was unlocked is indicated by the displayed International Code (IMSI), access to which is possible only after entering the correct PIN code.

 A fragment of the main window with information about the SIM card

  1. Click on the Report Wizard; it will open the MOBILedit Forensic Wizard window, which will extract data from the SIM card and generate a report.
  1. Fill in the fields Device Label, Device Name, Device Evidence Number, Owner Phone Number, Owner Name, and Phone Notes . Then click on the Next button.

Window MOBILedit Forensic Wizard

  1. The data will be extracted. The extraction status will be displayed in the MOBILedit Forensic Wizard window.
  1. When the extraction is finished, click on the Next button. After that, MOBILedit Forensic Wizard will display the following window:

The MOBILedit Forensic Wizard window

  1. Click on New Case. In the opened window, fill in the Label, Number, Name, E-mail, Phone Number, and Notes fields, and then click on the Next button.

The MOBILedit Forensic Wizard window   

  1. In the next window of MOBILedit Forensic Wizard, select the format in which the report will be generated and click on the Finish button.

Final window of MOBILedit Forensic Wizard

A forensic report about the extraction will be generated in the selected format.

How it works...

MOBILedit Forensics extracts data from the SIM card installed in the card reader that is connected to the expert's computer and generates the report, taking the minimum number of steps. It is useful if there are a lot of mobile devices or SIM cards that have to be investigated, as it speeds up the process of data extraction.

See also

Previous Section
End of Section 4
Next Section