Book Image

Practical Mobile Forensics - Second Edition

By : Heather Mahalik, Rohit Tamma, Satish Bommisetty
Book Image

Practical Mobile Forensics - Second Edition

By: Heather Mahalik, Rohit Tamma, Satish Bommisetty

Overview of this book

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This book is an update to Practical Mobile Forensics and it delves into the concepts of mobile forensics and its importance in today's world. We will deep dive into mobile forensics techniques in iOS 8 - 9.2, Android 4.4 - 6, and Windows Phone devices. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from cloud, and document and prepare reports for your investigations. By the end of this book, you will have mastered the current operating systems and techniques so you can recover data from mobile devices by leveraging open source solutions.

Related Content you might be interested in

Current Title:

Small book image
Practical Mobile Forensics - Second Edition
Heather Mahalik | Rohit Tamma | Satish Bommisetty
May, 2016 | 412 pages
No titles found
Table of Contents (19 chapters)
Practical Mobile Forensics - Second Edition
Practical Mobile Forensics - Second Edition
Credits
Credits
About the Authors
About the Authors
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction to Mobile Forensics
Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
The mobile phone evidence extraction process
Practical mobile forensic approaches
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Summary
2
Understanding the Internals of iOS Devices
Understanding the Internals of iOS Devices
iPhone models
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
File system
The HFS Plus file system
Disk layout
iPhone operating system
Summary
3
iOS Forensic Tools
iOS Forensic Tools
Working with Elcomsoft iOS Forensic Toolkit
Oxygen Forensic Detective
Working with Cellebrite UFED Physical Analyzer
Working with BlackLight
Open source or free methods
Working with Magnet ACQUIRE
Working with NowSecureCE
Summary
4
Data Acquisition from iOS Devices
Data Acquisition from iOS Devices
Operating modes of iOS devices
Physical acquisition
Encrypted file systems
File system acquisition
Logical acquisition
Bypassing the passcode
Acquisition of jailbroken devices
Summary
5
Data Acquisition from iOS Backups
Data Acquisition from iOS Backups
iTunes backup
Working with iCloud backups
Summary
6
iOS Data Analysis and Recovery
iOS Data Analysis and Recovery
Timestamps
SQLite databases
Property lists
Other important files
The Apple Watch
Recovering deleted SQLite records
Summary
7
Understanding Android
Understanding Android
The evolution of Android
The Android model
The Android security
The Android file hierarchy
The Android file system
Summary
8
Android Forensic Setup and Pre Data Extraction Techniques
Android Forensic Setup and Pre Data Extraction Techniques
Setting up the forensic environment for Android
Screen lock bypassing techniques
Gaining root access
Summary
9
Android Data Extraction Techniques
Android Data Extraction Techniques
Data extraction techniques
Summary
10
Android Data Analysis and Recovery
Android Data Analysis and Recovery
Analyzing an Android image
Android data recovery
Summary
11
Android App Analysis, Malware, and Reverse Engineering
Android App Analysis, Malware, and Reverse Engineering
Analyzing Android apps
Reverse engineering Android apps
Android malware
Summary
12
Windows Phone Forensics
Windows Phone Forensics
Windows Phone OS
The Windows Phone file system
Data acquisition
Summary
13
Parsing Third-Party Application Files
Parsing Third-Party Application Files
Third-party application overview
Encoding versus encryption
Application data storage
Forensic methods used to extract third-party application data
Summary

Encrypted file systems

In addition to the acquisition hurdles, the file system on the iPhone is encrypted. Since the release of the iPhone 3GS, the hardware and firmware encryption are built into iOS devices. Every iOS device has a dedicated AES 256-bit crypto engine (the AES cryptographic accelerator) with two hardcoded keys: UID (Unique ID) and GID (Group ID) (as stated by Zdziarski). The CPU on the device cannot read the hardcoded keys but can use them for encryption and decryption through the AES accelerator. The UID key is unique for each device and is used to create device-specific keys (the 0x835 key and the 0x89B key) that are later used for file system encryption. The UID allows data to be cryptographically tied to a particular device; so, even if the flash chip is moved from one device to other, the files are not readable and remain encrypted. The GID key is shared by all devices with the same application processor (for example, all devices that use the A7 chip) and is used to...

Previous Section
End of Section 4
Next Section