Book Image

Practical Mobile Forensics

Book Image

Practical Mobile Forensics

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Practical Mobile Forensics
Jul, 2014 | 328 pages
No titles found
Table of Contents (20 chapters)
Practical Mobile Forensics
Practical Mobile Forensics
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction to Mobile Forensics
Introduction to Mobile Forensics
Mobile forensics
Mobile phone evidence extraction process
Practical mobile forensic approaches
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Summary
2
Understanding the Internals of iOS Devices
Understanding the Internals of iOS Devices
iPhone models
iPhone hardware
iPad models
iPad hardware
File system
The HFS Plus file system
Disk layout
iPhone operating system
Summary
3
Data Acquisition from iOS Devices
Data Acquisition from iOS Devices
Operating modes of iOS devices
Physical acquisition
Acquisition via a custom ramdisk
Acquisition via jailbreaking
Summary
4
Data Acquisition from iOS Backups
Data Acquisition from iOS Backups
iTunes backup
iCloud backup
Summary
5
iOS Data Analysis and Recovery
iOS Data Analysis and Recovery
Timestamps
SQLite databases
Property lists
Other important files
Recovering deleted SQLite records
Summary
6
iOS Forensic Tools
iOS Forensic Tools
Elcomsoft iOS Forensic Toolkit
Oxygen Forensic Suite 2014
Cellebrite UFED Physical Analyzer
Paraben iRecovery Stick
Open source or free methods
Summary
7
Understanding Android
Understanding Android
The Android model
Android security
Android file hierarchy
Android file system
Summary
8
Android Forensic Setup and Pre Data Extraction Techniques
Android Forensic Setup and Pre Data Extraction Techniques
A forensic environment setup
Screen lock bypassing techniques
Gaining root access
Summary
9
Android Data Extraction Techniques
Android Data Extraction Techniques
Imaging an Android Phone
Data extraction techniques
Summary
10
Android Data Recovery Techniques
Android Data Recovery Techniques
Data recovery
Summary
11
Android App Analysis and Overview of Forensic Tools
Android App Analysis and Overview of Forensic Tools
Android app analysis
Reverse engineering Android apps
Forensic tools overview
Cellebrite – UFED
MOBILedit
Autopsy
Summary
12
Windows Phone Forensics
Windows Phone Forensics
Windows Phone OS
Windows Phone file system
Data acquisition
Summary
13
BlackBerry Forensics
BlackBerry Forensics
BlackBerry OS
Data acquisition
BlackBerry analysis
Summary
Index
Index

Acquisition via a custom ramdisk

Acquisition via a custom ramdisk is a novel method to acquire data from an iPhone. It gains access to the file system by loading a custom ramdisk into the memory and exploiting a weakness in the boot process while the device is in the DFU mode. A custom ramdisk contains the forensic tools necessary to dump the file system over USB via an SSH tunnel. Loading a custom ramdisk onto a device will not alter the user data, and thus the evidence will not be destroyed.

Imagine a computer that is protected with an OS-level password, we can still access the hard disk contents by booting with a live CD. Similarly, on the iPhone, we can load a custom ramdisk over USB and access the file system. However, the iPhone secure boot chain prevents us from loading the custom ramdisk. We can achieve this by exploiting a Boot ROM vulnerability and patching successive stages, as shown in the following figure:

An exploited boot chain of an iPhone in DFU mode

Hacker communities have...

Previous Section
End of Section 4
Next Section