Index

A

• acquisition via a custom ramdisk
  • about / Acquisition via a custom ramdisk
  • forensic environment setup / The forensic environment setup
  • forensic toolkit, creating / Creating and loading the forensic toolkit
  • device communication, establishing / Establishing communication with the device
  • passcode, bypassing / Bypassing the passcode
  • data partition, imaging / Imaging the data partition
  • data partition, decrypting / Decrypting the data partition
  • deleted data, recovering / Recovering the deleted data
• acquisition via jail breaking
  • performing / Acquisition via jailbreaking
• Activation Lock, iOS security
  • about / Activation Lock
• adb
  • about / Using the adb pull command
• adb pull command
  • used, for logical data extraction / Using the adb pull command
• AddressBook.sqlitedb
  • about / Address book contacts
  • ABPerson / Address book contacts
  • ABMultiValue / Address book contacts
  • ABMultiValueLabel / Address book contacts
• AddressBookImages.sqlitedb file
  • about / Address book images
• Address Space Layout Randomization (ASLR), iOS security
  • about / Address Space Layout Randomization
• AFLogical / Using content providers
  • about / The AFLogical tool
  • editions / The AFLogical tool
  • OSE / The AFLogical tool
  • LE / The AFLogical tool
• AFLogical LE
  • about / AFLogical Law Enforcement (LE)
  • logical data, extracting from device / AFLogical Law Enforcement (LE)
• AFLogical OSE
  • about / AFLogical Open Source Edition
  • installing / AFLogical Open Source Edition
• AFLogical OSE 1.5.2
  • downloading / Using content providers
• Alpine / 1.x – the first iPhone
• Android
  • about / Android
• Android app
  • analysis / Android app analysis
• Android apps
  • reverse engineering / Reverse engineering Android apps, Steps to reverse engineer Android apps
• Android Debug Bridge (adb)
  • about / Android Debug Bridge
  • used, for accessing device / Accessing the device using adb
• Android device
  • accessing, adb used / Accessing the device using adb
  • connected devices, detecting / Detecting connected devices
  • local adb server, killing / Killing the local adb server
  • adb shell, accessing / Accessing the adb shell
  • handling / Handling an Android device
  • rooting / Rooting an Android device
  • root access / Root access – adb shell
  • imaging / Imaging an Android Phone
  • data extraction techniques / Data extraction techniques
• Android device, connecting to workstation
  • device cable, identifying / Identifying the device cable
  • device drivers, installing / Installing the device drivers
• Android file hierarchy
  • /boot / Android file hierarchy
  • /system / Android file hierarchy
  • /recovery / Android file hierarchy
  • /data / Android file hierarchy
  • /cache / Android file hierarchy
  • /misc / Android file hierarchy
• Android file system
  • about / Android file system
  • viewing, on Android device / Viewing file systems on an Android device
  • Extended File System (EXT) / Extended File System – EXT
• Android model
  • about / The Android model
  • Linux kernel layer / The Linux kernel layer
  • libraries / Libraries
  • Dalvik virtual machine / Dalvik virtual machine
  • dalvik virtual machine / Dalvik virtual machine
  • application framework layer / The application framework layer
  • applications layer / The applications layer
• Android SDK
  • about / Android Software Development Kit
  • downloading / Android Software Development Kit
  • installing / Android SDK installation
• Android security
  • about / Android security
  • secure kernel / Secure kernel
  • permission model / The permission model
  • application sandbox / Application sandbox
  • secure interprocess communication / Secure interprocess communication
  • application signing / Application signing
• Apex / 4.x – Game Center and multitasking
• APK file
  • extracting from Android device / Extracting an APK file from an Android device
• AppDomain / Record
• application framework layer, Android model
  • about / The application framework layer
  • telephony manager / The application framework layer
  • content provider / The application framework layer
  • resource manager / The application framework layer
• Application sandbox / Application sandbox
• applications layer, Android model
  • about / The applications layer
• App sandboxing
  • about / App sandboxing
• App Store / 2.x – App Store and 3G
  • about / App Store
• archiving phase, Mobile phone evidence extraction process
  • about / The archiving phase
• Autopsy
  • about / Autopsy
  • download link / Autopsy
  • Android, analyzing / Analyzing an Android in Autopsy
• AVD
  • about / Android Virtual Device
  • creating / Android Virtual Device

B

• b-tree layout / Recovering deleted SQLite records
• backup analysis, BlackBerry
  • about / BlackBerry backup analysis
• backup file, BlackBerry
  • file header / BlackBerry backup analysis
  • database name blocks / BlackBerry backup analysis
  • database records / BlackBerry backup analysis
  • database record fields / BlackBerry backup analysis
• backup structure, iTunes
  • about / Understanding the backup structure
  • info.plist file / info.plist
  • manifest.plist file / manifest.plist
  • status.plist file / status.plist
  • manifest.mbdb file / manifest.mbdb
• BigBear / 2.x – App Store and 3G
• BlackBerry analysis
  • about / BlackBerry analysis
  • backup analysis / BlackBerry backup analysis
  • forensic image analysis / BlackBerry forensic image analysis
  • encrypted BlackBerry backup file / Encrypted BlackBerry backup files
  • forensic tools / Forensic tools for BlackBerry analysis
• BlackBerry backup
  • creating / Creating a BlackBerry backup
• BlackBerry Backup (BBB) file / Creating a BlackBerry backup
• BlackBerry Backup Extractor / Forensic tools for BlackBerry analysis
  • using / Forensic tools for BlackBerry analysis
  • URL / Forensic tools for BlackBerry analysis
  • installing / Forensic tools for BlackBerry analysis
• BlackBerry backup file
  • about / Forensic tools for BlackBerry analysis
• BlackBerry Desktop Manager (BDM) / Creating a BlackBerry backup
• BlackBerry Desktop Software
  • installing / Creating a BlackBerry backup
  • URL / Creating a BlackBerry backup
• BlackBerry Enterprise Server (BES) / BlackBerry OS
• BlackBerry Internet Service (BIS) / BlackBerry OS
• BlackBerry Limited / BlackBerry OS
• BlackBerry Link / Creating a BlackBerry backup
• BlackBerry OS
  • about / BlackBerry OS, BlackBerry OS
  • URL / BlackBerry OS
  • version history / BlackBerry OS
  • security features / Security features
  • data acquisition / Data acquisition
• BlackBerry RIM / BlackBerry OS
• BlackBerry security
  • about / Security features
• BlackBerry timestamp types
  • URL / BlackBerry forensic image analysis
• Boot ROM / Normal mode
• browser history
  • extracting / Extracting browser history
• Bulk Extractor
  • about / Forensic tools for BlackBerry analysis
  • URL / Forensic tools for BlackBerry analysis

C

• Calendar.sqlitedb file
  • about / Calendar events
• call logs
  • extracting / Extracting call logs
• call_history.db file
  • about / Call history
• capabilities
  • about / Capability-based model
• capabilities-based model, Windows Phone
  • about / Capability-based model
• CelleBrite
  • about / Cellebrite – UFED
• CelleBrite Physical Analyzer
  • about / Cellebrite – UFED
• Cellebrite Physical Analyzer / BlackBerry forensic image analysis
• CelleBrite UFED
  • about / Cellebrite – UFED
• Cellebrite UFED
  • about / Cellebrite UFED Physical Analyzer
  • URL / Cellebrite UFED Physical Analyzer
  • features / Features of Cellebrite UFED Physical Analyzer
  • usage / Usage of Cellebrite UFED Physical Analyzer
  • physical acquisition of iOS, performing / Usage of Cellebrite UFED Physical Analyzer
  • supported devices / Supported devices
• Cellebrite UFED Touch / Standard acquisition methods
  • BlackBerry Z10 support / Standard acquisition methods
  • BlackBerry Curve support / Standard acquisition methods
• cgroup file system / Viewing file systems on an Android device
• chambers
  • about / Windows chambers
• ChevronWP7
  • about / Data acquisition
  • used, for sideloading / Sideloading using ChevronWP7
• Chip-off
  • about / Chip-off
  • process / Chip-off
• chip-off method
  • about / Chip-off
• chip-off technique, screen lock bypassing techniques / Other techniques
• ClockworkMod / Rooting an Android device
• Clockwork recovery / Rooting an Android device
• Cocoa Touch layer, iOS
  • about / The Cocoa Touch layer
• code signing, iOS security
  • about / Code signing
• codesign_allocate tool path
  • verifying / Verifying the codesign_allocate tool path
• COD files / Security features
• Connector app / MOBILedit
• consolidated.db file
  • about / Consolidated GPS cache
• consolidated GPS cache
  • about / Consolidated GPS cache
• content providers
  • used, for data extraction / Using content providers
• cookies
  • about / Cookies
• Core OS layer, iOS
  • about / The Core OS layer
• Core Services layer, iOS
  • about / The Core Services layer
• custom ramdisk
  • building / Building a custom ramdisk
  • booting / Booting the custom ramdisk
• Cydia application / Acquisition via jailbreaking

D

• .dump table-name command / SQLite special commands
• /data directory
  • extracting, on rooted device / Extracting the /data directory on a rooted device
  • extracting, on non-rooted device / Extracting the /data directory on a rooted device
• Dalvik bytecode / Reverse engineering Android apps
• Dalvik Virtual Machine (DVM) / Reverse engineering Android apps
• data acquisition
  • about / Data acquisition
  • sideloading, ChevronWP7 used / Sideloading using ChevronWP7
  • data, extracting / Extracting the data
• data acquisition, BlackBerry
  • about / Data acquisition
  • standard acquisition methods / Standard acquisition methods
  • BlackBerry backup, creating / Creating a BlackBerry backup
• data acquisition methods
  • about / Data acquisition methods
  • physical acquisition / Physical acquisition
  • logical acquisition / Logical acquisition
  • manual acquisition / Manual acquisition
• data execution prevention (DEP), iOS security
  • about / Data execution prevention
• data extraction, Windows Phone device
  • performing / Extracting the data
  • SMS, extracting / Extracting SMS
  • e-mail, extracting / Extracting e-mail
  • application data, extracting / Extracting application data
• data extraction techniques, Android device
  • types / Data extraction techniques
  • manual data extraction / Manual data extraction
  • logical data extraction / Logical data extraction
  • physical data extraction / Physical data extraction
• data protection, iOS security
  • about / Data protection
• data recovery
  • about / Data recovery
  • performing / Data recovery
  • deleted files, recovering / Recovering the deleted files
  • deleted data, recovering from SD card / Recovering deleted data from an SD card
  • deleted data, recovering from internal memory / Recovering data deleted from internal memory
  • deleted files, recovering by parsing SQLite files / Recovering deleted files by parsing SQLite files
  • files, recovering using file carving techniques / Recovering files using file-carving techniques
• data storage, Android device
  • shared preferences / Using the adb pull command
  • internal storage / Using the adb pull command
  • external storage / Using the adb pull command
  • SQLite database / Using the adb pull command
• data synchronization / iTunes backup
• data wipe, iOS security
  • about / Data wipe
• deleted SQLite records
  • recovering / Recovering deleted SQLite records
• device information
  • extracting / Extracting device information
• device locking / Handling an Android device
• devpts file system / Viewing file systems on an Android device
• dex2jar tool / Steps to reverse engineer Android apps
• DFU mode, iOS devices
  • about / DFU mode
  • enabling / DFU mode
  • verifying / DFU mode
• differential backup
  • about / Understanding the backup structure
• DiskDigger / Recovering files using file-carving techniques
• disk layout, iOS devices
  • system partition / Disk layout
  • about / Disk layout
  • user data partition / Disk layout
  • mounted partitions, viewing / Disk layout
  • raw disk images, viewing / Disk layout
• document and reporting phase, Mobile phone evidence extraction process
  • about / The document and reporting phase
• dot commands
  • about / SQLite special commands
  • .tables / SQLite special commands
  • .schema table-name / SQLite special commands
  • .dump table-name / SQLite special commands
  • .output file-name / SQLite special commands
  • .headers on / SQLite special commands
  • .help / SQLite special commands
  • .exit / SQLite special commands
  • .mode MODE / SQLite special commands
• downloaded applications
  • about / Downloaded applications
• DVM
  • about / Dalvik virtual machine

E

• .exit command / SQLite special commands
• e-mail database
  • about / E-mail database
• eDiscovery
  • about / BlackBerry analysis
• Effaceable Storage / Recovering the deleted data
• EIFT
  • about / Elcomsoft iOS Forensic Toolkit
  • URL / Elcomsoft iOS Forensic Toolkit
  • features / Features of EIFT
  • usage / Usage of EIFT
  • guided mode / Guided mode
  • manual mode / Manual mode
• EIFT-supported devices
  • about / EIFT-supported devices
  • compatibilities / Compatibility notes
• Elcomsoft BlackBerry Backup Explorer / Forensic tools for BlackBerry analysis
• Elcomsoft IPD Viewer
  • using / Forensic tools for BlackBerry analysis
• Elcomsoft Phone Password Breaker / Encrypted BlackBerry backup files
• Elevated Rights Chamber (ERC)
  • about / Windows chambers
• encrypted backup, iTunes
  • creating / Encrypted backup
  • extracting / Extracting encrypted backups
  • extracting, iPhone Data Protection Tools used / iPhone Data Protection Tools
  • keychain, decrypting / Decrypting the keychain
• encrypted BlackBerry backup file
  • about / Encrypted BlackBerry backup files
  • cracking / Encrypted BlackBerry backup files
• encryption, iOS security
  • about / Encryption
• Escrow keybag / Pairing records
• ES Explorer / Extracting an APK file from an Android device
• evidence
  • about / Potential evidence stored on mobile phones
  • rules / Authentic
  • securing / Securing the evidence
  • preserving / Preserving the evidence
  • documenting / Documenting the evidence
• evidence intake phase, Mobile phone evidence extraction process
  • about / The evidence intake phase
• Extended File System (EXT)
  • about / Extended File System – EXT

F

• Fastboot utility / Flashing a new recovery partition
• file carving
  • about / Recovering files using file-carving techniques
  • used, for recovering files / Recovering files using file-carving techniques
• file system, iPhone
  • HFSX / File system
• Find My Friends service / iCloud backup
• Find My iPhone service / iCloud backup
• Flash Friendly File System (F3FS) / Extended File System – EXT
• forensic best practices
  • evidence, securing / Securing the evidence
  • evidence, preserving / Preserving the evidence
  • evidence, documenting / Documenting the evidence
  • all changes, documenting / Documenting all changes
• forensic environment
  • setting up / A forensic environment setup
  • Android SDK / Android Software Development Kit
  • Android SDK installation / Android SDK installation
  • AVD / Android Virtual Device
  • Android device, connecting to workstation / Connecting an Android device to a workstation
  • connected device, accessing / Accessing the connected device
  • Android Debug Bridge (adb) / Android Debug Bridge
  • Android device, accessing with adb / Accessing the device using adb
  • Android device, handling / Handling an Android device
• forensic environment setup, acquisition via a custom ramdisk
  • performing / The forensic environment setup
  • ldid tool, downloading / Downloading and installing the ldid tool
  • ldid tool, installing / Downloading and installing the ldid tool
  • codesign_allocate tool path, verifying / Verifying the codesign_allocate tool path
  • OSXFuse, installing / Installing OSXFuse
  • Python modules, installing / Installing Python modules
  • iPhone Data Protection Tools, downloading / Downloading iPhone Data Protection Tools
  • IMG3FS tool, building / Building the IMG3FS tool
  • redsn0w, downloading / Downloading redsn0w
• forensic image analysis, BlackBerry
  • about / BlackBerry forensic image analysis
• forensic toolkit, acquisition via a custom ramdisk
  • creating / Creating and loading the forensic toolkit
  • loading / Creating and loading the forensic toolkit
  • iOS firmware file, downloading / Downloading the iOS firmware file
  • kernel, modifying / Modifying the kernel
  • custom ramdisk, building / Building a custom ramdisk
  • custom ramdisk, booting / Booting the custom ramdisk
• forensic tools
  • overview / Forensic tools overview
  • AFLogical tool / The AFLogical tool
  • MOBILedit / MOBILedit
  • Autopsy / Autopsy
• forensic tools, for BlackBerry analysis
  • about / Forensic tools for BlackBerry analysis
  • Cellebrite Physical Analyzer / Forensic tools for BlackBerry analysis
  • Oxygen Forensics Suite / Forensic tools for BlackBerry analysis
  • Microsystemation XRY / Forensic tools for BlackBerry analysis
  • AccessData MPE+ / Forensic tools for BlackBerry analysis

G

• Game Center / 4.x – Game Center and multitasking
• Global Positioning System (GPS) / 2.x – App Store and 3G
• guided mode, EIFT
  • about / Guided mode
  • physical acquisition of iPhone 4, performing / Guided mode

H

• .headers on command / SQLite special commands
• .help command / SQLite special commands
• Heavenly / 1.x – the first iPhone
• hex dump
  • about / Hex dump
• HFS Plus file system
  • about / The HFS Plus file system
  • URL / The HFS Plus file system
• HFS Plus volume
  • about / The HFS Plus volume
  • structure / The HFS Plus volume
• HFS volumes / The HFS Plus file system
• HFSX
  • about / File system
• Hierarchical File System (HFS)
  • about / The HFS Plus file system
• HomeDomain / Record
• HomeDomain plist files
  • about / The HomeDomain plist files

I

• iBackupBot / Open source or free methods
• iBEC loader
  • about / DFU mode
• iBoot
  • about / Normal mode
• iCloud / 5.x – Siri and iCloud
  • about / iCloud backup
  • Find My iPhone service / iCloud backup
  • Find My Friends service / iCloud backup
• iCloud backup
  • performing / iCloud backup
  • extracting / Extracting iCloud backups
• identification phase, Mobile phone evidence extraction process
  • about / The identification phase
  • legal authority / The legal authority
  • examinations goals / The goals of the examination
  • make and model, identifying / The make, model, and identifying information for the device
  • removable data storage / Removable and external data storage
  • potential evidence sources / Other sources of potential evidence
• ideviceinfo command-line tool
  • about / iPhone models
  • URL / iPhone models
• iExplorer / Open source or free methods
• iFunBox / Open source or free methods
• imaging process, memory (SD) card
  • memory card, connecting / Imaging a memory (SD) card
  • memory card, protecting / Imaging a memory (SD) card
  • hash value, calculating / Imaging a memory (SD) card
  • disk image, creating / Imaging a memory (SD) card
• imaging the device
  • about / Imaging an Android Phone
• IM chats analysis
  • about / Analysis of social networking/IM chats
• IMG3FS tool
  • building / Building the IMG3FS tool
• info.plist file
  • about / info.plist
  • content / info.plist
• Innsbruck / 7.x – the iPhone 5S and beyond
• Inter@active Pager Backup (IPD) / Creating a BlackBerry backup
• iOS
  • about / iOS, iPhone operating system
  • differences, with Mac OS X / iPhone operating system
• iOS acquisition methods
  • open source methods / Open source or free methods
• iOS architecture
  • about / The iOS architecture
  • layers / The iOS architecture
  • Cocoa Touch layer / The Cocoa Touch layer
  • Media layer / The Media layer
  • Core Services layer / The Core Services layer
  • Core OS layer / The Core OS layer
• iOS data analysis and recovery
  • timestamps / Timestamps
  • SQLite databases / SQLite databases
  • property list / Property lists
  • cookies / Cookies
  • keyboard cache / Keyboard cache
  • photos directory / Photos
  • wallpaper directory / Wallpaper
  • snapshots directory / Snapshots
  • recordings directory / Recordings
  • downloaded applications / Downloaded applications
  • deleted SQLite records, recovering / Recovering deleted SQLite records
• iOS devices
  • iPhone / iPhone models
  • iPad / iPad models
  • disk layout / Disk layout
  • operating modes / Operating modes of iOS devices
  • physical acquisition / Physical acquisition
• iOS firmware file
  • downloading / Downloading the iOS firmware file
• iOS history
  • about / iOS history
  • iPhone OS 1.x / 1.x – the first iPhone
  • App Store / 2.x – App Store and 3G
  • iPhone 3G / 2.x – App Store and 3G
  • iPad / 3.x – the first iPad
  • game center / 4.x – Game Center and multitasking
  • multitasking / 4.x – Game Center and multitasking
  • Siri / 5.x – Siri and iCloud
  • iCloud / 5.x – Siri and iCloud
  • Apple Maps / 6.x – Apple Maps
  • iPhone 5S / 7.x – the iPhone 5S and beyond
• iOS security
  • about / iOS security
  • features / iOS security
  • passcodes / Passcode
  • code signing / Code signing
  • sandboxing / Sandboxing
  • encryption / Encryption
  • data protection / Data protection
  • Address Space Layout Randomization (ASLR) / Address Space Layout Randomization
  • privilege separation / Privilege separation
  • stack smashing protection / Stack smashing protection
  • data execution prevention (DEP) / Data execution prevention
  • data wipe / Data wipe
  • Activation Lock / Activation Lock
• iPad hardware
  • about / iPad hardware
  • internal images / iPad hardware
• iPad models
  • iOS versions / iPad models
  • specifications and features / iPad models
• IPD file
  • information, viewing with BlackBerry Backup Extractor / Forensic tools for BlackBerry analysis
• iPhone
  • about / iPhone models
  • models / iPhone models
  • model, identifying / iPhone models
  • examining / iPhone models
  • model number / iPhone models
  • firmware version / iPhone models
  • specifications and features / iPhone models
  • file system / File system
• iPhone Backup Browser
  • unencrypted backup, extracting / iPhone Backup Browser
  • about / iPhone Backup Browser
• iPhone Backup Extractor
  • about / iPhone Backup Extractor
  • unencrypted backup, extracting / iPhone Backup Extractor
• iPhone backups
  • iTunes backup / iTunes backup
  • iCloud backup / iCloud backup
• iPhone Data Protection Tools
  • about / Acquisition via a custom ramdisk, iPhone Data Protection Tools
  • installing / Downloading iPhone Data Protection Tools
  • unencrypted backup, extracting / iPhone Data Protection Tools
  • encrypted backup, extracting / iPhone Data Protection Tools
• iPhone hardware
  • about / iPhone hardware
  • internal images / iPhone hardware
• iPhone OS
  • about / iPhone operating system
• iPhone Password Breaker
  • about / iPhone Password Breaker
  • backup password, brute forcing / iPhone Password Breaker
• iPhone Software Development Kit (SDK) / 2.x – App Store and 3G
• iRecovery Stick
  • about / Paraben iRecovery Stick
  • URL / Paraben iRecovery Stick
  • features / Features of Paraben iRecovery Stick
  • usage / Usage of Paraben iRecovery Stick
  • acquisition of iOS device, performing / Usage of Paraben iRecovery Stick
  • supported devices / Devices supported by Paraben iRecovery Stick
• isolation phase, Mobile phone evidence extraction process
  • about / The isolation phase
• iTunes
  • about / iTunes backup
  • auto-syncing, disabling / iTunes backup
• iTunes backup
  • performing / iTunes backup
  • records, pairing / Pairing records
  • backup structure / Understanding the backup structure
  • unencrypted backup, creating / Unencrypted backup
  • encrypted backup, creating / Encrypted backup
• IV (initialization vector) / Extracting encrypted backups

J

• jailbreaking
  • about / Jailbreaking
  • URL / Jailbreaking
• Java Development Environment (JDE) / BlackBerry OS
• Java Virtual Machine (JVM) / Security features
• JD-GUI tool / Steps to reverse engineer Android apps
• Joint Test Action Group (JTAG) method / Chip-off
• JTAG
  • about / JTAG
  • process / JTAG
• JTAG technique, screen lock bypassing techniques / Other techniques

K

• Kernel Address Space Layout Randomization / Acquisition via jailbreaking
• Kernel Address Space Protection / Acquisition via jailbreaking
• keyboard cache
  • about / Keyboard cache
• Kirkwood / 3.x – the first iPad

L

• ldid tool
  • downloading / Downloading and installing the ldid tool
  • installing / Downloading and installing the ldid tool
• Least Privileged Chamber (LPC)
  • about / Windows chambers
• libraries, Android model
  • about / Libraries
• LiME
  • about / Recovering deleted data from an SD card
• Linux kernel layer, Android model
  • about / The Linux kernel layer
• lockdown certificates / Pairing records
• logical acquisition method
  • about / Logical acquisition
• logical data extraction
  • about / Logical data extraction
  • performing / Logical data extraction
  • performing, adb pull command used / Using the adb pull command
  • /data directory, extracting on rooted device / Extracting the /data directory on a rooted device
  • /data directory, extracting on non-rooted device / Extracting the /data directory on a rooted device
  • performing, SQLite Browser used / Using SQLite Browser
  • device information, extracting / Extracting device information
  • call logs, extracting / Extracting call logs
  • SMS/MMS, extracting / Extracting SMS/MMS
  • browser history, extracting / Extracting browser history
  • social networking analysis / Analysis of social networking/IM chats
  • IM chats analysis / Analysis of social networking/IM chats
  • performing, content providers used / Using content providers
• logical extraction process
  • about / Logical extraction
• Low-Level boot loader (LLB) / Normal mode

M

• .mode MODE command / SQLite special commands
• M2Crypto
  • about / Installing Python modules
  • installing / Installing Python modules
• Mac absolute time
  • about / Mac absolute time
• Mac OS X 10.8
  • iPhone model, obtaining / iPhone models
  • iPhone iOS version, obtaining / iPhone models
• manifest.mbdb file
  • about / manifest.mbdb
  • header / Header
  • records / Record
• manifest.plist file
  • about / manifest.plist
  • content / manifest.plist
• manual acquisition method
  • about / Manual acquisition
• manual data extraction
  • about / Manual data extraction
  • Android device, rooting / Using root access to acquire an Android device
• manual extraction process
  • about / Manual extraction
• manual mode, EIFT
  • about / Manual mode
• MCC/MNC codes
  • reference link / Call history
• Media layer, iOS
  • about / The Media layer
• memory (SD) card
  • imaging / Imaging a memory (SD) card
  • imaging, WinHex used / Imaging a memory (SD) card
  • imaging process / Imaging a memory (SD) card
• Mercurial source code management system
  • installing / Installing Python modules
• micro read / Micro read
• Microsoft .NET Framework 4 / iPhone Backup Browser
• Mobile Data System (MDS) / BlackBerry OS
• Mobile Device Management (MDM) / Handling an Android device
• MOBILedit
  • about / MOBILedit
  • URL / MOBILedit
  • used, for extracting information from Android phone / MOBILedit
• Mobile forensic approaches
  • about / Practical mobile forensic approaches
  • mobile operating systems overview / Mobile operating systems overview
  • Mobile forensic tool leveling system / Mobile forensic tool leveling system
  • data acquisition methods / Data acquisition methods
• Mobile forensics
  • about / Mobile forensics
  • challenges / Mobile forensic challenges
• Mobile forensic tool leveling system
  • about / Mobile forensic tool leveling system
  • manual extraction / Manual extraction
  • logical extraction / Logical extraction
  • hex dump / Hex dump
  • chip-off / Chip-off
  • micro read / Micro read
• mobile operating systems
  • overview / Mobile operating systems overview
  • Android / Android
  • iOS / iOS
  • Windows phone / Windows phone
  • BlackBerry OS / BlackBerry OS
• Mobile phone evidence extraction process
  • about / Mobile phone evidence extraction process
  • evidence intake phase / The evidence intake phase
  • identification phase / The identification phase
  • preparation phase / The preparation phase
  • isolation phase / The isolation phase
  • processing phase / The processing phase
  • verification phase / The verification phase
  • document and reporting phase / The document and reporting phase
  • presentation phase / The presentation phase
  • archiving phase / The archiving phase
• mobile phones
  • evidence / Potential evidence stored on mobile phones
• model number, iPhone / iPhone models
• mount command / Disk layout

N

• NAND
  • about / Physical acquisition
• normal mode, iOS devices
  • about / Normal mode
• Notes database
  • about / Notes

O

• .output file-name command / SQLite special commands
• operating modes, iOS devices
  • about / Operating modes of iOS devices
  • normal mode / Normal mode
  • recovery mode / Recovery mode
  • DFU mode / DFU mode
• OSXFuse
  • installing / Installing OSXFuse
• over the air (OTA) software updates / 5.x – Siri and iCloud
• Oxygen Forensics IPD Viewer / Forensic tools for BlackBerry analysis
• Oxygen Forensics SQLite Viewer
  • about / Recovering deleted files by parsing SQLite files
• Oxygen Forensics Suite
  • installing / Forensic tools for BlackBerry analysis
• Oxygen Forensic Suite 2014
  • about / Oxygen Forensic Suite 2014
  • URL / Oxygen Forensic Suite 2014
  • features / Features of Oxygen Forensic Suite
  • usage / Usage of Oxygen Forensic Suite
  • acquisition of iOS, performing / Usage of Oxygen Forensic Suite
  • supported devices / Oxygen Forensic Suite 2014 supported devices

P

• passcodes, iOS security
  • about / Passcode
• PBKDF2 (Password-Based Key Derivation Function 2) / Extracting encrypted backups
• photos directory
  • about / Photos
• photos metadata
  • about / The photos metadata
• physical acquisition, iOS devices
  • about / Physical acquisition
• physical acquisition method
  • about / Physical acquisition
• physical data extraction
  • performing / Physical data extraction
  • JTAG / JTAG
  • Chip-off technique / Chip-off
• plist
  • about / Property lists
• Plist Editor for Windows
  • URL / Property lists
• plutil command-line utility, Mac OS X
  • about / Property lists
• preparation phase, Mobile phone evidence extraction process
  • about / The preparation phase
• presentation phase, Mobile phone evidence extraction process
  • about / The presentation phase
• privilege separation, iOS security
  • about / Privilege separation
• processing phase, Mobile phone evidence extraction process
  • about / The processing phase
• proc file system / Viewing file systems on an Android device
• property list / Pairing records
  • about / Property lists
• Property List Editor
  • about / Property lists
• Property List Editor application / Understanding the backup structure
• PyCrypto / Installing Python modules
• Python modules
  • installing / Installing Python modules

Q

• QuickTime Player
  • about / Voicemail

R

• re-balling
  • about / Chip-off
• read-only memory (ROM) / Normal mode
• recordings directory
  • about / Recordings
• recovery loop
  • about / Recovery mode
• recovery mode, iOS devices
  • about / Recovery mode
• redsn0w tool
  • about / Recovery mode
  • downloading / Downloading redsn0w
• Remo Recover for Android tool
  • used, for recovering deleted files from SD card / Recovering deleted data from an SD card
  • about / Recovering deleted data from an SD card
  • downloading / Recovering deleted data from an SD card
• Research in Motion (RIM)
  • about / BlackBerry OS
• reverse engineering, Android apps
  • APK file, extracting from Android device / Extracting an APK file from an Android device
  • performing / Steps to reverse engineer Android apps
• Robust File System (RFS) / Extended File System – EXT
• root / What is rooting?
• root access
  • gaining / Gaining root access
• RootDomain plist files
  • about / The RootDomain plist files
• rootfs file system / Viewing file systems on an Android device
• rooting
  • about / What is rooting?
  • Android device / Rooting an Android device
  • Clockwork recovery / Rooting an Android device
  • ClockworkMod / Rooting an Android device
  • advantages / Rooting an Android device
  • disadvantages / Rooting an Android device
  • adb shell, running / Root access – adb shell
• rules, evidence
  • admissible / Admissible
  • authentic / Authentic
  • complete / Complete
  • reliable / Reliable
  • believable / Believable

S

• .schema table-name command / SQLite special commands
• Safari bookmarks database
  • about / Safari bookmarks
• Safari web caches
  • about / The Safari web caches
• Samsung Android device
  • data extracting, UFED used / Physical extraction
• sandboxing, iOS security
  • about / Sandboxing
• Scalpel
  • about / Recovering files using file-carving techniques
  • using, on Ubuntu workstation / Recovering files using file-carving techniques
• screen lock bypassing techniques
  • about / Screen lock bypassing techniques
  • pattern lock / Screen lock bypassing techniques
  • PIN code / Screen lock bypassing techniques
  • alphanumeric passcode / Screen lock bypassing techniques
  • adb, used / Using adb to bypass the screen lock
  • gesture.key file, deleting / Deleting the gesture.key file
  • settings.db file, updating / Updating the settings.db file
  • modified recovery mode, checking / Checking for the modified recovery mode and adb connection
  • adb connection, checking / Checking for the modified recovery mode and adb connection
  • recovery partition, flashing / Flashing a new recovery partition
  • smudge attack / Smudge attack
  • Gmail account, using / Using the primary Gmail account
  • JTAG / Other techniques
  • chip-off technique / Other techniques
• secure boot chain / Normal mode
• secure ROM / Normal mode
• security chambers
  • about / Windows chambers
  • Trusted Computing Base (TCB) / Windows chambers
  • Elevated Rights Chamber (ERC) / Windows chambers
  • Standard Rights Chamber (SRC) / Windows chambers
  • Least Privileged Chamber (LPC) / Windows chambers
• security features, BlackBerry
  • about / Security features
• security model, Windows Phone OS
  • about / Security model
• Siri / 5.x – Siri and iCloud
• Sleuth Kit / Autopsy
• SMS/MMS
  • extracting / Extracting SMS/MMS
• SMS database
  • about / SMS messages
• SMS Spotlight cache
  • about / SMS Spotlight cache
• smudge attack / Smudge attack
• snapshots directory
  • about / Snapshots
• social networking analysis
  • about / Analysis of social networking/IM chats
• SQLite
  • about / SQLite databases
• sqlite3 command-line utility / SQLite databases
• SQLite Browser
  • URL / SQLite databases
  • used, for logical data extraction / Using SQLite Browser
• SQLite command-line client
  • URL / SQLite databases
• SQLite commands
  • about / SQLite special commands
• SQLite databases
  • about / SQLite databases
  • connecting to / Connecting to a database
  • commands / SQLite special commands
  • standard SQL queries / Standard SQL queries
  • address book contacts / Address book contacts
  • address book images / Address book images
  • call history / Call history
  • SMS database / SMS messages
  • SMS Spotlight cache / SMS Spotlight cache
  • calendar events / Calendar events
  • e-mail database / E-mail database
  • notes database / Notes
  • Safari bookmarks / Safari bookmarks
  • Safari web caches / The Safari web caches
  • web application cache / The web application cache
  • WebKit storage / The WebKit storage
  • photos metadata / The photos metadata
  • consolidated GPS cache / Consolidated GPS cache
  • voicemail database / Voicemail
• SQLite files
  • using / Recovering deleted files by parsing SQLite files
  • URL / Recovering deleted files by parsing SQLite files
• SQLite Professional
  • URL / SQLite databases
• SQLite Spy
  • URL / SQLite databases
• stack smashing protection, iOS security
  • about / Stack smashing protection
• standard acquisition methods
  • about / Standard acquisition methods
• Standard Rights Chamber (SRC)
  • about / Windows chambers
• standard SQL queries
  • SELECT / Standard SQL queries
  • INSERT / Standard SQL queries
  • DELETE / Standard SQL queries
  • ALTER / Standard SQL queries
• status.plist file
  • about / status.plist
  • content / status.plist
• Sundance / 6.x – Apple Maps
• Super Backup app
  • about / Recovering deleted data from an SD card
• System keybag / Bypassing the passcode, Pairing records
• system partition, iOS device disk layout
  • about / Disk layout
• SystemPreferencesDomain plist files
  • about / The SystemPreferencesDomain plist files

T

• .tables command / SQLite special commands
• Telluride / 5.x – Siri and iCloud
• Test Access Ports (TAPs) / Chip-off
• tiles / Windows Phone OS
• timestamps
  • about / Timestamps
  • Unix timestamp / Unix timestamps
  • Mac absolute time / Mac absolute time
• tmpfs file system / Viewing file systems on an Android device
• Trusted Computing Base (TCB)
  • about / Windows chambers

U

• UFED Touch
  • used, for extracting data from Samsung Android device / Physical extraction
• unencrypted backup, iTunes
  • creating / Unencrypted backup
  • extracting / Extracting unencrypted backups
  • extracting, iPhone Backup Extractor used / iPhone Backup Extractor
  • extracting, iPhone Backup Browser used / iPhone Backup Browser, iPhone Data Protection Tools
  • keychain, decrypting / Decrypting the keychain
• Unique Device Identifier (UDID) / Bypassing the passcode, Understanding the backup structure
• Unix timestamp
  • about / Unix timestamps
• user data partition, iOS device disk layout
  • about / Disk layout

V

• verification phase, Mobile phone evidence extraction process
  • about / The verification phase
  • extracted data, comparing to handset data / Comparing extracted data to the handset data
  • results, comparing using multiple tools / Using multiple tools and comparing the results
  • hash values, using / Using hash values
• VFAT / Extended File System – EXT
• viaForensics / The AFLogical tool
• Visual C++ 2010 runtime / iPhone Backup Browser
• voicemail database
  • about / Voicemail
• volume structure, HFS Plus
  • volume header / The HFS Plus volume
  • allocation file / The HFS Plus volume
  • extents overflow file / The HFS Plus volume
  • catalog file / The HFS Plus volume
  • attribute file / The HFS Plus volume
  • startup file / The HFS Plus volume
  • alternate volume header file / The HFS Plus volume

W

• wallpaper directory
  • about / Wallpaper
• web application cache
  • about / The web application cache
• WebKit storage, Safari
  • about / The WebKit storage
• Wildcat / 3.x – the first iPad
• Windows phone
  • about / Windows phone
• Windows Phone Device Manager
  • downloading / Extracting the data
• Windows Phone file system
  • about / Windows Phone file system
  • Application Data directory / Windows Phone file system
  • Applications directory / Windows Phone file system
  • My Documents directory / Windows Phone file system
  • Windows directory / Windows Phone file system
• Windows Phone OS
  • about / Windows Phone OS
  • security model / Security model
  • chambers / Windows chambers
  • capabilities-based model / Capability-based model
  • App sandboxing / App sandboxing
• Windows Phone SDK 7.1
  • downloading / Extracting the data
• Windows registry / Windows Phone file system
• WinHex
  • used, for imaging memory (SD) card / Imaging a memory (SD) card
• WirelessDomain plist files
  • about / The WirelessDomain plist files

Y

• Yet Another Flash File System 2(YAFFS2) / Extended File System – EXT

Z

• Zune software
  • downloading / Extracting the data