Index
A
- acquisition via a custom ramdisk
- about / Acquisition via a custom ramdisk
- forensic environment setup / The forensic environment setup
- forensic toolkit, creating / Creating and loading the forensic toolkit
- device communication, establishing / Establishing communication with the device
- passcode, bypassing / Bypassing the passcode
- data partition, imaging / Imaging the data partition
- data partition, decrypting / Decrypting the data partition
- deleted data, recovering / Recovering the deleted data
- acquisition via jailbreaking
- performing / Acquisition via jailbreaking
- Activation Lock, iOS security
- about / Activation Lock
- adb
- about / Using the adb pull command
- adb pull command
- used, for logical data extraction / Using the adb pull command
- AddressBook.sqlitedb
- about / Address book contacts
- ABPerson / Address book contacts
- ABMultiValue / Address book contacts
- ABMultiValueLabel / Address book contacts
- AddressBookImages.sqlitedb file
- about / Address book images
- Address Space Layout Randomization (ASLR), iOS security
- AFLogical / Using content providers
- about / The AFLogical tool
- editions / The AFLogical tool
- OSE / The AFLogical tool
- LE / The AFLogical tool
- AFLogical LE
- about / AFLogical Law Enforcement (LE)
- logical data, extracting from device / AFLogical Law Enforcement (LE)
- AFLogical OSE
- about / AFLogical Open Source Edition
- installing / AFLogical Open Source Edition
- AFLogical OSE 1.5.2
- downloading / Using content providers
- Alpine / 1.x – the first iPhone
- Android
- about / Android
- Android app
- analysis / Android app analysis
- Android apps
- reverse engineering / Reverse engineering Android apps, Steps to reverse engineer Android apps
- Android Debug Bridge (adb)
- about / Android Debug Bridge
- used, for accessing device / Accessing the device using adb
- Android device
- accessing, adb used / Accessing the device using adb
- connected devices, detecting / Detecting connected devices
- local adb server, killing / Killing the local adb server
- adb shell, accessing / Accessing the adb shell
- handling / Handling an Android device
- rooting / Rooting an Android device
- root access / Root access – adb shell
- imaging / Imaging an Android Phone
- data extraction techniques / Data extraction techniques
- Android device, connecting to workstation
- device cable, identifying / Identifying the device cable
- device drivers, installing / Installing the device drivers
- Android file hierarchy
- /boot / Android file hierarchy
- /system / Android file hierarchy
- /recovery / Android file hierarchy
- /data / Android file hierarchy
- /cache / Android file hierarchy
- /misc / Android file hierarchy
- Android file system
- about / Android file system
- viewing, on Android device / Viewing file systems on an Android device
- Extended File System (EXT) / Extended File System – EXT
- Android model
- about / The Android model
- Linux kernel layer / The Linux kernel layer
- libraries / Libraries
- Dalvik virtual machine / Dalvik virtual machine
- application framework layer / The application framework layer
- applications layer / The applications layer
- Android SDK
- about / Android Software Development Kit
- downloading / Android Software Development Kit
- installing / Android SDK installation
- Android security
- about / Android security
- secure kernel / Secure kernel
- permission model / The permission model
- application sandbox / Application sandbox
- secure interprocess communication / Secure interprocess communication
- application signing / Application signing
- Apex / 4.x – Game Center and multitasking
- APK file
- extracting from Android device / Extracting an APK file from an Android device
- AppDomain / Record
- application framework layer, Android model
- about / The application framework layer
- telephony manager / The application framework layer
- content provider / The application framework layer
- resource manager / The application framework layer
- Application sandbox / Application sandbox
- applications layer, Android model
- about / The applications layer
- App sandboxing
- about / App sandboxing
- App Store / 2.x – App Store and 3G
- about / App Store
- archiving phase, Mobile phone evidence extraction process
- about / The archiving phase
- Autopsy
- about / Autopsy
- download link / Autopsy
- Android, analyzing / Analyzing an Android in Autopsy
- AVD
- about / Android Virtual Device
- creating / Android Virtual Device
B
- b-tree layout / Recovering deleted SQLite records
- backup analysis, BlackBerry
- about / BlackBerry backup analysis
- backup file, BlackBerry
- file header / BlackBerry backup analysis
- database name blocks / BlackBerry backup analysis
- database records / BlackBerry backup analysis
- database record fields / BlackBerry backup analysis
- backup structure, iTunes
- about / Understanding the backup structure
- info.plist file / info.plist
- manifest.plist file / manifest.plist
- status.plist file / status.plist
- manifest.mbdb file / manifest.mbdb
- BigBear / 2.x – App Store and 3G
- BlackBerry analysis
- about / BlackBerry analysis
- backup analysis / BlackBerry backup analysis
- forensic image analysis / BlackBerry forensic image analysis
- encrypted BlackBerry backup file / Encrypted BlackBerry backup files
- forensic tools / Forensic tools for BlackBerry analysis
- BlackBerry backup
- creating / Creating a BlackBerry backup
- BlackBerry Backup (BBB) file / Creating a BlackBerry backup
- BlackBerry Backup Extractor / Forensic tools for BlackBerry analysis
- BlackBerry backup file
- BlackBerry Desktop Manager (BDM) / Creating a BlackBerry backup
- BlackBerry Desktop Software
- installing / Creating a BlackBerry backup
- URL / Creating a BlackBerry backup
- BlackBerry Enterprise Server (BES) / BlackBerry OS
- BlackBerry Internet Service (BIS) / BlackBerry OS
- BlackBerry Limited / BlackBerry OS
- BlackBerry Link / Creating a BlackBerry backup
- BlackBerry OS
- about / BlackBerry OS, BlackBerry OS
- URL / BlackBerry OS
- version history / BlackBerry OS
- security features / Security features
- data acquisition / Data acquisition
- BlackBerry RIM / BlackBerry OS
- BlackBerry security
- about / Security features
- BlackBerry timestamp types
- Boot ROM / Normal mode
- browser history
- extracting / Extracting browser history
- Bulk Extractor
C
- Calendar.sqlitedb file
- about / Calendar events
- call logs
- extracting / Extracting call logs
- call_history.db file
- about / Call history
- capabilities
- about / Capability-based model
- capabilities-based model, Windows Phone
- about / Capability-based model
- CelleBrite
- about / Cellebrite – UFED
- CelleBrite Physical Analyzer
- about / Cellebrite – UFED
- Cellebrite Physical Analyzer / BlackBerry forensic image analysis
- CelleBrite UFED
- about / Cellebrite – UFED
- Cellebrite UFED
- about / Cellebrite UFED Physical Analyzer
- URL / Cellebrite UFED Physical Analyzer
- features / Features of Cellebrite UFED Physical Analyzer
- usage / Usage of Cellebrite UFED Physical Analyzer
- physical acquisition of iOS, performing / Usage of Cellebrite UFED Physical Analyzer
- supported devices / Supported devices
- Cellebrite UFED Touch / Standard acquisition methods
- BlackBerry Z10 support / Standard acquisition methods
- BlackBerry Curve support / Standard acquisition methods
- cgroup file system / Viewing file systems on an Android device
- chambers
- about / Windows chambers
- ChevronWP7
- about / Data acquisition
- used, for sideloading / Sideloading using ChevronWP7
- Chip-off
- chip-off method
- about / Chip-off
- chip-off technique, screen lock bypassing techniques / Other techniques
- ClockworkMod / Rooting an Android device
- Clockwork recovery / Rooting an Android device
- Cocoa Touch layer, iOS
- about / The Cocoa Touch layer
- code signing, iOS security
- about / Code signing
- codesign_allocate tool path
- verifying / Verifying the codesign_allocate tool path
- COD files / Security features
- Connector app / MOBILedit
- consolidated.db file
- about / Consolidated GPS cache
- consolidated GPS cache
- about / Consolidated GPS cache
- content providers
- used, for data extraction / Using content providers
- cookies
- about / Cookies
- Core OS layer, iOS
- about / The Core OS layer
- Core Services layer, iOS
- about / The Core Services layer
- custom ramdisk
- building / Building a custom ramdisk
- booting / Booting the custom ramdisk
- Cydia application / Acquisition via jailbreaking
D
- .dump table-name command / SQLite special commands
- /data directory
- extracting, on rooted device / Extracting the /data directory on a rooted device
- extracting, on non-rooted device / Extracting the /data directory on a rooted device
- Dalvik bytecode / Reverse engineering Android apps
- Dalvik Virtual Machine (DVM) / Reverse engineering Android apps
- data acquisition
- about / Data acquisition
- sideloading, ChevronWP7 used / Sideloading using ChevronWP7
- data, extracting / Extracting the data
- data acquisition, BlackBerry
- about / Data acquisition
- standard acquisition methods / Standard acquisition methods
- BlackBerry backup, creating / Creating a BlackBerry backup
- data acquisition methods
- about / Data acquisition methods
- physical acquisition / Physical acquisition
- logical acquisition / Logical acquisition
- manual acquisition / Manual acquisition
- data execution prevention (DEP), iOS security
- about / Data execution prevention
- data extraction, Windows Phone device
- performing / Extracting the data
- SMS, extracting / Extracting SMS
- e-mail, extracting / Extracting e-mail
- application data, extracting / Extracting application data
- data extraction techniques, Android device
- types / Data extraction techniques
- manual data extraction / Manual data extraction
- logical data extraction / Logical data extraction
- physical data extraction / Physical data extraction
- data protection, iOS security
- about / Data protection
- data recovery
- about / Data recovery
- performing / Data recovery
- deleted files, recovering / Recovering the deleted files
- deleted data, recovering from SD card / Recovering deleted data from an SD card
- deleted data, recovering from internal memory / Recovering data deleted from internal memory
- deleted files, recovering by parsing SQLite files / Recovering deleted files by parsing SQLite files
- files, recovering using file carving techniques / Recovering files using file-carving techniques
- data storage, Android device
- shared preferences / Using the adb pull command
- internal storage / Using the adb pull command
- external storage / Using the adb pull command
- SQLite database / Using the adb pull command
- data synchronization / iTunes backup
- data wipe, iOS security
- about / Data wipe
- deleted SQLite records
- recovering / Recovering deleted SQLite records
- device information
- extracting / Extracting device information
- device locking / Handling an Android device
- devpts file system / Viewing file systems on an Android device
- dex2jar tool / Steps to reverse engineer Android apps
- DFU mode, iOS devices
- differential backup
- DiskDigger / Recovering files using file-carving techniques
- disk layout, iOS devices
- system partition / Disk layout
- about / Disk layout
- user data partition / Disk layout
- mounted partitions, viewing / Disk layout
- raw disk images, viewing / Disk layout
- document and reporting phase, Mobile phone evidence extraction process
- about / The document and reporting phase
- dot commands
- about / SQLite special commands
- .tables / SQLite special commands
- .schema table-name / SQLite special commands
- .dump table-name / SQLite special commands
- .output file-name / SQLite special commands
- .headers on / SQLite special commands
- .help / SQLite special commands
- .exit / SQLite special commands
- .mode MODE / SQLite special commands
- downloaded applications
- about / Downloaded applications
- DVM
- about / Dalvik virtual machine
E
- .exit command / SQLite special commands
- e-mail database
- about / E-mail database
- eDiscovery
- about / BlackBerry analysis
- Effaceable Storage / Recovering the deleted data
- EIFT
- about / Elcomsoft iOS Forensic Toolkit
- URL / Elcomsoft iOS Forensic Toolkit
- features / Features of EIFT
- usage / Usage of EIFT
- guided mode / Guided mode
- manual mode / Manual mode
- EIFT-supported devices
- about / EIFT-supported devices
- compatibilities / Compatibility notes
- Elcomsoft BlackBerry Backup Explorer / Forensic tools for BlackBerry analysis
- Elcomsoft IPD Viewer
- Elcomsoft Phone Password Breaker / Encrypted BlackBerry backup files
- Elevated Rights Chamber (ERC)
- about / Windows chambers
- encrypted backup, iTunes
- creating / Encrypted backup
- extracting / Extracting encrypted backups
- extracting, iPhone Data Protection Tools used / iPhone Data Protection Tools
- keychain, decrypting / Decrypting the keychain
- encrypted BlackBerry backup file
- about / Encrypted BlackBerry backup files
- cracking / Encrypted BlackBerry backup files
- encryption, iOS security
- about / Encryption
- Escrow keybag / Pairing records
- ES Explorer / Extracting an APK file from an Android device
- evidence
- about / Potential evidence stored on mobile phones
- rules / Authentic
- securing / Securing the evidence
- preserving / Preserving the evidence
- documenting / Documenting the evidence
- evidence intake phase, Mobile phone evidence extraction process
- about / The evidence intake phase
- Extended File System (EXT)
- about / Extended File System – EXT
F
- Fastboot utility / Flashing a new recovery partition
- file carving
- about / Recovering files using file-carving techniques
- used, for recovering files / Recovering files using file-carving techniques
- file system, iPhone
- HFSX / File system
- Find My Friends service / iCloud backup
- Find My iPhone service / iCloud backup
- Flash Friendly File System (F2FS) / Extended File System – EXT
- forensic best practices
- evidence, securing / Securing the evidence
- evidence, preserving / Preserving the evidence
- evidence, documenting / Documenting the evidence
- all changes, documenting / Documenting all changes
- forensic environment
- setting up / A forensic environment setup
- Android SDK / Android Software Development Kit
- Android SDK installation / Android SDK installation
- AVD / Android Virtual Device
- Android device, connecting to workstation / Connecting an Android device to a workstation
- connected device, accessing / Accessing the connected device
- Android Debug Bridge (adb) / Android Debug Bridge
- Android device, accessing with adb / Accessing the device using adb
- Android device, handling / Handling an Android device
- forensic environment setup, acquisition via a custom ramdisk
- performing / The forensic environment setup
- ldid tool, downloading / Downloading and installing the ldid tool
- ldid tool, installing / Downloading and installing the ldid tool
- codesign_allocate tool path, verifying / Verifying the codesign_allocate tool path
- OSXFuse, installing / Installing OSXFuse
- Python modules, installing / Installing Python modules
- iPhone Data Protection Tools, downloading / Downloading iPhone Data Protection Tools
- IMG3FS tool, building / Building the IMG3FS tool
- redsn0w, downloading / Downloading redsn0w
- forensic image analysis, BlackBerry
- forensic toolkit, acquisition via a custom ramdisk
- creating / Creating and loading the forensic toolkit
- loading / Creating and loading the forensic toolkit
- iOS firmware file, downloading / Downloading the iOS firmware file
- kernel, modifying / Modifying the kernel
- custom ramdisk, building / Building a custom ramdisk
- custom ramdisk, booting / Booting the custom ramdisk
- forensic tools
- overview / Forensic tools overview
- AFLogical tool / The AFLogical tool
- MOBILedit / MOBILedit
- Autopsy / Autopsy
- forensic tools, for BlackBerry analysis
- about / Forensic tools for BlackBerry analysis
- Cellebrite Physical Analyzer / Forensic tools for BlackBerry analysis
- Oxygen Forensics Suite / Forensic tools for BlackBerry analysis
- Microsystemation XRY / Forensic tools for BlackBerry analysis
- AccessData MPE+ / Forensic tools for BlackBerry analysis
G
- Game Center / 4.x – Game Center and multitasking
- Global Positioning System (GPS) / 2.x – App Store and 3G
- guided mode, EIFT
- about / Guided mode
- physical acquisition of iPhone 4, performing / Guided mode
H
- .headers on command / SQLite special commands
- .help command / SQLite special commands
- Heavenly / 1.x – the first iPhone
- hex dump
- about / Hex dump
- HFS Plus file system
- about / The HFS Plus file system
- URL / The HFS Plus file system
- HFS Plus volume
- about / The HFS Plus volume
- structure / The HFS Plus volume
- HFS volumes / The HFS Plus file system
- HFSX
- about / File system
- Hierarchical File System (HFS)
- about / The HFS Plus file system
- HomeDomain / Record
- HomeDomain plist files
- about / The HomeDomain plist files
I
- iBackupBot / Open source or free methods
- iBEC loader
- about / DFU mode
- iBoot
- about / Normal mode
- iCloud / 5.x – Siri and iCloud
- about / iCloud backup
- Find My iPhone service / iCloud backup
- Find My Friends service / iCloud backup
- iCloud backup
- performing / iCloud backup
- extracting / Extracting iCloud backups
- identification phase, Mobile phone evidence extraction process
- about / The identification phase
- legal authority / The legal authority
- examination goals / The goals of the examination
- make and model, identifying / The make, model, and identifying information for the device
- removable data storage / Removable and external data storage
- potential evidence sources / Other sources of potential evidence
- ideviceinfo command-line tool
- about / iPhone models
- URL / iPhone models
- iExplorer / Open source or free methods
- iFunBox / Open source or free methods
- imaging process, memory (SD) card
- memory card, connecting / Imaging a memory (SD) card
- memory card, protecting / Imaging a memory (SD) card
- hash value, calculating / Imaging a memory (SD) card
- disk image, creating / Imaging a memory (SD) card
- imaging the device
- about / Imaging an Android Phone
- IM chats analysis
- IMG3FS tool
- building / Building the IMG3FS tool
- info.plist file
- about / info.plist
- content / info.plist
- Innsbruck / 7.x – the iPhone 5S and beyond
- Inter@ctive Pager Backup (IPD) / Creating a BlackBerry backup
- iOS
- about / iOS, iPhone operating system
- differences, with Mac OS X / iPhone operating system
- iOS acquisition methods
- open source methods / Open source or free methods
- iOS architecture
- about / The iOS architecture
- layers / The iOS architecture
- Cocoa Touch layer / The Cocoa Touch layer
- Media layer / The Media layer
- Core Services layer / The Core Services layer
- Core OS layer / The Core OS layer
- iOS data analysis and recovery
- timestamps / Timestamps
- SQLite databases / SQLite databases
- property list / Property lists
- cookies / Cookies
- keyboard cache / Keyboard cache
- photos directory / Photos
- wallpaper directory / Wallpaper
- snapshots directory / Snapshots
- recordings directory / Recordings
- downloaded applications / Downloaded applications
- deleted SQLite records, recovering / Recovering deleted SQLite records
- iOS devices
- iPhone / iPhone models
- iPad / iPad models
- disk layout / Disk layout
- operating modes / Operating modes of iOS devices
- physical acquisition / Physical acquisition
- iOS firmware file
- downloading / Downloading the iOS firmware file
- iOS history
- about / iOS history
- iPhone OS 1.x / 1.x – the first iPhone
- App Store / 2.x – App Store and 3G
- iPhone 3G / 2.x – App Store and 3G
- iPad / 3.x – the first iPad
- game center / 4.x – Game Center and multitasking
- multitasking / 4.x – Game Center and multitasking
- Siri / 5.x – Siri and iCloud
- iCloud / 5.x – Siri and iCloud
- Apple Maps / 6.x – Apple Maps
- iPhone 5S / 7.x – the iPhone 5S and beyond
- iOS security
- about / iOS security
- features / iOS security
- passcodes / Passcode
- code signing / Code signing
- sandboxing / Sandboxing
- encryption / Encryption
- data protection / Data protection
- Address Space Layout Randomization (ASLR) / Address Space Layout Randomization
- privilege separation / Privilege separation
- stack smashing protection / Stack smashing protection
- data execution prevention (DEP) / Data execution prevention
- data wipe / Data wipe
- Activation Lock / Activation Lock
- iPad hardware
- about / iPad hardware
- internal images / iPad hardware
- iPad models
- iOS versions / iPad models
- specifications and features / iPad models
- IPD file
- information, viewing with BlackBerry Backup Extractor / Forensic tools for BlackBerry analysis
- iPhone
- about / iPhone models
- models / iPhone models
- model, identifying / iPhone models
- examining / iPhone models
- model number / iPhone models
- firmware version / iPhone models
- specifications and features / iPhone models
- file system / File system
- iPhone Backup Browser
- unencrypted backup, extracting / iPhone Backup Browser
- about / iPhone Backup Browser
- iPhone Backup Extractor
- about / iPhone Backup Extractor
- unencrypted backup, extracting / iPhone Backup Extractor
- iPhone backups
- iTunes backup / iTunes backup
- iCloud backup / iCloud backup
- iPhone Data Protection Tools
- about / Acquisition via a custom ramdisk, iPhone Data Protection Tools
- installing / Downloading iPhone Data Protection Tools
- unencrypted backup, extracting / iPhone Data Protection Tools
- encrypted backup, extracting / iPhone Data Protection Tools
- iPhone hardware
- about / iPhone hardware
- internal images / iPhone hardware
- iPhone OS
- about / iPhone operating system
- iPhone Password Breaker
- about / iPhone Password Breaker
- backup password, brute forcing / iPhone Password Breaker
- iPhone Software Development Kit (SDK) / 2.x – App Store and 3G
- iRecovery Stick
- about / Paraben iRecovery Stick
- URL / Paraben iRecovery Stick
- features / Features of Paraben iRecovery Stick
- usage / Usage of Paraben iRecovery Stick
- acquisition of iOS device, performing / Usage of Paraben iRecovery Stick
- supported devices / Devices supported by Paraben iRecovery Stick
- isolation phase, Mobile phone evidence extraction process
- about / The isolation phase
- iTunes
- about / iTunes backup
- auto-syncing, disabling / iTunes backup
- iTunes backup
- performing / iTunes backup
- records, pairing / Pairing records
- backup structure / Understanding the backup structure
- unencrypted backup, creating / Unencrypted backup
- encrypted backup, creating / Encrypted backup
- IV (initialization vector) / Extracting encrypted backups
J
- jailbreaking
- about / Jailbreaking
- URL / Jailbreaking
- Java Development Environment (JDE) / BlackBerry OS
- Java Virtual Machine (JVM) / Security features
- JD-GUI tool / Steps to reverse engineer Android apps
- Joint Test Action Group (JTAG) method / Chip-off
- JTAG
- JTAG technique, screen lock bypassing techniques / Other techniques
K
- Kernel Address Space Layout Randomization / Acquisition via jailbreaking
- Kernel Address Space Protection / Acquisition via jailbreaking
- keyboard cache
- about / Keyboard cache
- Kirkwood / 3.x – the first iPad
L
- ldid tool
- downloading / Downloading and installing the ldid tool
- installing / Downloading and installing the ldid tool
- Least Privileged Chamber (LPC)
- about / Windows chambers
- libraries, Android model
- about / Libraries
- LiME
- Linux kernel layer, Android model
- about / The Linux kernel layer
- lockdown certificates / Pairing records
- logical acquisition method
- about / Logical acquisition
- logical data extraction
- about / Logical data extraction
- performing / Logical data extraction
- performing, adb pull command used / Using the adb pull command
- /data directory, extracting on rooted device / Extracting the /data directory on a rooted device
- /data directory, extracting on non-rooted device / Extracting the /data directory on a rooted device
- performing, SQLite Browser used / Using SQLite Browser
- device information, extracting / Extracting device information
- call logs, extracting / Extracting call logs
- SMS/MMS, extracting / Extracting SMS/MMS
- browser history, extracting / Extracting browser history
- social networking analysis / Analysis of social networking/IM chats
- IM chats analysis / Analysis of social networking/IM chats
- performing, content providers used / Using content providers
- logical extraction process
- about / Logical extraction
- Low-Level boot loader (LLB) / Normal mode
M
- .mode MODE command / SQLite special commands
- M2Crypto
- about / Installing Python modules
- installing / Installing Python modules
- Mac absolute time
- about / Mac absolute time
- Mac OS X 10.8
- iPhone model, obtaining / iPhone models
- iPhone iOS version, obtaining / iPhone models
- manifest.mbdb file
- about / manifest.mbdb
- header / Header
- records / Record
- manifest.plist file
- about / manifest.plist
- content / manifest.plist
- manual acquisition method
- about / Manual acquisition
- manual data extraction
- about / Manual data extraction
- Android device, rooting / Using root access to acquire an Android device
- manual extraction process
- about / Manual extraction
- manual mode, EIFT
- about / Manual mode
- MCC/MNC codes
- reference link / Call history
- Media layer, iOS
- about / The Media layer
- memory (SD) card
- imaging / Imaging a memory (SD) card
- imaging, WinHex used / Imaging a memory (SD) card
- imaging process / Imaging a memory (SD) card
- Mercurial source code management system
- installing / Installing Python modules
- micro read / Micro read
- Microsoft .NET Framework 4 / iPhone Backup Browser
- Mobile Data System (MDS) / BlackBerry OS
- Mobile Device Management (MDM) / Handling an Android device
- MOBILedit
- Mobile forensic approaches
- about / Practical mobile forensic approaches
- mobile operating systems overview / Mobile operating systems overview
- Mobile forensic tool leveling system / Mobile forensic tool leveling system
- data acquisition methods / Data acquisition methods
- Mobile forensics
- about / Mobile forensics
- challenges / Mobile forensic challenges
- Mobile forensic tool leveling system
- about / Mobile forensic tool leveling system
- manual extraction / Manual extraction
- logical extraction / Logical extraction
- hex dump / Hex dump
- chip-off / Chip-off
- micro read / Micro read
- mobile operating systems
- overview / Mobile operating systems overview
- Android / Android
- iOS / iOS
- Windows phone / Windows phone
- BlackBerry OS / BlackBerry OS
- Mobile phone evidence extraction process
- about / Mobile phone evidence extraction process
- evidence intake phase / The evidence intake phase
- identification phase / The identification phase
- preparation phase / The preparation phase
- isolation phase / The isolation phase
- processing phase / The processing phase
- verification phase / The verification phase
- document and reporting phase / The document and reporting phase
- presentation phase / The presentation phase
- archiving phase / The archiving phase
- mobile phones
- evidence / Potential evidence stored on mobile phones
- model number, iPhone / iPhone models
- mount command / Disk layout
N
- NAND
- about / Physical acquisition
- normal mode, iOS devices
- about / Normal mode
- Notes database
- about / Notes
O
- .output file-name command / SQLite special commands
- operating modes, iOS devices
- about / Operating modes of iOS devices
- normal mode / Normal mode
- recovery mode / Recovery mode
- DFU mode / DFU mode
- OSXFuse
- installing / Installing OSXFuse
- over the air (OTA) software updates / 5.x – Siri and iCloud
- Oxygen Forensics IPD Viewer / Forensic tools for BlackBerry analysis
- Oxygen Forensics SQLite Viewer
- Oxygen Forensics Suite
- installing / Forensic tools for BlackBerry analysis
- Oxygen Forensic Suite 2014
- about / Oxygen Forensic Suite 2014
- URL / Oxygen Forensic Suite 2014
- features / Features of Oxygen Forensic Suite
- usage / Usage of Oxygen Forensic Suite
- acquisition of iOS, performing / Usage of Oxygen Forensic Suite
- supported devices / Oxygen Forensic Suite 2014 supported devices
P
- passcodes, iOS security
- about / Passcode
- PBKDF2 (Password-Based Key Derivation Function 2) / Extracting encrypted backups
- photos directory
- about / Photos
- photos metadata
- about / The photos metadata
- physical acquisition, iOS devices
- about / Physical acquisition
- physical acquisition method
- about / Physical acquisition
- physical data extraction
- performing / Physical data extraction
- JTAG / JTAG
- Chip-off technique / Chip-off
- plist
- about / Property lists
- Plist Editor for Windows
- URL / Property lists
- plutil command-line utility, Mac OS X
- about / Property lists
- preparation phase, Mobile phone evidence extraction process
- about / The preparation phase
- presentation phase, Mobile phone evidence extraction process
- about / The presentation phase
- privilege separation, iOS security
- about / Privilege separation
- processing phase, Mobile phone evidence extraction process
- about / The processing phase
- proc file system / Viewing file systems on an Android device
- property list / Pairing records
- about / Property lists
- Property List Editor
- about / Property lists
- Property List Editor application / Understanding the backup structure
- PyCrypto / Installing Python modules
- Python modules
- installing / Installing Python modules
Q
- QuickTime Player
- about / Voicemail
R
- re-balling
- about / Chip-off
- read-only memory (ROM) / Normal mode
- recordings directory
- about / Recordings
- recovery loop
- about / Recovery mode
- recovery mode, iOS devices
- about / Recovery mode
- redsn0w tool
- about / Recovery mode
- downloading / Downloading redsn0w
- Remo Recover for Android tool
- used, for recovering deleted files from SD card / Recovering deleted data from an SD card
- about / Recovering deleted data from an SD card
- downloading / Recovering deleted data from an SD card
- Research in Motion (RIM)
- about / BlackBerry OS
- reverse engineering, Android apps
- APK file, extracting from Android device / Extracting an APK file from an Android device
- performing / Steps to reverse engineer Android apps
- Robust File System (RFS) / Extended File System – EXT
- root / What is rooting?
- root access
- gaining / Gaining root access
- RootDomain plist files
- about / The RootDomain plist files
- rootfs file system / Viewing file systems on an Android device
- rooting
- about / What is rooting?
- Android device / Rooting an Android device
- Clockwork recovery / Rooting an Android device
- ClockworkMod / Rooting an Android device
- advantages / Rooting an Android device
- disadvantages / Rooting an Android device
- adb shell, running / Root access – adb shell
- rules, evidence
- admissible / Admissible
- authentic / Authentic
- complete / Complete
- reliable / Reliable
- believable / Believable
S
- .schema table-name command / SQLite special commands
- Safari bookmarks database
- about / Safari bookmarks
- Safari web caches
- about / The Safari web caches
- Samsung Android device
- data extracting, UFED used / Physical extraction
- sandboxing, iOS security
- about / Sandboxing
- Scalpel
- about / Recovering files using file-carving techniques
- using, on Ubuntu workstation / Recovering files using file-carving techniques
- screen lock bypassing techniques
- about / Screen lock bypassing techniques
- pattern lock / Screen lock bypassing techniques
- PIN code / Screen lock bypassing techniques
- alphanumeric passcode / Screen lock bypassing techniques
- adb, used / Using adb to bypass the screen lock
- gesture.key file, deleting / Deleting the gesture.key file
- settings.db file, updating / Updating the settings.db file
- modified recovery mode, checking / Checking for the modified recovery mode and adb connection
- adb connection, checking / Checking for the modified recovery mode and adb connection
- recovery partition, flashing / Flashing a new recovery partition
- smudge attack / Smudge attack
- Gmail account, using / Using the primary Gmail account
- JTAG / Other techniques
- chip-off technique / Other techniques
- secure boot chain / Normal mode
- secure ROM / Normal mode
- security chambers
- about / Windows chambers
- Trusted Computing Base (TCB) / Windows chambers
- Elevated Rights Chamber (ERC) / Windows chambers
- Standard Rights Chamber (SRC) / Windows chambers
- Least Privileged Chamber (LPC) / Windows chambers
- security features, BlackBerry
- about / Security features
- security model, Windows Phone OS
- about / Security model
- Siri / 5.x – Siri and iCloud
- Sleuth Kit / Autopsy
- SMS/MMS
- extracting / Extracting SMS/MMS
- SMS database
- about / SMS messages
- SMS Spotlight cache
- about / SMS Spotlight cache
- smudge attack / Smudge attack
- snapshots directory
- about / Snapshots
- social networking analysis
- SQLite
- about / SQLite databases
- sqlite3 command-line utility / SQLite databases
- SQLite Browser
- URL / SQLite databases
- used, for logical data extraction / Using SQLite Browser
- SQLite command-line client
- URL / SQLite databases
- SQLite commands
- about / SQLite special commands
- SQLite databases
- about / SQLite databases
- connecting to / Connecting to a database
- commands / SQLite special commands
- standard SQL queries / Standard SQL queries
- address book contacts / Address book contacts
- address book images / Address book images
- call history / Call history
- SMS database / SMS messages
- SMS Spotlight cache / SMS Spotlight cache
- calendar events / Calendar events
- e-mail database / E-mail database
- notes database / Notes
- Safari bookmarks / Safari bookmarks
- Safari web caches / The Safari web caches
- web application cache / The web application cache
- WebKit storage / The WebKit storage
- photos metadata / The photos metadata
- consolidated GPS cache / Consolidated GPS cache
- voicemail database / Voicemail
- SQLite files
- SQLite Professional
- URL / SQLite databases
- SQLite Spy
- URL / SQLite databases
- stack smashing protection, iOS security
- about / Stack smashing protection
- standard acquisition methods
- about / Standard acquisition methods
- Standard Rights Chamber (SRC)
- about / Windows chambers
- standard SQL queries
- SELECT / Standard SQL queries
- INSERT / Standard SQL queries
- DELETE / Standard SQL queries
- ALTER / Standard SQL queries
- status.plist file
- about / status.plist
- content / status.plist
- Sundance / 6.x – Apple Maps
- Super Backup app
- System keybag / Bypassing the passcode, Pairing records
- system partition, iOS device disk layout
- about / Disk layout
- SystemPreferencesDomain plist files
T
- .tables command / SQLite special commands
- Telluride / 5.x – Siri and iCloud
- Test Access Ports (TAPs) / Chip-off
- tiles / Windows Phone OS
- timestamps
- about / Timestamps
- Unix timestamp / Unix timestamps
- Mac absolute time / Mac absolute time
- tmpfs file system / Viewing file systems on an Android device
- Trusted Computing Base (TCB)
- about / Windows chambers
U
- UFED Touch
- used, for extracting data from Samsung Android device / Physical extraction
- unencrypted backup, iTunes
- creating / Unencrypted backup
- extracting / Extracting unencrypted backups
- extracting, iPhone Backup Extractor used / iPhone Backup Extractor
- extracting, iPhone Backup Browser used / iPhone Backup Browser, iPhone Data Protection Tools
- keychain, decrypting / Decrypting the keychain
- Unique Device Identifier (UDID) / Bypassing the passcode, Understanding the backup structure
- Unix timestamp
- about / Unix timestamps
- user data partition, iOS device disk layout
- about / Disk layout
V
- verification phase, Mobile phone evidence extraction process
- about / The verification phase
- extracted data, comparing to handset data / Comparing extracted data to the handset data
- results, comparing using multiple tools / Using multiple tools and comparing the results
- hash values, using / Using hash values
- VFAT / Extended File System – EXT
- viaForensics / The AFLogical tool
- Visual C++ 2010 runtime / iPhone Backup Browser
- voicemail database
- about / Voicemail
- volume structure, HFS Plus
- volume header / The HFS Plus volume
- allocation file / The HFS Plus volume
- extents overflow file / The HFS Plus volume
- catalog file / The HFS Plus volume
- attribute file / The HFS Plus volume
- startup file / The HFS Plus volume
- alternate volume header file / The HFS Plus volume
W
- wallpaper directory
- about / Wallpaper
- web application cache
- about / The web application cache
- WebKit storage, Safari
- about / The WebKit storage
- Wildcat / 3.x – the first iPad
- Windows phone
- about / Windows phone
- Windows Phone Device Manager
- downloading / Extracting the data
- Windows Phone file system
- about / Windows Phone file system
- Application Data directory / Windows Phone file system
- Applications directory / Windows Phone file system
- My Documents directory / Windows Phone file system
- Windows directory / Windows Phone file system
- Windows Phone OS
- about / Windows Phone OS
- security model / Security model
- chambers / Windows chambers
- capabilities-based model / Capability-based model
- App sandboxing / App sandboxing
- Windows Phone SDK 7.1
- downloading / Extracting the data
- Windows registry / Windows Phone file system
- WinHex
- used, for imaging memory (SD) card / Imaging a memory (SD) card
- WirelessDomain plist files
- about / The WirelessDomain plist files
Y
- Yet Another Flash File System 2 (YAFFS2) / Extended File System – EXT
Z
- Zune software
- downloading / Extracting the data