Mastering Mobile Forensics

By: Soufiane Tahiri
Overview of this book

Mobile forensics presents a real challenge to the forensic community due to the fast and unstoppable changes in technology. This book aims to provide the forensic community with in-depth insight into mobile forensic techniques for dealing with recent smartphone operating systems. Starting with a brief overview of forensic strategies and investigation procedures, you will understand the concepts of file carving, GPS analysis, and string analysis. You will also see the difference between encryption, encoding, and hashing methods and get to grips with the fundamentals of reverse code engineering. Next, the book will walk you through the iOS, Android and Windows Phone architectures and filesystems, followed by various forensic approaches and data gathering techniques. You will also explore advanced forensic techniques and find out how to deal with third-party applications using case studies. The book will help you master data acquisition on Windows Phone 8. By the end of this book, you will be acquainted with best practices and the different models used in mobile forensics.

iOS acquisition and forensic approaches

Before talking about acquisition, it's important to have at least a basic idea of some important iOS-related concepts: the iOS boot process, operating modes, the unique device identifier, and the lockdown certificate.

iOS boot process and operating modes

Apple introduced what it calls the Secure Boot Chain, in which each step of the start-up process is cryptographically validated to ensure integrity and guarantee the chain of trust. The Apple root CA public key is shipped within the boot ROM code and is used to verify the Low-Level Bootloader (LLB). Once verified and loaded, LLB in turn verifies and loads the iBoot bootloader, which then verifies and loads the iOS kernel. This process is well described in Apple's official iOS Security guide. From these boot stages, three operating modes can be listed: LLB can be directly launched from Device Firmware Upgrade (DFU) mode; iBoot runs what is called...