Mobile Forensics – Advanced Investigative Strategies

By: Oleg Afonin, Vladimir Katalov

Overview of this book

Investigating digital media is impossible without forensic tools. Dealing with complex forensic problems requires the use of dedicated tools and, even more importantly, the right strategies. In this book, you’ll learn strategies and methods to deal with information stored on smartphones and tablets and see how to put the right tools to work. We begin by helping you understand the concept of mobile devices as a source of valuable evidence. Throughout this book, you will explore strategies and "plays" and decide when to use each technique. We cover seizing techniques that shield the device, and acquisition techniques including physical acquisition (via a USB connection), logical acquisition via data backups, and over-the-air acquisition. We also explore cloud analysis, evidence discovery and data analysis, and the tools used for mobile forensics, from acquisition to discovering and analyzing evidence. By the end of the book, you will have a better understanding of the tools and methods used to deal with the challenges of acquiring, preserving, and extracting evidence stored on smartphones, tablets, and the cloud.
Preface

Smartphone and tablet technology has changed dramatically and rapidly in the last several years and continues to do so at an astounding pace. These smaller computing devices have become so common that they are replacing their desktop counterparts in human-to-computer interactions. Sit in any café, airport, or public place that offers Wi-Fi and you will see people with their faces ostensibly glued to their device screens, interacting with their devices with such focus that they seem oblivious to their physical environment.

Smartphone and tablet devices have become large digital storage vaults that store our personal and professional secrets. Strangely enough, with little hesitation, we have also begun to accept backing up this data to the cloud, so that important parts of our local device storage now also reside in cloud storage. Why did I mention cloud storage? Cloud backup data can be accessed outside of the device itself through other processes, when access to the data on the device may be obstructed by security mechanisms. This book addresses cloud forensics for the various smartphone platforms.

Whilst this could be considered a highly technical book, it is an excellent read for novices and experienced examiners alike. Those who have read any of the blog articles published by Elcomsoft will find the way this book is written a comfortable approach.

The authors of this book strive to provide essential information about a number of concepts including the following:

  • NAND eMMC flash memory

  • A brief summary of JTAG forensics

  • NANDroid backups

  • iOS security and acquisition methods

  • Password breaking on iOS backups

  • Windows Phone security and acquisition

  • BlackBerry 7 and BlackBerry data acquisition methods and password breaking

There are of course references to customized tools developed by the authors and their colleagues. What this highlights to anyone reading this is that in the field of mobile forensics, no one tool can do it all. I know and say this from experience because I have used all the tools mentioned in this book. All tools have their strengths and limitations. To be effective, an examiner must have at least several tools to cover the broad range of technology in mobile forensics.

What this book covers

This book is written to represent a natural flow in the e-discovery process, covering the different stages of mobile forensics from seizing the device to acquiring the data and analyzing evidence. The book covers basic handling, acquisition, and analysis techniques for smartphones and tablets running the most popular operating systems: Android, iOS, Windows Phone, Windows 8, 8.1, and RT, and BlackBerry. The following topics are covered in detail:

Seizing techniques:

  • Shielding the device: the use of the Faraday bag

  • Preserving volatile memory and capturing memory dumps

Acquisition techniques:

  • Physical acquisition (via USB connection)

  • Logical acquisition via data backups

  • Over-the-air acquisition and cloud analysis

Evidence discovery and data analysis:

  • Finding, viewing, and analyzing evidence

Tools for mobile forensics:

  • Acquisition and analysis tools overview

  • Tools for acquiring iOS devices

  • Tools for acquiring Android, BlackBerry, and Windows Phone devices

  • Tools for discovering and analyzing evidence

It is important to note the bits that this book does not cover. These include:

  • JTAG acquisition

  • Chip-off imaging

  • Disk imaging tools

  • Tools for acquiring Windows 8 and 8.1 devices

We will not go into any technical detail, such as which hex code at what address means what, or how to calculate UDID, or how to use ADB to break through passcode protection on Android 2.1. We believe these things are meaningless for a law enforcement officer, and should only interest technicians working in an acquisition lab – and this book is not for them.

Chapter 1, Introducing Mobile Forensics, introduces the concept of mobile devices as a source of valuable evidence. The chapter describes what types of evidence are generally available in mobile devices. It also outlines acquisition options depending on whether the reader has access to the actual device, knows the user’s login and password (such as an Apple ID or Google Account password), or has access to the computer that was used to sync the mobile device. This chapter also discusses the various techniques used by suspects to counter forensic efforts, and suggests methods to overcome such efforts. This chapter is essential to understanding what the expert is trying to achieve when investigating mobile devices, why, and how. After reading this chapter, you will understand the big picture of mobile forensics, realize that there is no single straightforward path to acquiring mobile evidence, and understand that the available acquisition options strongly depend on various factors. You’ll get an idea of how to seize and store mobile devices and how to detect and counter anti-forensic efforts.

Chapter 2, Acquisition Methods Overview, gives an overview of the acquisition methods available for different mobile platforms. With the wide range of mobile devices around, multiple acquisition methods exist. There is no single universal acquisition method available for all models. Some acquisition methods depend on the phone’s lock and encryption status, OS version, type of available storage, and so on. Investigators have to work their way through the investigation to discover what acquisition methods are available for a particular device.

Chapter 3, Acquisition – Approaching Android Devices, discusses the options available for acquiring information from Android devices, providing a detailed outline of physical, logical, and over-the-air acquisition methods for Android smartphones and tablets. In this chapter, the reader will learn what acquisition methods are available for the Android platform, which acquisition techniques are available in what circumstances, and how to choose the appropriate acquisition method for a given device. This chapter also covers one of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence. In this chapter, we discuss exactly how modern smartphones handle deleted data, depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas.

Chapter 4, Practical Steps to Android Acquisition, discusses the massive amounts of information collected by Google, and explains how to extract this information from Google servers. We’ll be using forensic tools to download data from Google, view it, and examine obtained evidence. The acquisition of Google Accounts can provide a much deeper insight into user activities than what’s available in a single Android smartphone. This chapter offers a detailed discussion and demonstration of various physical acquisition methods available for a wide range of Android devices, including manufacturer-specific low-level service modes (LG, Qualcomm, and Mediatek), using custom recoveries (CWM, TWRP) for dumping the data partition, making NANDroid backups, and using command-line tools such as dd for live imaging the device. In addition, this chapter discusses the issue of encryption and its effect on physical acquisition.

Chapter 5, iOS – Introduction and Physical Acquisition, discusses the benefits and unique features of physical acquisition, and talks about stored passwords and Apple secure storage, the keychain. This chapter provides a detailed compatibility matrix for physical acquisition, discusses which locked devices can be acquired without knowing the correct passcode, and lists forensic tools that offer physical acquisition of Apple iOS devices. It discusses the differences between 32-bit and 64-bit Apple hardware, and explains how to install a jailbreak.

Chapter 6, iOS Logical and Cloud Acquisition, introduces the concept of the logical acquisition of iOS devices. Logical acquisition consists of extracting existing iTunes backups or making the device produce a backup and then extracting it. The differences between encrypted and unencrypted backups are explained, outlining the benefits of producing encrypted backups with a known password over unencrypted ones. This chapter outlines the basics of recovering unknown backup passwords. In addition, this chapter provides step-by-step instructions on using Elcomsoft Phone Breaker to extract iOS backups. If the backup is protected with an unknown password, detailed instructions and recommendations on recovering the password are provided. This chapter explains the advantages and applicability of over-the-air acquisition, and demonstrates how to use Elcomsoft Phone Breaker for cloud acquisition. In addition, this chapter discusses the use of binary authentication tokens to bypass the Apple ID and password, as well as two-factor authentication.

Chapter 7, Acquisition – Approaching Windows Phone and Windows 10 Mobile, introduces Windows Phone forensics. It outlines the available methods and approaches to acquiring Windows Phone 8 and 8.1 and Windows 10 Mobile devices. Physical acquisition, bootloader exploits, invasive (advanced) acquisition via JTAG, and chip-off are explained. In this chapter, we discuss the differences in device encryption between generations of the Windows Phone platform, and provide a detailed walkthrough of over-the-air acquisition of Windows mobile devices using Elcomsoft Phone Breaker.

Chapter 8, Acquisition - Approaching Windows 8, 8.1, 10, and RT Tablets, covers the major points that make tablet forensics different from the traditional PC and laptop acquisition approach. We’ll cover the new Connected Standby mode replacing the traditional Sleep and Hibernate modes of Windows laptops, discuss Secure Boot on various Windows tablet platforms, review UEFI BIOS settings, and learn how to start the tablet from bootable USB media. We’ll also cover techniques for capturing the content of the device’s RAM and imaging non-removable eMMC media. General acquisition steps for Windows RT devices are also described, as standard Windows recovery media cannot be used with RT devices.

Chapter 9, Acquisition - Approaching BlackBerry, provides an introduction, overview, and in-depth tutorials on acquiring BlackBerry smartphones running legacy (BB OS 1 through 7.1) and modern (BlackBerry 10) versions of the OS. BlackBerry backups and backup passwords (legacy BB OS) are explained. This chapter provides tutorials on how to extract and view legacy BlackBerry backups and recover passwords protecting these backups. The reader will learn how to use Elcomsoft Phone Breaker to decrypt BlackBerry 10 backups and view their content with Elcomsoft Phone Viewer or Oxygen Forensic Suite.

Chapter 10, Dealing with Issues, Obstacles, and Special Cases, covers some of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence and the challenge presented by two-factor authentication. In this chapter, we discuss how exactly modern smartphones handle deleted data depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas. This chapter also covers the issue of two-factor authentication during over-the-air acquisition. Experts face a serious roadblock when attempting to acquire information from the suspect’s cloud account over the air if two-factor authentication is enabled on their account. Cloud acquisition becomes more challenging if there is no access to the secondary authentication factor. However, there are ways to bypass two-factor authentication. These methods are outlined in this chapter, to be discussed in more detail in the more technical chapters of this book.

Chapter 11, Mobile Forensic Tools and Case Studies, outlines several mobile forensic tools that can be used for acquiring mobile devices. Cellebrite UFED, Micro Systemation XRY, AccessData MPE+, Oxygen Forensic Toolkit, Magnet ACQUIRE, BlackBag Mobilyze, and the range of Elcomsoft tools for mobile forensics are listed and briefly reviewed. In addition, this chapter has several case studies on using mobile forensic tools for corporate investigations and data recovery.

What you need for this book

Modern mobile forensics is impossible without using tools. Currently, there is no single, all-in-one tool to cover the complete mobile acquisition and analysis process. Different assignments and different circumstances will require the use of multiple tools. We list the tools used throughout this book here.

For many Android smartphones, we used Oxygen Forensic Suite and Oxygen Forensic Extractor, commercial products from Oxygen Forensics (http://www.oxygen-forensic.com/en/).

For Android smartphones, you’ll need ADB and Fastboot from Android SDK Tools (part of Android Studio 2.1) as a free download from Google (http://developer.android.com/sdk/index.html).

In addition, you may need TWRP custom recovery (custom built for the specific acquisition target, http://twrp.me) or CWM custom recovery (custom built for the specific acquisition target, https://www.clockworkmod.com/), the Busybox package (the version depends on the acquisition target’s Android version, https://busybox.net/), unyaffs 1.0 (only if the acquisition target uses the yaffs file system, https://github.com/ehlers/unyaffs), and Netcat 1.10 (http://nc110.sourceforge.net/). These tools are available as open source downloads from their respective developers.

For Apple iOS devices, we used the following commercial tools: Elcomsoft iOS Forensic Toolkit (https://www.elcomsoft.com/eift.html), Elcomsoft Phone Breaker (demo version downloadable from https://www.elcomsoft.com/eppb.html), and Elcomsoft Phone Viewer (https://www.elcomsoft.com/epv.html). Elcomsoft Phone Breaker and Phone Viewer were also used for acquiring BlackBerry OS, BlackBerry 10, and Windows Phone/Windows 10 Mobile devices.

Who this book is for

We wrote this book for law enforcement and IT security officers who have to deal with digital evidence as part of their daily job. We wanted this book to serve as an introduction and a general guide to mobile forensics. We are aware of the sheer diversity of ecosystems, generations of operating systems, devices, and applications on the market. We have first-hand experience with Android forks, custom ROMs, and manufacturer, operator, and user customizations that can turn a familiar device into a big question mark.

This is why we strongly believe that no one could possibly know of (or even hear about) more than a few of these variations.

For this reason, we no longer believe in manual acquisition and analysis. We believe in tools. There is no need to reinvent the wheel or waste endless hours on something the right tool could accomplish in minutes. There are tens of thousands of different device models, and each model can be running a different version of the OS or use a different set of OEM or operator customizations, each with its own security implications. There are millions of applications, each implementing its own way of storing, organizing, and protecting data. It is technically impossible for a single expert to know everything. However, it is still possible to learn about the methods, tools, and techniques needed to acquire and analyze evidence in most real-life situations.

However, even the best tools won’t do any good if you don’t know or don’t follow the basic rules of seizing, handling, and acquiring mobile devices. Make one mistake in a single step, and you risk losing access to evidence, locking down the easier acquisition paths, or even permanently destroying the very data you were about to access. And even if you succeed in extracting evidence, if you don’t stick to the guidelines, the evidence you obtained may not be admissible. This is why we’ll cover the entire workflow from seizing a mobile device to acquiring its content to viewing data and analyzing evidence.

Being able to analyze a mobile device suspected of leaking sensitive information is of great importance to corporate security. However, a passcode lock on a smartphone that was used by an ex-employee may become a major problem if the company does not store recovery keys for each and every mobile device allowed on the corporate network. How do you break into an ex-employee’s passcode-locked iPhone? What can you do with a BlackBerry smartphone? Is there a good reason behind not allowing jailbroken devices on corporate premises? Dealing with this sort of problem requires the use of dedicated tools, and even then a positive outcome is not a given. In this book, you’ll learn about the tools and methods used to deal with information stored on smartphones and tablets.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The platform offers a limited capability for creating offline backups via the command line (adb backup)."

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Additionally, using the ADB backup requires having the phone unlocked and the ADB Debugging option enabled."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MobileForensicsAdvancedInvestigativeStrategies_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.