Practical Mobile Forensics - Third Edition

By : Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
Overview of this book

Covering up-to-date mobile platforms, this book focuses on teaching you the most recent techniques for investigating mobile devices. We delve into mobile forensics techniques for iOS 9-11, Android 7-8, and Windows 10 devices. We demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from the cloud, and how to document and prepare reports of your investigations. By the end of this book, you will have mastered the current operating systems and the relevant techniques to recover data from mobile devices by leveraging open source solutions.
Preface

The exponential growth in smartphones has revolutionized several aspects of our lives. Smartphones are one of the most quickly adopted consumer technologies in recent history. Despite their small size, smartphones are capable of performing many tasks, such as sending private messages and confidential emails, taking photos and videos, making online purchases, viewing sensitive information such as medical records and salary slips, completing banking transactions, accessing social networking sites, and managing business tasks. Hence, a mobile device is now a huge repository of sensitive data, which could provide a wealth of information about its owner. This has in turn led to the evolution of mobile device forensics, a branch of digital forensics, which deals with retrieving data from a mobile device. Today, there is a huge demand for specialized forensic experts, especially given the fact that the data retrieved from a mobile device is court-admissible.

Mobile forensics is all about using scientific methodologies to recover data stored within a mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics has limitations in obtaining evidence due to rapid changes in technology and the fast-paced evolution of mobile software. With different operating systems and a wide range of models being released onto the market, mobile forensics has expanded over the past few years. Specialized forensic techniques and skills are required in order to extract data under different conditions.

This book takes you through various techniques to help you learn how to forensically recover data from different mobile devices with the iOS, Android, and Windows Mobile operating systems. This book also covers behind-the-scenes details, such as how data is stored and what tools actually do in the background, giving you deeper knowledge of several topics. Step-by-step instructions enable you to try forensically recovering data yourself.

The book is organized in a manner that allows you to focus independently on chapters that are specific to your required platform.

Who this book is for

This book is intended for forensic examiners with little or basic experience in mobile forensics or open source solutions for mobile forensics. The book will also be useful to computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. It will also come in handy for those who are trying to recover accidentally deleted data (photos, contacts, SMS messages, and more).

What this book covers

Chapter 1, Introduction to Mobile Forensics, introduces you to the concepts of mobile forensics, the core values, and the challenges involved. The chapter also provides an overview of practical approaches and best practices involved in performing mobile forensics.

Chapter 2, Understanding the Internals of iOS Devices, provides an overview of the popular Apple iOS devices, including an outline of different models and their hardware. The book explains iOS security features and device security and its impact on iOS forensics approaches, focusing on iOS 9-11. The chapter also gives an overview of the HFS+ and APFS filesystems and outlines the sensitive files that are useful for forensic examination.

Chapter 3, Data Acquisition from iOS Devices, covers various types of forensic acquisition methods that can be performed on iOS devices, including logical, filesystem, and physical, and guides you to prepare your desktop machine for forensic work. The chapter also discusses passcode bypass techniques.

Chapter 4, Data Acquisition from iOS Backups, provides detailed explanations of modern iOS backups and details what types of files are stored in a backup. The chapter also includes step-by-step guides on creating encrypted and unencrypted backups and introduces forensic tools capable of recovering data from backups.

Chapter 5, iOS Data Analysis and Recovery, discusses the types of data that are stored on iOS devices and their most common locations in the filesystem. Common file types used on iOS devices, such as plists and SQLite databases, are discussed in detail in order to provide an understanding of how data is stored on a device, which will help forensic examiners to efficiently recover data from those files.

Chapter 6, iOS Forensic Tools, introduces you to the most widely used commercial mobile forensic suites, Cellebrite UFED, Belkasoft Evidence Center, Magnet AXIOM, and Oxygen Forensic Detective, and contains step-by-step guides on how to use them in mobile forensic examinations.

Chapter 7, Understanding Android, introduces you to the Android model, filesystem, and its security features. This chapter provides an explanation of how data is stored on any Android device, which will be useful when carrying out forensic investigations.

Chapter 8, Android Forensic Setup and Pre-Data Extraction Techniques, guides you through Android forensic setup and other techniques to use before extracting any information. Screen lock bypass techniques and gaining root access are also discussed in this chapter.

Chapter 9, Android Data Extraction Techniques, provides an explanation of physical, filesystem, and logical acquisition techniques to extract relevant information from an Android device. This chapter covers imaging the device and other advanced techniques, such as JTAG and Chip-Off.

Chapter 10, Android Data Analysis and Recovery, explains how to extract and analyze data from Android image files. The chapter also covers the possibilities and limitations of recovering deleted data from Android devices.

Chapter 11, Android App Analysis, Malware, and Reverse Engineering, includes an analysis of some of the most widely used Android apps to retrieve valuable data. The chapter also covers Android malware and techniques to reverse engineer an Android app to view its data.

Chapter 12, Windows Phone Forensics, provides a basic overview of forensic approaches when dealing with Windows Phones.

Chapter 13, Parsing Third-Party Application Files, guides you through how applications are stored on Android, iOS, and Windows devices and how commercial and open source tools parse through application data.

To get the most out of this book

The book details practical forensic approaches and explains techniques in a simple manner. The content is organized in a way that allows even a user with basic computer skills to examine a device and extract the required data. A Mac, Windows, or Linux computer would be helpful to successfully repeat the methods defined in this book. Where possible, methods for all computer platforms are provided.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/PracticalMobileForensicsThirdEdition_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Alternatively, the ideviceinfo command-line tool available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version."

Any command-line input or output is written as follows:

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" < /dev/null 2> /dev/null

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Launch Belkasoft Acquisition Tool and choose the Mobile device option:"

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.