Practical Mobile Forensics
eBook - ePub

Practical Mobile Forensics

Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition

Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

Share book
  1. 400 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Practical Mobile Forensics

Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition

Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

Book details
Book preview
Table of contents
Citations

About This Book

Become well-versed with forensics for the Android, iOS, and Windows 10 mobile platforms by learning essential techniques and exploring real-life scenarios

Key Features

  • Apply advanced forensic techniques to recover deleted data from mobile devices
  • Retrieve and analyze data stored not only on mobile devices but also on the cloud and other connected mediums
  • Use the power of mobile forensics on popular mobile platforms by exploring different tips, tricks, and techniques

Book Description

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This updated fourth edition of Practical Mobile Forensics delves into the concepts of mobile forensics and its importance in today's world.

The book focuses on teaching you the latest forensic techniques to investigate mobile devices across various mobile platforms. You will learn forensic techniques for multiple OS versions, including iOS 11 to iOS 13, Android 8 to Android 10, and Windows 10. The book then takes you through the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. From inspecting the device and retrieving data from the cloud, through to successfully documenting reports of your investigations, you'll explore new techniques while building on your practical knowledge. Toward the end, you will understand the reverse engineering of applications and ways to identify malware. Finally, the book guides you through parsing popular third-party applications, including Facebook and WhatsApp.

By the end of this book, you will be proficient in various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.

What you will learn

  • Discover new data extraction, data recovery, and reverse engineering techniques in mobile forensics
  • Understand iOS, Windows, and Android security mechanisms
  • Identify sensitive files on every mobile platform
  • Extract data from iOS, Android, and Windows platforms
  • Understand malware analysis, reverse engineering, and data analysis of mobile devices
  • Explore various data recovery techniques on all three mobile platforms

Who this book is for

This book is for forensic examiners with basic experience in mobile forensics or open source solutions for mobile forensics. Computer security professionals, researchers or anyone looking to gain a deeper understanding of mobile internals will also find this book useful. Some understanding of digital forensic practices will be helpful to grasp the concepts covered in the book more effectively.

Frequently asked questions

How do I cancel my subscription?
Simply head over to the account section in settings and click on ā€œCancel Subscriptionā€ - itā€™s as simple as that. After you cancel, your membership will stay active for the remainder of the time youā€™ve paid for. Learn more here.
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoā€™s features. The only differences are the price and subscription period: With the annual plan youā€™ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weā€™ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Practical Mobile Forensics an online PDF/ePUB?
Yes, you can access Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty in PDF and/or ePUB format, as well as other popular books in Informatik & Hardware. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2020
ISBN
9781838644420
Edition
4
Topic
Informatik
Subtopic
Hardware

Section 1: iOS Forensics

This section will provide you with an overview of iOS devices such as iPhones and iPads, as well as an overview of the operating systems and filesystems they run. You will learn about the different types of forensic acquisition methods, including logical acquisition and filesystem acquisition, the process of jailbreaking, performing forensic analysis on the most common artifact sources, and how to work with popular mobile forensic software.
This section will consist of the following chapters:
  • Chapter 2, Understanding the Internals of iOS Devices
  • Chapter 3, Data Acquisition from iOS Devices
  • Chapter 4, Data Acquisition from iOS Backups
  • Chapter 5, iOS Data Analysis and Recovery
  • Chapter 6, iOS Forensic Tools

Understanding the Internals of iOS Devices

According to Apple, there were 1.4 billion active Apple devices in 2019, 900 million of which were running on iOS. While iOS is the leading operating system (OS) for tablets worldwide, Android continues to be the leading OS for smartphones. Regardless of the statistics, if you are a forensic examiner, the chances are that you will need to conduct an examination of an iOS device.
In order to perform a forensic examination of an iOS device, you as the examiner must understand the internal components and inner workings of that device. Developing an understanding of the underlying components of a mobile device will help you understand the criticalities involved in the forensic process, including what data can be acquired, where the data is stored, and what methods can be used to access the data from that device. So, before we delve into the examination of iOS devices, it is necessary to gain an understanding of the different models that exist and their internal components. Throughout this book, we will perform forensic acquisition and analysis on iOS devices, including the iPhone, iPad, and Apple Watch.
The goal of this chapter is to introduce you to iOS device technology. We will cover details that may often get overlooked but will help you during your forensic investigation. You must understand the different iOS devices and how data is stored on these devices before you can successfully extract it.
In this chapter, we will cover the following topics in detail:
  • iPhone models and hardware
  • iPad models and hardware
  • The Hierarchical File System (HFS) Plus and Apple File System (APFS) filesystems
  • The iPhone OS

iPhone models and hardware

The iPhone is among the most popular smartphones on the market. Apple released the first-generation iPhone in June 2007. Since the first release, the iPhone became extremely popular due to its many groundbreaking features and usability. The introduction of the iPhone has since redefined the entire world of mobile computing. Consumers have started looking for faster and more efficient phones. Various iPhone models now exist, with different features and storage capabilities to serve consumer requirements.
The iPhones released since the third edition of Practical Mobile Forensicsā€”the iPhone XR, XS, XS Max, 11, and 11 Proā€”can be challenging when it comes to dealing with filesystem forensic acquisition methods. Just like the devices released since the iPhone 5, there is no method or tool available to physically recover data from these devices, unless they are jailbroken. However, logical acquisition can be obtained if the iPhone is unlocked. Acquisition methods for data extraction are available and will be discussed in Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups. Now, let's learn how to identify the correct hardware model.

Identifying the correct hardware model

Before examining an iPhone, it is necessary to identify the correct hardware model and the firmware version installed on the device. Knowing the iPhone's details helps you to understand the criticalities and possibilities of obtaining evidence from an iPhone. For example, in many cases, the device passcode is required in order to obtain a logical image. Depending on the iOS version, device model, and passcode complexity, it may be possible to obtain the device passcode using a brute-force attack.
There are various ways to identify the hardware of a device. The easiest way to identify the hardware of some devices is to observe the model number displayed on the back of the device. To make this task even simpler, you can use Apple's Knowledge Base articles. More information on iPhone models can be found at https://support.apple.com/en-in/HT201296.
The firmware version of an iPhone can be found by accessing the Settings option and then navigating to General | About | Software Version, as shown in the following screenshot. The purpose of the firmware is to enable certain features and assist with the general functioning of the device:
The iPhone About screen, displaying the software version 13.2
Alternatively, the ideviceinfo command-line tool that is available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version.
To obtain the iPhone model and its iOS version information on a Windows 10 workstation, follow these steps:
  1. Download the latest binaries from the following link: https://dev.azure.com/libimobiledevice-win32/imobiledevice-net/_build/results?buildId=419 (click on Artifacts | Binaries to start downloading).
  2. Unzip the archive with x86 or x64 binaries, depending on your workstation's version.
  3. Open Command Prompt and change the directory to the one with binaries (use the cd command for this).
  4. Connect the iPhone to your workstation using a Universal Serial Bus (USB) cable (for the latest iOS versions, the passcode is also required), and run the ideviceinfo command with the -s option, as shown in the following code:
$ ideviceinfo -s
The output of the ideviceinfo command displays the iPhone identifier, its internal name, and the iOS version, as shown in the following screenshot:
The output from ideviceinfo displaying firmware version 13.2
Some other tools, such as iExplorer, will provide access to...

Table of contents