Practical Mobile Forensics
eBook - ePub

Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition

  1. 400 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

Become well-versed with forensics for the Android, iOS, and Windows 10 mobile platforms by learning essential techniques and exploring real-life scenarios

Key Features

  • Apply advanced forensic techniques to recover deleted data from mobile devices
  • Retrieve and analyze data stored not only on mobile devices but also on the cloud and other connected mediums
  • Use the power of mobile forensics on popular mobile platforms by exploring different tips, tricks, and techniques

Book Description

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This updated fourth edition of Practical Mobile Forensics delves into the concepts of mobile forensics and its importance in today's world.

The book focuses on teaching you the latest forensic techniques to investigate mobile devices across various mobile platforms. You will learn forensic techniques for multiple OS versions, including iOS 11 to iOS 13, Android 8 to Android 10, and Windows 10. The book then takes you through the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. From inspecting the device and retrieving data from the cloud, through to successfully documenting reports of your investigations, you'll explore new techniques while building on your practical knowledge. Toward the end, you will understand the reverse engineering of applications and ways to identify malware. Finally, the book guides you through parsing popular third-party applications, including Facebook and WhatsApp.

By the end of this book, you will be proficient in various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.

What you will learn

  • Discover new data extraction, data recovery, and reverse engineering techniques in mobile forensics
  • Understand iOS, Windows, and Android security mechanisms
  • Identify sensitive files on every mobile platform
  • Extract data from iOS, Android, and Windows platforms
  • Understand malware analysis, reverse engineering, and data analysis of mobile devices
  • Explore various data recovery techniques on all three mobile platforms

Who this book is for

This book is for forensic examiners with basic experience in mobile forensics or open source solutions for mobile forensics. Computer security professionals, researchers or anyone looking to gain a deeper understanding of mobile internals will also find this book useful. Some understanding of digital forensic practices will be helpful to grasp the concepts covered in the book more effectively.

Yes, you can access Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.

Information

Section 1: iOS Forensics

This section will provide you with an overview of iOS devices such as iPhones and iPads, as well as an overview of the operating systems and filesystems they run. You will learn about the different types of forensic acquisition methods, including logical acquisition and filesystem acquisition, the process of jailbreaking, performing forensic analysis on the most common artifact sources, and how to work with popular mobile forensic software.
This section will consist of the following chapters:
  • Chapter 2, Understanding the Internals of iOS Devices
  • Chapter 3, Data Acquisition from iOS Devices
  • Chapter 4, Data Acquisition from iOS Backups
  • Chapter 5, iOS Data Analysis and Recovery
  • Chapter 6, iOS Forensic Tools

Understanding the Internals of iOS Devices

According to Apple, there were 1.4 billion active Apple devices in 2019, 900 million of which were running on iOS. While iOS is the leading operating system (OS) for tablets worldwide, Android continues to be the leading OS for smartphones. Regardless of the statistics, if you are a forensic examiner, the chances are that you will need to conduct an examination of an iOS device.
In order to perform a forensic examination of an iOS device, you as the examiner must understand the internal components and inner workings of that device. Developing an understanding of the underlying components of a mobile device will help you understand the criticalities involved in the forensic process, including what data can be acquired, where the data is stored, and what methods can be used to access the data from that device. So, before we delve into the examination of iOS devices, it is necessary to gain an understanding of the different models that exist and their internal components. Throughout this book, we will perform forensic acquisition and analysis on iOS devices, including the iPhone, iPad, and Apple Watch.
The goal of this chapter is to introduce you to iOS device technology. We will cover details that may often get overlooked but will help you during your forensic investigation. You must understand the different iOS devices and how data is stored on these devices before you can successfully extract it.
In this chapter, we will cover the following topics in detail:
  • iPhone models and hardware
  • iPad models and hardware
  • The Hierarchical File System (HFS) Plus and Apple File System (APFS) filesystems
  • The iPhone OS

iPhone models and hardware

The iPhone is among the most popular smartphones on the market. Apple released the first-generation iPhone in June 2007. Since its first release, the iPhone has become extremely popular due to its many groundbreaking features and usability. The introduction of the iPhone has since redefined the entire world of mobile computing. Consumers have started looking for faster and more efficient phones. Various iPhone models now exist, with different features and storage capabilities to serve consumer requirements.
The iPhones released since the third edition of Practical Mobile Forensics (the iPhone XR, XS, XS Max, 11, and 11 Pro) can be challenging when it comes to filesystem forensic acquisition methods. As with the devices released since the iPhone 5, there is no method or tool available to physically recover data from these devices unless they are jailbroken. However, a logical acquisition can be performed if the iPhone is unlocked. Acquisition methods for data extraction are available and will be discussed in Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups. Now, let's learn how to identify the correct hardware model.

Identifying the correct hardware model

Before examining an iPhone, it is necessary to identify the correct hardware model and the firmware version installed on the device. Knowing the iPhone's details helps you to understand the criticalities and possibilities of obtaining evidence from an iPhone. For example, in many cases, the device passcode is required in order to obtain a logical image. Depending on the iOS version, device model, and passcode complexity, it may be possible to obtain the device passcode using a brute-force attack.
There are various ways to identify the hardware of a device. The easiest way to identify the hardware of some devices is to observe the model number displayed on the back of the device. To make this task even simpler, you can use Apple's Knowledge Base articles. More information on iPhone models can be found at https://support.apple.com/en-in/HT201296.
The firmware version of an iPhone can be found by accessing the Settings option and then navigating to General | About | Software Version, as shown in the following screenshot. The purpose of the firmware is to enable certain features and assist with the general functioning of the device:
The iPhone About screen, displaying the software version 13.2
Alternatively, the ideviceinfo command-line tool that is available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version.
To obtain the iPhone model and its iOS version information on a Windows 10 workstation, follow these steps:
  1. Download the latest binaries from the following link: https://dev.azure.com/libimobiledevice-win32/imobiledevice-net/_build/results?buildId=419 (click on Artifacts | Binaries to start downloading).
  2. Unzip the archive with x86 or x64 binaries, depending on your workstation's version.
  3. Open Command Prompt and change the directory to the one with binaries (use the cd command for this).
  4. Connect the iPhone to your workstation using a Universal Serial Bus (USB) cable (for the latest iOS versions, the passcode is also required), and run the ideviceinfo command with the -s option, as shown in the following code:
$ ideviceinfo -s
The output of the ideviceinfo command displays the iPhone identifier, its internal name, and the iOS version, as shown in the following screenshot:
The output from ideviceinfo displaying firmware version 13.2
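The steps above end with reading the identifier, internal name, and iOS version off the ideviceinfo output. The following Python sketch is an added example, not code from the book or from libimobiledevice. It parses that output into an examiner's note and hashes the raw text. The sample output is constructed, and the lookup table covers only the models named in this chapter.

```python
import hashlib

# Marketing names for the models this chapter mentions, keyed by ProductType.
MODEL_NAMES = {
    "iPhone11,8": "iPhone XR",
    "iPhone11,2": "iPhone XS",
    "iPhone11,4": "iPhone XS Max",
    "iPhone11,6": "iPhone XS Max",
    "iPhone12,1": "iPhone 11",
    "iPhone12,3": "iPhone 11 Pro",
}

# Constructed sample of `ideviceinfo -s` output (not captured from a real device).
SAMPLE_OUTPUT = """\
DeviceClass: iPhone
DeviceName: Examiner's test phone
HardwareModel: N104AP
ProductType: iPhone12,1
ProductVersion: 13.2
UniqueDeviceID: 00000000-0000000000000000
WiFiAddress: 00:00:5e:00:53:01
"""

def parse_ideviceinfo(text):
    """Parse 'Key: Value' lines; indented lines are nested items and are skipped."""
    info = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue
        key, sep, value = line.partition(": ")
        if sep:  # split on the first ': ' only, so MAC addresses stay intact
            info[key] = value.strip()
    return info

def identify_device(text):
    """Build an examiner's note from the raw tool output."""
    info = parse_ideviceinfo(text)
    product = info.get("ProductType", "unknown")
    return {
        "identifier": product,
        "internal_name": info.get("HardwareModel", "unknown"),
        "ios_version": info.get("ProductVersion", "unknown"),
        "model": MODEL_NAMES.get(product, "not in table, check Apple's KB article"),
        # Hash of the raw output, so the note can be tied back to what the tool printed.
        "raw_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }

if __name__ == "__main__":
    for field, value in identify_device(SAMPLE_OUTPUT).items():
        print(f"{field}: {value}")
```

On a workstation, save the tool's output to a file first (for example, by redirecting ideviceinfo -s to a text file) and pass the file's contents to identify_device, so that the hash in the note refers to a preserved copy of the output.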
Some other tools, such as iExplorer, will provide access to...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. About Packt
  4. Contributors
  5. Preface
  6. Introduction to Mobile Forensics
  7. Section 1: iOS Forensics
  8. Understanding the Internals of iOS Devices
  9. Data Acquisition from iOS Devices
  10. Data Acquisition from iOS Backups
  11. iOS Data Analysis and Recovery
  12. iOS Forensic Tools
  13. Section 2: Android Forensics
  14. Understanding Android
  15. Android Forensic Setup and Pre-Data Extraction Techniques
  16. Android Data Extraction Techniques
  17. Android Data Analysis and Recovery
  18. Android App Analysis, Malware, and Reverse Engineering
  19. Section 3: Windows Forensics and Third-Party Apps
  20. Windows Phone Forensics
  21. Parsing Third-Party Application Files
  22. Other Books You May Enjoy