iOS Forensics for Investigators: Take Mobile Forensics to the Next Level by Analyzing, Extracting, and Reporting Sensitive Evidence

Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Section 1 – Data Acquisition from iOS Devices
Chapter 1: Introducing iOS Forensics
	Understanding mobile forensics
		The new golden age for iOS forensics
		Challenges in iOS forensics
	Dissecting the iOS operating system
		Understanding the iOS filesystem
	Understanding iOS security
		User authentication
		Encryption and Data Protection
	Establishing a workflow
		Seizure and identification
		Preservation
		Acquisition
		Analysis
		Validation
		Reporting
	Summary
Chapter 2: Data Acquisition from iOS Devices
	Understanding acquisition methods
		Logical acquisitions
		Physical acquisitions
		Filesystem acquisitions
	Jailbreaking the device
		Jailbreaking with checkra1n
	Triaging the device
		Deciding the best acquisition method
	Performing a logical acquisition
		Logical acquisition with Cellebrite UFED
		Logical acquisition with Elcomsoft iOS Forensic Toolkit
	Performing a filesystem acquisition
		Checkm8 full filesystem acquisition using Cellebrite UFED
		Agent-based full filesystem acquisition
	Summary
Section 2 – iOS Data Analysis
Chapter 3: Using Forensic Tools
	Understanding forensic tools
		Tool validation
	Working with Cellebrite Physical Analyzer
		Loading evidence and selective decoding
		Viewing decoded data
		Using the AppGenie
	Working with Magnet AXIOM
		Loading evidence and on-the-fly processing
		Analyzing evidence with AXIOM Examine
	Using open source tools
		Apollo
		iLEAPP
		iOS Triage
		Sysdiagnose
		Analyzing data with iLEAPP
	Summary
Chapter 4: Working with Common iOS Artifacts
	Understanding the importance of validation
	Working with iOS artifacts
		Introducing SQLite
		Tables, columns, and rows
		Running SQL queries
		Pages, vacuuming, and write-ahead logs
		Recovering deleted data
		Working with property lists
		Working with protocol buffers
	Locating common artifacts
	Summary
Chapter 5: Pattern-of-Life Forensics
	Introducing pattern-of-life forensics
		Meaningful SQLite databases
	Working with timestamps
		Unix timestamps
		Mac timestamps
	Logs, events, and user interaction
		The KnowledgeC database
		Analyzing application usage
		Analyzing user interaction
	Introducing Apollo
	Summary
Chapter 6: Dissecting Location Data
	Introducing location data
	GPS fixes, cell towers, and Wi-Fi networks
		Satellite GPS
		Cell towers
		Wi-Fi and Bluetooth
	Locating location artifacts
		Analyzing location data
		Understanding Significant Locations
		Analyzing Wi-Fi locations
		Understanding Harvested Locations
		Analyzing harvested cell tower data
		Analyzing harvested Wi-Fi data
		Advanced iOS location artifacts
	Analyzing location data using forensic tools
		Viewing location data with Physical Analyzer
		Analyzing location data with Apollo
	Summary
Chapter 7: Analyzing Connectivity Data
	Introducing cellular forensics
		Analyzing the PowerLog
		Analyzing the address book
		Analyzing the call log
	Analyzing networking data
		Analyzing network usage
	Introducing Bluetooth forensics
	Understanding Safari forensics
		Analyzing Safari history
		Introducing private browsing
	Summary
Chapter 8: Email and Messaging Forensics
	Introducing email forensics
		Extracting email metadata
		Analyzing email content
	Understanding messaging forensics
		Analyzing SMS and iMessage artifacts
	Introducing third-party messaging apps
	Recovering deleted messages
		Detecting deleted messages using Mirf
	Summary
Chapter 9: Photo, Video, and Audio Forensics
	Introducing media forensics
	Analyzing photos and videos
		Understanding Photos.sqlite
	Introducing EXIF metadata
		Viewing EXIF metadata
	Analyzing user viewing activity
	Summary
Chapter 10: Analyzing Third-Party Apps
	Introducing iOS applications
		Identifying installed applications
		Tracking application GUIDs
	Dynamic application analysis
		Connecting to the test device
		Using cda to locate an application\'s containers
		Using fsmon to monitor filesystem events
		Using mitmproxy to monitor network activity
		Advanced application analysis
	Practical third-party applications forensics
		Social networking applications
		Messaging applications
		Productivity applications
		Multimedia applications
	Summary
Chapter 11: Locked Devices, iTunes Backups, and iCloud Forensics
	Acquiring locked devices
		Using lockdown pairing records to access the device
		Passcode cracking
	BFU acquisition of locked devices
		Performing a BFU acquisition using the Elcomsoft iOS Forensic Toolkit
		Performing a BFU acquisition using the Cellebrite UFED
	Introducing iTunes backups
		Locating backup files
		Analyzing iTunes backups
		Cracking iTunes backup passwords
	Introducing iCloud forensics
		iCloud backups
		iCloud synced data
		Accessing iCloud data
		Introducing iCloud Keychain
		Extracting iCloud Keychain and synced data
		Extracting iCloud backups
	Summary
Section 3 – Reporting
Chapter 12: Writing a Forensic Report and Building a Timeline
	Mobile forensics reporting
		Writing a forensic report
	Creating reports using Cellebrite Physical Analyzer
		Generating a preliminary device report
		Generating a complete report
	Introducing timelines
	Building a timeline with Magnet AXIOM
	Summary
Index
Other Books You May Enjoy