Edition: 4
Authors: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
Series:
ISBN: 9781838644420, 1838644423
Publisher: Packt Publishing Ltd
Year of publication: 2020
Number of pages: 384
Language: English
File format: PDF (converted to PDF, EPUB, or AZW3 on user request)
File size: 26 MB
If you need the file of Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition converted to PDF, EPUB, AZW3, MOBI, or DJVU, you can notify support so that they convert the file.
Note that Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition is the original-language edition and is not a book translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Cover; Title Page; Copyright and Credits; About Packt; Contributors; Table of Contents; Preface

Chapter 01: Introduction to Mobile Forensics
The need for mobile forensics; Understanding mobile forensics; Challenges in mobile forensics; The mobile phone evidence extraction process; The evidence intake phase; The identification phase; The legal authority; Data that needs to be extracted; The make, model, and identifying information for the device; Data storage media; Other sources of potential evidence; The preparation phase; The isolation phase; The processing phase; The verification phase; The documenting and reporting phase; The archiving phase; Practical mobile forensic approaches; Understanding mobile operating systems; Android; iOS; Windows Phone; Mobile forensic tool leveling system; Manual extraction; Logical analysis; Hex dump; Chip-off; Micro read; Data acquisition methods; Physical acquisition; Logical acquisition; Manual acquisition; Potential evidence stored on mobile phones; Examination and analysis; Rules of evidence; Good forensic practices; Securing the evidence; Preserving the evidence; Documenting the evidence and changes; Reporting; Summary

Section 1: iOS Forensics

Chapter 02: Understanding the Internals of iOS Devices
iPhone models and hardware; Identifying the correct hardware model; Understanding the iPhone hardware; iPad models and hardware; Understanding the iPad hardware; The HFS Plus and APFS filesystems; The HFS Plus filesystem; The HFS Plus volume; The APFS filesystem; The APFS structure; Disk layout; The iPhone OS; The iOS architecture; iOS security; Passcodes, Touch ID, and Face ID; Code signing; Sandboxing; Encryption; Data protection; Address Space Layout Randomization (ASLR); Privilege separation; Stack-smashing protection; Data Execution Prevention (DEP); Data wiping; Activation Lock; The App Store; Jailbreaking; Summary

Chapter 03: Data Acquisition from iOS Devices
Operating modes of iOS devices; Normal mode; Recovery mode; DFU mode; Setting up the forensic environment; Password protection and potential bypasses; Logical acquisition; Practical logical acquisition with libimobiledevice; Practical logical acquisition with the Belkasoft Acquisition Tool; Practical logical acquisition with Magnet ACQUIRE; Filesystem acquisition; Practical jailbreaking; Practical filesystem acquisition with free tools; Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit; Summary

Chapter 04: Data Acquisition from iOS Backups
Working with iTunes backups; Creating and analyzing backups with iTunes; Understanding the backup structure; info.plist; manifest.plist; status.plist; manifest.db; Extracting unencrypted backups; iBackup Viewer; iExplorer; Handling encrypted backup files; Elcomsoft Phone Breaker; Working with iCloud backups; Extracting iCloud backups; Summary

Chapter 05: iOS Data Analysis and Recovery
Interpreting iOS timestamps; Unix timestamps; Mac absolute time; WebKit/Chrome time; Working with SQLite databases; Connecting to a database; Exploring SQLite special commands; Exploring standard SQL queries; Accessing a database using commercial tools; Key artifacts – important iOS database files; Address book contacts; Address book images; Call history; Short Message Service (SMS) messages; Calendar events; Notes; Safari bookmarks and history; Voicemail; Recordings; Device interaction; Phone numbers; Property lists; Important plist files; Other important files; Local dictionary; Photos; Thumbnails; Wallpaper; Downloaded third-party applications; Recovering deleted SQLite records; Summary

Chapter 06: iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer; Features of Cellebrite UFED Physical Analyzer; Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer; Working with Magnet AXIOM; Features of Magnet AXIOM; Logical acquisition and analysis with Magnet AXIOM; Working with Belkasoft Evidence Center; Features of Belkasoft Evidence Center; Logical acquisition and analysis with Belkasoft Evidence Center; Working with Elcomsoft Phone Viewer; Features of Elcomsoft Phone Viewer; Filesystem analysis with Elcomsoft Phone Viewer; Summary

Section 2: Android Forensics

Chapter 07: Understanding Android
The evolution of Android; The Android architecture; The Linux kernel layer; The Hardware Abstraction Layer; Libraries; Dalvik Virtual Machine (DVM); ART; The Java API framework layer; The system apps layer; Android security; Secure kernel; The permission model; Application sandbox; Secure IPC; Application signing; Security-Enhanced Linux (SELinux); FDE; Android Keystore; TEE; Verified Boot; The Android file hierarchy; The Android filesystem; Viewing filesystems on an Android device; Common filesystems found on Android; Flash memory filesystems; Media-based filesystems; Pseudo filesystems; Summary

Chapter 08: Android Forensic Setup and Pre-Data Extraction Techniques
Setting up a forensic environment for Android; Installing the software; Installing the Android platform tools; Creating an Android virtual device; Connecting an Android device to a workstation; Identifying the device cable; Installing device drivers; Accessing the connected device; The Android debug bridge; USB debugging; Accessing the device using adb; Detecting connected devices; Killing the local ADB server; Accessing the adb shell; Basic Linux commands; Handling an Android device; Screen lock bypassing techniques; Using ADB to bypass the screen lock; Deleting the gesture.key file; Updating the settings.db file; Checking for the modified recovery mode and ADB connection; Flashing a new recovery partition; Using automated tools; Using Android Device Manager; Bypass using Find My Mobile (for Samsung phones only); Smudge attack; Using the forgot password/forgot pattern option; Bypassing third-party lock screens by booting into safe mode; Secure USB debugging bypass using ADB keys; Secure USB debugging bypass in Android 4.4.2; Crashing the lock screen UI in Android 5.x; Other techniques; Gaining root access; What is rooting?; Understanding the rooting process; Rooting an Android device; Root access - ADB shell; Summary

Chapter 09: Android Data Extraction Techniques
Understanding data extraction techniques; Manual data extraction; Logical data extraction; ADB pull data extraction; Using SQLite Browser to view the data; Extracting device information; Extracting call logs; Extracting SMS/MMS; Extracting browser history information; Analysis of social networking/IM chats; ADB backup extraction; ADB dumpsys extraction; Using content providers; Physical data extraction; Imaging an Android phone; Imaging a memory (SD) card; Joint Test Action Group; The chip-off technique; Summary

Chapter 10: Android Data Analysis and Recovery
Analyzing and extracting data from Android image files using the Autopsy tool; The Autopsy platform; Adding an image to Autopsy; Analyzing an image using Autopsy; Understanding techniques to recover deleted files from the SD card and the internal memory; Recovering deleted data from an external SD card; Recovering data deleted from the internal memory; Recovering deleted files by parsing SQLite files; Recovering files using file-carving techniques; Recovering contacts using your Google account; Summary

Chapter 11: Android App Analysis, Malware, and Reverse Engineering
Analyzing widely used Android apps to retrieve valuable data; Facebook Android app analysis; WhatsApp Android app analysis; Skype Android app analysis; Gmail Android app analysis; Google Chrome Android app analysis; Techniques to reverse engineer an Android application; Extracting an APK file from an Android device; Steps to reverse engineer Android apps; Android malware; Types of Android malware; How does Android malware spread?; Identifying Android malware; Summary

Section 3: Windows Forensics and Third-Party Apps

Chapter 12: Windows Phone Forensics
Windows Phone OS; Windows 10 Mobile security model; Chambers; Encryption; Capability-based model; App sandboxing; Windows Phone filesystem; Data acquisition; Commercial forensic tool acquisition methods; Extracting data without the use of commercial tools; SD card data extraction methods; Key artifacts for examination; Extracting contacts and SMS; Extracting call history; Extracting internet history; Summary

Chapter 13: Parsing Third-Party Application Files
Introduction to third-party applications; Chat applications; GPS applications; Secure applications; Financial applications; Social networking applications; Encoding versus encryption; iOS, Android, and Windows Phone application data storage; iOS applications; Android applications; Windows Phone applications; Forensic methods used to extract third-party application data; Commercial tools; Oxygen Forensic Detective; Magnet AXIOM; UFED Physical Analyzer; Open source/free tools; Working with Autopsy; Other methods of extracting application data; Summary

Other Books You May Enjoy; Index