第1页 / 共392页
第2页 / 共392页
第3页 / 共392页
第4页 / 共392页
第5页 / 共392页
第6页 / 共392页
第7页 / 共392页
第8页 / 共392页
Practical Mobile Forensics 3rd Edition Jan 2018.pdf
Cover
Title Page
Copyright and Credits
Packt Upsell
Contributors
Table of Contents
Preface
Chapter 1: Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The documenting and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Overview of mobile operating systems
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Chapter 2: Understanding the Internals of iOS Devices
iPhone models
Identifying the correct hardware model
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
The filesystem
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
iPhone operating system
The iOS architecture
iOS security
Passcodes, Touch ID, and Face ID
Code Signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization
Privilege separation
Stack-smashing protection
Data execution prevention
Data wipe
Activation Lock
The App Store
Jailbreaking
Summary
Chapter 3: Data Acquisition from iOS Devices
Operating modes of iOS devices
The normal mode
The recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Logical acquisition
Practical logical acquisition with libimobiledevice
Practical logical acquisition with Belkasoft Acquisition Tool
Practical logical acquisition with Magnet ACQUIRE
Filesystem acquisition
Practical jailbreaking
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
Physical acquisition
Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
Summary
Chapter 4: Data Acquisition from iOS Backups
iTunes backup
Creating backups with iTunes
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.db
Extracting unencrypted backups
iBackup Viewer
iExplorer
BlackLight
Encrypted backup
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
Chapter 5: iOS Data Analysis and Recovery
Timestamps
Unix timestamps
Mac absolute time
WebKit/Chrome time
SQLite databases
Connecting to a database
SQLite special commands
Standard SQL queries
Accessing a database using commercial tools
Key artifacts – important iOS database files
Address book contacts
Address book images
Call history
SMS messages
Calendar events
Notes
Safari bookmarks and cache
Photo metadata
Consolidated GPS cache
Voicemail
Property lists
Important plist files
The HomeDomain plist files
The RootDomain plist files
The WirelessDomain plist files
The SystemPreferencesDomain plist files
Other important files
Cookies
Keyboard cache
Photos
Thumbnails
Wallpaper
Recordings
Downloaded applications
Apple Watch
Recovering deleted SQLite records
Summary
Chapter 6: iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
Working with Magnet AXIOM
Features of Magnet AXIOM
Logical acquisition and analysis with Magnet AXIOM
Working with Belkasoft Evidence Center
Features of Belkasoft Evidence Center
iTunes backup parsing and analysis with Belkasoft Evidence Center
Working with Oxygen Forensic Detective
Features of Oxygen Forensic Detective
Logical acquisition and analysis with Oxygen Forensic Detective
Summary
Chapter 7: Understanding Android
The evolution of Android
The Android model
The Linux kernel layer
The Hardware Abstraction Layer
Libraries
Dalvik virtual machine
Android Runtime (ART)
The Java API framework layer
The system apps layer
Android security
Secure kernel
The permission model
Application sandbox
Secure inter-process communication
Application signing
Security-Enhanced Linux
Full Disk Encryption
Trusted Execution Environment
The Android file hierarchy
The Android file system
Viewing file systems on an Android device
Common file systems found on Android
Summary
Chapter 8: Android Forensic Setup and Pre-Data Extraction Techniques
Setting up the forensic environment for Android
The Android Software Development Kit
The Android SDK installation
An Android Virtual Device
Connecting an Android device to a workstation
Identifying the device cable
Installing the device drivers
Accessing the connected device
The Android Debug Bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local adb server
Accessing the adb shell
Basic Linux commands
Handling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and adb connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Smudge attack
Using the Forgot Password/Forgot Pattern option
Bypassing third-party lock screens by booting into safe mode
Securing the USB debugging bypass using adb keys
Securing the USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Rooting an Android device
Root access - adb shell
Summary
Chapter 9: Android Data Extraction Techniques
Data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android phone
Imaging a memory (SD) card
Joint Test Action Group
Chip-off
Summary
Chapter 10: Android Data Analysis and Recovery
Analyzing an Android image
Autopsy
Adding an image to Autopsy
Analyzing an image using Autopsy
Android data recovery
Recovering deleted data from an external SD card
Recovering data deleted from internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Recovering contacts using your Google account
Summary
Chapter 11: Android App Analysis, Malware, and Reverse Engineering
Analyzing Android apps
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
How does malware spread?
Identifying Android malware
Summary
Chapter 12: Windows Phone Forensics
Windows Phone OS
Security model
Chambers
Encryption
Capability-based model
App sandboxing
Windows Phone filesystem
Data acquisition
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting contacts and SMS
Extracting call history
Extracting internet history
Summary
Chapter 13: Parsing Third-Party Application Files
Third-party application overview
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
Application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Detective
Magnet IEF
UFED Physical Analyzer
Open source tools
Autopsy
Other methods of extracting application data
Summary
Other Books You May Enjoy
Index
Practical Mobile Forensics
Third Edition
A hands-on guide to mastering mobile forensics for the iOS,
Android, and the Windows Phone platforms
Rohit Tamma
Oleg Skulkin
Heather Mahalik
Satish Bommisetty
BIRMINGHAM - MUMBAI
Practical Mobile Forensics
Third Edition
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, without the prior written permission of the publisher, except in the case of brief quotations
embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented.
However, the information contained in this book is sold without warranty, either express or implied. Neither the
authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to
have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy
of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Devika Battike
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta
First published: July 2014
Second edition: May 2016
Third edition: January 2018
Production reference: 1220118
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78883-919-8
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as
well as industry leading tools to help you plan your personal development and advance
your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos
from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a
print book customer, you are entitled to a discount on the eBook copy. Get in touch with us
at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a
range of free newsletters, and receive exclusive discounts and offers on Packt books and
eBooks.
Contributors
About the authors
Rohit Tamma is a security program manager currently working with Microsoft. With over
8 years of experience in the field of security, his background spans management and
technical consulting roles in the areas of application and cloud security, mobile security,
penetration testing, and security training. Rohit has also coauthored couple of books, such
as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to
perform forensics on the mobile platforms. You can contact him on Twitter at
@RohitTamma.
Writing this book has been a great experience because it has taught me several things,
which could not have been otherwise possible. I would like to dedicate this book to my
parents for helping me in every possible way throughout my life.
Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia
with more than 6 years of experience, and is currently employed by Group-IB, one of the
global leaders in preventing and investigating high-tech crimes and online fraud. He holds
a number of certifications, including GCFA, MCFE, and ACE. Oleg is a coauthor of Windows
Forensics Cookbook, and you can find his articles about different aspects of digital forensics
both in Russian and foreign magazines. Finally, he is a very active blogger, and he updates
the Cyber Forensicator blog daily.
I would like to thank my mom and wife for their support and understanding, my friend,
Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin,
Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov,
Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita
Panov, Anastasiya Barinova, and Vesta Matveeva.
Heather Mahalik is the director of forensic engineering with ManTech CARD, where she
leads the forensic effort focusing on mobile and digital exploitation. She is a senior
instructor and author for the SANS Institute, and she is also the course leader for the
FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital
forensics, she continues to thrive on smartphone investigations, digital forensics, forensic
course development and instruction, and research on application analysis and smartphone
forensics.
Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary
areas of interest include iOS forensics, iOS application security, and web application
security. He has presented at international conferences, such as ClubHACK and C0C0n. He
is also one of the core members of the Hyderabad OWASP chapter. He has identified and
disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!,
AT&T, and more, and they are listed in their hall of fame.
About the reviewer
Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he
has attended a lot of seminars and training classes in top forensic companies and forensic
departments of government organizations. He has experience and skills in cellphones
forensics, chip-off forensics, malware forensics, and other fields. He has worked on several
thousand forensic cases.
He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier,
Packt Publishing, 2017.
He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and
apply today. We have worked with thousands of developers and tech professionals, just
like you, to help them share their insight with the global tech community. You can make a
general application, apply for a specific hot topic that we are recruiting an author for, or
submit your own idea.
Table of Contents
Chapter 1: Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The documenting and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Overview of mobile operating systems
Mobile forensic tool leveling system
Android
iOS
Windows Phone
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
6
7
8
10
12
13
14
14
14
14
15
15
15
16
16
16
17
17
17
17
18
18
18
19
19
20
20
20
22
22
22
23
23
24
24
24
25
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
