Practical Mobile Forensics 3rd Edition Jan 2018.pdf

Cover
Title Page
Copyright and Credits
Packt Upsell
Contributors
Table of Contents
Preface
Chapter 1: Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The documenting and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Overview of mobile operating systems
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Chapter 2: Understanding the Internals of iOS Devices
iPhone models
Identifying the correct hardware model
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
The filesystem
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
iPhone operating system
The iOS architecture
iOS security
Passcodes, Touch ID, and Face ID
Code Signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization
Privilege separation
Stack-smashing protection
Data execution prevention
Data wipe
Activation Lock
The App Store
Jailbreaking
Summary
Chapter 3: Data Acquisition from iOS Devices
Operating modes of iOS devices
The normal mode
The recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Logical acquisition
Practical logical acquisition with libimobiledevice
Practical logical acquisition with Belkasoft Acquisition Tool
Practical logical acquisition with Magnet ACQUIRE
Filesystem acquisition
Practical jailbreaking
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
Physical acquisition
Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
Summary
Chapter 4: Data Acquisition from iOS Backups
iTunes backup
Creating backups with iTunes
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.db
Extracting unencrypted backups
iBackup Viewer
iExplorer
BlackLight
Encrypted backup
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
Chapter 5: iOS Data Analysis and Recovery
Timestamps
Unix timestamps
Mac absolute time
WebKit/Chrome time
SQLite databases
Connecting to a database
SQLite special commands
Standard SQL queries
Accessing a database using commercial tools
Key artifacts – important iOS database files
Address book contacts
Address book images
Call history
SMS messages
Calendar events
Notes
Safari bookmarks and cache
Photo metadata
Consolidated GPS cache
Voicemail
Property lists
Important plist files
The HomeDomain plist files
The RootDomain plist files
The WirelessDomain plist files
The SystemPreferencesDomain plist files
Other important files
Cookies
Keyboard cache
Photos
Thumbnails
Wallpaper
Recordings
Downloaded applications
Apple Watch
Recovering deleted SQLite records
Summary
Chapter 6: iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
Working with Magnet AXIOM
Features of Magnet AXIOM
Logical acquisition and analysis with Magnet AXIOM
Working with Belkasoft Evidence Center
Features of Belkasoft Evidence Center
iTunes backup parsing and analysis with Belkasoft Evidence Center
Working with Oxygen Forensic Detective
Features of Oxygen Forensic Detective
Logical acquisition and analysis with Oxygen Forensic Detective
Summary
Chapter 7: Understanding Android
The evolution of Android
The Android model
The Linux kernel layer
The Hardware Abstraction Layer
Libraries
Dalvik virtual machine
Android Runtime (ART)
The Java API framework layer
The system apps layer
Android security
Secure kernel
The permission model
Application sandbox
Secure inter-process communication
Application signing
Security-Enhanced Linux
Full Disk Encryption
Trusted Execution Environment
The Android file hierarchy
The Android file system
Viewing file systems on an Android device
Common file systems found on Android
Summary
Chapter 8: Android Forensic Setup and Pre-Data Extraction Techniques
Setting up the forensic environment for Android
The Android Software Development Kit
The Android SDK installation
An Android Virtual Device
Connecting an Android device to a workstation
Identifying the device cable
Installing the device drivers
Accessing the connected device
The Android Debug Bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local adb server
Accessing the adb shell
Basic Linux commands
Handling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and adb connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Smudge attack
Using the Forgot Password/Forgot Pattern option
Bypassing third-party lock screens by booting into safe mode
Securing the USB debugging bypass using adb keys
Securing the USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Rooting an Android device
Root access - adb shell
Summary
Chapter 9: Android Data Extraction Techniques
Data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android phone
Imaging a memory (SD) card
Joint Test Action Group
Chip-off
Summary
Chapter 10: Android Data Analysis and Recovery
Analyzing an Android image
Autopsy
Adding an image to Autopsy
Analyzing an image using Autopsy
Android data recovery
Recovering deleted data from an external SD card
Recovering data deleted from internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Recovering contacts using your Google account
Summary
Chapter 11: Android App Analysis, Malware, and Reverse Engineering
Analyzing Android apps
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
How does malware spread?
Identifying Android malware
Summary
Chapter 12: Windows Phone Forensics
Windows Phone OS
Security model
Chambers
Encryption
Capability-based model
App sandboxing
Windows Phone filesystem
Data acquisition
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting contacts and SMS
Extracting call history
Extracting internet history
Summary
Chapter 13: Parsing Third-Party Application Files
Third-party application overview
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
Application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Detective
Magnet IEF
UFED Physical Analyzer
Open source tools
Autopsy
Other methods of extracting application data
Summary
Other Books You May Enjoy
Index
Practical Mobile Forensics
Third Edition
A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms
Rohit Tamma
Oleg Skulkin
Heather Mahalik
Satish Bommisetty
BIRMINGHAM - MUMBAI
Practical Mobile Forensics Third Edition

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Devika Battike
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta

First published: July 2014
Second edition: May 2016
Third edition: January 2018
Production reference: 1220118

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78883-919-8

www.packtpub.com
mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors

About the authors

Rohit Tamma is a security program manager currently working with Microsoft. With over 8 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and security training. Rohit has also coauthored a couple of books, such as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to perform forensics on the mobile platforms. You can contact him on Twitter at @RohitTamma.

Writing this book has been a great experience because it has taught me several things, which could not have been otherwise possible. I would like to dedicate this book to my parents for helping me in every possible way throughout my life.

Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia with more than 6 years of experience, and is currently employed by Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, MCFE, and ACE. Oleg is a coauthor of Windows Forensics Cookbook, and you can find his articles about different aspects of digital forensics in both Russian and foreign magazines. Finally, he is a very active blogger, and he updates the Cyber Forensicator blog daily.

I would like to thank my mom and wife for their support and understanding, my friend, Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin, Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov, Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita Panov, Anastasiya Barinova, and Vesta Matveeva.
Heather Mahalik is the director of forensic engineering with ManTech CARD, where she leads the forensic effort focusing on mobile and digital exploitation. She is a senior instructor and author for the SANS Institute, and she is also the course leader for the FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital forensics, she continues to thrive on smartphone investigations, digital forensics, forensic course development and instruction, and research on application analysis and smartphone forensics.

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and they are listed in their hall of fame.
About the reviewer

Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he has attended a lot of seminars and training classes in top forensic companies and forensic departments of government organizations. He has experience and skills in cellphone forensics, chip-off forensics, malware forensics, and other fields. He has worked on several thousand forensic cases. He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, Packt Publishing, 2017. He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.