第1页 / 共335页
第2页 / 共335页
第3页 / 共335页
第4页 / 共335页
第5页 / 共335页
第6页 / 共335页
第7页 / 共335页
第8页 / 共335页
Learning Android Forensics.pdf
Learning Android Forensics
Table of Contents
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation Preparation
Seizure and Isolation
Acquisition
Examination and Analysis
Reporting
Challenges in mobile forensics
The Android architecture
The Linux kernel
Libraries
Dalvik virtual machine
The application framework
The applications layer
Android security
Security at OS level through Linux kernel
Permission model
Application sandboxing
SELinux in Android
Application Signing
Secure interprocess communication
Android hardware components
Core components
Central processing unit
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The boot loader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
2. Setting Up an Android Forensic Environment
The Android forensic setup
The Android SDK
Installing the Android SDK
Android Virtual Device
Connecting and accessing an Android device from the workstation
Identifying the device cable
Installing device drivers
Accessing the device
Android Debug Bridge
Using adb to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the adb server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing the recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
3. Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
boot loader
boot
recovery
userdata
system
cache
radio
Identifying partition layout
Android file hierarchy
An overview of directories
acct
cache
d
data
dalvik-cache
data
dev
init
mnt
proc
root
sbin
misc
sdcard
system
build.prop
app
framework
ueventd.goldfish.rc and ueventd.rc
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
4. Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Root access
Manual ADB data extraction
USB debugging
Using ADB shell to determine if a device is rooted
ADB pull
Recovery mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB Dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Location
Trusted Device
General bypass information
Cracking an Android pattern lock
Cracking an Android PIN/Password
Android SIM card extractions
Acquiring SIM card data
SIM security
SIM cloning
Issues and opportunities with Android Lollipop
Summary
5. Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Imaging RAM with mem
Output from mem
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Bypassing Android full-disk encryption
Summary
6. Recovering Deleted Data from an Android Device
An overview of data recovery
How can deleted files be recovered?
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Recovering deleted data by parsing SQLite files
Recovering deleted data through file carving techniques
Analyzing backups
Summary
7. Forensic Analysis of Android Applications
Application analysis
Why do app analysis?
The layout of this chapter
Determining what apps are installed
Understanding Linux epoch time
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the WebKit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db database
Application reverse engineering
Obtaining the application's APK file
Disassembling an APK file
Determining an application's permissions
Viewing the application's code
Summary
8. Android Forensic Tools Overview
ViaExtract
Backup extraction with ViaExtract
Logical extraction with ViaExtract
Examining data in ViaExtract
Other tools within ViaExtract
Autopsy
Creating a case in Autopsy
Analyzing data in Autopsy
ViaLab Community Edition
Setting up the emulator in ViaLab
Installing an application on the emulator
Analyzing data with ViaLab
Summary
Conclusion
Index
Learning Android Forensics
Table of Contents
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation Preparation
Seizure and Isolation
Acquisition
Examination and Analysis
Reporting
Challenges in mobile forensics
The Android architecture
The Linux kernel
Libraries
Dalvik virtual machine
The application framework
The applications layer
Android security
Security at OS level through Linux kernel
Permission model
Application sandboxing
SELinux in Android
Application Signing
Secure interprocess communication
Android hardware components
Core components
Central processing unit
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The boot loader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
The Android forensic setup
The Android SDK
Installing the Android SDK
Android Virtual Device
Identifying the device cable
Installing device drivers
Accessing the device
Android Debug Bridge
2. Setting Up an Android Forensic Environment
Connecting and accessing an Android device from the workstation
Using adb to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the adb server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing the recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
3. Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
Identifying partition layout
Android file hierarchy
An overview of directories
dalvik-cache
data
boot loader
boot
recovery
userdata
system
cache
radio
acct
cache
d
data
dev
init
mnt
proc
root
sbin
misc
sdcard
system
build.prop
app
framework
ueventd.goldfish.rc and ueventd.rc
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
4. Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Using ADB shell to determine if a device is rooted
Root access
Manual ADB data extraction
USB debugging
ADB pull
Recovery mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB Dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Location
Trusted Device
General bypass information
Cracking an Android pattern lock
Cracking an Android PIN/Password
Android SIM card extractions
Acquiring SIM card data
SIM security
SIM cloning
Issues and opportunities with Android Lollipop
Summary
5. Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Imaging RAM with mem
Output from mem
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Bypassing Android full-disk encryption
Summary
6. Recovering Deleted Data from an Android Device
An overview of data recovery
How can deleted files be recovered?
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Recovering deleted data by parsing SQLite files
Recovering deleted data through file carving techniques
Analyzing backups
Summary
7. Forensic Analysis of Android Applications
Application analysis
Why do app analysis?
The layout of this chapter
Determining what apps are installed
Understanding Linux epoch time
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the WebKit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db database
Application reverse engineering
Obtaining the application's APK file
Disassembling an APK file
Determining an application's permissions
Viewing the application's code
8. Android Forensic Tools Overview
Summary
ViaExtract
Backup extraction with ViaExtract
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
