Practical mobile forensics a hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms
Investigate, analyze, and report iOS, Android, and Windows devices About This Book Get hands-on experience in performing simple to complex mobile forensics techniques. Retrieve and analyze data stored not only on mobile devices but also through the cloud and other connected mediums. A practical guid...
| Otros Autores: | |
|---|---|
| Formato: | Libro electrónico |
| Idioma: | Inglés |
| Publicado: |
Birmingham, England :
Packt Publishing
2018.
|
| Edición: | Third edition |
| Materias: | |
| Ver en Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631369206719 |
Tabla de Contenidos:
- Cover
- Title Page
- Copyright and Credits
- Packt Upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1: Introduction to Mobile Forensics
- Why do we need mobile forensics?
- Mobile forensics
- Challenges in mobile forensics
- The mobile phone evidence extraction process
- The evidence intake phase
- The identification phase
- The legal authority
- The goals of the examination
- The make, model, and identifying information for the device
- Removable and external data storage
- Other sources of potential evidence
- The preparation phase
- The isolation phase
- The processing phase
- The verification phase
- Comparing extracted data to the handset data
- Using multiple tools and comparing the results
- Using hash values
- The documenting and reporting phase
- The presentation phase
- The archiving phase
- Practical mobile forensic approaches
- Overview of mobile operating systems
- Android
- iOS
- Windows Phone
- Mobile forensic tool leveling system
- Manual extraction
- Logical extraction
- Hex dump
- Chip-off
- Micro read
- Data acquisition methods
- Physical acquisition
- Logical acquisition
- Manual acquisition
- Potential evidence stored on mobile phones
- Examination and analysis
- Rules of evidence
- Good forensic practices
- Securing the evidence
- Preserving the evidence
- Documenting the evidence and changes
- Reporting
- Summary
- Chapter 2: Understanding the Internals of iOS Devices
- iPhone models
- Identifying the correct hardware model
- iPhone hardware
- iPad models
- Understanding the iPad hardware
- Apple Watch models
- Understanding the Apple Watch hardware
- The filesystem
- The HFS Plus filesystem
- The HFS Plus volume
- The APFS filesystem
- The APFS structure
- Disk layout
- iPhone operating system
- The iOS architecture
- iOS security.
- Passcodes, Touch ID, and Face ID
- Code Signing
- Sandboxing
- Encryption
- Data protection
- Address Space Layout Randomization
- Privilege separation
- Stack-smashing protection
- Data execution prevention
- Data wipe
- Activation Lock
- The App Store
- Jailbreaking
- Summary
- Chapter 3: Data Acquisition from iOS Devices
- Operating modes of iOS devices
- The normal mode
- The recovery mode
- DFU mode
- Setting up the forensic environment
- Password protection and potential bypasses
- Logical acquisition
- Practical logical acquisition with libimobiledevice
- Practical logical acquisition with Belkasoft Acquisition Tool
- Practical logical acquisition with Magnet ACQUIRE
- Filesystem acquisition
- Practical jailbreaking
- Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
- Physical acquisition
- Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
- Summary
- Chapter 4: Data Acquisition from iOS Backups
- iTunes backup
- Creating backups with iTunes
- Understanding the backup structure
- info.plist
- manifest.plist
- status.plist
- manifest.db
- Extracting unencrypted backups
- iBackup Viewer
- iExplorer
- BlackLight
- Encrypted backup
- Elcomsoft Phone Breaker
- Working with iCloud backups
- Extracting iCloud backups
- Summary
- Chapter 5: iOS Data Analysis and Recovery
- Timestamps
- Unix timestamps
- Mac absolute time
- WebKit/Chrome time
- SQLite databases
- Connecting to a database
- SQLite special commands
- Standard SQL queries
- Accessing a database using commercial tools
- Key artifacts - important iOS database files
- Address book contacts
- Address book images
- Call history
- SMS messages
- Calendar events
- Notes
- Safari bookmarks and cache
- Photo metadata
- Consolidated GPS cache
- Voicemail
- Property lists.
- Important plist files
- The HomeDomain plist files
- The RootDomain plist files
- The WirelessDomain plist files
- The SystemPreferencesDomain plist files
- Other important files
- Cookies
- Keyboard cache
- Photos
- Thumbnails
- Wallpaper
- Recordings
- Downloaded applications
- Apple Watch
- Recovering deleted SQLite records
- Summary
- Chapter 6: iOS Forensic Tools
- Working with Cellebrite UFED Physical Analyzer
- Features of Cellebrite UFED Physical Analyzer
- Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
- Working with Magnet AXIOM
- Features of Magnet AXIOM
- Logical acquisition and analysis with Magnet AXIOM
- Working with Belkasoft Evidence Center
- Features of Belkasoft Evidence Center
- iTunes backup parsing and analysis with Belkasoft Evidence Center
- Working with Oxygen Forensic Detective
- Features of Oxygen Forensic Detective
- Logical acquisition and analysis with Oxygen Forensic Detective
- Summary
- Chapter 7: Understanding Android
- The evolution of Android
- The Android model
- The Linux kernel layer
- The Hardware Abstraction Layer
- Libraries
- Dalvik virtual machine
- Android Runtime (ART)
- The Java API framework layer
- The system apps layer
- Android security
- Secure kernel
- The permission model
- Application sandbox
- Secure inter-process communication
- Application signing
- Security-Enhanced Linux
- Full Disk Encryption
- Trusted Execution Environment
- The Android file hierarchy
- The Android file system
- Viewing file systems on an Android device
- Common file systems found on Android
- Summary
- Chapter 8: Android Forensic Setup and Pre-Data Extraction Techniques
- Setting up the forensic environment for Android
- The Android Software Development Kit
- The Android SDK installation
- An Android Virtual Device.
- Connecting an Android device to a workstation
- Identifying the device cable
- Installing the device drivers
- Accessing the connected device
- The Android Debug Bridge
- USB debugging
- Accessing the device using adb
- Detecting connected devices
- Killing the local adb server
- Accessing the adb shell
- Basic Linux commands
- Handling an Android device
- Screen lock bypassing techniques
- Using adb to bypass the screen lock
- Deleting the gesture.key file
- Updating the settings.db file
- Checking for the modified recovery mode and adb connection
- Flashing a new recovery partition
- Using automated tools
- Using Android Device Manager
- Smudge attack
- Using the Forgot Password/Forgot Pattern option
- Bypassing third-party lock screens by booting into safe mode
- Securing the USB debugging bypass using adb keys
- Securing the USB debugging bypass in Android 4.4.2
- Crashing the lock screen UI in Android 5.x
- Other techniques
- Gaining root access
- What is rooting?
- Rooting an Android device
- Root access - adb shell
- Summary
- Chapter 9: Android Data Extraction Techniques
- Data extraction techniques
- Manual data extraction
- Logical data extraction
- ADB pull data extraction
- Using SQLite Browser to view the data
- Extracting device information
- Extracting call logs
- Extracting SMS/MMS
- Extracting browser history
- Analysis of social networking/IM chats
- ADB backup extraction
- ADB dumpsys extraction
- Using content providers
- Physical data extraction
- Imaging an Android phone
- Imaging a memory (SD) card
- Joint Test Action Group
- Chip-off
- Summary
- Chapter 10: Android Data Analysis and Recovery
- Analyzing an Android image
- Autopsy
- Adding an image to Autopsy
- Analyzing an image using Autopsy
- Android data recovery
- Recovering deleted data from an external SD card.
- Recovering data deleted from internal memory
- Recovering deleted files by parsing SQLite files
- Recovering files using file-carving techniques
- Recovering contacts using your Google account
- Summary
- Chapter 11: Android App Analysis, Malware, and Reverse Engineering
- Analyzing Android apps
- Facebook Android app analysis
- WhatsApp Android app analysis
- Skype Android app analysis
- Gmail Android app analysis
- Google Chrome Android app analysis
- Reverse engineering Android apps
- Extracting an APK file from an Android device
- Steps to reverse engineer Android apps
- Android malware
- How does malware spread?
- Identifying Android malware
- Summary
- Chapter 12: Windows Phone Forensics
- Windows Phone OS
- Security model
- Chambers
- Encryption
- Capability-based model
- App sandboxing
- Windows Phone filesystem
- Data acquisition
- Commercial forensic tool acquisition methods
- Extracting data without the use of commercial tools
- SD card data extraction methods
- Key artifacts for examination
- Extracting contacts and SMS
- Extracting call history
- Extracting internet history
- Summary
- Chapter 13: Parsing Third-Party Application Files
- Third-party application overview
- Chat applications
- GPS applications
- Secure applications
- Financial applications
- Social networking applications
- Encoding versus encryption
- Application data storage
- iOS applications
- Android applications
- Windows Phone applications
- Forensic methods used to extract third-party application data
- Commercial tools
- Oxygen Detective
- Magnet IEF
- UFED Physical Analyzer
- Open source tools
- Autopsy
- Other methods of extracting application data
- Summary
- Other Books You May Enjoy
- Index.
