Mobile Forensics – The File Format Handbook: Common File Formats and File Systems Used in Mobile Devices


This open access book summarizes knowledge about several file systems and file formats commonly used in mobile devices. In addition to the fundamental description of the formats, there are hints about the forensic value of possible artefacts, along with an outline of tools that can decode the relevant data.

The book is organized into two distinct parts:

Part I describes several different file systems that are commonly used in mobile devices. 

·       APFS is the file system that is used in all modern Apple devices including iPhones, iPads, and even Apple Computers, like the MacBook series.

·       Ext4 is very common in Android devices and is the successor of the Ext2 and Ext3 file systems that were commonly used on Linux-based computers.

·       The Flash-Friendly File System (F2FS) is a Linux file system designed explicitly for NAND flash memory, which is common in removable storage devices and mobile devices; Samsung Electronics developed it in 2012.

·       The QNX6 file system is present in Smartphones delivered by Blackberry (e.g. devices that are using Blackberry 10) and modern vehicle infotainment systems that use QNX as their operating system. 

Part II describes five different file formats that are commonly used on mobile devices.

·       SQLite is nearly omnipresent in mobile devices with an overwhelming majority of all mobile applications storing their data in such databases.

·       The second most common file format in the mobile world is the Property List, which is predominantly found on Apple devices.

·       Java Serialization is a popular technique for storing object states in the Java programming language. Mobile application (app) developers very often resort to this technique to make their application state persistent.

·       The Realm database format has emerged over recent years as a possible successor to the now ageing SQLite format and has begun to appear as part of some modern applications on mobile devices.

·       Protocol Buffers provide a format for serializing structured data by turning it into a sequence of bytes (represented as decimal values in the book), a technique commonly used in mobile devices.

The aim of this book is to act as a knowledge base and reference guide for digital forensic practitioners who need knowledge about a specific file system or file format. It is also hoped that it will provide useful insight and knowledge for students or other aspiring professionals who want to work within the field of digital forensics. The book is written with the assumption that the reader will have some existing knowledge and understanding of computers, mobile devices, file systems and file formats.

Author(s): Christian Hummert (editor), Dirk Pawlaszczyk (editor)
Edition: 1
Publisher: Springer
Year: 2022

Language: English
Pages: 282
Tags: Mobile Forensics; File Formats; File Systems; APFS; Ext4; Ext3; F2FS; QNX6; SQLite; Java Serialization;

Preface
Roadmap
Scope of the Book
Conventions Used in This Book
Acknowledgements
Contents
Part I Mobile File System Formats
Chapter 1 APFS
1.1 Introduction
1.2 APFS File system category
1.2.1 Finding the APFS container
1.2.2 Object header
Object type, some examples
Object type masks
Object type flags
Ephemeral Objects
Physical Objects
Virtual Objects
1.2.3 Superblocks
1.2.4 Checkpoint mapping
1.2.5 Volumes
Finding the Volume
Showing the Volume (APSB)
Volume Object mapping
1.3 APFS Metadata Category
1.4 APFS File Name category
1.5 APFS Content Category
1.6 APFS Application Category
1.7 Comparing our results with a commercial tool
Chapter 2 Ext4
2.1 Introduction
2.2 Ext4 File system category
2.3 Superblock
2.3.1 Temporary data about the File system
2.3.2 Supported features
Compatible features
Incompatible features
Read only compatible features
2.3.3 The group descriptor
Universal Unique Identifier
2.4 Ext4 Metadata Category
2.4.1 The inode
2.4.2 User privileges and type of file
2.4.3 Temporary metadata describing inodes
2.4.4 Temporary metadata manipulations
2.4.5 Links count
Blocks used by a file
Inode flags
Block map, Extent tree or inline data
File version
Operating System Descriptor 2
Project ID
2.5 Ext4 File Name category
2.6 Ext4 Content Category
2.6.1 Recovery of files
Inode Carving using extent magic signature
2.6.2 Generic metadata time carving
2.6.3 Additional file content
2.7 Ext4 Application Category
Chapter 3 The Flash-Friendly File System (F2FS)
3.1 Introduction
3.1.1 NAND (Not And) Flash Memory
NAND flash memory
NOR flash memory
3.1.2 Flash Translation Layer (FTL)
3.2 Flash Filesystems
3.2.1 The Log-Structured File System (LSFS) or (LFS)
3.2.2 Flash-Friendly File System (F2FS): Enter F2FS
3.2.3 Wandering Tree Problem
3.3 On-Disk Layout of F2FS
Sector
Partitions
3.3.1 Creation of F2FS partitions with Mkfs.f2fs
3.3.2 F2FS on Disk
Superblock
Zone
Section and Segment
Check Point (CP)
Segment Information Table (SIT)
Node Address Table (NAT)
Segment Summary Area (SSA)
Updates to the SIT and NAT
Shadow Copy
Main Area
3.4 File Structure of F2FS
3.4.1 Node Structure
3.4.2 File Creation and Management
Directory Structure
3.4.3 Fsck.f2fs Identifying Files
3.4.4 Metadata
3.4.5 Multi-Head Logging
3.4.6 Cleaning
Adaptive Logging
Roll-Back Recovery
Important
3.5 Forensic Analysis
3.5.1 F2FS Sample Dataset
3.5.2 F2FS and Windows
3.5.3 Data-Extraction with XRY
3.5.4 Superblock Examination
3.5.5 Examine NAT, SIT & SSA with Linux
Node Allocation Table (NAT) Data
Show the Segment Info Table (SIT) Data
Look inside the Segment Summary Area (SSA) Data
Obtain a file by its node ID
3.5.6 Carving for artefacts with XAMN
PNG File Signature Analysis
3.5.7 Node Allocation Table (NAT) Comparisons
Additional Data Structure
3.6 F2FS Application fields
3.7 Conclusion
Chapter 4 QNX6
4.1 Introduction
4.2 QNX6 Filesystem Structure
4.2.1 Superblock
4.2.2 Bitmap
4.2.3 Inode
4.2.4 Directories
4.2.5 Long Filenames Inode
4.3 Example: Construction of a file
4.4 Deleted Files
4.5 Forensic Tools supporting QNX6 filesystems
Part II Mobile File Formats
Chapter 5 SQLite
5.1 Introduction
5.2 The SQLite File Structure
5.2.1 The Database Header
5.2.2 Storage Classes, Serial Types and Varint-Encoding
5.2.3 Decoding The SQLite_Master Table
5.2.4 Page Structure
5.2.5 Recovering Data Records
5.3 Accessing The Freelist
5.4 More Artefacts
5.4.1 Temporary File Types
5.4.2 Rollback Journals
5.4.3 Write-Ahead Logs
5.5 Conclusions
Chapter 6 Property Lists
6.1 Introduction
6.2 Binary plist Structure
6.3 Example
6.4 Forensic Tools Supporting plists
6.5 Conclusions
Chapter 7 Java Serialization
7.1 Introduction
7.2 Object Serialization in Java
7.2.1 Serialization Techniques in Java
7.2.2 Serialization by Example
7.3 Java Object Serialization Protocol Revealed
7.4 Pitfalls and Security Issues
7.4.1 Hands on Serialized Objects
7.4.2 Beware of Gadget Chains
7.5 Conclusions
Chapter 8 Realm
8.1 Organisation of this Chapter
8.2 Introduction
8.3 SQLite, It is Not!
8.3.1 Relational Databases
8.3.2 SQLite as a Relational Database
8.3.3 SQLite Schema
8.3.4 Temporary SQLite Files
8.3.5 SQLite File Format
8.4 How Realm Works
8.4.1 Realm Database Fundamentals
8.4.2 Common Concepts and Terminology
Basic Object-Oriented Programming Concepts
Top-level Objects
Object Types
Group
Arrays
8.5 File Storage and Structures
8.5.1 Realm Files and Folders
8.5.2 The Realm File
The Lock File
The Management Directory
Stateless Realm Instances
8.5.3 Creating Realm Test Instance
Step 1: Launch the Task Application
Step 2: Open a CMD Window
Step 3: Create an Output Folder
Step 4: Start ADB
Step 5: Get ADB Root
Step 6: Find the Application Data
Step 7: Use the “pull” Command
8.5.4 The Realm Database File Structure
8.5.5 Realm File Header
“Top Ref” Bytes 0x00 to 0x0F (d0–d15)
“Mnemonic” Bytes 0x10 to 0x13 (d16–d19)
“File Format” Bytes 0x14 to 0x15 (d20–d21)
“Reserved” Byte 0x16 (d22)
“Flags” Byte 0x17 (d23)
8.5.6 Realm File Arrays
8.5.7 Realm Array Header
8.5.8 Checksum
8.5.9 Flags
Bit Group 1: is_inner_bptree_node
Bit Group 2: has_refs
Bit Group 3: context_flag
Bit Group 4: width_scheme
Bit Group 5: width_ndx
8.5.10 Size
8.5.11 Realm Array Payload
8.5.12 Size Calculation Example
8.5.13 Array Example Header
8.5.14 Array Example Flags
8.5.15 Array Example Size
8.6 Conclusion
Chapter 9 Protocol Buffers
9.1 Introduction
9.1.1 What is a Protocol Buffer?
9.1.2 Why are Protocol Buffers Used?
9.2 Using Protocol Buffers
Messages
Services
The Proto File
Define the Syntax
Message Type
Fields
Scalar Values
9.2.1 The Schema Definition
Field Type
Field Names
Enums
Nesting
Importing & Packages
9.2.2 Compiling Your Protocol Buffer
Analysing the Python Protobuf-Code
A 2nd Example: The FormobileChat Message
Formobilechat_pb2.py
9.2.3 Creation of Protobufs with Python
Writing the Object to a Binary File
Remember Size = Speed
The Raw Binary Data
9.2.4 Reversing Proto Buffer Messages
Data Conversion
Timestamp
Pictures or other files represented by octal data
9.3 Practical Analysis of different Proto Buffers
9.3.1 Mobile Device Artifact Examples
Example Waze Navigation App
BASE64 Encoding
Example: Apple Web Cache file
Identifying Base64 Encoded Data
9.3.2 Yet another example: Apple Property List (PLIST) Files
9.3.3 Suggested Examination Process of a File
9.3.4 Tools
9.4 Conclusion
References
Index