Leverage foundational concepts and practical skills in mobile device forensics to perform forensically sound criminal investigations involving the most complex mobile devices currently available on the market. Using modern tools and techniques, this book shows you how to conduct a structured investigation process to determine the nature of the crime and to produce results that are useful in criminal proceedings.
You'll walk through the various phases of the mobile forensics process for both Android and iOS-based devices, including forensically extracting, collecting, and analyzing data and producing and disseminating reports. Practical cases and labs involving specialized hardware and software illustrate the practical application and performance of data acquisition (including deleted data) and the analysis of extracted information. You'll also gain an advanced understanding of computer forensics, focusing on mobile devices and other devices not classifiable as laptops, desktops, or servers.
This book is your pathway to developing the critical thinking, analytical reasoning, and technical writing skills necessary to effectively work in a junior-level digital forensic or cybersecurity analyst role.
What You'll Learn
- Acquire and investigate data from mobile devices using forensically sound, industry-standard tools
- Understand the relationship between mobile and desktop devices in criminal and corporate investigations
- Analyze backup files and artifacts for forensic evidence
Who This Book Is For
Forensic examiners with little or only basic experience in mobile forensics or in open source solutions for mobile forensics. The book will also be useful to anyone seeking a deeper understanding of mobile internals.
Author(s): Mohammed Moreb
Edition: 1
Publisher: Apress
Year: 2022
Language: English
Pages: 545
Tags: iOS; Android; Forensic; Mobile Devices; Mobile; Forensic Analysis
Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
What This Book Covers
Introduction
Chapter 1: Introduction to Mobile Forensic Analysis
The Importance of Mobile Forensic Analysis
Understanding Mobile Forensics
Digital Investigation Process
Evidence and Scene Security
Scene Documentation
Evidence Isolation
Prepare for Acquisition
The Identification Phase
The Collection Phase
Tools Used for Mobile Forensics in Examination Phase
iPhone Acquisition Using XRY
Using Belkasoft
Using FINALMobile
Using iTunes Backup
Using iBackup
Using iExplorer
SQLite Database
Evidence Extraction Process for Android Mobile Phone
The Collection Phase
The Examination Phase
Using XRY and XAMN
Using ADB Command
Using FINALMobile
Mobile Forensic Challenges on iOS and Android
Summary
References
Chapter 2: Introduction to iOS Forensics
iOS Boot Process
iOS Architecture
iOS Architecture Layers
The HFS Plus and APFS File Systems
iOS Security
iOS Data Extraction Techniques
Data Acquisition from Backup Devices
Data Acquisition from iOS Devices
Jailbreaking
iOS Forensic Tools
iOS Data Analysis and Recovery Using Belkasoft Tool
iOS Data Analysis and Recovery Using Axiom Tool
Mobile Forensics Investigation Challenges on iOS Devices
Summary
Practical Lab 2.1
References
Chapter 3: Introduction to Android Forensics
Introduction
Android File System
Flash Memory File Systems
Media-Based File Systems
Pseudo File Systems
Android System Architecture
Android System Permission Model
Harmony Operating System
HarmonyOS Architecture
Kernel Layer
System Service Layer
Framework Layer
Application Layer
Data Extraction Techniques on Android
Manual Data Extraction
Logical Data Forensics
Screen Lock Bypassing Techniques
Rooting the Devices
Physical Forensics
Joint Test Action Group Data Extraction
Chip-Off Data Extraction
Mobile Forensics Investigation Challenges on Android Devices
Summary
Practical Lab 3.1
References
Chapter 4: Forensic Investigations of Popular Applications on Android and iOS Platforms
Extracting Data of the Activities of the Instant Artifacts
Implementation and Examination Details
Results and Analysis
Acquisition for iOS - iPhone 7
Acquisition for Android Device - OPPO Reno5 F
Gmail Application Artifacts
iOS Seizure Device Information
Android OS
Using Mobiledit and FINALMobile Forensic Software
Rooted Device
SQLite Viewer
Forensic Tools Comparisons
Mobile Forensics for Google Drive
Cloud Storage Services Artifacts
Summary
References
Chapter 5: Forensic Analysis of Telegram Messenger on iOS and Android Smartphones Case Study
Digital Forensics Process Steps for Telegram
Telegram App History
Ethical and Legal Compliance
Methodology and Experiment Setup
iOS Device Acquisition
Acquisition Using Belkasoft
Acquisition Using FINALMobile
Android Device Acquisition
Rooting Ulefone Note 9P Android Device
Acquisition Using FINALMobile
Acquisition Using Magnet AXIOM
iOS Evidence Analysis Using FINALMobile
iOS Evidence Analysis Using Elcomsoft Phone Viewer
iOS Evidence Analysis Using Magnet AXIOM
Android Evidence Analysis
Android Evidence Analysis Using FINALMobile
Android Evidence Analysis Using Magnet AXIOM
Android Evidence Analysis Using Belkasoft Evidence Center
Evidence Analysis Results
iOS Evidence Analysis Results
Android Evidence Analysis Results
Summary
References
Chapter 6: Detecting Privacy Leaks Utilizing Digital Forensics and Reverse Engineering Methodologies
Local Electronic Crimes Law and Mobile Forensics
Mobile Forensics and Reverse Engineering
Android Mobile Forensics and Private Data Leaks
Facebook as Mobile Application Advertising Platform
Reverse Engineering of Android Applications
Sensitive Information Transmissions in Mobile Applications
Data Acquisition Comparison: iOS Devices Image and iOS Backups
Acquire Data from an iOS Device
Acquire Data from an iOS Backup
Data Acquisition Comparison: Android Devices Image and ADB Backups
Understanding Android Data Extraction Techniques
Detailed Description of Steps Taken During Examination
Data Acquisition and Extraction
Facebook Information File Investigations (Account Artifacts)
Analysis of Facebook Source Code with Reverse Engineering
Case Analysis and Major Findings
Evaluating iOS Forensic Tools (Mobile Devices and Data Acquisition)
Summary
References
Chapter 7: Impact of Device Jailbreaking or Rooting on User Data Integrity in Mobile Forensics
User Data Integrity in Mobile Forensics
Jailbreaking’s Effect on iOS
Calc Data Integrity before Jailbreaking
Calc Data Integrity after Jailbreaking
Comparison for Data Integrity Using Hash Value before and after Jailbreaking
Data Acquisition from Android Device
Data Extraction
Other Unlock Techniques
Data Extraction Using Belkasoft and AXIOM
Android Rooting
Summary
References
Chapter 8: The Impact of Cryptocurrency Mining on Mobile Devices
Introduction to Cryptocurrency Mining
Measure of Cryptocurrency Mining
Tools, Programs, and Applications Used in Cryptocurrency Mining
Experiment and Analogy by iPhone 6s
Experiment and Analogy by LG g5 Mobile
Results and Analysis
The Result of the Experiments on Android Device
Summary
References
Chapter 9: Mobile Forensic Investigation for WhatsApp
WA Architecture
WA Experiment
Seizure Stage
Acquisition Stage
Tools Used in the Examination Process for iOS
iTunes Backup for iOS
iOS Acquisition Using Enigma Recovery Software
iOS Acquisition Using DB Browser for SQLite
iOS Acquisition Using iBackup Viewer Pro
iOS Acquisition Using Belkasoft Evidence Center
Tools Used in the Acquisition Process for Android
Android Acquisition Using ADB Command-Line Tools
Android Acquisition Using Belkasoft
Android Acquisition Using FINALMobile Forensic Software
Android Acquisition Using MOBILedit
WA Analysis Tools for iOS
iOS Analysis Using Belkasoft
iOS Analysis Using Magnet AXIOM Examine
iOS Analysis Using FINALMobile Forensic
iOS Analysis Using Enigma Recovery Tool
iOS Analysis Using iBackup Viewer Tool
WA Analysis Tools for Android
Forensic Tools Comparison on iOS Platform
Examination on a Backup Taken by iTunes
Examination on a Backup Taken from the Connected iPhone Device
Forensic Tools Comparison on Android Platform
Summary
References
Chapter 10: Cloud Computing Forensics: Dropbox Case Study
Forensic Artifacts in Cloud Storage
Cloud Computing Forensics
Android Acquisition Tools
Acquisition Using AXIOM Forensic Tool
Acquisition Using MOBILedit Express Tool
Acquisition Using ADB Tool
Physical Acquisition Using MOBILedit Tool
iOS Logical Acquisition Tools
iOS Logical Acquisition Using iTunes Tool
iBackup Viewer
iOS Logical Acquisition Using iTunes Tool
iExplorer Tool
DB Browser Tool
AXIOM Forensic Tool
Results and Analysis
Cloud Forensic Challenges
Summary
References
Chapter 11: Malware Forensics for Volatile and Nonvolatile Memory in Mobile Devices
Mobile Malware Forensics
Smartphone Volatile Memory
Mobile Device Case Details and Experiment
Logical Acquisition
iPhone Physical Acquisition
Android Physical Acquisition
iOS Analysis and Results
Evaluating Extraction Tools and Methods for Android and iOS Devices
Evaluating Android Extraction Techniques for Volatile and Nonvolatile Memory
Summary
References
Chapter 12: Mobile Forensic for KeyLogger Artifact
Introduction to Mobile KeyLogger
Seizure Phase
Android Acquisition Phase
Manual Backup via Android Debug Bridge
Reverse Engineering for Extracting an APK File
Steps Were Taken to Root LG V20 H990DS
Acquisition and Analysis Using FINALMobile Forensics Software
Acquisition and Analysis Using Magnet AXIOM Forensics Software
Results and Conclusions
References
Chapter 13: Evidence Identification Methods for Android and iOS Mobile Devices with Facebook Messenger
Introduction to FBM Application
Introduction to Mobile Messenger Application
Experiment Tools and Devices
iOS Device Identification
Device Identification Using Libimobiledevice
Device Identification Using Belkasoft Evidence Center
Device Identification Using Magnet AXIOM
Device Identification via IMEI Number
Android Device Connection Setup
Using Automated Tools
Gaining Root Access
Android Data Extraction Techniques
Manual Data Extraction
Logical Data Extraction
Physical Data Extraction
Practical Logical Data Extraction for iOS Devices
Logical Data Extraction Using iTunes
Logical Data Extraction Using Libimobiledevice Library
Logical Acquisition Using Belkasoft
Logical Acquisition Using Magnet AXIOM Process
Data Analyzing for FBM
FBM Data Analysis for Android
FBM Data Analysis Using Magnet AXIOM for iOS
FBM Data Analysis Using DB Browser for SQLite
Recovering Deleted Evidence from SQLite Property Lists
Reporting
Summary
References
Chapter 14: Mobile Forensics for iOS and Android Platforms: Chrome App Artifacts Depending on SQLite
iOS Chrome App Forensics Using SQLite
Seizure Phase
Acquisition Phase
Forensic Tools
Experimental Design
Acquisition by iTunes and Belkasoft
Examination/Analysis Phase
1. Using Belkasoft
2. Using FINALMobile
3. Using iBackUp
4. Using iExplorer
Android Chrome App Forensics Using SQLite
Before Rooting
Using ADB Command
Using AXIOM
Using Belkasoft
Using FINALMobile
Rooting
After Rooting
Examination and Analysis Phase for Android
1. Before Rooting
2. After Rooting
Results and Discussion
iOS
Android
Comparison between Tools Used for iOS
Summary
References
Index