Practical Mobile Forensics.
Title:
Practical Mobile Forensics.
Author:
Bommisetty, Satish.
ISBN:
9781783288328
Personal Author:
Physical Description:
1 online resource (366 pages)
Contents:
Practical Mobile Forensics -- Table of Contents -- Practical Mobile Forensics -- Credits -- About the Authors -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers, and more -- Why subscribe? -- Free access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the example code -- Downloading the color images of the book -- Errata -- Piracy -- Questions -- 1. Introduction to Mobile Forensics -- Mobile forensics -- Mobile forensic challenges -- Mobile phone evidence extraction process -- The evidence intake phase -- The identification phase -- The legal authority -- The goals of the examination -- The make, model, and identifying information for the device -- Removable and external data storage -- Other sources of potential evidence -- The preparation phase -- The isolation phase -- The processing phase -- The verification phase -- Comparing extracted data to the handset data -- Using multiple tools and comparing the results -- Using hash values -- The document and reporting phase -- The presentation phase -- The archiving phase -- Practical mobile forensic approaches -- Mobile operating systems overview -- Android -- iOS -- Windows phone -- BlackBerry OS -- Mobile forensic tool leveling system -- Manual extraction -- Logical extraction -- Hex dump -- Chip-off -- Micro read -- Data acquisition methods -- Physical acquisition -- Logical acquisition -- Manual acquisition -- Potential evidence stored on mobile phones -- Rules of evidence -- Admissible -- Authentic -- Complete -- Reliable -- Believable -- Good forensic practices -- Securing the evidence -- Preserving the evidence -- Documenting the evidence -- Documenting all changes -- Summary -- 2. Understanding the Internals of iOS Devices.

iPhone models -- iPhone hardware -- iPad models -- iPad hardware -- File system -- The HFS Plus file system -- The HFS Plus volume -- Disk layout -- iPhone operating system -- iOS history -- 1.x - the first iPhone -- 2.x - App Store and 3G -- 3.x - the first iPad -- 4.x - Game Center and multitasking -- 5.x - Siri and iCloud -- 6.x - Apple Maps -- 7.x - the iPhone 5S and beyond -- The iOS architecture -- The Cocoa Touch layer -- The Media layer -- The Core Services layer -- The Core OS layer -- iOS security -- Passcode -- Code signing -- Sandboxing -- Encryption -- Data protection -- Address Space Layout Randomization -- Privilege separation -- Stack smashing protection -- Data execution prevention -- Data wipe -- Activation Lock -- App Store -- Jailbreaking -- Summary -- 3. Data Acquisition from iOS Devices -- Operating modes of iOS devices -- Normal mode -- Recovery mode -- DFU mode -- Physical acquisition -- Acquisition via a custom ramdisk -- The forensic environment setup -- Downloading and installing the ldid tool -- Verifying the codesign_allocate tool path -- Installing OSXFuse -- Installing Python modules -- Downloading iPhone Data Protection Tools -- Building the IMG3FS tool -- Downloading redsn0w -- Creating and loading the forensic toolkit -- Downloading the iOS firmware file -- Modifying the kernel -- Building a custom ramdisk -- Booting the custom ramdisk -- Establishing communication with the device -- Bypassing the passcode -- Imaging the data partition -- Decrypting the data partition -- Recovering the deleted data -- Acquisition via jailbreaking -- Summary -- 4. Data Acquisition from iOS Backups -- iTunes backup -- Pairing records -- Understanding the backup structure -- info.plist -- manifest.plist -- status.plist -- manifest.mbdb -- Header -- Record -- Unencrypted backup -- Extracting unencrypted backups -- iPhone Backup Extractor.

iPhone Backup Browser -- iPhone Data Protection Tools -- Decrypting the keychain -- Encrypted backup -- Extracting encrypted backups -- iPhone Data Protection Tools -- Decrypting the keychain -- iPhone Password Breaker -- iCloud backup -- Extracting iCloud backups -- Summary -- 5. iOS Data Analysis and Recovery -- Timestamps -- Unix timestamps -- Mac absolute time -- SQLite databases -- Connecting to a database -- SQLite special commands -- Standard SQL queries -- Important database files -- Address book contacts -- Address book images -- Call history -- SMS messages -- SMS Spotlight cache -- Calendar events -- E-mail database -- Notes -- Safari bookmarks -- The Safari web caches -- The web application cache -- The WebKit storage -- The photos metadata -- Consolidated GPS cache -- Voicemail -- Property lists -- Important plist files -- The HomeDomain plist files -- The RootDomain plist files -- The WirelessDomain plist files -- The SystemPreferencesDomain plist files -- Other important files -- Cookies -- Keyboard cache -- Photos -- Wallpaper -- Snapshots -- Recordings -- Downloaded applications -- Recovering deleted SQLite records -- Summary -- 6. iOS Forensic Tools -- Elcomsoft iOS Forensic Toolkit -- Features of EIFT -- Usage of EIFT -- Guided mode -- Manual mode -- EIFT-supported devices -- Compatibility notes -- Oxygen Forensic Suite 2014 -- Features of Oxygen Forensic Suite -- Usage of Oxygen Forensic Suite -- Oxygen Forensic Suite 2014 supported devices -- Cellebrite UFED Physical Analyzer -- Features of Cellebrite UFED Physical Analyzer -- Usage of Cellebrite UFED Physical Analyzer -- Supported devices -- Paraben iRecovery Stick -- Features of Paraben iRecovery Stick -- Usage of Paraben iRecovery Stick -- Devices supported by Paraben iRecovery Stick -- Open source or free methods -- Summary -- 7. Understanding Android -- The Android model.

The Linux kernel layer -- Libraries -- Dalvik virtual machine -- The application framework layer -- The applications layer -- Android security -- Secure kernel -- The permission model -- Application sandbox -- Secure interprocess communication -- Application signing -- Android file hierarchy -- Android file system -- Viewing file systems on an Android device -- Extended File System - EXT -- Summary -- 8. Android Forensic Setup and Pre Data Extraction Techniques -- A forensic environment setup -- Android Software Development Kit -- Android SDK installation -- Android Virtual Device -- Connecting an Android device to a workstation -- Identifying the device cable -- Installing the device drivers -- Accessing the connected device -- Android Debug Bridge -- Accessing the device using adb -- Detecting connected devices -- Killing the local adb server -- Accessing the adb shell -- Handling an Android device -- Screen lock bypassing techniques -- Using adb to bypass the screen lock -- Deleting the gesture.key file -- Updating the settings.db file -- Checking for the modified recovery mode and adb connection -- Flashing a new recovery partition -- Smudge attack -- Using the primary Gmail account -- Other techniques -- Gaining root access -- What is rooting? -- Rooting an Android device -- Root access - adb shell -- Summary -- 9. Android Data Extraction Techniques -- Imaging an Android Phone -- Data extraction techniques -- Manual data extraction -- Using root access to acquire an Android device -- Logical data extraction -- Using the adb pull command -- Extracting the /data directory on a rooted device -- Using SQLite Browser -- Extracting device information -- Extracting call logs -- Extracting SMS/MMS -- Extracting browser history -- Analysis of social networking/IM chats -- Using content providers -- Physical data extraction -- JTAG -- Chip-off.

Imaging a memory (SD) card -- Summary -- 10. Android Data Recovery Techniques -- Data recovery -- Recovering the deleted files -- Recovering deleted data from an SD card -- Recovering data deleted from internal memory -- Recovering deleted files by parsing SQLite files -- Recovering files using file-carving techniques -- Summary -- 11. Android App Analysis and Overview of Forensic Tools -- Android app analysis -- Reverse engineering Android apps -- Extracting an APK file from an Android device -- Steps to reverse engineer Android apps -- Forensic tools overview -- The AFLogical tool -- AFLogical Open Source Edition -- AFLogical Law Enforcement (LE) -- Cellebrite - UFED -- Physical extraction -- MOBILedit -- Autopsy -- Analyzing an Android in Autopsy -- Summary -- 12. Windows Phone Forensics -- Windows Phone OS -- Security model -- Windows chambers -- Capability-based model -- App sandboxing -- Windows Phone file system -- Data acquisition -- Sideloading using ChevronWP7 -- Extracting the data -- Extracting SMS -- Extracting e-mail -- Extracting application data -- Summary -- 13. BlackBerry Forensics -- BlackBerry OS -- Security features -- Data acquisition -- Standard acquisition methods -- Creating a BlackBerry backup -- BlackBerry analysis -- BlackBerry backup analysis -- BlackBerry forensic image analysis -- Encrypted BlackBerry backup files -- Forensic tools for BlackBerry analysis -- Summary -- Index.
Abstract:
The book is an easy-to-follow guide with clear instructions on various mobile forensic techniques. The chapters and the topics within are structured for a smooth learning curve, which will swiftly empower you to master mobile forensics. If you are a budding forensic analyst, consultant, engineer, or a forensic professional wanting to expand your skillset, this is the book for you. The book will also be beneficial to those with an interest in mobile forensics or wanting to find data lost on mobile devices. It will be helpful to be familiar with forensics in general but no prior experience is required to follow this book.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.