Practical Mobile Forensics
Rohit Tamma Oleg Skulkin Heather Mahalik Satish Bommisetty更新时间:2021-06-24 16:39:54
最新章节:Leave a review - let other readers know what you think封面
Title Page
Copyright and Credits
Practical Mobile Forensics Fourth Edition
About Packt
Why subscribe?
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
Introduction to Mobile Forensics
The need for mobile forensics
Understanding mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
Data that needs to be extracted
The make model and identifying information for the device
Data storage media
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
The documenting and reporting phase
The archiving phase
Practical mobile forensic approaches
Understanding mobile operating systems
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical analysis
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Section 1: iOS Forensics
Understanding the Internals of iOS Devices
iPhone models and hardware
Identifying the correct hardware model
Understanding the iPhone hardware
iPad models and hardware
Understanding the iPad hardware
The HFS Plus and APFS filesystems
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
The iPhone OS
The iOS architecture
iOS security
Passcodes Touch ID and Face ID
Code signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization (ASLR)
Privilege separation
Stack-smashing protection
Data Execution Prevention (DEP)
Data wiping
Activation Lock
The App Store
Jailbreaking
Summary
Data Acquisition from iOS Devices
Operating modes of iOS devices
Normal mode
Recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Logical acquisition
Practical logical acquisition with libimobiledevice
Practical logical acquisition with the Belkasoft Acquisition Tool
Practical logical acquisition with Magnet ACQUIRE
Filesystem acquisition
Practical jailbreaking
Practical filesystem acquisition with free tools
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
Summary
Data Acquisition from iOS Backups
Working with iTunes backups
Creating and analyzing backups with iTunes
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.db
Extracting unencrypted backups
iBackup Viewer
iExplorer
Handling encrypted backup files
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
iOS Data Analysis and Recovery
Interpreting iOS timestamps
Unix timestamps
Mac absolute time
WebKit/Chrome time
Working with SQLite databases
Connecting to a database
Exploring SQLite special commands
Exploring standard SQL queries
Accessing a database using commercial tools
Key artifacts – important iOS database files
Address book contacts
Address book images
Call history
Short Message Service (SMS) messages
Calendar events
Notes
Safari bookmarks and history
Voicemail
Recordings
Device interaction
Phone numbers
Property lists
Important plist files
Other important files
Local dictionary
Photos
Thumbnails
Wallpaper
Downloaded third-party applications
Recovering deleted SQLite records
Summary
iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
Working with Magnet AXIOM
Features of Magnet AXIOM
Logical acquisition and analysis with Magnet AXIOM
Working with Belkasoft Evidence Center
Features of Belkasoft Evidence Center
Logical acquisition and analysis with Belkasoft Evidence Center
Working with Elcomsoft Phone Viewer
Features of Elcomsoft Phone Viewer
Filesystem analysis with Elcomsoft Phone Viewer
Summary
Section 2: Android Forensics
Understanding Android
The evolution of Android
The Android architecture
The Linux kernel layer
The Hardware Abstraction Layer
Libraries
Dalvik Virtual Machine (DVM)
ART
The Java API framework layer
The system apps layer
Android security
Secure kernel
The permission model
Application sandbox
Secure IPC
Application signing
Security-Enhanced Linux (SELinux)
FDE
Android Keystore
TEE
Verified Boot
The Android file hierarchy
The Android filesystem
Viewing filesystems on an Android device
Common filesystems found on Android
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
Android Forensic Setup and Pre-Data Extraction Techniques
Setting up a forensic environment for Android
Installing the software
Installing the Android platform tools
Creating an Android virtual device
Connecting an Android device to a workstation
Identifying the device cable
Installing device drivers
Accessing the connected device
The Android debug bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local ADB server
Accessing the adb shell
Basic Linux commands
Handling an Android device
Screen lock bypassing techniques
Using ADB to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and ADB connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Bypass using Find My Mobile (for Samsung phones only)
Smudge attack
Using the forgot password/forgot pattern option
Bypassing third-party lock screens by booting into safe mode
Secure USB debugging bypass using ADB keys
Secure USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Understanding the rooting process
Rooting an Android device
Root access - ADB shell
Summary
Android Data Extraction Techniques
Understanding data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history information
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android phone
Imaging a memory (SD) card
Joint Test Action Group
The chip-off technique
Summary
Android Data Analysis and Recovery
Analyzing and extracting data from Android image files using the Autopsy tool
The Autopsy platform
Adding an image to Autopsy
Analyzing an image using Autopsy
Understanding techniques to recover deleted files from the SD card and the internal memory
Recovering deleted data from an external SD card
Recovering data deleted from the internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Recovering contacts using your Google account
Summary
Android App Analysis Malware and Reverse Engineering
Analyzing widely used Android apps to retrieve valuable data
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Techniques to reverse engineer an Android application
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
Types of Android malware
How does Android malware spread?
Identifying Android malware
Summary
Section 3: Windows Forensics and Third-Party Apps
Windows Phone Forensics
Windows Phone OS
Windows 10 Mobile security model
Chambers
Encryption
Capability-based model
App sandboxing
Windows Phone filesystem
Data acquisition
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting contacts and SMS
Extracting call history
Extracting internet history
Summary
Parsing Third-Party Application Files
Introduction to third-party applications
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
iOS Android and Windows Phone application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Forensic Detective
Magnet AXIOM
UFED Physical Analyzer
Open source/free tools
Working with Autopsy
Other methods of extracting application data
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
更新时间:2021-06-24 16:39:54