Mobile Forensics – Advanced Investigative Strategies - Packt


Below is an outline of the eBook "Mobile Forensics – Advanced Investigative Strategies" by Packt. Members can log into the Library and view it in their browser using the email address they signed up with.




1. Introducing Mobile Forensics

Why we need mobile forensics
Available information
Mobile devices
Personal computers
Cloud storage
Stages of mobile forensics
Stage 1 – device seizure
Seizing – what and how should we seize?
The use of Faraday bags
Keeping the power on
Dealing with the kill switch
Mobile device anti-forensics
Stage 2 – data acquisition
Root, jailbreak, and unlocked bootloader
Android ADB debugging
SIM cloning
SIM card memory
Memory card
Stage 3 – data analysis


2. Acquisition Methods Overview

Over-the-air acquisition
Apple iCloud
Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10
Google Android
Logical acquisition (backup analysis)
Apple iOS
BlackBerry 10
Nandroid backups
Physical acquisition
Apple iOS
Windows Phone 8 and Windows 10 Mobile
Limitations and availability
Tools for physical acquisition
In-system programming


3. Acquisition – Approaching Android Devices

Android platform fragmentation
AOSP, GMS, and their forensic implications
Android logical acquisition
OEM software
Android acquisition – special considerations
Unallocated space
eMMC storage
Remapping and overprovisioning
Wear leveling
What happens to the deleted data?
JTAG forensics
When to JTAG a device
Limitations of JTAG forensics
Step-by-step JTAG acquisition
Chip-off acquisition
Chip-off and encryption
In-system programming forensics


4. Practical Steps to Android Acquisition

Android physical acquisition
Approaching physical acquisition
Encryption status – Is the data partition encrypted?
Service mode available
LG smartphones
Devices based on the Qualcomm reference platform
Mediatek-based Chinese phones
Bootloader status
Root status
LG smartphones' LAF mode
MediaTek smartphones
Qualcomm bootloader exploit
Qualcomm-based smartphones – HS-USB 9006
The Qualcomm 9006 mode
Tools for imaging via Qualcomm Download Mode 9006
Using custom recoveries
Imaging via custom recovery – making a Nandroid backup
Imaging via custom recovery – physical imaging via dd
Imaging the device
NANDroid backups
Is unlocked bootloader required?
Is root access required?
Producing a Nandroid backup
Analyzing Nandroid backups
Live imaging
Live imaging with root (via dd)
Live imaging without root (via ADB backup)
Live imaging using Oxygen Forensic Suite
Google Account acquisition – over-the-air
Why Google Account?
Google Account – what's inside?
A word on Android backups
Google Takeout
Google Account acquisition and analysis using Elcomsoft CloudExplorer
Two-factor authentication
User alerts
Viewing, searching, and analyzing data


5. iOS – Introduction and Physical Acquisition

iOS forensics – introduction
Generations of Apple hardware
Is jailbreak required?
Geolocation information
Where is the information stored?
iOS acquisition methods overview
iOS acquisition methods compared
iOS advanced logical acquisition
iOS physical acquisition
Physical acquisition benefits
What's unique about physical acquisition?
The future of physical acquisition
Physical acquisition compatibility matrix
Unallocated space – unavailable since iOS 4
Sending device to Apple
The role of passcode
Physical acquisition of iOS 8 and 9
Tools for iOS physical acquisition
Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit
What does the tool do?
Acquiring 64-bit Apple devices
Comparing 64-bit process and traditional physical acquisition
Supported devices and iOS versions
Performing physical acquisition on a 64-bit iOS device
What is available via 64-bit physical acquisition
Locked device with unknown passcode
Viewing and analyzing the image
Potential legal implications


6. iOS Logical and Cloud Acquisition

Understanding backups – local, cloud, encrypted and unencrypted
Encrypted versus unencrypted iTunes backups
Breaking backup passwords
Breaking the password – how long will it take?
A fast CPU and a faster video card
Breaking complex passwords
Knowing the user helps breaking the password
Tutorial – logical acquisition with Elcomsoft Phone Breaker
Breaking the password
Decrypting the backup
Dealing with long and complex passwords
Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP
iOS Cloud forensics – over-the-air acquisition
About Apple iCloud
Getting started with iCloud Keychain
Getting started with iCloud Drive
Understanding iCloud forensics
Tutorial – cloud acquisition with Elcomsoft Phone Breaker
Downloading iCloud backups – using Apple ID and password
Downloading iCloud/iCloud Drive backups – using authentication tokens
Extracting authentication tokens
iCloud authentication tokens (iOS 6 through 9) – limitations
iCloud Drive authentication tokens (iOS 9 and newer) – a different beast altogether
Quick start – selective downloading
Two-factor authentication
Two-factor authentication is optional
Two-factor authentication versus two-step verification – understanding the differences
Two-step verification
Two-factor authentication
No app-specific passwords in two-factor authentication
Cloud acquisition with two-step verification and two-factor authentication
What next?


7. Acquisition – Approaching Windows Phone and Windows 10 Mobile

Windows Phone security model
Windows Phone physical acquisition
JTAG forensics on Windows Phone 8.x and Windows 10 Mobile
Windows Phone 8.x device encryption
Windows 10 Mobile device encryption
Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics
Acquiring Windows Phone backups over the air


8. Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets

Windows 8, 8.1, 10, and RT on portable touchscreen devices
Acquisition of Windows tablets
Understanding Secure Boot
Connected Standby (InstantGo)
BitLocker device encryption
BitLocker and Encrypting File System
BitLocker and hibernation
BitLocker acquisition summary
Capturing a memory dump
Types of evidence available in volatile memory
Special case – Windows RT devices
SD cards and Windows File History
Imaging Built-in eMMC Storage
eMMC and deleted data recovery
Windows 8 and Windows 10 encryption – TRIM versus BitLocker
Booting Windows tablets from recovery media
Special case – recovery media for Windows RT
Steps to boot from recovery media
Configuring UEFI BIOS to boot from recovery media
Acquiring a BitLocker encryption key
Breaking into Microsoft Account to acquire the BitLocker Recovery Key
Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions
BitLocker keys and Trusted Platform Module
Imaging Windows RT tablets
BitLocker encryption
DISM – a built-in tool to image Windows RT
Must be logged in with an administrative account
Must be logged in
Booting to the WinRE command prompt
Entering BitLocker Recovery Key
Using DISM.exe to image the drive
Cloud Acquisition


9. Acquisition – Approaching BlackBerry

The history of the BlackBerry OS – BlackBerry 1.0-7.1
BlackBerry 7 JTAG, ISP, and chip-off acquisition
Acquiring BlackBerry desktop backups
Decrypting the backup
BlackBerry Password Keeper and BlackBerry Wallet
BlackBerry Password Keeper
BlackBerry Wallet
BlackBerry security model – breaking a device password
Acquiring BlackBerry 10
Getting started
BlackBerry 10 backups
BlackBerry 10 – considering ISP and chip-off forensics
Acquiring BlackBerry 10 backups
Using Elcomsoft Phone Breaker
Using Oxygen Forensic Suite
Analyzing BlackBerry backups


10. Dealing with Issues, Obstacles, and Special Cases

Cloud acquisition and two-factor authentication
Two-factor authentication – Apple, Google, and Microsoft
Online versus offline authentication
App passwords and two-factor authentication
Google's two-factor authentication
Microsoft's implementation
Apple's two-step verification
Apple's two-factor authentication
Bypassing Apple's two-factor authentication
Two-factor authentication – a real roadblock
Unallocated space
The issue of unallocated space
Accessing destroyed evidence in different mobile platforms
Apple iOS – impossible
BlackBerry – Iffy
SD cards
Android – possible with limitations
Android – built-in storage
Unencrypted storage
Encrypted storage
Encryption in different versions of Android
Android – SD cards
Android – SD card encryption
Windows Phone 8 and 8.1 – possible for end-user devices with limitations
Windows Phone BitLocker encryption
Windows Phone SD cards
Windows RT, Windows 8/8.1, and Windows 10
eMMC and deleted data
eMMC and SSD – similarities
eMMC and SSD – differences
Overprovisioning and remapping
User data in overprovisioned areas
Delete operations on non-encrypted eMMC drives
eMMC conclusion
SD cards
SD card encryption
Apple iOS
Windows Phone 8/8.1
Windows 10 Mobile
Windows RT
Windows 8 through 10
BlackBerry OS 1 through 7
BlackBerry 10
SD cards conclusion
SQLite databases (access to call logs, browsing history, and many more)


11. Mobile Forensic Tools and Case Studies

Micro Systemation AB
Oxygen Forensic toolkit
BlackBag Mobilyze
ElcomSoft tools
Case studies
Mobile forensics
Data recovery
BlackBerry scenarios
Locked BlackBerry devices
Locked BlackBerry, not attached to BlackBerry Enterprise Server (BES)
Locked BlackBerry attached to BES
Locked BlackBerry attached to BES with Pretty Good Privacy (PGP) encryption
Locked BlackBerry, not attached to BES
Locked BlackBerry – completed successful chipoff
Locked BlackBerry – password does not work
Unlocked BlackBerry devices
Unlocked BlackBerry device with no password
Unlocked BlackBerry device with password



This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA. 
