Practical Mobile Forensics - Second Edition - Heather Mahalik - E-Book

Description

A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms

About This Book

  • Get to grips with the basics of mobile forensics and the various forensic approaches
  • Retrieve and analyze the data stored on mobile devices and on the cloud
  • A practical guide to leverage the power of mobile forensics on the popular mobile platforms with lots of tips, tricks and caveats

Who This Book Is For

This book is for forensics professionals who are eager to widen their forensics skillset to mobile forensics and acquire data from mobile devices.

What You Will Learn

  • Discover the new features in practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on the iOS and Android platforms
  • Set up the forensic environment
  • Extract data on the iOS and Android platforms
  • Recover data on the iOS and Android platforms
  • Understand the forensics of Windows devices
  • Explore various third-party application techniques and data recovery techniques

In Detail

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This book is an update to Practical Mobile Forensics and it delves into the concepts of mobile forensics and its importance in today's world.

We will deep dive into mobile forensics techniques in iOS 8 - 9.2, Android 4.4 - 6, and Windows Phone devices. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from cloud, and document and prepare reports for your investigations.

By the end of this book, you will have mastered the current operating systems and techniques so you can recover data from mobile devices by leveraging open source solutions.

Style and approach

This book takes a very practical approach and depicts real-life mobile forensics scenarios with lots of tips and tricks to help acquire the required forensics skillset for various mobile platforms.

Page count: 394

Year of publication: 2016




Table of Contents

Practical Mobile Forensics - Second Edition
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introduction to Mobile Forensics
Why do we need mobile forensics?
Mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
The goals of the examination
The make, model, and identifying information for the device
Removable and external data storage
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
Comparing extracted data to the handset data
Using multiple tools and comparing the results
Using hash values
The document and reporting phase
The presentation phase
The archiving phase
Practical mobile forensic approaches
Mobile operating systems overview
Android
iOS
Windows phone
Mobile forensic tool leveling system
Manual extraction
Logical extraction
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence
Documenting all changes
Summary
2. Understanding the Internals of iOS Devices
iPhone models
Identifying the correct hardware model
iPhone hardware
iPad models
Understanding the iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
File system
The HFS Plus file system
The HFS Plus volume
Disk layout
iPhone operating system
The iOS architecture
iOS security
Passcodes
Code signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization
Privilege separation
Stack smashing protection
Data execution prevention
Data wipe
Activation Lock
The App Store
Jailbreaking
Summary
3. iOS Forensic Tools
Working with Elcomsoft iOS Forensic Toolkit
Features of EIFT
Usage of EIFT
The guided mode
The manual mode
EIFT-supported devices
Compatibility notes
Oxygen Forensic Detective
Features of Oxygen Forensic Detective
Usage of Oxygen Forensic Detective
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Usage of Cellebrite UFED Physical Analyzer
Supported devices
Working with BlackLight
Features of BlackLight
Usage of BlackLight
Open source or free methods
Working with Magnet ACQUIRE
Features of Magnet ACQUIRE
Usage of Magnet ACQUIRE
Working with NowSecureCE
Features of NowSecureCE
Usage of NowSecureCE
Summary
4. Data Acquisition from iOS Devices
Operating modes of iOS devices
The normal mode
The recovery mode
DFU mode
Setting up the forensic environment
Physical acquisition
Physical acquisition via a custom ramdisk
Imaging the user and system partitions
Encrypted file systems
File system acquisition
Logical acquisition
Bypassing the passcode
Acquisition of jailbroken devices
Summary
5. Data Acquisition from iOS Backups
iTunes backup
Pairing records
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.mbdb
Header
Record
Unencrypted backup
Extracting unencrypted backups
iPhone Backup Extractor
iExplorer
BlackLight
Decrypting the keychain
Encrypted backup
Extracting encrypted backups
Decrypting the keychain
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
6. iOS Data Analysis and Recovery
Timestamps
UNIX timestamps
Mac absolute time
SQLite databases
Connecting to a database
SQLite special commands
Standard SQL queries
Accessing a database using commercial tools
Key artifacts - important iOS database files
Address book contacts
Address book images
Call history
SMS messages
Calendar events
Notes
Safari bookmarks and cache
The photos metadata
Consolidated GPS cache
Voicemail
Property lists
Important plist files
The HomeDomain plist files
The RootDomain plist files
The WirelessDomain plist files
The SystemPreferencesDomain plist files
Other important files
Cookies
Keyboard cache
Photos
Wallpaper
Snapshots
Recordings
Downloaded applications
The Apple Watch
Recovering deleted SQLite records
Summary
7. Understanding Android
The evolution of Android
The Android model
The Linux kernel layer
Libraries
Dalvik virtual machine
Android Runtime (ART)
The Application Framework layer
The applications layer
The Android security
Secure kernel
The permission model
Application sandbox
Secure inter-process communication
Application signing
Security-Enhanced Linux
Full disk encryption
The Android file hierarchy
The Android file system
Viewing file systems on an Android device
Common file systems found on Android
Summary
8. Android Forensic Setup and Pre Data Extraction Techniques
Setting up the forensic environment for Android
The Android Software Development Kit
The Android SDK installation
An Android Virtual Device
Connecting an Android device to a workstation
Identifying the device cable
Installing the device drivers
Accessing the connected device
The Android Debug Bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local adb server
Accessing the adb shell
Handling an Android device
Screen lock bypassing techniques
Using adb to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and adb connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Smudge attack
Using the Forgot Password/Forgot Pattern option
Bypassing Third-Party Lock Screen by booting into safe mode
Secure USB debugging bypass using adb keys
Secure USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Rooting an Android device
Root access - adb shell
Summary
9. Android Data Extraction Techniques
Data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android Phone
Imaging a memory (SD) card
Joint Test Action Group
Chip-off
Summary
10. Android Data Analysis and Recovery
Analyzing an Android image
Autopsy
Adding an image to Autopsy
Analyzing an image using Autopsy
Android data recovery
Recovering deleted data from external SD card
Recovering data deleted from internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file carving techniques
Recovering contacts using your Google account
Summary
11. Android App Analysis, Malware, and Reverse Engineering
Analyzing Android apps
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Reverse engineering Android apps
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
How does malware spread?
Identifying Android malware
Summary
12. Windows Phone Forensics
Windows Phone OS
Security model
Windows chambers
Encryption
Capability-based model
App sandboxing
The Windows Phone file system
Data acquisition
Sideloading using ChevronWP7
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting SMS
Extracting e-mail
Extracting application data
Summary
13. Parsing Third-Party Application Files
Third-party application overview
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
Application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Detective
Magnet IEF
UFED Physical Analyzer
Open source tools
Autopsy
Other methods to extract application data
Summary

Practical Mobile Forensics - Second Edition

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2014

Second published: May 2016

Production reference: 1130516

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78646-420-0

www.packtpub.com

Credits

Authors

Heather Mahalik

Rohit Tamma

Satish Bommisetty

Copy Editor

Pranjali Chury 

Reviewer

Donnie Tindall

Project Coordinator

Suzanne Coutinho 

Commissioning Editor

Priya Singh

Proofreader

Safis Editing

Acquisition Editor

Rahul Nair

Indexer

Rekha Nair

Content Development Editors

Amey Varangaonkar

Merint Mathew

Production Coordinator

Manu Joseph

Technical Editor

Vivek Pala

Cover Work

Manu Joseph

About the Authors

Heather Mahalik is a principal forensic scientist with Oceans Edge, Inc., where she leads the forensic effort focusing on mobile and digital exploitation. She is a senior instructor and author for the SANS Institute, and she is also the course leader for the FOR585 Advanced Smartphone Forensics course. With over 13 years of experience in digital forensics, she continues to thrive on smartphone investigations, forensic course development and instruction, and research on application analysis and smartphone forensics.

Prior to joining Oceans Edge, Heather was the Mobile Exploitation Team Lead at Basis Technology. When starting her career, she worked at Stroz Friedberg and for the U.S. Department of State Computer Investigations and Forensics Lab as a contractor. Heather earned her bachelor's degree from West Virginia University. She co-authored Practical Mobile Forensics (First edition) and was the technical reviewer for Learning Android Forensics. She has authored white papers and forensic course material and has taught hundreds of courses worldwide to Law Enforcement, Military, Government, IT, eDiscovery, and other forensic professionals focusing on mobile device and digital forensics.

My first book was dedicated to the people who afforded me the opportunity to grow into the examiner I am today. This book is dedicated to those who push me to keep learning and allow me to share my knowledge – my students. Without you, I would not have had a reason to stay ahead of the curve, find those odd artifacts, and learn ways to outsmart the tools. You give me motivation to keep charging ahead. I would also like to thank metr0 for affording me opportunities to do things in my career that stretch far outside of what the norm is in forensics. I will be forever grateful.

To my husband, thank you for being such a great dad and for picking up the slack so that I can work as hard as I do. To Jack, always remember that your mama wants to be home with you and misses you while she's away. Remember that my work is important and teaching others the right way to conduct digital examinations may make your world a safer and better place. "The students" are happy you let them borrow your mommy. I would not be where I am today or able to travel and teach as much as I do without my amazing family and students.

Rohit Tamma is a security analyst currently working with Microsoft. With over 7 years of experience in the field of security, his background spans consulting/analyst roles in the areas of application security, mobile security, penetration testing, and security training. His past experiences include working with Accenture, ADP, and TCS, driving security programs for various client teams. Rohit has also coauthored Learning Android Forensics, which explains various techniques to perform forensics on the Android platform. You can contact him at [email protected] or on Twitter at @RohitTamma.

Writing this book has been a great experience as it has taught me several things, which could not have been possible otherwise. I would like to dedicate this book to my parents for helping me in every possible way throughout my life.

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and is listed in their hall of fame.

I would like to thank everyone who encouraged me while producing this book.

About the Reviewer

Donnie Tindall is an assistant vice president of cyber security and digital forensics at Deutsche Bank. He previously spent many years as a US government contractor focusing on mobile forensics and provided unique solutions to challenging forensic issues. He was also responsible for the development and teaching of various forensic courses to government and military users. Donnie has performed thousands of mobile device examinations, including on Nokia, BlackBerry, Android, and iPhone devices. He is also an IACIS Certified Forensic Computer Examiner, author of Learning Android Forensics, and instructor for FOR585 - the SANS Institute’s smartphone forensics course.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Free access for Packt account holders

Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.

Preface

The exponential growth of mobile devices has revolutionized many aspects of our lives. In what is called the post-PC era, smartphones are overtaking desktop computers with their enhanced functionality and improved storage capacity. This rapid transformation has led to increased usage of mobile handsets across all sectors.

Despite their small size, smartphones are capable of performing many tasks: sending private messages and confidential e-mails, taking photos and videos, making online purchases, viewing our salary slips, completing banking transactions, accessing social networking sites, managing business tasks, and more. Hence, a mobile device is now a huge repository of sensitive data that can provide a wealth of information about its owner. This has in turn led to the evolution of Mobile Device Forensics, a branch of digital forensics that deals with retrieving data from a mobile device. Today, there is huge demand for specialized forensic experts, especially given the fact that the data retrieved from a mobile device is court admissible.

Mobile forensics is all about utilizing scientific methodologies to recover data stored within a mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics has limitations in obtaining evidence due to rapid changes in the technology and the fast-paced evolution of mobile software. With different operating systems and with a wide range of models being released into the market, mobile forensics has expanded over the last few years. Specialized forensic techniques and skills are required in order to extract data under different conditions.

This book takes you through the challenges involved in mobile forensics and practically explains detailed methods of collecting evidence from different mobile devices with iOS, Android, and Windows mobile operating systems.

This book is organized in a manner that allows you to focus independently on chapters that are specific to your required platform.

What this book covers

Chapter 1, Introduction to Mobile Forensics, introduces you to the concepts of mobile forensics, its core values, and its limitations. This chapter also provides an overview of practical approaches and best practices involved in performing mobile forensics.

Chapter 2, Understanding the Internals of iOS Devices, provides an overview of the popular Apple iOS devices, including an outline of different models and their hardware. Throughout this book, we explain iOS security features and device security and its impact on the iOS forensics approaches. This chapter also gives an overview of the iOS file system and outlines the sensitive files that are useful for forensic examination.

Chapter 3, iOS Forensic Tools, gives an overview of existing open source and commercial iOS forensics tools. These tools differ in the range of mobile phones they support and the amount of data that they can recover. This chapter describes the advantages and limitations of those tools.

Chapter 4, Data Acquisition from iOS Devices, covers various types of forensic acquisition methods that can be performed on iOS devices and guides you through preparing your desktop machine for forensic work. This chapter also discusses passcode bypass techniques and physical extraction of the devices and explains different ways in which the device can be imaged.

Chapter 5, Data Acquisition from iOS Backups, provides detailed explanations of the different types of iOS backups and details what types of files are stored in a backup. This chapter also covers logical acquisition techniques for recovering data from the backups.

Chapter 6, iOS Data Analysis and Recovery, discusses the types of data that are stored on iOS devices and the general location of this data storage. Common file types used in iOS devices, such as plist and SQLite, are discussed in detail to provide an understanding of how the data is stored on the device, which will help forensic examiners to efficiently recover data from these files.

Chapter 7, Understanding Android, introduces you to the Android model, file system, and its security features. It provides an explanation of how data is stored in any Android device, which will be useful while carrying out forensic investigation.

Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques, guides you through the Android forensic setup and other techniques to follow before extracting any information. Screen lock bypass techniques and gaining root access are also discussed in this chapter.

Chapter 9, Android Data Extraction Techniques, provides an explanation of physical, file system, and logical acquisition techniques for extracting relevant information from an Android device.

Chapter 10, Android Data Analysis and Recovery, talks about extracting and analyzing data from Android image files. This chapter also covers the possibilities and limitations of recovering deleted data from Android devices.

Chapter 11, Android App Analysis, Malware, and Reverse Engineering, covers the analysis of some of the widely used Android apps to retrieve valuable data. This chapter also covers Android malware and techniques to reverse engineer an Android app.

Chapter 12, Windows Phone Forensics, provides a basic overview of forensic approaches when dealing with Windows Phones.

Chapter 13, Parsing Third-Party Application Files, covers forensic approaches to include acquisition and analysis techniques when dealing with BlackBerry devices. BlackBerry encryption and data protection is also addressed.

What you need for this book

This book provides practical forensic approaches and explains the techniques in a simple manner. The content is organized in a way that allows even a user with basic computer skills to examine the device and extract the required data. A Macintosh, Windows, or Linux computer will be helpful to successfully repeat the methods defined in this book. Where possible, methods for all computer platforms are provided.

Who this book is for

This book is intended for forensic examiners with little or basic experience in mobile forensics or with open source solutions for mobile forensics. This book will also be useful to computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. This book will also come in handy for those who are trying to recover accidentally deleted data (photos, contacts, SMS, and more).

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "The user data partition occupies most of the NAND memory and is mounted at /private/var on the device."

Any command-line input or output is written as follows:

$ git clone https://github.com/benvium/libimobiledevice-macosx.git ~/Desktop/libimobiledevice-macosx/

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Every time an application is suspended to the background by pressing the Home button".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Chapter 1. Introduction to Mobile Forensics

There is no doubt that mobile devices have become part of our lives and revolutionized the way we do most of our activities. As a result, a mobile device is now a huge repository that holds sensitive information about its owner. This has in turn led to the rise of mobile device forensics, a branch of digital forensics that deals with retrieving data from a mobile device. This book will help you understand forensic techniques on three main platforms—Android, iOS, and Windows. We will practically go through various methods that can be followed to collect evidence from different mobile devices.

In this chapter, we will cover the following topics:

  • Introduction to mobile forensics
  • Challenges in mobile forensics
  • Mobile phone evidence extraction process
  • Mobile forensic approaches
  • Good forensic practices

Why do we need mobile forensics?

In 2015, there were more than 7 billion mobile cellular subscriptions worldwide, up from less than 1 billion in 2000, according to the International Telecommunication Union (ITU). The world is witnessing technology and user migration from desktops to mobile phones. The following graph, sourced from statista.com, shows the actual and estimated growth of smartphones from the year 2009 to 2018.

Growth of smartphones from 2009 to 2018 in million units

Gartner Inc. reports that global mobile data traffic reached 52 million terabytes (TB) in 2015, an increase of 59 percent from 2014, and the rapid growth is set to continue through 2018, when mobile data levels are estimated to reach 173 million TB. Smartphones of today, such as the Apple iPhone, the Samsung Galaxy series, and BlackBerry phones, are compact forms of computers with high performance, huge storage, and enhanced functionalities. Mobile phones are the most personal electronic device that a user accesses. They are used to perform simple communication tasks, such as calling and texting, while still providing support for Internet browsing, e-mail, taking photos and videos, creating and storing documents, identifying locations with GPS services, and managing business tasks. As new features and applications are incorporated into mobile phones, the amount of information stored on the devices is continuously growing. Mobile phones have become portable data carriers, and they keep track of all your movements. With the increasing prevalence of mobile phones in people's daily lives and in crime, data acquired from phones becomes an invaluable source of evidence for investigations relating to criminal, civil, and even high-profile cases. It is rare to conduct a digital forensic investigation that does not include a phone. Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010.

The details of the case can be found at http://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/.

The science behind recovering digital evidence from mobile phones is called mobile forensics. Digital evidence is defined as information and data that is stored on, received, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case.

Mobile forensics

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device. Over the years, digital forensics has grown along with the rapid growth of computers and various other digital devices. There are various branches of digital forensics based on the type of digital device involved, such as computer forensics, network forensics, mobile forensics, and so on.

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. The main principle for a sound forensic examination of digital evidence is that the original evidence must not be modified. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, so a standard write blocker will not work during forensic acquisition. Other forensic acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to extracting data for forensic examination. In cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented. Following proper methodology and guidelines is crucial in examining mobile devices, as it yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
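The principle just stated (the original evidence must not be modified, and any unavoidable change must be validated and documented) is checked in practice with hash values, which the verification phase later in this chapter returns to. The following Python is an added example, not code from the book or its authors: it hashes an acquired image at the time of acquisition, stores the digests in a chain-of-custody record, and later re-hashes a copy to prove it is byte-for-byte unchanged, reporting which digests disagree if it is not. The image bytes and the case identifier are constructed placeholders, and the record layout is an assumption for illustration.

```python
"""Hash-based integrity verification of an acquired mobile device image.

Added example (not from the book). Demonstrates the forensically sound
principle "original evidence must not be modified": hash at acquisition,
record the digests, re-hash later and compare. The sample image bytes,
case identifier and record layout are constructed for illustration.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Hash in 1 MiB chunks so a multi-gigabyte raw image never has to fit in memory.
CHUNK_SIZE = 1024 * 1024

# Two algorithms are recorded: MD5 because many tools and reports still list it,
# SHA-256 because MD5 alone is no longer considered collision resistant.
DEFAULT_ALGORITHMS = ("md5", "sha256")


def hash_stream(stream, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hexdigest} for a binary file-like object, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data (tests, small samples)."""
    return hash_stream(io.BytesIO(data), algorithms)


def make_acquisition_record(case_id, description, data):
    """Build a chain-of-custody record: what was hashed, when (UTC), and the digests."""
    return {
        "case_id": case_id,
        "description": description,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_bytes(data),
    }


def verify_against_record(record, data):
    """Re-hash the evidence copy and compare every recorded digest.

    Returns (ok, mismatches): ok is True only if all digests match; mismatches
    lists the algorithms whose digest differs, so the report can say exactly
    which check failed.
    """
    current = hash_bytes(data, tuple(record["hashes"]))
    mismatches = [alg for alg, digest in record["hashes"].items() if current[alg] != digest]
    return (not mismatches, mismatches)


# Constructed sample "image": 4 KiB of deterministic bytes standing in for a raw dump.
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    record = make_acquisition_record("CASE-0000 (placeholder)",
                                     "userdata partition, constructed sample",
                                     SAMPLE_IMAGE)
    print(json.dumps(record, indent=2))

    # A faithful working copy verifies against the record.
    ok, _ = verify_against_record(record, SAMPLE_IMAGE)
    print("unmodified copy verifies:", ok)

    # A copy with a single flipped bit does not, and both digests disagree.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    ok, bad = verify_against_record(record, bytes(tampered))
    print("tampered copy verifies:", ok, "mismatching algorithms:", bad)
```

In practice the record would be written alongside the image (and into the examiner's notes) at acquisition time, and the verification step would be repeated before analysis and again before reporting, so that every tool run can be shown to have worked on identical data.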

The mobile forensics process is broken down into three main categories: seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place the device in a Faraday bag to prevent changes should the device automatically power on. As shown in the following figure, Faraday bags are specifically designed to isolate the phone from the network.

A Faraday bag (Image courtesy: http://www.amazon.com/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0)

If the phone is found switched on, switching it off raises several concerns. If the phone is locked by a PIN or password, or is encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So, if the phone is in a running state, a criminal can securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a Faraday bag. If possible, prior to placing the mobile device in the Faraday bag, disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This will also preserve the battery, which would otherwise drain while the device is in a Faraday bag, and it protects against leaks in the Faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.

Mobile device forensic acquisition can be performed using multiple methods, which are defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the maximum data from the mobile device.

Mobile phones are dynamic systems that present a lot of challenges to the examiner in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, each mobile is designed with a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.

Challenges in mobile forensics

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.

Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons:

• Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models, which differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape is changing with each passing day, it is critical for the examiner to adapt to all the challenges and remain updated on mobile device forensic techniques across various devices.
• Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices widely use more operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, HP's webOS, Nokia's Symbian OS, and many others. Even within these operating systems, there are several versions, which make the task of the forensic investigator even more difficult.
• Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during the forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. The examiner might need to break through these encryption mechanisms to extract data from the devices.
• Lack of resources: As mentioned earlier, with the growing number of mobile phones, the tools required by a forensic examiner also increase. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
• Preventing data modification: One of the fundamental rules in forensics is to make sure that data on the device is not modified. In other words, any attempt to extract data from the device should not alter the data present on that device. But this is practically not possible with mobiles because just switching on a device can change the data on that device. Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles, the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
• Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
• Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on the phone might alter the data stored by that application on the device.
• Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.
• Device alteration: The possible ways to alter devices range from moving application data and renaming files to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.
• Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not always work on all versions.
• Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
• Lack of availability of tools: There is a wide range of mobile devices. A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.
• Malicious programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious programs may attempt to spread to other devices over either a wired interface or a wireless one.
• Legal issues: Mobile devices might be involved in crimes that cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.

The mobile phone evidence extraction process

Evidence extraction and forensic examination of each mobile device may differ. However, following a consistent examination process will assist the forensic examiner to ensure that the evidence extracted from each phone is well documented and that the results are repeatable and defendable. There is no well-established standard process for mobile forensics. However, the following figure provides an overview of process considerations for extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well documented.

Mobile phone evidence extraction process

Note

A great resource for handling and processing mobile devices can be found at http://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf.

As shown in the preceding figure, forensics on a mobile device includes several phases, starting from the evidence intake phase and ending with the archiving phase. The following sections provide an overview of various considerations across all the phases.

The evidence intake phase

The evidence intake phase is the starting phase and entails request forms and paperwork to document ownership information and the type of incident the mobile device was involved in, and it outlines the type of data or information the requester is seeking. Developing specific objectives for each examination is the critical part of this phase. It serves to clarify the examiner's goals. Also, while seizing the device, care should be taken not to modify any data present on the device. At the same time, any opportunity that might help the investigation should not be missed. For example, at the time of seizing the device, if the device is unlocked, then try to disable the passcode.

The identification phase

The forensic examiner should identify the following details for every examination of a mobile device:

• The legal authority
• The goals of the examination
• The make, model, and identifying information for the device
• Removable and external data storage
• Other sources of potential evidence

We will discuss each of them in the following sections.

The legal authority

It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device as well as any limitations placed on the media prior to the examination of the device. For example, if the mobile device is being searched pursuant to a warrant, the examiner should be mindful of confining the search to the limitations of the warrant.

The goals of the examination

The examiner will identify how in-depth the examination needs to be based upon the data requested. The goal of the examination makes a significant difference in selecting the tools and techniques to examine the phone and increases the efficiency of the examination process.

The make, model, and identifying information for the device

As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone. For all phones, the manufacturer, model number, carrier and the current phone number associated with the cellular phone should be identified and documented.

Removable and external data storage

Many mobile phones provide an option to extend the memory with removable storage devices, such as the Trans Flash Micro SD memory expansion card. In cases when such a card is found in a mobile phone that is submitted for examination, the card should be removed and processed using traditional digital forensic techniques. It is wise to also acquire the card while in the mobile device to ensure that data stored on both the handset memory and card are linked for easier analysis. This will be discussed in detail in upcoming chapters.

Other sources of potential evidence

Mobile phones act as good sources of fingerprint and other biological evidence. Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues unless the collection method will damage the device. Examiners should wear gloves when handling the evidence.

The preparation phase

Once the mobile phone model is identified, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination. This is generally done based on the device model, underlying operating system, its version, and so on. Also, choosing tools for examination of a mobile device will be determined by factors such as the goal of the examination, resources available, the type of cellular phone to be examined and the presence of any external storage capabilities.

The isolation phase

Mobile phones are, by design, intended to communicate via cellular phone networks, Bluetooth, infrared, and wireless (Wi-Fi) network capabilities. When the phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone. Complete destruction of data is also possible through remote access or remote wiping commands. For this reason, isolation of the device from communication sources is important prior to the acquisition and examination of the device. Network isolation can be done by placing the phone in radio frequency shielding cloth and then putting the phone in airplane or flight mode. Airplane mode disables a device's communication channels, such as the cellular radio, Wi-Fi, and Bluetooth. However, if the device is screen locked, then this is not possible. Also, since Wi-Fi is now available in airplanes, some devices now leave Wi-Fi enabled in airplane mode. An alternate solution is isolation of the phone through the use of Faraday bags, which block the radio signals to or from the phone. Faraday bags contain materials that block external static electrical fields (including radio waves). Thus, Faraday bags shield seized mobile devices from external interference to prevent wiping and tracking. To work more conveniently with the seized devices, Faraday tents and rooms also exist.

The processing phase

Once the phone has been isolated from communication networks, the actual processing of the mobile phone begins. The phone should be acquired using a tested method that is repeatable and is as forensically sound as possible. Physical acquisition is the preferred method as it extracts the raw memory data, and the device is commonly powered off during the acquisition process. On most devices, the smallest amount of change occurs to the device during physical acquisition. If physical acquisition is not possible or fails, an attempt should be made to acquire the file system of the mobile device. A logical acquisition should always be obtained as well: although it may contain only the parsed data, it provides pointers for examining the raw memory image. These acquisition methods are discussed in detail in the later chapters.

The verification phase

After processing the phone, the examiner needs to verify the accuracy of the data extracted from the phone to ensure that data has not been modified. The verification of the extracted data can be accomplished in several ways.

Comparing extracted data to the handset data

Check if the data extracted from the device matches the data displayed by the device. The data extracted can be compared to the device itself or a logical report, whichever is preferred. Remember, handling the original device may make changes to the only evidence—the device itself.

Using multiple tools and comparing the results

To ensure accuracy, use multiple tools to extract the data and compare results.

Using hash values

All image files should be hashed after acquisition to ensure that the data remains unchanged. If file system extraction is supported, the examiner extracts the file system and then computes hashes for the extracted files. Later, the hash of any individually extracted file is recalculated and checked against the original value to verify its integrity. Any discrepancy in a hash value must be explainable (for example, the device was powered on and then acquired again, thus the hash values are different).
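The hash-based verification described above, as an added example that is not code from the book: it builds a SHA-256 manifest for an acquired image and the files extracted from it, then re-verifies the manifest later and reports every file that changed, disappeared, or appeared, so that each discrepancy can be explained in the examiner's notes. The case folder, file names, and file contents are constructed for the demonstration.

```python
"""Hash manifest for a mobile forensic acquisition (added example, not from the book)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a multi-gigabyte physical image never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root (the image plus the extracted file system), keyed by relative path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Recompute the hashes and list files that changed, vanished, or appeared since acquisition."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def run_demo() -> dict:
    """Constructed scenario: acquire, hash, then detect a file rewritten during examination."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case-0001"  # hypothetical case folder, constructed for the demo
        (case / "filesystem").mkdir(parents=True)
        (case / "physical.bin").write_bytes(b"\x00" * 4096 + b"constructed image data")
        (case / "filesystem" / "sms.db").write_bytes(b"constructed sqlite contents")
        (case / "filesystem" / "contacts.db").write_bytes(b"constructed contacts")

        # Hash everything immediately after acquisition and persist the manifest beside the evidence
        manifest = build_manifest(case)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulate an examination tool that rewrites sms.db in place (the discrepancy to explain)
        (case / "filesystem" / "sms.db").write_bytes(b"constructed sqlite contents, altered")

        saved = json.loads(manifest_path.read_text())
        return {"manifest": saved, "report": verify_manifest(case, saved)}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["report"], indent=2))
```

In a real case the manifest file should itself be hashed and recorded in the contemporaneous notes, since it is the reference against which every later check is made.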

The document and reporting phase

The forensic examiner is required to document throughout the examination process in the form of contemporaneous notes relating to what was done during the acquisition and examination. Once the examiner completes the investigation, the results must go through some form of peer review to ensure that the data is checked and the investigation is complete. The examiner's notes and documentation may include information such as the following:

• The examination start date and time
• The physical condition of the phone
• Photos of the phone and individual components
• Phone status when received (turned on or off)
• Phone make and model
• Tools used for the acquisition
• Tools used for the examination
• Data found during the examination
• Notes from peer review

The presentation phase

Throughout the investigation, it is important to make sure that the information extracted and documented from a mobile device can be clearly presented to any other examiner or to a court. Creating a forensic report of data extracted from the mobile device during acquisition and analysis is important. This may include data in both paper and electronic formats. Your findings must be documented and presented in a manner that the evidence speaks for itself when in court. The findings should be clear, concise, and repeatable. Timeline and link analysis, features offered by many commercial mobile forensics tools, will aid in reporting and explaining findings across multiple mobile devices. These tools allow the examiner to tie together the methods behind the communication of multiple devices.

The archiving phase

Preserving the data extracted from the mobile phone is an important part of the overall process. It is also important that the data is retained in a usable format for the ongoing court process, for future reference, should the current evidence file become corrupt, and for record keeping requirements. Court cases may continue for many years before the final judgment is arrived at, and most jurisdictions require that data be retained for long periods of time for the purposes of appeals. As the field and methods advance, new methods for pulling data out of a raw, physical image may surface, and then the examiner can revisit the data by pulling a copy from the archives.

Practical mobile forensic approaches

Similar to any forensic investigation, there are several approaches that can be used for the acquisition and examination/analysis of data from mobile phones. The type of mobile device, the operating system, and the security setting generally dictate the procedure to be followed in a forensic process. Every investigation is distinct with its own circumstances, so it is not possible to design a single definitive procedural approach for all cases. The following details outline the general approaches followed in extracting data from mobile devices.

Mobile operating systems overview

One of the major factors in the data acquisition and examination/analysis of a mobile phone is the operating system. Starting from low-end mobile phones to smartphones, mobile operating systems have come a long way with a lot of features. Mobile operating systems directly affect how the examiner can access the mobile device. For example, Android OS gives terminal-level access whereas iOS does not give such an option. A comprehensive understanding of the mobile platform helps the forensic examiner make sound forensic decisions and conduct a conclusive investigation. While there is a large range of smart mobile devices, three main operating systems dominate the market, namely, Google Android, Apple iOS and Windows Phone. More information can be found at https://www.idc.com/prodserv/smartphone-os-market-share.jsp. This book covers forensic analysis of these three mobile platforms. We will cover a brief overview of leading mobile operating systems.

Android

Android is a Linux-based operating system, and it's a Google open source platform for mobile phones. Android is the world's most widely used smartphone operating system. Sources show that Apple's iOS stands second (https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1). Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android's open nature has further encouraged developers to build a large number of applications and upload them onto Google Play; end users can then download the applications from the Android Market, which makes Android a powerful operating system. It is estimated that the Google Play Store has more than 2 million apps at the time of writing this book. More details on Android are covered in Chapter 7, Understanding Android.

iOS