Mobile Forensics – Advanced Investigative Strategies
By Oleg Afonin and Vladimir Katalov
About this ebook
- A straightforward guide to address the roadblocks faced when doing mobile forensics
- Simplify mobile forensics using the right mix of methods, techniques, and tools
- Get valuable advice to put you in the mindset of a forensic professional, regardless of your career level or experience
This book is for forensic analysts and law enforcement and IT security officers who have to deal with digital evidence as part of their daily job. Some basic familiarity with digital forensics is assumed, but no experience with mobile forensics is required.
Table of Contents
Mobile Forensics – Advanced Investigative Strategies
Credits
Foreword
About the Authors
About the Reviewer
www.PacktPub.com
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. Introducing Mobile Forensics
Why we need mobile forensics
Available information
Mobile devices
Personal computers
Cloud storage
Stages of mobile forensics
Stage 1 - device seizure
Seizing - what and how should we seize?
The use of Faraday bags
Keeping the power on
Dealing with the kill switch
Mobile device anti-forensics
Stage 2 - data acquisition
Root, jailbreak, and unlocked bootloader
Android ADB debugging
SIM cloning
SIM card memory
Memory card
Stage 3 - data analysis
Summary
2. Acquisition Methods Overview
Over-the-air acquisition
Apple iCloud
Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10
Google Android
Logical acquisition (backup analysis)
Apple iOS
BlackBerry 10
Android
Nandroid backups
Physical acquisition
Apple iOS
Android
Windows Phone 8 and Windows 10 Mobile
Limitations and availability
Tools for physical acquisition
JTAG
Chip-off
In-system programming
Summary
3. Acquisition – Approaching Android Devices
Android platform fragmentation
AOSP, GMS, and their forensic implications
Android logical acquisition
OEM software
Android acquisition – special considerations
Unallocated space
eMMC storage
Remapping and overprovisioning
Wear leveling
Trimming
What happens to the deleted data?
JTAG forensics
When to JTAG a device
Limitations of JTAG forensics
Step-by-step JTAG acquisition
Chip-off acquisition
Chip-off and encryption
In-system programming forensics
Summary
4. Practical Steps to Android Acquisition
Android physical acquisition
Encryption
Approaching physical acquisition
Encryption status – Is the data partition encrypted?
Service mode available
LG smartphones
Devices based on the Qualcomm reference platform
Mediatek-based Chinese phones
Bootloader status
Root status
LG smartphones' LAF mode
MediaTek smartphones
Qualcomm bootloader exploit
Qualcomm-based smartphones – HS-USB 9006
Encryption
The Qualcomm 9006 mode
Tools for imaging via Qualcomm Download Mode 9006
Using custom recoveries
Imaging via custom recovery – making a Nandroid backup
Imaging via custom recovery – physical imaging via dd
Imaging the device
NANDroid backups
Is unlocked bootloader required?
Is root access required?
Producing a Nandroid backup
Analyzing Nandroid backups
Live imaging
Live imaging with root (via dd)
Live imaging without root (via ADB backup)
Live imaging using Oxygen Forensic Suite
Google Account acquisition – over-the-air
Why Google Account?
Google Account – what's inside?
A word on Android backups
Google Takeout
Google Account acquisition and analysis using Elcomsoft Cloud Explorer
Two-factor authentication
User alerts
Viewing, searching, and analyzing data
Summary
5. iOS – Introduction and Physical Acquisition
iOS forensics – introduction
Generations of Apple hardware
Is jailbreak required?
Geolocation information
Where is the information stored?
iOS acquisition methods overview
iOS acquisition methods compared
iOS advanced logical acquisition
iOS physical acquisition
Physical acquisition benefits
What's unique about physical acquisition?
The future of physical acquisition
Physical acquisition compatibility matrix
Unallocated space – unavailable since iOS 4
Sending device to Apple
The role of passcode
Physical acquisition of iOS 8 and 9
Tools for iOS physical acquisition
Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit
What does the tool do?
Prerequisites
Acquiring 64-bit Apple devices
Comparing 64-bit process and traditional physical acquisition
Supported devices and iOS versions
Performing physical acquisition on a 64-bit iOS device
What is available via 64-bit physical acquisition
Locked device with unknown passcode
Viewing and analyzing the image
Potential legal implications
Summary
6. iOS Logical and Cloud Acquisition
Understanding backups - local, cloud, encrypted and unencrypted
Encrypted versus unencrypted iTunes backups
Breaking backup passwords
Breaking the password - how long will it take?
A fast CPU and a faster video card
Breaking complex passwords
Knowing the user helps breaking the password
Tutorial - logical acquisition with Elcomsoft Phone Breaker
Breaking the password
Decrypting the backup
Dealing with long and complex passwords
Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP
iOS Cloud forensics - over-the-air acquisition
About Apple iCloud
Getting started with iCloud Keychain
Getting started with iCloud Drive
Understanding iCloud forensics
Tutorial - cloud acquisition with Elcomsoft Phone Breaker
Downloading iCloud backups - using Apple ID and password
Downloading iCloud/iCloud Drive backups - using authentication tokens
Extracting authentication tokens
iCloud authentication tokens (iOS 6 through 9) - limitations
iCloud Drive authentication tokens (iOS 9 and newer) - a different beast altogether
Quick start - selective downloading
Two-factor authentication
Two-factor authentication is optional
Two-factor authentication versus two-step verification - understanding the differences
Two-step verification
Two-factor authentication
No app-specific passwords in two-factor authentication
Cloud acquisition with two-step verification and two-factor authentication
What next?
Summary
7. Acquisition – Approaching Windows Phone and Windows 10 Mobile
Windows Phone security model
Windows Phone physical acquisition
JTAG forensics on Windows Phone 8.x and Windows 10 Mobile
Windows Phone 8.x device encryption
Windows 10 Mobile device encryption
Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics
Acquiring Windows Phone backups over the air
Summary
8. Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets
Windows 8, 8.1, 10, and RT on portable touchscreen devices
Acquisition of Windows tablets
Understanding Secure Boot
Connected Standby (InstantGo)
BitLocker device encryption
BitLocker and Encrypting File System
BitLocker and hibernation
BitLocker acquisition summary
Capturing a memory dump
Types of evidence available in volatile memory
Special case – Windows RT devices
SD cards and Windows File History
Imaging Built-in eMMC Storage
eMMC and deleted data recovery
Windows 8 and Windows 10 encryption – TRIM versus BitLocker
Booting Windows tablets from recovery media
Special case – recovery media for Windows RT
Steps to boot from recovery media
Configuring UEFI BIOS to boot from recovery media
Acquiring a BitLocker encryption key
Breaking into Microsoft Account to acquire the BitLocker Recovery Key
Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions
BitLocker keys and Trusted Platform Module
Imaging Windows RT tablets
BitLocker encryption
DISM – a built-in tool to image Windows RT
Must be logged in with an administrative account
Must be logged in
Booting to the WinRE command prompt
Entering BitLocker Recovery Key
Using DISM.exe to image the drive
Cloud Acquisition
Summary
9. Acquisition – Approaching BlackBerry
The history of the BlackBerry OS - BlackBerry 1.0-7.1
BlackBerry 7 JTAG, ISP, and chip-off acquisition
Acquiring BlackBerry desktop backups
Decrypting the backup
BlackBerry Password Keeper and BlackBerry Wallet
BlackBerry Password Keeper
BlackBerry Wallet
BlackBerry security model - breaking a device password
Acquiring BlackBerry 10
Getting started
BlackBerry 10 backups
BlackBerry 10 - considering ISP and chip-off forensics
Acquiring BlackBerry 10 backups
Using Elcomsoft Phone Breaker
Using Oxygen Forensic Suite
Analyzing BlackBerry backups
Summary
10. Dealing with Issues, Obstacles, and Special Cases
Cloud acquisition and two-factor authentication
Two-factor authentication – Apple, Google, and Microsoft
Online versus offline authentication
App passwords and two-factor authentication
Google's two-factor authentication
Microsoft's implementation
Apple's two-step verification
Apple's two-factor authentication
Bypassing Apple's two-factor authentication
Two-factor authentication – a real roadblock
Unallocated space
The issue of unallocated space
Accessing destroyed evidence in different mobile platforms
Apple iOS – impossible
BlackBerry – Iffy
SD cards
Android – possible with limitations
Android – built-in storage
Unencrypted storage
Encrypted storage
Encryption in different versions of Android
Android – SD cards
Android – SD card encryption
Windows Phone 8 and 8.1 – possible for end-user devices with limitations
Windows Phone BitLocker encryption
Windows Phone SD cards
Windows RT, Windows 8/8.1, and Windows 10
eMMC and deleted data
eMMC and SSD – similarities
eMMC and SSD – differences
Overprovisioning and remapping
User data in overprovisioned areas
Delete operations on non-encrypted eMMC drives
eMMC conclusion
SD cards
SD card encryption
Apple iOS
Android
Windows Phone 8/8.1
Windows 10 Mobile
Windows RT
Windows 8 through 10
BlackBerry OS 1 through 7
BlackBerry 10
SD cards conclusion
SQLite databases (access to call logs, browsing history, and many more)
Summary
11. Mobile Forensic Tools and Case Studies
Cellebrite
Micro Systemation AB
AccessData
Oxygen Forensic toolkit
Magnet ACQUIRE
BlackBag Mobilyze
ElcomSoft tools
Case studies
Mobile forensics
Data recovery
BlackBerry scenarios
Locked BlackBerry devices
Locked BlackBerry, not attached to BlackBerry Enterprise Server (BES)
Locked BlackBerry attached to BES
Locked BlackBerry attached to BES with Pretty Good Privacy (PGP) encryption
Locked BlackBerry, not attached to BES
Locked BlackBerry - completed successful chipoff
Locked BlackBerry - password does not work
Unlocked BlackBerry devices
Unlocked BlackBerry device with no password
Unlocked BlackBerry device with password
Summary
Mobile Forensics – Advanced Investigative Strategies
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: September 2016
Production reference: 1260916
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78646-448-4
www.packtpub.com
Credits
Foreword
Hello reader. I welcome you to a book of knowledge. When Vladimir Katalov offered me an opportunity to write a foreword for their book, I was surprised and also humbled. I have never written a foreword to a book, much less participated in the authoring of a book. I accepted Vladimir’s offer. So here goes.
In the field of digital forensics, there is an overwhelming amount of information to learn and comprehend. Many years ago, a highly respected colleague said to me: No man is an island. What did he mean by this statement? From my perspective, this means that you cannot know it all. We as examiners and practitioners in the digital forensics field must learn to impart knowledge responsibly, and share so that we can all learn. In essence, this is a collective digital forensics knowledge hive, where the answers to our challenges lie. This book, then, is a part of this hive. It is important also not to focus only on the analysis tool, but also on the understanding of the devices and technologies and the methodology used to successfully get the data. This book will also help you understand the underlying technology and methodology.
In the end, I leave you to carry on your journey in this book. I hope you enjoy reading and learning from it as much as I have.
Shafik G. Punja
Police Officer, Digital Forensics Team
About the Authors
Oleg Afonin is a researcher and an expert in digital forensics. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, FT-Day, Techno Forensics, and others. Oleg has co-authored multiple publications on IT security and mobile forensics. With years of experience in the digital forensics and security domain, Oleg has led forensic training courses for law enforcement departments in multiple countries.
Vladimir Katalov is CEO, co-founder, and co-owner of ElcomSoft Co. Ltd. Vladimir manages all technical research and product development in the company. He regularly presents at various events and regularly runs security and computer forensics training both for foreign and domestic (Russian) computer investigative committees and other law enforcement organizations.
Special thanks to Oleg Davydov whose help and advice was truly invaluable. Without Oleg’s deep understanding of Android internals, this book would not be the same. Oleg Davydov is a co-founder and CTO of Oxygen Software. Since 2000, he has been involved in software development related to mobile forensics. For the last 10 years, Oleg has been busy developing mobile forensic tools. Oleg is an expert in cryptography, IT security, software development, mobile forensics, and reverse engineering. Oleg works in the mobile forensics industry, using his experience and understanding of smartphone internals to help law enforcement.
Special thanks to Shafik G. Punja who caught things that we missed. His expertise in acquiring BlackBerry devices was an invaluable help.
About the Reviewer
Shafik G. Punja is a police officer with the Calgary Police Service, having served for over 20 years. He has been working in digital forensics since 2003 and is currently assigned to the Digital Forensics Team (Cyber/Forensic Unit). He has qualified in the Canadian legal system as an expert in the area of digital forensics, and has previously served as guest instructor for the Technological Crimes Learning Institute (TCLI) at the Canadian Police College, in Ottawa, Ontario. His private sector work involves R&D partnerships with various law enforcement colleagues and digital forensics training.
www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Why subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print, and bookmark content
- On demand and accessible via a web browser
Preface
Smartphone and tablet technology has changed dramatically and rapidly in the last several years and continues to do so at an astounding pace. These smaller computing devices are so common, with the ability to replace their desktop counterparts in human-to-computer interactions. Sit in any café, airport, or public place that offers Wi-Fi and you will see humans with their faces ostensibly glued to their device screens, interacting on their device with such focus, seemingly oblivious to their own physical environment.
Smartphone and tablet devices have become large digital storage vaults that store our personal and professional secrets. Strangely enough, with little faith, we have also begun to allow ourselves to accept backing up this data to the cloud, so that important aspects of our local device storage are now also in cloud storage. Why did I mention cloud storage? Cloud backup data can be accessed outside of the device itself through other processes, when access to the device data itself may be obstructed due to security mechanisms. This book addresses cloud forensics from the various smartphone platforms.
Whilst this could be considered a highly technical book, it is an excellent read for both novices and experienced examiners alike. For those that have read any of the blog articles that have been published by Elcomsoft, you will find a comfortable approach to the way this book has been written.
The authors of this book strive to provide essential information about a number of concepts including the following:
- NAND eMMC flash memory
- A brief summary of JTAG forensics
- NANDroid backups
- iOS security and acquisition methods
- Password breaking on iOS backups
- Windows Phone security and acquisition
- BlackBerry 7 and BlackBerry data acquisition methods and password breaking
There are of course references to customized tools that are developed by the authors and their colleagues. What this highlights to anyone reading this is that in the field of mobile forensics, no one tool can do it all. I know and say this from experience because I have used all the tools mentioned in this book. All tools have their strengths and limitations. But to be effective, an examiner must have at least several tools to cover the broad range of technology in mobile forensics.
What this book covers
This book is written to represent a natural flow in the e-discovery process, covering the different stages of mobile forensics from seizing the device to acquiring the data and analyzing evidence. The book covers basic handling, acquisition, and analysis techniques for smartphones and tablets running the most popular operating systems: Android, iOS, Windows Phone, Windows 8, 8.1, and RT, and BlackBerry. The following topics are covered in detail:
- Seizing techniques:
  - Shielding the device: the use of the Faraday bag
  - Preserving volatile memory and capturing memory dumps
- Acquisition techniques:
  - Physical acquisition (via USB connection)
  - Logical acquisition via data backups
  - Over-the-air acquisition and cloud analysis
- Evidence discovery and data analysis:
  - Finding, viewing, and analyzing evidence
- Tools for mobile forensics:
  - Acquisition and analysis tools overview
  - Tools for acquiring iOS devices
  - Tools for acquiring Android, BlackBerry, and Windows Phone devices
  - Tools for discovering and analyzing evidence
It is important to note the bits that this book does not cover. These include:
- JTAG acquisition
- Chip-off imaging
- Disk imaging tools
- Tools for acquiring Windows 8 and 8.1 devices
We will not go into any technical detail, such as which hex code at what address means what, or how to calculate UDID, or how to use ADB to break through passcode protection on Android 2.1. We believe these things are meaningless for a law enforcement officer, and should only interest technicians working in an acquisition lab – and this book is not for them.
Chapter 1, Introducing Mobile Forensics, introduces the concept of mobile devices as a source of valuable evidence. The chapter describes what types of evidence are generally available in mobile devices. It also outlines acquisition options depending on whether the reader has access to the actual device, knows the user’s login and password (such as an Apple ID or Google Account password), or has access to the computer that was used to sync the mobile device. This chapter also discusses the various techniques used by suspects to counter forensic efforts, and suggests methods to overcome such efforts. This chapter is essential to understanding what the expert is trying to achieve when investigating mobile devices, why, and how. After reading this chapter, you will understand the big picture of mobile forensics, realize that there is no single straightforward path to acquiring mobile evidence, and understand that the available acquisition options strongly depend on various factors. You’ll get an idea of how to seize and store mobile devices and how to detect and counter anti-forensic efforts.
Chapter 2, Acquisition Methods Overview, gives an overview of the acquisition methods available for different mobile platforms. With the wide range of mobile devices around, multiple acquisition methods exist. There is no single universal acquisition method available for all models. Some acquisition methods depend on the phone’s lock and encryption status, OS version, type of available storage, and so on. Investigators have to work their way through the investigation to discover what acquisition methods are available for a particular device.
Chapter 3, Acquisition – Approaching Android Devices, discusses the options available for acquiring information from Android devices, providing a detailed outline of physical, logical, and over-the-air acquisition methods for Android smartphones and tablets. In this chapter, the reader will learn what acquisition methods are available for the Android platform, which acquisition techniques are available in what circumstances, and how to choose the appropriate acquisition method for a given device. This chapter also covers one of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence. In this chapter, we discuss exactly how modern smartphones handle deleted data, depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas.
Chapter 4, Practical Steps to Android Acquisition, discusses the massive amounts of information collected by Google, and explains how to extract this information from Google servers. We’ll be using forensic tools to download data from Google, view it, and examine obtained evidence. The acquisition of Google Accounts can provide a much deeper insight into user activities than what’s available in a single Android smartphone. This chapter offers a detailed discussion and demonstration of various physical acquisition methods available for a wide range of Android devices, including manufacturer-specific low-level service modes (LG, Qualcomm, and Mediatek), using custom recoveries (CWM, TWRP) for dumping the data partition, making NANDroid backups, and using command-line tools such as dd for live imaging the device. In addition, this chapter discusses the issue of encryption and its effect on physical acquisition.
Chapter 5, iOS – Introduction and Physical Acquisition, discusses the benefits and unique features of physical acquisition, and talks about stored passwords and Apple secure storage, the keychain. This chapter provides a detailed compatibility matrix for physical acquisition, discusses which locked devices can be acquired without knowing the correct passcode, and lists forensic tools that offer physical acquisition of Apple iOS devices. It discusses the differences between 32-bit and 64-bit Apple hardware, and explains how to install a jailbreak.
Chapter 6, iOS Logical and Cloud Acquisition, introduces the concept of the logical acquisition of iOS devices. Logical acquisition consists of extracting existing iTunes backups or making the device produce a backup and then extracting it. The differences between encrypted and unencrypted backups are explained, outlining the benefits of producing encrypted backups with a known password over unencrypted ones. This chapter outlines the basics of recovering unknown backup passwords. In addition, this chapter provides step-by-step instructions on using Elcomsoft Phone Breaker to extract iOS backups. If the backup is protected with an unknown password, detailed instructions and recommendations on recovering the password are provided. This chapter explains the advantages and applicability of over-the-air acquisition, and demonstrates how to use Elcomsoft Phone Breaker for cloud acquisition. In addition, this chapter discusses the use of binary authentication tokens to bypass an Apple ID and password, as well as two-factor authentication.
Chapter 7, Acquisition – Approaching Windows Phone and Windows 10 Mobile, introduces Windows Phone forensics. It outlines the available methods and approaches to acquiring Windows Phone 8 and 8.1 and Windows 10 Mobile devices. Physical acquisition, bootloader exploits, invasive (advanced) acquisition via JTAG, and chip-off are explained. In this chapter, we discuss the differences in device encryption between generations of the Windows Phone platform, and provide a detailed walkthrough of over-the-air acquisition of Windows mobile devices using Elcomsoft Phone Breaker.
Chapter 8, Acquisition - Approaching Windows 8, 8.1, 10, and RT Tablets, covers the major points that make tablet forensics different from the traditional PC and laptop acquisition approach. We’ll cover the new Connected Standby mode replacing the traditional Sleep and Hibernate modes of Windows laptops, discuss Secure Boot on various Windows tablet platforms, review UEFI BIOS settings, and learn how to start the tablet from bootable USB media. We’ll also cover techniques for capturing the content of the device’s RAM and imaging non-removable eMMC media. General acquisition steps for Windows RT devices are also described, as standard Windows recovery media cannot be used with RT devices.
Chapter 9, Acquisition - Approaching BlackBerry, provides an introduction, overview, and in-depth tutorials on acquiring BlackBerry smartphones running legacy (BB OS 1 through 7.1) and modern (BlackBerry 10) versions of the OS. BlackBerry backups and backup passwords (legacy BB OS) are explained. This chapter provides tutorials on how to extract and view legacy BlackBerry backups and recover passwords protecting these backups. The reader will learn how to use Elcomsoft Phone Breaker to decrypt BlackBerry 10 backups and view their content with Elcomsoft Phone Viewer or Oxygen Forensic Suite.
Chapter 10, Dealing with Issues, Obstacles, and Special Cases, covers some of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence and the challenge presented by two-factor authentication. In this chapter, we discuss how exactly modern smartphones handle deleted data depending on the operating system (Android, iOS,