Practical Mobile Forensics

Practical Mobile Forensics
eBook: $35.99
Formats: PDF, PacktLib, ePub and Mobi formats
save 20%!
Print + free eBook + free PacktLib access to the book: $95.98    Print cover: $59.99
save 37%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Table of Contents
Sample Chapters
  • Clear and concise explanations for forensic examinations of mobile devices
  • Master the art of extracting data, recovering deleted data, bypassing screen locks, and much more
  • The first and only guide covering practical mobile forensics on multiple platforms

Book Details

Language : English
Paperback : 328 pages [ 235mm x 191mm ]
Release Date : July 2014
ISBN : 1783288310
ISBN 13 : 9781783288311
Author(s) : Satish Bommisetty, Rohit Tamma, Heather Mahalik
Topics and Technologies : All Books, Open Source

Table of Contents

Chapter 1: Introduction to Mobile Forensics
Chapter 2: Understanding the Internals of iOS Devices
Chapter 3: Data Acquisition from iOS Devices
Chapter 4: Data Acquisition from iOS Backups
Chapter 5: iOS Data Analysis and Recovery
Chapter 6: iOS Forensic Tools
Chapter 7: Understanding Android
Chapter 8: Android Forensic Setup and Pre Data Extraction Techniques
Chapter 9: Android Data Extraction Techniques
Chapter 10: Android Data Recovery Techniques
Chapter 11: Android App Analysis and Overview of Forensic Tools
Chapter 12: Windows Phone Forensics
Chapter 13: BlackBerry Forensics
  • Chapter 1: Introduction to Mobile Forensics
    • Mobile forensics
      • Mobile forensic challenges
    • Mobile phone evidence extraction process
      • The evidence intake phase
      • The identification phase
        • The legal authority
        • The goals of the examination
        • The make, model, and identifying information for the device
        • Removable and external data storage
        • Other sources of potential evidence
      • The preparation phase
      • The isolation phase
      • The processing phase
      • The verification phase
        • Comparing extracted data to the handset data
        • Using multiple tools and comparing the results
        • Using hash values
      • The document and reporting phase
      • The presentation phase
      • The archiving phase
    • Practical mobile forensic approaches
      • Mobile operating systems overview
        • Android
        • iOS
        • Windows phone
        • BlackBerry OS
      • Mobile forensic tool leveling system
        • Manual extraction
        • Logical extraction
        • Hex dump
        • Chip-off
        • Micro read
      • Data acquisition methods
        • Physical acquisition
        • Logical acquisition
        • Manual acquisition
    • Potential evidence stored on mobile phones
    • Rules of evidence
      • Admissible
      • Authentic
      • Complete
      • Reliable
      • Believable
    • Good forensic practices
      • Securing the evidence
      • Preserving the evidence
      • Documenting the evidence
      • Documenting all changes
    • Summary
  • Chapter 2: Understanding the Internals of iOS Devices
    • iPhone models
    • iPhone hardware
    • iPad models
    • iPad hardware
    • File system
    • The HFS Plus file system
      • The HFS Plus volume
    • Disk layout
    • iPhone operating system
      • iOS history
        • 1.x – the first iPhone
        • 2.x – App Store and 3G
        • 3.x – the first iPad
        • 4.x – Game Center and multitasking
        • 5.x – Siri and iCloud
        • 6.x – Apple Maps
        • 7.x – the iPhone 5S and beyond
      • The iOS architecture
        • The Cocoa Touch layer
        • The Media layer
        • The Core Services layer
        • The Core OS layer
      • iOS security
        • Passcode
        • Code signing
        • Sandboxing
        • Encryption
        • Data protection
        • Address Space Layout Randomization
        • Privilege separation
        • Stack smashing protection
        • Data execution prevention
        • Data wipe
        • Activation Lock
      • App Store
      • Jailbreaking
    • Summary
  • Chapter 3: Data Acquisition from iOS Devices
    • Operating modes of iOS devices
      • Normal mode
      • Recovery mode
      • DFU mode
    • Physical acquisition
    • Acquisition via a custom ramdisk
      • The forensic environment setup
        • Downloading and installing the ldid tool
        • Verifying the codesign_allocate tool path
        • Installing OSXFuse
        • Installing Python modules
        • Downloading iPhone Data Protection Tools
        • Building the IMG3FS tool
        • Downloading redsn0w
      • Creating and loading the forensic toolkit
        • Downloading the iOS firmware file
        • Modifying the kernel
        • Building a custom ramdisk
        • Booting the custom ramdisk
      • Establishing communication with the device
      • Bypassing the passcode
      • Imaging the data partition
      • Decrypting the data partition
      • Recovering the deleted data
    • Acquisition via jailbreaking
    • Summary
  • Chapter 4: Data Acquisition from iOS Backups
    • iTunes backup
      • Pairing records
      • Understanding the backup structure
        • info.plist
        • manifest.plist
        • status.plist
        • manifest.mbdb
      • Unencrypted backup
        • Extracting unencrypted backups
        • Decrypting the keychain
      • Encrypted backup
        • Extracting encrypted backups
        • Decrypting the keychain
    • iCloud backup
      • Extracting iCloud backups
    • Summary
  • Chapter 5: iOS Data Analysis and Recovery
    • Timestamps
      • Unix timestamps
      • Mac absolute time
    • SQLite databases
      • Connecting to a database
      • SQLite special commands
      • Standard SQL queries
      • Important database files
        • Address book contacts
        • Address book images
        • Call history
        • SMS messages
        • SMS Spotlight cache
        • Calendar events
        • E-mail database
        • Notes
        • Safari bookmarks
        • The Safari web caches
        • The web application cache
        • The WebKit storage
        • The photos metadata
        • Consolidated GPS cache
        • Voicemail
    • Property lists
      • Important plist files
        • The HomeDomain plist files
        • The RootDomain plist files
        • The WirelessDomain plist files
        • The SystemPreferencesDomain plist files
    • Other important files
      • Cookies
      • Keyboard cache
      • Photos
      • Wallpaper
      • Snapshots
      • Recordings
      • Downloaded applications
    • Recovering deleted SQLite records
    • Summary
  • Chapter 6: iOS Forensic Tools
    • Elcomsoft iOS Forensic Toolkit
      • Features of EIFT
      • Usage of EIFT
        • Guided mode
        • Manual mode
      • EIFT-supported devices
        • Compatibility notes
    • Oxygen Forensic Suite 2014
      • Features of Oxygen Forensic Suite
      • Usage of Oxygen Forensic Suite
      • Oxygen Forensic Suite 2014 supported devices
    • Cellebrite UFED Physical Analyzer
      • Features of Cellebrite UFED Physical Analyzer
      • Usage of Cellebrite UFED Physical Analyzer
      • Supported devices
    • Paraben iRecovery Stick
      • Features of Paraben iRecovery Stick
      • Usage of Paraben iRecovery Stick
      • Devices supported by Paraben iRecovery Stick
    • Open source or free methods
    • Summary
  • Chapter 7: Understanding Android
    • The Android model
      • The Linux kernel layer
      • Libraries
      • Dalvik virtual machine
      • The application framework layer
      • The applications layer
    • Android security
      • Secure kernel
      • The permission model
      • Application sandbox
      • Secure interprocess communication
      • Application signing
    • Android file hierarchy
    • Android file system
      • Viewing file systems on an Android device
      • Extended File System – EXT
    • Summary
  • Chapter 8: Android Forensic Setup and Pre Data Extraction Techniques
    • A forensic environment setup
      • Android Software Development Kit
      • Android SDK installation
      • Android Virtual Device
      • Connecting an Android device to a workstation
        • Identifying the device cable
        • Installing the device drivers
      • Accessing the connected device
      • Android Debug Bridge
      • Accessing the device using adb
        • Detecting connected devices
        • Killing the local adb server
        • Accessing the adb shell
      • Handling an Android device
    • Screen lock bypassing techniques
      • Using adb to bypass the screen lock
      • Deleting the gesture.key file
      • Updating the settings.db file
      • Checking for the modified recovery mode and adb connection
      • Flashing a new recovery partition
      • Smudge attack
      • Using the primary Gmail account
      • Other techniques
    • Gaining root access
      • What is rooting?
      • Rooting an Android device
      • Root access – adb shell
    • Summary
  • Chapter 9: Android Data Extraction Techniques
    • Imaging an Android Phone
    • Data extraction techniques
      • Manual data extraction
      • Using root access to acquire an Android device
      • Logical data extraction
        • Using the adb pull command
        • Extracting the /data directory on a rooted device
        • Using SQLite Browser
        • Extracting device information
        • Extracting call logs
        • Extracting SMS/MMS
        • Extracting browser history
        • Analysis of social networking/IM chats
        • Using content providers
      • Physical data extraction
        • JTAG
        • Chip-off
      • Imaging a memory (SD) card
    • Summary
  • Chapter 10: Android Data Recovery Techniques
    • Data recovery
      • Recovering the deleted files
        • Recovering deleted data from an SD card
        • Recovering data deleted from internal memory
        • Recovering deleted files by parsing SQLite files
        • Recovering files using file-carving techniques
    • Summary
  • Chapter 11: Android App Analysis and Overview of Forensic Tools
    • Android app analysis
    • Reverse engineering Android apps
      • Extracting an APK file from an Android device
      • Steps to reverse engineer Android apps
    • Forensic tools overview
      • The AFLogical tool
      • AFLogical Open Source Edition
      • AFLogical Law Enforcement (LE)
    • Cellebrite – UFED
      • Physical extraction
    • MOBILedit
    • Autopsy
      • Analyzing an Android in Autopsy
    • Summary
  • Chapter 12: Windows Phone Forensics
    • Windows Phone OS
      • Security model
      • Windows chambers
      • Capability-based model
    • Windows Phone file system
    • Data acquisition
      • Sideloading using ChevronWP7
      • Extracting the data
        • Extracting SMS
        • Extracting e-mail
        • Extracting application data
    • Summary
  • Chapter 13: BlackBerry Forensics
    • BlackBerry OS
      • Security features
    • Data acquisition
      • Standard acquisition methods
      • Creating a BlackBerry backup
    • BlackBerry analysis
      • BlackBerry backup analysis
      • BlackBerry forensic image analysis
      • Encrypted BlackBerry backup files
      • Forensic tools for BlackBerry analysis
    • Summary

Satish Bommisetty

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and is listed in their hall of fame.

Rohit Tamma

Rohit Tamma is a security analyst working for a Fortune 500 company. His interests lie in mobile forensics, Android application security, and web application security. He is experienced in performing vulnerability assessments and penetration testing of a range of applications, including web and mobile applications. He lives in Hyderabad, India, where he spends time with his parents and friends.

Heather Mahalik

Heather Mahalik is the Mobile Exploitation Team Lead at Basis Technology and the Course Lead for the SANS Smartphone Forensics course. With over 11 years' experience in digital forensics, she currently focuses her energy on mobile device investigations, forensic course development and instruction, and research on smartphone forensics.

Prior to joining Basis Technology, Heather worked at Stroz Friedberg and as a contractor for the U.S. Department of State Computer Investigations and Forensics Lab. She earned her Bachelor's degree from West Virginia University. She has authored white papers and forensic course material, and has taught hundreds of courses worldwide for law enforcement, Government, IT, eDiscovery, and other forensic professionals focusing on mobile devices and digital forensics.

Sorry, we don't have any reviews for this title yet.

Code Downloads

Download the code and support files for this book.

Submit Errata

Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.

Sample chapters

You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

Frequently bought together

Practical Mobile Forensics +    Oracle 11g R1 / R2 Real Application Clusters Handbook =
50% Off
the second eBook
Price for both: £37.00

Buy both these recommended eBooks together and get 50% off the cheapest eBook.

What you will learn from this book

  • Learn different approaches to practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on iOS and Android platforms
  • Set up the forensic environment
  • Extract data on iOS and Android platforms
  • Recover data on iOS and Android platforms
  • Understand the forensics of Windows and BlackBerry devices

In Detail

With the advent of smartphones, the usage and functionality of mobile devices has grown enormously along with the sensitive information contained in these devices. Law enforcement agencies around the world have realized the importance of evidence present on a mobile device and how it can influence the outcome of an investigation.

Practical Mobile Forensics explains mobile forensic techniques on the iOS, Android, Windows, and BlackBerry platforms. You will learn the fundamentals of mobile forensics, and different techniques to extract data from a device, recover deleted data, bypass the screen lock mechanisms, and various other tools that aid in a forensic examination.

This book will teach you everything you need to know to forensically examine a mobile device. The techniques described are not only useful for budding forensic investigators, but will also come in handy for those who may want to recover accidentally deleted data.


The book is an easy-to-follow guide with clear instructions on various mobile forensic techniques. The chapters and the topics within are structured for a smooth learning curve, which will swiftly empower you to master mobile forensics.

Who this book is for

If you are a budding forensic analyst, consultant, engineer, or a forensic professional wanting to expand your skillset, this is the book for you. The book will also be beneficial to those with an interest in mobile forensics or wanting to find data lost on mobile devices. It will be helpful to be familiar with forensics in general but no prior experience is required to follow this book.

Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software