Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This is the fourth edition of our successful Practical Mobile Forensics book that delves into the concepts of mobile forensics and its importance in today’s world.
This book focuses on teaching you the latest forensic techniques in the investigation of mobile devices across various mobile platforms. You will learn forensic techniques on multiple OS versions, including iOS 12, iOS 13, Android 9, Android 10, and Windows 10. You will delve into the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. You will learn how to inspect the device, retrieve data from the cloud, and successfully document reports of your investigations. You will explore reverse engineering of applications and ways to identify malware. You will also come across parsing popular third-party applications such as Facebook and WhatsApp.

By the end of this book, you will have mastered various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.

This book is intended for forensic examiners with little or only basic experience in mobile forensics or open source solutions for mobile forensics. This book will also be useful for computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. Some understanding of digital forensics practices would be helpful.

Chapter 1, Introduction to Mobile Forensics, introduces you to the concepts of mobile forensics, its core values, and the challenges involved. This chapter also provides an overview of the practical approaches and best practices involved in performing mobile forensics.

Chapter 2, Understanding the Internals of iOS Devices, provides an insight into iOS forensics. You will learn about the filesystem layout, security features, and the way files are stored on an iOS device.

Chapter 3, Data Acquisition from iOS Devices, discusses tools that will help you obtain data from iOS devices to later examine forensically. Not all tools are created equal, so it's important to understand the best tools to get the job done properly.

Chapter 4, Data Acquisition from iOS Backups, discusses iOS device backup files in detail, including user, forensic, encrypted, and iCloud backup files, and the methods to conduct your forensic examination.

Chapter 5, iOS Data Analysis and Recovery, goes further into forensic investigation by showing the examiner how to analyze the data recovered from the backup files. Areas containing data of potential evidentiary value will be explained in detail.

Chapter 6, iOS Forensic Tools, for familiarity purposes, walks you through the use of a number of commercial tools, such as Elcomsoft iOS Forensic Toolkit, Cellebrite (UFED4PC, Touch, and Physical Analyzer), BlackLight, Oxygen Forensic Detective, AccessData MPE+, EnCase, Belkasoft Evidence Center, MSAB XRY, and many more, which are available for forensic acquisition and the analysis of iOS devices. This chapter provides details of the processes required to perform acquisitions and analysis of iOS devices.

Chapter 7, Understanding Android, introduces the fundamentals of the Android platform, its built-in security features, and its filesystem. This chapter establishes the basic forensic knowledge that will be helpful in the next chapters.

Chapter 8, Android Forensic Setup and Pre-Data Extraction Techniques, tells you what to consider when setting up a digital forensic examination environment. Step-by-step information about rooting an Android device and bypassing the screen lock feature is provided in this chapter.

Chapter 9, Android Data Extraction Techniques, helps you to identify the sensitive locations on an Android device and explains various logical and physical techniques that can be applied to the device in order to extract the necessary information.

Chapter 10, Android Data Analysis and Recovery, explains how to extract relevant data, such as call logs, text messages, and browsing history from an image file. We will also cover data recovery techniques, with which we can recover data that's been deleted from a device.

Chapter 11, Android App Analysis, Malware, and Reverse Engineering, explains that while the data extraction and data recovery techniques discussed in earlier chapters provide access to valuable data, app analysis in this chapter helps us to acquire information about the specifics of an application, such as preferences and permissions.

Chapter 12, Windows Phone Forensics, discusses Windows Phones, which do not occupy much of the mobile market space. Therefore, most forensic practitioners are unfamiliar with the data formats, embedded databases, and other artifacts that exist on the device. This chapter provides an overview of Windows Phone forensics, describing various methods of acquiring and examining data on Windows mobile devices.

Chapter 13, Parsing Third-Party Application Files, introduces you to the various applications seen on Android devices, iOS devices, and Windows Phones. Each application will vary due to versions and devices, but their underlying structures are similar. We will look at how the data is stored and why preference files are important to your investigation.

Ensure that you have a test mobile device on which you can experiment with the techniques explained in the book. Do not try these techniques on your personal phone.

Some of the techniques explained in the book, such as rooting a device, are specific to the brand and the OS running on the device. Ensure that you research and gather sufficient information before trying these techniques.

If you are using the digital version of this book, we advise you to type the commands yourself. Doing so will help you avoid any potential errors related to the copying and pasting of code.

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838647520_ColorImages.pdf

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

A block of code is set as follows:

html, body, #map {
 height: 100%; 
 margin: 0;
 padding: 0
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

$ mkdir css
$ cd css

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in, either writing or contributing to a book, please visit authors.packtpub.com.

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.