Learning iOS Forensics

By Mattia Epifani , Pasquale Stirparo

About this book

Mobile device forensics relates to the recovery of data from a mobile device. It has an impact on many different situations including criminal investigations and intelligence gathering. iOS devices, with their wide range of functionality and usability, have become one of the mobile market leaders. Millions of people often depend on iOS devices for storing sensitive information, leading to a rise in cybercrime. This has increased the need to successfully retrieve this information from these devices if stolen or lost.

Learning iOS Forensics will give you an insight into the forensics activities you can perform on iOS devices. You will begin with simple concepts such as identifying the specific iOS device and the operating system version and then move on to complex topics such as analyzing the different recognized techniques to acquire the content of the device. Throughout the journey, you will gain knowledge of the best way to extract most of the information by eventually bypassing the protection passcode. After that, you, the examiner, will be taken through steps to analyze the data. The book will give you an overview of how to analyze malicious applications created to steal user credentials and data.

Publication date:
March 2015
Publisher
Packt
Pages
220
ISBN
9781783553518

 

Chapter 1. Digital and Mobile Forensics

In this chapter, we will quickly go through the definition and principles of digital forensics and, more specifically, of mobile forensics. We will see what digital evidence is and how to handle it properly and, last but not least, we will cover the methodology for the identification and preservation of mobile evidence.

 

Digital forensics


Not so long ago we would be talking mainly, if not solely, about computer forensics and computer crimes, such as an attacker breaking into a computer network system and stealing data. This would involve two types of offense: unlawful/unauthorized access and data theft. As cellphones became more popular, the new field of mobile forensics developed.

Nowadays, things have changed radically and are still changing at a fast pace as technology evolves. Digital forensics, which covers all the disciplines dealing with electronic evidence, is now also applied to common crimes, those that are not, at least by definition, IT crimes. Today more than ever we live in a fully digitalized society, where people carry devices of every kind, with different capabilities but all of which process, store, and transmit information (mainly over the Internet). This means that forensic investigators have to be able to deal with all of these devices.

At the first Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics was defined as:

"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."

As Casey asserted in (Casey, 2011):

"In this modern age, it is hard to imagine a crime that does not have a digital dimension."

Criminals of all kinds use technology to facilitate their offenses, to communicate with their peers, to recruit other criminals, to launder money, commit credit card fraud, to gather information on their victims, and so on. This obviously creates new challenges for all the different actors involved such as attorneys, judges, law enforcement agents, as well as forensic examiners.

Among the cases solved in recent years, there were kidnappings where the kidnapper was caught thanks to the ransom request sent by e-mail from his mobile phone. There have been many cases of industrial espionage where unfaithful employees hid projects on the memory card of their smartphones, drug dealing cases solved thanks to evidence found in the backup of a mobile phone stored on a computer, and many others. Even the largest robberies of our time are now conducted over computer networks.

 

Mobile forensics


Mobile forensics is the field of digital forensics that focuses on mobile devices. Among the different digital forensics fields, mobile forensics is without doubt the fastest growing and evolving area of study, and its impact on many different situations, from corporate to criminal investigations to intelligence gathering, grows every day. Moreover, the importance of mobile forensics keeps increasing with the continuous and fast growth of the mobile market. One of the most interesting peculiarities of mobile forensics is that mobile devices, particularly mobile phones, usually belong to a single individual, while this is not always the case with a computer, which may be shared among the employees of a company or the members of a family. For this reason, their analysis gives access to plenty of personal information.

Mobile devices present many new challenges from a forensics perspective. Additionally, new models of phones are being developed all around the world with new phones being released every week. Such variety of mobile devices makes it difficult, or almost impossible, to develop a single solution, whether a process or a tool, to address all possible scenarios.

Just think of all the applications people have installed in their smartphones: IM clients, web browsers, social networks clients, password managers, navigation systems, and much more, other than the "default" classic ones such as an address book, which can provide a lot more information other than just the phone number for each contact that has been saved. Moreover, syncing such devices with the computer has become a very easy and smooth process, and all user activities, schedules, to-do lists, and everything else is stored inside the smartphone. Isn't that enough to profile a person and reconstruct all their recent activities, other than building the network of contacts?

Finally, in addition to such a variety of smartphones and operating systems such as Apple iOS, Google Android, Blackberry OS, and Microsoft Windows Phone, there is a massive number of so-called "feature phones" using older mobile OS systems.

Therefore, it's pretty clear that when talking about mobile/smartphone forensics, there is so much more than just phone call printouts. In fact, with a complete examination, we can retrieve SMS/MMS, pictures, videos, installed applications, e-mails, geolocation data, and so on, both present and deleted information.

 

Digital evidence


Besides bringing a whole new series of challenges and complexity, the increasing use of technology by criminals, and in particular the involvement of mobile devices, has a positive side: it has resulted in a high availability of digital evidence that can be used to track down and prosecute offenders. Moreover, while classical physical evidence may be destroyed, digital evidence most of the time leaves several traces.

Over the years, there have been several definitions of what digital evidence actually is, some of them focusing particularly on the evidentiary aspects of proof to be used in court, such as the one proposed by the Scientific Working Group on Digital Evidence (SWGDE), stating that:

"Digital evidence is any information of probative value that is either stored or transmitted in a digital form."

The definition proposed by the International Organization of Computer Evidence (IOCE) states:

"Digital evidence is information stored or transmitted in binary form that may be relied on in court."

The definition given by E. Casey (Casey, 2000), refers to digital evidence as:

"Physical objects that can establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and its perpetrator."

While all of them are correct, as previously said, all of these definitions focus mostly on proof and tend to disregard data that are simply useful to an investigation.

For this reason and for the purpose of this book, we will refer to the definition given by Carrier in 2006 (Carrier, 2006) where digital evidence is defined as:

"Digital data that supports or refutes a hypothesis about digital events or the state of digital data."

This definition is a more general one, but matches better with the current state of digital evidence and its value within the entire investigation process.

Also from a standardization point of view, there have been, and still are, many attempts to define guidelines and best practices for digital forensics and for how to handle digital evidence. Besides several guidelines and special publications from NIST, there is a relatively recent standard from ISO/IEC, released in 2012: ISO/IEC 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence. It is not specific to mobile forensics but covers digital forensics in general, aiming to build a standard procedure for collecting and handling digital evidence that will be legally recognized and accepted in court in different countries. This is a really important goal if you consider the "lack of borders" of the Internet era, particularly when it comes to digital crimes, where illicit actions can be perpetrated by attackers from anywhere in the world.

 

Identification, collection, and preservation of evidence


In order to be useful in court, but also during the entire investigation phase, digital evidence must be collected, preserved, and analyzed in a forensically sound manner. This means that every single step, from identification to reporting, has to be carefully and strictly followed. Historically, a methodology was considered forensically sound if and only if it left the original source of evidence unmodified and unaltered. This was mostly true in classical computer forensics, in scenarios where the forensic practitioner found the computer switched off or had to deal with external hard drives, although not completely true even there. Since the rise of live forensics, however, this concept has become less and less tenable: methods and tools for acquiring memory from live systems inevitably alter, even if just a little, the target system they are run on. The advent of mobile forensics stresses this concept even more, because mobile devices, smartphones in particular, are networked devices, continuously exchanging data through several communication protocols such as GSM/CDMA, Wi-Fi, Bluetooth, and so on. Moreover, in order to acquire a mobile device, forensic practitioners need to have some degree of interaction with it. Depending on the type of device, a smartphone may need more or less interaction, which in turn alters the "original" state of the device.

All of this does not mean that preservation of the source evidence is useless, but that it is nearly impossible in the mobile field. Therefore, it becomes of extreme importance to thoroughly document every single step taken during the collection, preservation, and acquisition phases. Using this approach, forensic practitioners will be able to demonstrate that they have been as un-intrusive as possible. As stated in (Casey, 2011):

"One of the keys to forensic soundness is documentation. A solid case is built on supporting documentation that reports on where the evidence originated and how it was handled. From a forensic standpoint, the acquisition process should change the original evidence as little as possible and any changes should be documented and assessed in the context of the final analytical results."

When in the presence of mobile devices to be collected, it is good practice for the forensic practitioner to consider the following points:

  • Take note of the current location where the device has been found.

  • Report the device status (switched on or off, broken screen, and so on).

  • Report date, time, and other information visible on the screen in case the device is switched on, for example, by taking a picture of the screen.

  • Look very carefully for the presence of memory cards. Although this is not the case for iOS devices, many mobile phones have a slot for an external memory card, where pictures, chat databases, and many other types of user data are usually stored.

  • Look very carefully for the presence of cables related to the mobile phone that is being collected, especially if you don't have a full set of cables in your lab. Many mobile phones have their own cables to connect to the computer and to recharge the battery.

  • Search for the original Subscriber Identity Module (SIM) package, because that is where the PIN and PIN unblocking key (PUK) codes are written.

  • Take pictures of every item before collection.

But modifications to mobile devices can happen not only because of the interaction with the forensic practitioner but also because of interaction with the network, voluntary or not. In fact, digital evidence on mobile devices can be lost completely: it is susceptible to being overwritten by new data, for example when the smartphone receives an SMS while it is being collected, overwriting evidence previously stored in the same area of memory as the newly arrived message, or when the device receives a remote wipe command over a wireless network. Most of today's smartphones, iOS devices included, can be configured to be completely wiped remotely.

Note

From a real case

While searching inside the house of a person under investigation, law enforcement agents found and seized, among other things, computers and a smartphone. After cataloguing and documenting everything, they put all the material into boxes to bring them back to the barracks. Once back in their laboratory, when taking the smartphone to acquire it in order to proceed with the forensics analysis, they noticed the smartphone was "empty" and like "brand new". The owner had wiped it remotely.

Therefore, isolating the mobile device from all radio networks is a fundamental step in the process of preservation of the evidence. There are several ways to achieve this, all with their own pros and cons, as follows:

  • Airplane mode: Enabling Airplane mode on a device requires some sort of interaction, which poses some risk of modification by the forensic practitioner. Still, it is one of the best possible options, since it implies that all wireless communication chips are switched off. In this case, it is always good to document the action taken, also with pictures and/or videos. Normally, this is possible only if the phone is not passcode-protected or the passcode is known. However, on iDevices with iOS 7 or higher it is also possible to enable Airplane mode from Control Center, opened by swiping up from the bottom of the screen, where there is a button with the shape of a plane. This works from the lock screen only if the Access on Lock Screen option is enabled under Settings | Control Center.

  • Faraday's bag: This item is a sort of envelope made of conducting material that blocks external electromagnetic fields, completely isolating the device from external networks. It works, as the name suggests, as a Faraday cage. This is the most common solution, particularly useful when the device is being carried from the crime scene to the lab after the seizure. However, inside a Faraday bag the phone will continuously search for a network, which will quickly drain the battery. Unfortunately, it is also risky to run a power cable from the outside into the bag, because the cable may act as an antenna. Moreover, keep in mind that when you remove the phone from the bag (once in the lab) it will again be exposed to the network, so you need either a shielded lab environment or a Faraday solution that lets you access the phone while it is still inside the shielded container, without external power cables.

  • Jamming: A jammer is used to prevent a wireless device from communicating by sending out radio waves along the same frequencies of that device. In our case, it would jam the GSM/UMTS/LTE frequencies that mobile phones use to connect with cellular base stations to send/receive data. Beware that this practice may be considered illegal in some countries, since it will also create interferences to any other mobile device in the range of the jammer, disrupting their communications too.

  • Switching off the device: This is a very risky practice because it may activate authentication mechanisms, such as PIN codes or passcodes that are not available to the forensic practitioner, or encryption mechanisms, with the risk of delaying or even blocking the acquisition of the mobile device.

  • Removing the SIM card: Although on most mobile devices this operation implies removing the battery, and therefore all the risks and consequences just mentioned for switching off the device, on iOS devices this task is quite straightforward and does not imply removing the battery (which is not possible on iOS devices anyway). Moreover, if the SIM has PIN protection enabled, removing it and reinserting it will lock it until the PIN is entered, preventing its content from being displayed. However, bear in mind that removing the SIM card will isolate the device only from the cellular network, while other networks, such as Wi-Fi or Bluetooth, may still be active and therefore need to be addressed.

The preceding image shows a SIM card extracted from an iPhone with just a clip, taken from http://www.maclife.com/.

Chain of custody

Talking about documenting and the preservation of digital evidence, one of the most important steps is the correct and comprehensive compilation of the chain of custody. The purpose of this document is twofold: on one hand, to keep record of each person who handled the evidence, enabling the identification of access and movement of potential digital evidence at any given point in time; and on the other hand, to maintain documentation demonstrating that the digital evidence has not been altered since it was collected while passing through the hands of the several analysts listed in the document.

Therefore, some of the information that the chain of custody should contain is as follows:

  • A unique evidence identifier

  • Who accessed the evidence and the time and location it took place

  • Who checked the evidence in and out from the evidence preservation facility and when

  • The reason why the evidence was checked out

  • The hash value(s) of the evidence, in order to prove that it has not been tampered with since it was last handed over to the previous person listed in the chain of custody

  • Any unavoidable change made to the potential digital evidence (the investigation must never be performed directly on the original device/file, but some changes cannot be avoided), together with the justification for introducing it and the name of the individual responsible

The following image shows a sample of chain custody proposed by NIST:

 

Going operational – from acquisition to reporting


Especially in mobile forensics, where information visible may be more volatile, but also in classical computer forensics, sometimes there may be the urgency to acquire the data available. Information may vanish before being able to isolate or properly handle the device. In such cases, effective on-scene triage processes and tools may preserve evidence that would otherwise be lost. Such processes may include taking immediate pictures or videos recording the screen of the device before proceeding with any other type of operation.

Having said that, once the mobile device has been handled correctly, forensic practitioners may proceed with the acquisition of the evidence from the device. In mobile forensics, and particularly for iOS devices, there are the following three different types of possible acquisition:

  • Physical: This is the optimal and most desired option. A physical acquisition consists of an exact bit-by-bit copy of the device's storage. This is the most comprehensive option, since it also allows you to recover potentially deleted files.

  • File System: This is the second best option when physical acquisition is not possible for whatever reason. This type of acquisition lets the forensic practitioner extract all the files visible at file system level. In this way, it will be possible to analyze all active files, those that would be visible by browsing the file system, but it will not be possible to recover potentially deleted files.

  • Logical: With this type of acquisition, it is possible to extract part of the file system. It consists of the data available by performing the backup of the device, via iTunes in the case of iOS devices. Unfortunately, on iOS, a logical/backup acquisition does not extract important files such as e-mails, geolocation databases, the app cache folder, and so on. Although it is the least comprehensive of the three, sometimes this may be the only option available.

The preceding three acquisition methods are the main methods for acquiring an iOS device; we will see more about them in detail later. In the next chapters, we will dive deep into each of the different methodologies, explaining how to behave in every possible situation, and we will see most of the different tools available for performing physical, file system, and logical acquisitions and for analyzing their results.

Mobile forensics, however, may also include the need to adopt some "offensive security" techniques. Depending on the device model and iOS version, in order to make a physical acquisition we may need to jailbreak the device, hopefully with a tethered technique so that modifications will not be persistent on the device and it will be restored once restarted. Even in cases when we can only perform an untethered jailbreak, such modifications will affect only the iOS device system partition, leaving the user partition unchanged and therefore the evidence preserved.

Another offensive technique we may need to use is passcode cracking. As we will see later, we often find ourselves in front of a passcode-protected device. Again depending on the device model and iOS version, it may be possible to perform brute force attacks against the passcode set by the user.

All of these more "invasive" techniques will need to be fully documented in the final report, detailing methodology, techniques, and tools used. It is very important, especially because of their invasiveness, to know very well the tools and techniques used in order to be able to explain what and where modifications have happened, and why they did not alter the evidence to the point of compromising it. Good reporting is the key.

Evidence integrity

It has been mentioned already multiple times that when handling mobile devices, it is basically always impossible not to interact with the device and therefore alter to some extent its current status. However, this does not mean that in mobile forensics there is no need or reason to put in place mechanisms of evidence integrity. In fact, once the acquisition has been completed, there must be in place some integrity verification mechanism for the data that has been extracted from the mobile device, be it an iTunes backup, a full physical acquisition, or simply a single file. In digital forensics, such a process of verifying the integrity of digital evidence is completed by comparing the digital fingerprint of the evidence taken at the time of acquisition with the digital fingerprint of the evidence in its current state. Such a fingerprint is also known as a hash value or message digest. Hashing functions are one-way mathematical functions that, given any input of arbitrary length, produce an output of a fixed length. The same input always produces the same output, and a good hash function has the avalanche property: changing even a single bit of the input produces a completely different hash value. The following table shows how simply changing the case of two characters in the same sentence yields a completely different hash value:

Input value           MD5 output
ios Forensics book    9effa61083b07a164c5471d020fa4306
iOS Forensics book    e6196e1b4f0d1535244eaab534428542

The two most common algorithms used to calculate hash values in forensics are MD5 and SHA-1. MD5 produces a 128-bit output, SHA-1 a 160-bit one. The other important characteristic of this type of algorithm is that it must be computationally infeasible to produce two messages with the same digest (collision resistance) and, even more so, to produce a message with a specified target digest (preimage resistance). Researchers have demonstrated practical collision attacks against both MD5 (since 2004) and SHA-1 (since 2017): an attacker who controls both inputs can craft two different files with the same digest. No practical preimage attack is known for either algorithm, so a digest recorded at acquisition time still detects any later modification of that acquisition, and this type of collision does not invalidate the use of MD5 or SHA-1 to document the integrity of digital evidence. Producing two files that collide under two different, independent algorithms at the same time is harder still, so it is good practice to generate both the MD5 and the SHA-1 hash value for each piece of digital evidence produced or collected; today it is also good practice to record a SHA-256 value, for which no collision attack is known.
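The following Python example is added here and is not part of the book; it ties the chain of custody fields listed earlier to the hashing just described. It computes MD5, SHA-1 and, as a modern addition, SHA-256 digests of an acquisition in a single pass over the data, stores them as the hash field of each chain of custody entry, and checks every handover against the previous one, flagging any change in the digests that is not documented with a justification. The evidence identifier, the handler names and the 16 KiB sample image are constructed for the example.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import BinaryIO, Dict, List

# Two independent algorithms, as the chapter recommends, plus SHA-256 as the
# modern default. A collision in one algorithm does not collide in the others.
ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(stream: BinaryIO, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash an acquisition (image, backup or single file) with every algorithm in one
    pass. Reads in chunks so multi-gigabyte images are never loaded whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (a single extracted file)."""
    return fingerprint(io.BytesIO(data))


@dataclass
class CustodyEntry:
    """One line of the chain of custody: who handled the evidence, when, where,
    why, and the digests that prove its state at that moment."""
    evidence_id: str
    action: str                  # "collected", "checked-in", "checked-out", ...
    handler: str
    timestamp: str               # ISO 8601, UTC
    location: str
    reason: str
    hashes: Dict[str, str]
    documented_change: str = ""  # justification for an unavoidable change, if any


@dataclass
class ChainOfCustody:
    evidence_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, action: str, handler: str, location: str, reason: str,
               stream: BinaryIO, documented_change: str = "") -> CustodyEntry:
        """Append an entry, hashing the evidence as it is at this handover."""
        entry = CustodyEntry(self.evidence_id, action, handler,
                             datetime.now(timezone.utc).isoformat(), location,
                             reason, fingerprint(stream), documented_change)
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Compare each handover with the previous one. An undocumented change in
        the digests breaks the chain; a documented one is allowed but stays visible."""
        problems = []
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur.hashes != prev.hashes and not cur.documented_change:
                problems.append(
                    f"{cur.action} by {cur.handler} at {cur.timestamp}: digests differ "
                    f"from the previous entry and no change is documented")
        return problems


# Constructed stand-in for an acquisition image (16 KiB of a repeating byte pattern).
SAMPLE_IMAGE = bytes(range(256)) * 64


def build_demo_chain(tamper: bool) -> ChainOfCustody:
    """Collection, storage and check-out for analysis. With tamper=True the copy
    handed to the analyst has a single bit flipped. Names and IDs are hypothetical."""
    chain = ChainOfCustody("EV-2015-0001")
    chain.record("collected", "examiner A", "scene", "seizure", io.BytesIO(SAMPLE_IMAGE))
    chain.record("checked-in", "evidence clerk", "evidence room", "storage", io.BytesIO(SAMPLE_IMAGE))
    image = bytearray(SAMPLE_IMAGE)
    if tamper:
        image[4096] ^= 0x01  # one bit changes every digest
    chain.record("checked-out", "examiner B", "lab", "analysis", io.BytesIO(bytes(image)))
    return chain


if __name__ == "__main__":
    for name, value in fingerprint_bytes(b"iOS Forensics book").items():
        print(f"{name:7} {value}")
    print("intact chain  :", build_demo_chain(False).verify() or "OK")
    print("tampered chain:", build_demo_chain(True).verify())
```

The verification only ever compares an entry with the one immediately before it, so a change that was documented at the time (for example, a jailbreak applied before a physical acquisition) is accepted once and every later entry is measured against the new digests; an undocumented difference anywhere in the chain is reported with the handler and timestamp of the entry where it first appears.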

 

SIM cards


When conducting forensic examinations of mobile devices, it is also important to acquire and analyze the contents of associated SIM cards. The SIM is a type of smart card that allows the mobile device to connect to the cellular network through the cryptographic keys embedded in the SIM itself. The SIM is mainly characterized by the following two different codes that can be retrieved:

  • Integrated Circuit Card Identification (ICCID): This code, up to 20 digits long, internationally and univocally identifies each SIM card

  • International Mobile Subscriber Identity (IMSI): This is a unique number 15 digits long (somewhere, like in South Africa, it's 14), which univocally identifies a user inside the mobile network

Although this is not the case with iOS devices, an individual might use multiple SIM cards in the same device for different purposes, since some mobile devices support dual SIM operation.

In addition, the storage capacity and utilization of SIM cards has increased a lot, and a SIM may contain a large amount of relevant information. Just to give you an idea of the amount of data that can be stored (or hidden) inside a SIM, consider that inside a standard 128 KB SIM card it is possible to write up to 17 KB of user data. The whole United States Declaration of Independence takes just 11 KB.

Some of the useful information to recover from a SIM card may be the list of incoming/outgoing phone calls, contacts information, the SMS content, for which it is possible to recover even those that have been deleted, and the location of the last cell to which the device was connected.

Looking into the details of the SIM card (Gubian, 2007), it is possible to see the hierarchical n-ary structure of its file system, which has three different kinds of files, with the content of each file defined in the GSM technical specification GSM 11.11. The kind of file can be recognized from the first byte of its two-byte identifier:

  • 3F = Master File (MF): It consists of a header only and is the root of the file system in the SIM card. Its identifier, which is the starting point of every other path, is 3F00.

  • 7F/5F = Dedicated File (DF): Like the MF, it consists of a header, plus the EFs (and DFs) it contains. A DF can be compared to a normal directory/folder on a PC.

  • 2F = Elementary file (EF) under the master file, and 6F/4F = Elementary file under a dedicated file: It consists of a header plus a body, which holds the actual data (for example, the SMS).

The following diagram gives an example of this hierarchical structure (the file system structure of a SIM):

The GSM technical specification already defines some files with common names. Some of the most interesting among the standard ones are the 3F00:7F10 directory, named DF_TELECOM, which contains service-related information, including user-created data such as SMS and last numbers dialed, and the 3F00:7F20 directory, named DF_GSM, which contains network-related information for GSM 900 MHz band operation (DF_DCS1800 contains the information for 1800 MHz band operation). The ICCID and IMSI mentioned previously can be found at 3F00:2FE2, named EF_ICCID, and 3F00:7F20:6F07, named EF_IMSI, respectively. The following table presents some of the well-known information that can be found inside the SIM card and the respective locations (relative to the MF, 3F00):

Description                          Location
SMS                                  7F10:6F3C
MSISDN                               7F10:6F40
Last Numbers Dialed (LND)            7F10:6F44
Abbreviated Dialing Numbers (ADN)    7F10:6F3A
IMSI                                 7F20:6F07

In the SIM, access to each file (EF) is governed by a number of privilege levels, which allow or deny certain actions according to the "role" of the user (which is given by the privilege). Some of the "useful" privileges are ALWays, CHV1, and CHV2 (card holder verification, that is, the PIN and PIN2 codes). These are the privileges that allow the owner of the SIM card (or anyone who knows the codes) to access and modify the content of such files. Each command on a file (READ, UPDATE, and so on) has its own access condition; for instance, any file that has one of these privileges attached to the UPDATE command allows those who know the codes (CHV1/CHV2) to modify the information inside that file. The following table summarizes the access condition levels for SIM cards:

Level      Access condition
0          ALWays
1          CHV1
2          CHV2
3          Reserved for GSM future use
4 to 14    ADM
15         NEVer
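As an added example, not from the book, the following Python code models the SIM file system and the two tables above: it resolves a path such as 7F10:6F3C to its GSM 11.11 name (rejecting ill-formed hierarchies, such as a file placed under an EF), decodes the nibble-swapped BCD used by EF_ICCID and EF_IMSI, and maps access condition nibbles, as found in bytes 9 to 11 of the SELECT response on an EF, to the level names of the table. The sample EF contents are constructed, not read from a real card, and the ICCID and IMSI values in them are made up.

```python
from typing import Dict

# Well-known files from GSM 11.11, keyed by their full path from the Master File.
SIM_FILES = {
    "3F00": "MF",
    "3F00:2FE2": "EF_ICCID",
    "3F00:7F10": "DF_TELECOM",
    "3F00:7F10:6F3A": "EF_ADN",
    "3F00:7F10:6F3C": "EF_SMS",
    "3F00:7F10:6F40": "EF_MSISDN",
    "3F00:7F10:6F44": "EF_LND",
    "3F00:7F20": "DF_GSM",
    "3F00:7F20:6F07": "EF_IMSI",
}

# Access condition levels; 4..14 are all ADM (administrative) and handled below.
ACCESS_LEVELS = {0: "ALW", 1: "CHV1", 2: "CHV2", 3: "RFU", 15: "NEV"}


def file_kind(fid: str) -> str:
    """Classify a file identifier by its first byte, as the chapter's list does."""
    return {"3F": "MF", "7F": "DF", "5F": "DF",
            "2F": "EF", "6F": "EF", "4F": "EF"}.get(fid[:2].upper(), "unknown")


def resolve(path: str) -> str:
    """Normalise a colon-separated path (absolute, or relative to the MF), check
    that the hierarchy is well formed, and return the GSM 11.11 name."""
    parts = [p.upper() for p in path.split(":")]
    if parts[0] != "3F00":
        parts.insert(0, "3F00")
    for parent, child in zip(parts, parts[1:]):
        if file_kind(parent) == "EF":
            raise ValueError(f"{parent} is an EF and cannot contain {child}")
        if child.startswith("2F") and parent != "3F00":
            raise ValueError(f"{child} is an EF of the MF, not of {parent}")
    full = ":".join(parts)
    return SIM_FILES.get(full, f"unnamed {file_kind(parts[-1])} {full}")


def swapped_bcd(raw: bytes) -> str:
    """Decode nibble-swapped BCD: the low nibble of each byte is the earlier
    digit and 0xF is padding. Used by EF_ICCID, EF_IMSI and the number files."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:X}")
            digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID (3F00:2FE2): 10 bytes of swapped BCD, up to 20 digits."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    return swapped_bcd(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI (3F00:7F20:6F07): 9 bytes. Byte 1 is the length of the rest; byte 2
    holds the identity type (bits 1-3 = 001 for IMSI), the odd/even parity flag
    (bit 4) and the first digit (bits 5-8); the remaining bytes are swapped BCD."""
    if len(ef_imsi) != 9:
        raise ValueError("EF_IMSI must be 9 bytes")
    body = ef_imsi[1:1 + ef_imsi[0]]
    if not body or body[0] & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    odd = bool(body[0] & 0x08)
    first = body[0] >> 4
    if first > 9:
        raise ValueError("invalid first digit")
    imsi = str(first) + swapped_bcd(body[1:])
    if odd != (len(imsi) % 2 == 1):
        raise ValueError("parity flag does not match the digit count")
    if len(imsi) > 15:
        raise ValueError(f"IMSI has {len(imsi)} digits, maximum is 15")
    return imsi


def access_condition(level: int) -> str:
    """Map a 4-bit access condition level to its name from the table."""
    if 4 <= level <= 14:
        return "ADM"
    if level in ACCESS_LEVELS:
        return ACCESS_LEVELS[level]
    raise ValueError(f"access level {level} out of range")


def decode_ef_access(select_bytes_9_to_11: bytes) -> Dict[str, str]:
    """Bytes 9-11 of the SELECT response on an EF carry one access condition per
    command, one nibble each (the low nibble of byte 10 is reserved)."""
    b9, b10, b11 = select_bytes_9_to_11
    return {
        "READ/SEEK": access_condition(b9 >> 4),
        "UPDATE": access_condition(b9 & 0x0F),
        "INCREASE": access_condition(b10 >> 4),
        "REHABILITATE": access_condition(b11 >> 4),
        "INVALIDATE": access_condition(b11 & 0x0F),
    }


if __name__ == "__main__":
    # Constructed sample contents, not read from a real card.
    print(resolve("2FE2"), decode_iccid(bytes.fromhex("98931000214365870921")))
    print(resolve("7F20:6F07"), decode_imsi(bytes.fromhex("082922101332547698")))
    print(resolve("7F10:6F3C"), decode_ef_access(bytes.fromhex("1A00AA")))
```

A path under the wrong directory, such as 7F10:6F07, comes back unnamed, because EF_IMSI lives under DF_GSM (7F20), not DF_TELECOM; the digits of the dialing number files (EF_ADN, EF_LND, EF_MSISDN) are stored in the same swapped BCD form, so the same decoder applies to them once the record's type-of-number byte has been skipped.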

SIM security

Other than the ICCID and the IMSI, which mainly relate to the SIM itself, the other two important codes that are useful (actually, almost indispensable) when conducting an analysis are the PIN code and the PUK code. The PIN code is used to authenticate the user to the card, while the PUK code is used to unlock the SIM card after three incorrect PIN attempts. Therefore, brute forcing the PIN is generally ineffective, because three failed PIN attempts will result in the SIM being locked.

Fortunately, SIM cards have a PUK, and many network service providers (NSP) can provide the PUK to law enforcement, given proper legal authorization signed by a judge (warrant), to get around the PIN or to access a locked SIM card.

If an incorrect PUK code is inserted 10 times, the SIM will block itself permanently, making its content completely inaccessible. This is something to keep in mind before starting a brute force guessing against those two codes.

 

Summary


In this chapter, we gave a general introduction to digital forensics for those relatively new to this area of study and a good recap to those already into the field, keeping the specificity of the mobile forensics field in mind. We have seen what digital evidence is and how it should be handled, presenting several techniques to isolate the mobile device from the network. You should always remember the importance of documenting any action taken (chain of custody, final report, and so on) and to put in place the mechanisms to verify the integrity of the evidence (hash values). We also talked about the different acquisitions techniques for the iOS devices, anticipating some terms and technologies that will be covered in full detail in the next chapters of this book, from A to Z. Last but not least, we talked about the SIM card, how it is structured, and what type of useful information we can expect to find inside.

In the next chapter, we will start focusing purely on the mobile forensics of Apple devices. In particular, you will have an introduction to the iOS devices, OS, and the file system.


Self-test questions


  1. What is the best option to isolate a mobile device before acquisition?

    1. Jammer

    2. Faraday's bag

    3. Airplane mode

    4. Switch off the device

  2. What is the most comprehensive acquisition method?

    1. Logical

    2. Advanced logical

    3. File system

    4. Physical

  3. What is the code that internationally and univocally identifies each SIM card called?

    1. IMSI

    2. ICCID

    3. PUK

    4. GSM

  4. How many PUK attempts do we have before the SIM card becomes completely inaccessible?

    1. 3

    2. 5

    3. 10

    4. 15

About the Authors

  • Mattia Epifani

    Mattia Epifani (@mattiaep) is the CEO at Reality Net-System Solutions, an Italian consulting company involved in InfoSec and digital forensics.

    He works as a digital forensics analyst for judges, prosecutors, lawyers, and private companies. He is a court witness and digital forensics expert.

    He obtained a university degree in computer science in Genoa, Italy, and a postgraduate specialization course in computer forensics and digital investigations in Milan, Italy. Over the last few years, he obtained several certifications in digital forensics and ethical hacking (GCFA, GREM, GNFA, GCWN, GMOB, CIFI, CEH, CHFI, ACE, AME, ECCE, CCE, and MPSC) and attended several SANS classes (computer forensics and incident response, Windows memory forensics, mobile device security and ethical hacking, reverse engineering malware, smartphone forensics, Mac forensics, securing Windows, and network forensics analysis).

    He speaks regularly on digital forensics at different Italian and European universities (Genoa, Milano, Roma, Bolzano, Pescara, Salerno, Campobasso, Camerino, Pavia, Savona, Catania, Lugano, Como, and Modena e Reggio Emilia) and events (DFRWS, SANS European Digital Forensics Summit, Security Summit, IISFA Forum, DEFT Conference, and DFA Open Day). He is a member of CLUSIT, DFA, IISFA, ONIF, and Tech and Law Center, and the author of various articles on scientific publications about digital forensics. More information is available on his LinkedIn profile (http://www.linkedin.com/in/mattiaepifani).

  • Pasquale Stirparo

    Pasquale Stirparo (@pstirparo) is currently working as a cyber threat intelligence and incident response engineer at a Fortune 500 company. Prior to this, among other positions, Pasquale has also worked at the Joint Research Centre (JRC) of the European Commission as a digital forensics and mobile security researcher, with particular interest in the security and privacy issues related to mobile device communication protocols, mobile applications, mobile malware, and cybercrime. Since 2016, he has been appointed to the Advisory Group on Internet Security at the European Cyber Crime Center (EC3) of Europol and is an incident handler with the SANS Internet Storm Center (ISC). Pasquale has also been involved in the standardization of Digital Forensics as a contributor (the first in Italy) to the development of the standard “ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, for which he led the WG ISO27037 for the Italian National Body in 2010.

    He is the author of many scientific publications and has also been invited as a speaker at several national and international conferences and seminars on Digital Forensics and as a lecturer on the same subject for the Polytechnic of Milano (CEFRIEL) and the United Nations (UNICRI). Pasquale holds a Ph.D. in Computer Security from the Royal Institute of Technology (KTH) of Stockholm and a M.Sc. in Computer Engineering from the Polytechnic of Torino, and is certified with GCFA, GREM, OPST, OWSE, and ECCE. More information is available on his LinkedIn personal profile (https://www.linkedin.com/in/pasqualestirparo).
