Practical Mobile Forensics
Third Edition
A hands-on guide to mastering mobile forensics for the iOS,
Android, and the Windows Phone platforms
Rohit Tamma
Oleg Skulkin
Heather Mahalik
Satish Bommisetty
BIRMINGHAM - MUMBAI
Practical Mobile Forensics
Third Edition
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, without the prior written permission of the publisher, except in the case of brief quotations
embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented.
However, the information contained in this book is sold without warranty, either express or implied. Neither the
authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to
have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy
of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Devika Battike
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta
First published: July 2014
Second edition: May 2016
Third edition: January 2018
Production reference: 1220118
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78883-919-8
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as
well as industry leading tools to help you plan your personal development and advance
your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos
from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a
print book customer, you are entitled to a discount on the eBook copy. Get in touch with us
at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a
range of free newsletters, and receive exclusive discounts and offers on Packt books and
eBooks.
Contributors
About the authors
Rohit Tamma is a security program manager currently working with Microsoft. With over
8 years of experience in the field of security, his background spans management and
technical consulting roles in the areas of application and cloud security, mobile security,
penetration testing, and security training. Rohit has also coauthored a couple of books, such
as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to
perform forensics on the mobile platforms. You can contact him on Twitter at
@RohitTamma.
Writing this book has been a great experience because it has taught me several things,
which could not have been otherwise possible. I would like to dedicate this book to my
parents for helping me in every possible way throughout my life.
Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia
with more than 6 years of experience, and is currently employed by Group-IB, one of the
global leaders in preventing and investigating high-tech crimes and online fraud. He holds
a number of certifications, including GCFA, MCFE, and ACE. Oleg is a coauthor of Windows
Forensics Cookbook, and you can find his articles about different aspects of digital forensics
both in Russian and foreign magazines. Finally, he is a very active blogger, and he updates
the Cyber Forensicator blog daily.
I would like to thank my mom and wife for their support and understanding, my friend,
Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin,
Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov,
Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita
Panov, Anastasiya Barinova, and Vesta Matveeva.
Heather Mahalik is the director of forensic engineering with ManTech CARD, where she
leads the forensic effort focusing on mobile and digital exploitation. She is a senior
instructor and author for the SANS Institute, and she is also the course leader for the
FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital
forensics, she continues to thrive on smartphone investigations, digital forensics, forensic
course development and instruction, and research on application analysis and smartphone
forensics.
Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary
areas of interest include iOS forensics, iOS application security, and web application
security. He has presented at international conferences, such as ClubHACK and C0C0n. He
is also one of the core members of the Hyderabad OWASP chapter. He has identified and
disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!,
AT&T, and more, and they are listed in their hall of fame.
About the reviewer
Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he
has attended a lot of seminars and training classes in top forensic companies and forensic
departments of government organizations. He has experience and skills in cellphones
forensics, chip-off forensics, malware forensics, and other fields. He has worked on several
thousand forensic cases.
He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier,
Packt Publishing, 2017.
He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and
apply today. We have worked with thousands of developers and tech professionals, just
like you, to help them share their insight with the global tech community. You can make a
general application, apply for a specific hot topic that we are recruiting an author for, or
submit your own idea.
Table of Contents
Chapter 1: Introduction to Mobile Forensics 6
Why do we need mobile forensics? 7
Mobile forensics 8
Challenges in mobile forensics 10
The mobile phone evidence extraction process 12
The evidence intake phase 13
The identification phase 14
The legal authority 14
The goals of the examination 14
The make, model, and identifying information for the device 14
Removable and external data storage 15
Other sources of potential evidence 15
The preparation phase 15
The isolation phase 16
The processing phase 16
The verification phase 16
Comparing extracted data to the handset data 17
Using multiple tools and comparing the results 17
Using hash values 17
The documenting and reporting phase 17
The presentation phase 18
The archiving phase 18
Practical mobile forensic approaches 18
Overview of mobile operating systems 19
Android 19
iOS 20
Windows Phone 20
Mobile forensic tool leveling system 20
Manual extraction 22
Logical extraction 22
Hex dump 22
Chip-off 23
Micro read 23
Data acquisition methods 24
Physical acquisition 24
Logical acquisition 24
Manual acquisition 25
Potential evidence stored on mobile phones 25
Examination and analysis 26
Rules of evidence 28
Good forensic practices 29
Securing the evidence 29
Preserving the evidence 29
Documenting the evidence and changes 30
Reporting 30
Summary 31
Chapter 2: Understanding the Internals of iOS Devices 32
iPhone models 33
Identifying the correct hardware model 33
iPhone hardware 41
iPad models 42
Understanding the iPad hardware 44
Apple Watch models 45
Understanding the Apple Watch hardware 46
The filesystem 48
The HFS Plus filesystem 48
The HFS Plus volume 49
The APFS filesystem 50
The APFS structure 51
Disk layout 52
iPhone operating system 53
The iOS architecture 54
iOS security 55
Passcodes, Touch ID, and Face ID 56
Code Signing 56
Sandboxing 56
Encryption 57
Data protection 57
Address Space Layout Randomization 57
Privilege separation 57
Stack-smashing protection 57
Data execution prevention 58
Data wipe 58
Activation Lock 58
The App Store 58
Jailbreaking 59
Summary 60
[ ii ]
Chapter 3: Data Acquisition from iOS Devices 61
Operating modes of iOS devices 62
The normal mode 62
The recovery mode 64
DFU mode 67
Setting up the forensic environment 70
Password protection and potential bypasses 70
Logical acquisition 71
Practical logical acquisition with libimobiledevice 72
Practical logical acquisition with Belkasoft Acquisition Tool 73
Practical logical acquisition with Magnet ACQUIRE 78
Filesystem acquisition 81
Practical jailbreaking 82
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit 83
Physical acquisition 83
Practical physical acquisition with Elcomsoft iOS Forensic Toolkit 84
Summary 87
Chapter 4: Data Acquisition from iOS Backups 88
iTunes backup 89
Creating backups with iTunes 92
Understanding the backup structure 94
info.plist 95
manifest.plist 96
status.plist 96
manifest.db 97
Extracting unencrypted backups 99
iBackup Viewer 99
iExplorer 101
BlackLight 103
Encrypted backup 105
Elcomsoft Phone Breaker 105
Working with iCloud backups 107
Extracting iCloud backups 109
Summary 110
Chapter 5: iOS Data Analysis and Recovery 111
Timestamps 112
Unix timestamps 112
Mac absolute time 113