- Mobile Forensics: Advanced Investigative Strategies
- Oleg Afonin, Vladimir Katalov
- 2025-02-21 14:00:06
What this book covers
This book is written to represent a natural flow in the e-discovery process, covering the different stages of mobile forensics from seizing the device to acquiring the data and analyzing evidence. The book covers basic handling, acquisition, and analysis techniques for smartphones and tablets running the most popular operating systems: Android, iOS, Windows Phone, Windows 8, 8.1, and RT, and BlackBerry. The following topics are covered in detail:
Seizing techniques:
- Shielding the device: the use of the Faraday bag
- Preserving volatile memory and capturing memory dumps
Acquisition techniques:
- Physical acquisition (via USB connection)
- Logical acquisition via data backups
- Over-the-air acquisition and cloud analysis
Evidence discovery and data analysis:
- Finding, viewing, and analyzing evidence
Tools for mobile forensics:
- Acquisition and analysis tools overview
- Tools for acquiring iOS devices
- Tools for acquiring Android, BlackBerry, and Windows Phone devices
- Tools for discovering and analyzing evidence
It is equally important to note what this book does not cover. These include:
- JTAG acquisition
- Chip-off imaging
- Disk imaging tools
- Tools for acquiring Windows 8 and 8.1 devices
We will not go into any technical detail, such as which hex code at what address means what, or how to calculate UDID, or how to use ADB to break through passcode protection on Android 2.1. We believe these things are meaningless for a law enforcement officer, and should only interest technicians working in an acquisition lab – and this book is not for them.
Chapter 1, Introducing Mobile Forensics, introduces the concept of mobile devices as a source of valuable evidence. The chapter describes what types of evidence are generally available in mobile devices. It also outlines acquisition options depending on whether the reader has access to the actual device, knows the user’s login and password (such as an Apple ID or Google Account password), or has access to the computer that was used to sync the mobile device. This chapter also discusses the various techniques used by suspects to counter forensic efforts, and suggests methods to overcome such efforts. This chapter is essential to understanding what the expert is trying to achieve when investigating mobile devices, why, and how. After reading this chapter, you will understand the big picture of mobile forensics, realize that there is no single straightforward path to acquiring mobile evidence, and understand that the available acquisition options strongly depend on various factors. You’ll get an idea of how to seize and store mobile devices and how to detect and counter anti-forensic efforts.
Chapter 2, Acquisition Methods Overview, gives an overview of the acquisition methods available for different mobile platforms. With the wide range of mobile devices around, multiple acquisition methods exist. There is no single universal acquisition method available for all models. Some acquisition methods depend on the phone’s lock and encryption status, OS version, type of available storage, and so on. Investigators have to work their way through the investigation to discover what acquisition methods are available for a particular device.
Chapter 3, Acquisition – Approaching Android Devices, discusses the options available for acquiring information from Android devices, providing a detailed outline of physical, logical, and over-the-air acquisition methods for Android smartphones and tablets. In this chapter, the reader will learn what acquisition methods are available for the Android platform, which acquisition techniques are available in what circumstances, and how to choose the appropriate acquisition method for a given device. This chapter also covers one of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence. In this chapter, we discuss exactly how modern smartphones handle deleted data, depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas.
Chapter 4, Practical Steps to Android Acquisition, discusses the massive amounts of information collected by Google, and explains how to extract this information from Google servers. We’ll be using forensic tools to download data from Google, view it, and examine obtained evidence. The acquisition of Google Accounts can provide a much deeper insight into user activities than what’s available in a single Android smartphone. This chapter offers a detailed discussion and demonstration of various physical acquisition methods available for a wide range of Android devices, including manufacturer-specific low-level service modes (LG, Qualcomm, and Mediatek), using custom recoveries (CWM, TWRP) for dumping the data partition, making NANDroid backups, and using command-line tools such as dd for live imaging the device. In addition, this chapter discusses the issue of encryption and its effect on physical acquisition.
Chapter 5, iOS – Introduction and Physical Acquisition, discusses the benefits and unique features of physical acquisition, and talks about stored passwords and Apple secure storage, the keychain. This chapter provides a detailed compatibility matrix for physical acquisition, discusses which locked devices can be acquired without knowing the correct passcode, and lists forensic tools that offer physical acquisition of Apple iOS devices. It discusses the differences between 32-bit and 64-bit Apple hardware, and explains how to install a jailbreak.
Chapter 6, iOS Logical and Cloud Acquisition, introduces the concept of the logical acquisition of iOS devices. Logical acquisition consists of extracting existing iTunes backups or making the device produce a backup and then extracting it. The differences between encrypted and unencrypted backups are explained, outlining the benefits of producing encrypted backups with a known password over unencrypted ones. This chapter outlines the basics of recovering unknown backup passwords. In addition, this chapter provides step-by-step instructions on using Elcomsoft Phone Breaker to extract iOS backups. If the backup is protected with an unknown password, detailed instructions and recommendations on recovering the password are provided. This chapter explains the advantages and applicability of over-the-air acquisition, and demonstrates how to use Elcomsoft Phone Breaker for cloud acquisition. In addition, this chapter discusses the use of binary authentication tokens to bypass an Apple ID and password, as well as two-factor authentication.
Chapter 7, Acquisition – Approaching Windows Phone and Windows 10 Mobile, introduces Windows Phone forensics. It outlines the available methods and approaches to acquiring Windows Phone 8 and 8.1 and Windows 10 Mobile devices. Physical acquisition, bootloader exploits, invasive (advanced) acquisition via JTAG, and chip-off are explained. In this chapter, we discuss the differences in device encryption between generations of the Windows Phone platform, and provide a detailed walkthrough of over-the-air acquisition of Windows mobile devices using Elcomsoft Phone Breaker.
Chapter 8, Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets, covers the major points that make tablet forensics different from the traditional PC and laptop acquisition approach. We’ll cover the new Connected Standby mode replacing the traditional Sleep and Hibernate modes of Windows laptops, discuss Secure Boot on various Windows tablet platforms, review UEFI BIOS settings, and learn how to start the tablet from bootable USB media. We’ll also cover techniques for capturing the content of the device’s RAM and imaging non-removable eMMC media. General acquisition steps for Windows RT devices are also described, as standard Windows recovery media cannot be used with RT devices.
Chapter 9, Acquisition – Approaching BlackBerry, provides an introduction, overview, and in-depth tutorials on acquiring BlackBerry smartphones running legacy (BB OS 1 through 7.1) and modern (BlackBerry 10) versions of the OS. BlackBerry backups and backup passwords (legacy BB OS) are explained. This chapter provides tutorials on how to extract and view legacy BlackBerry backups and recover the passwords protecting these backups. The reader will learn how to use Elcomsoft Phone Breaker to decrypt BlackBerry 10 backups and view their content with Elcomsoft Phone Viewer or Oxygen Forensic Suite.
Chapter 10, Dealing with Issues, Obstacles, and Special Cases, covers some of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence and the challenge presented by two-factor authentication. In this chapter, we discuss how exactly modern smartphones handle deleted data depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas. This chapter also covers the issue of two-factor authentication during over-the-air acquisition. Experts face a serious roadblock when attempting to acquire information from the suspect’s cloud account over the air if two-factor authentication is enabled on their account. Cloud acquisition becomes more challenging if there is no access to the secondary authentication factor. However, there are ways to bypass two-factor authentication. These methods are outlined in this chapter, to be discussed in more detail in the more technical chapters of this book.
Chapter 11, Mobile Forensic Tools and Case Studies, outlines several mobile forensic tools that can be used for acquiring mobile devices. Cellebrite UFED, Micro Systemation XRY, AccessData MPE+, Oxygen Forensic Toolkit, Magnet ACQUIRE, BlackBag Mobilyze, and the range of ElcomSoft tools for mobile forensics are listed and briefly reviewed. In addition, this chapter has several case studies on using mobile forensic tools for corporate investigations and data recovery.