Practical Mobile Forensics

You're reading from Practical Mobile Forensics: A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms

Product type: Paperback
Published in: Jan 2018
ISBN-13: 9781788839198
Length: 402 pages
Edition: 3rd Edition

Authors (4): Oleg Skulkin, Satish Bommisetty, Rohit Tamma, Heather Mahalik

Table of Contents (14 chapters)

1. Introduction to Mobile Forensics (free chapter)
2. Understanding the Internals of iOS Devices
3. Data Acquisition from iOS Devices
4. Data Acquisition from iOS Backups
5. iOS Data Analysis and Recovery
6. iOS Forensic Tools
7. Understanding Android
8. Android Forensic Setup and Pre-Data Extraction Techniques
9. Android Data Extraction Techniques
10. Android Data Analysis and Recovery
11. Android App Analysis, Malware, and Reverse Engineering
12. Windows Phone Forensics
13. Parsing Third-Party Application Files
14. Other Books You May Enjoy

Examination and analysis

This is the final step in the investigation, and it aims to uncover the data present on the device. Examination is done by applying well-tested, scientific methods so that the results can be established conclusively. The analysis phase focuses on separating relevant data from the rest and on probing the data that is of value to the underlying case. The examination process starts with a copy of the evidence acquired using some of the techniques described above, which will be covered in detail in the next chapters. Examination and analysis with third-party tools is generally performed by importing the device's memory dump into a mobile forensics tool, which automatically retrieves the results. Understanding the case is also crucial for a targeted analysis of the data. For example, a child pornography case may require focusing on all of the images present on the device rather than on other artifacts.

It is important that the examiner has a fair knowledge of how the forensic tools used for examination work. Proficient use of the features and options available in a tool will drastically speed up the examination process. Sometimes, due to programming flaws in the software, a tool may not be able to recognize the data or convert the raw bits into a format the examiner can understand. Hence, it is crucial that the examiner has the skills to identify such situations and to use alternate tools or software to construct the results. In some cases, the individual may purposefully tamper with the device information or may delete or hide some of the crucial data. Forensic analysts should understand the limitations of their tools and, where necessary, compensate for them to achieve the best possible results. To analyze the extracted data, the US Department of Justice has published the following suggestions (referenced directly from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf) in the publication Forensic Examination of Digital Evidence - A Guide for Law Enforcement:

  • Ownership and possession: Identify the individuals who created, modified, or accessed a file, and the ownership and possession of questioned data by placing the subject with the device at a particular time and date, locating files of interest in non-default locations, recovering passwords that indicate possession, and identifying contents of files that are specific to a user.
  • Application and file analysis: Identify information relevant to the investigation by examining file content, correlating files to installed applications, identifying relationships between files (for example, email files to email attachments), determining the significance of unknown file types, examining system configuration settings, and examining file metadata (for example, documents containing authorship identification).
  • Timeframe analysis: Determine when events occurred on the system to associate usage with an individual by reviewing any logs present and the date/timestamps in the filesystem, such as the last modified time. Besides call logs, the date/time and content of messages and email can prove useful. Such data can also be corroborated with billing and subscriber records kept by the service provider.
  • Data hiding analysis: Detect and recover hidden data that may indicate knowledge, ownership, or intent by correlating file headers to file extensions to show intentional obfuscation; gaining access to password-protected, encrypted, and compressed files; and gaining access to steganographic information detected in images.
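As an added example (not code from the book), the header-to-extension correlation named under data hiding analysis, in Python: each file's leading bytes are matched against well-known signatures and compared with what its extension claims. The signature table, the alias list and the sample file names are constructed here for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Well-known magic bytes for artifact types common on mobile devices.
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),              # also .apk, .ipa, .docx (zip containers)
    "sqlite": (b"SQLite format 3\x00",),  # app databases, usually .db or .sqlite
}
# Extensions that legitimately carry another entry's signature.
EXTENSION_ALIASES = {"jpeg": "jpg", "db": "sqlite", "sqlite3": "sqlite",
                     "apk": "zip", "ipa": "zip", "docx": "zip"}

def identify(header: bytes) -> Optional[str]:
    """Type whose signature the header starts with, or None if unrecognized."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None

def claimed_type(filename: str) -> str:
    """Type implied by the file extension, after alias normalization."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_ALIASES.get(ext, ext)

def verdict(filename: str, header: bytes) -> str:
    actual = identify(header)
    if actual is None:
        return "unknown"  # no known signature: says nothing either way
    return "ok" if claimed_type(filename) == actual else "mismatch"

def audit(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """(path, claimed, actual) for each file whose content disagrees with its extension."""
    return [(name, claimed_type(name), identify(header))
            for name, header in files.items() if verdict(name, header) == "mismatch"]

# Constructed sample headers standing in for the first bytes of extracted files (not real evidence).
SAMPLE_FILES = {
    "DCIM/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "Notes/todo.txt": b"\xff\xd8\xff\xe1\x12\x34Exif",  # JPEG renamed to look like a text note
    "data/com.example/contacts.db": b"SQLite format 3\x00",
    "Download/app.apk": b"PK\x03\x04\x14\x00",
    "Download/report.pdf": b"PK\x03\x04\x14\x00",       # zip archive disguised as a PDF
    "cache/blob.bin": b"\x00\x01\x02\x03",
}
```

On a real extraction, read the first 16 bytes of each file under the mounted image and pass the resulting dictionary to audit(); a mismatch is a lead to confirm by opening or carving the file, since an unknown signature says nothing about intent.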