Mobile Forensics - Advanced Investigative Strategies
Posted Thursday May 10, 2018 (08:56:45)
by Oleg Afonin & Vladimir Katalov
Reviewed by Scar de Courcier, Forensic Focus
Mobile forensics is a growing subsection of digital forensic investigation. With the proliferation of devices, applications and operating systems available nowadays, it's increasingly becoming a vital and complex field. The skillset needed to accurately acquire evidence from mobile devices may seem dauntingly wide-ranging, especially when so many of us are dealing with backlogs in the first place. How are we supposed to keep up to date with this ever-evolving challenge?
Luckily we have books like this to help us out.
Mobile Forensics - Advanced Investigative Strategies begins with an overview of what 'mobile forensics' means and why it's vital for digital forensics practitioners to understand it. The very first sentence in chapter one sums it up perfectly:
The reason mobile forensics is of such vital importance is precisely this: mobile devices are no longer simply phones, they're portals into an individual's entire life.
Having set the scene, the authors share some data about the increased use of mobile phones and briefly discuss what should be seized from a scene. Basic evidence-preservation measures are discussed, such as using Faraday bags (which block radio so the device cannot be remotely locked or wiped) and preventing devices from powering off (which keeps an unlocked device unlocked), as well as what you'll be able to find even if you can't access the phone because you don't know the passcode.
Anti-forensics is briefly discussed in the first chapter, including a new technique being used by certain cybercriminals which makes the forensic analysis of the seized devices almost impossible.
With seizure and chain of custody out of the way, we move on to data acquisition. The authors provide a brief description of common acquisition methods and talk about rooting or jailbreaking devices. In chapter two we start to see a more in-depth analysis of acquisition methods, beginning with over-the-air acquisition, i.e. acquiring the data the device has synchronised to the cloud rather than the device itself.
Physical acquisition is then discussed in detail, along with a list of tools you might want to use for this purpose.
From chapter three we get into the real meat of the book, with step-by-step guides and screenshots all the way through. Some of the information surprised me; just looking at the sheer degree of variance in Android platforms was stunning.
As the book's chart of Android versions and vendors makes clear, an entire book could be written just about the number of device models available, so in the interest of user-friendliness, the authors give a handy list of further resources for those who want to delve deeper into this topic.
We then see a step-by-step guide to acquiring Android devices, followed by a brief description of certain things investigators should take into consideration, such as unallocated space and eMMC storage. JTAG forensics and chip-off acquisition have their own section at the end of this chapter, in case this is something you need to perform.
The following section looks at Chinese phones, types of encryption, and the LAF (download) mode on LG smartphones. Again there are simple guides to follow, which should allow anyone who has experience with smartphones to acquire evidence from these devices.
The book assumes a certain level of familiarity with the topic: the opening chapter provides an overview of the subject, but this is not an introductory text. As the subtitle 'Advanced Investigative Strategies' suggests, it expects some prior experience with mobile forensics.
Creating and analysing NANDroid backups is discussed in detail, including when and how you might want to create them. Likewise, you may sometimes need to live-image a device, even though this isn't ideal: it requires running code on the evidence device, so it's considered less forensically sound than other acquisition methods. If you do need to root your device, though, you can find the steps you need to take from page 108 onwards. As well as describing what you're doing each step of the way, the authors also give the exact commands you need to type in and tell you what to expect when each command is executed.
The iOS section of the book begins with chapter five. Similar in layout to the Android chapters, it starts with a brief description of the generations of Apple hardware, and talks about whether and when jailbreaking is required.
The table on page 148 is especially handy: it gives you a simple way of deciding which acquisition method you need, based on whether you have a physical device, a backup, or an Apple ID login, and so on.
This is followed by a comparison of acquisition methods based on the amount of time they take, whether they support keychain recovery, whether you can access deleted files and deleted SQLite records, whether you'll be able to see geolocation tracking data, and any possible issues you might encounter. Since many of us find triage to be a particularly challenging part of an investigation, this is really helpful: perhaps you only need a basic amount of information and you're most concerned about how long it'll take to acquire, or perhaps you want a much more comprehensive set of information but you're concerned about possible issues you might encounter. In any case, this book has you covered.
The subsection on physical acquisition not only provides a guide on how to perform this, but also talks about whether it's still worth the effort, and what the future of physical acquisition might be. Once again you'll find a handy compatibility matrix which demonstrates whether you should try physically acquiring a device, or whether another method might better suit your needs.
With mobile forensics, acquiring data from the device itself isn't the only way to gain access. Chapter six takes an in-depth look at iOS logical and cloud acquisition, i.e. how to produce and analyse iTunes-style backups, and how to pull the same kind of data from iCloud.
Breaking passwords is discussed at length, including what you need to know in order to crack a complex password and, of course, how knowing the user generally helps to break through the password. A guide is then given which shows the reader how to break a password, after which we move on to iCloud acquisition.
Chapter seven looks at Windows Phone and Windows 10 Mobile, which are reasonably popular choices in Europe, but not very common in Asia. Physical acquisition and encryption are discussed, followed by a step-by-step guide to acquiring Windows Phone backups over the air.
Of course 'mobile devices' as a topic doesn't only cover phones: tablets are included too. Chapter eight looks at Windows 8, 8.1, 10, and RT tablet devices, including what to do when you encounter BitLocker.
Although BlackBerry now has less than 1% of the global market share, devices are still encountered in investigative contexts, so chapter nine looks at how to acquire evidence from these. BlackBerry Password Keeper and BlackBerry Wallet are of particular interest to investigators, so these have their own subsections describing what information you might find within them, and how to get to it.
We'd all love it if every investigation went exactly by the book, but of course that doesn't always happen. From time to time we will encounter a challenge or a special case that requires some extra attention. Chapter ten looks at some of these, including two-factor authentication, unallocated space, and SQLite databases. The book concludes with case studies, which are handy if you want some real-world applications of the methods you've just read about.
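The "deleted SQLite records" the acquisition comparison and the challenges chapter refer to come from a property of SQLite itself: unless secure_delete is on, a deleted row's cell is merely marked free, so its bytes stay in the page's freeblocks or unallocated area until they are reused. The following is an added example, written for this review and not taken from the book, that builds a throwaway messages table, deletes three rows, then parses the raw file's table-leaf pages and carves the deleted bodies back out of slack space. The table name, the msg-NNNN bodies and the ids chosen for deletion are all constructed for the demonstration.

```python
"""Carve deleted rows out of a SQLite file's freeblocks and unallocated page space."""
import os
import re
import shutil
import sqlite3
import struct
import tempfile

# Matches the constructed sample bodies; a real case would use a pattern from the target schema.
BODY_RE = re.compile(rb"msg-\d{4} hello from device")


def build_sample_db(path, n=10, delete_ids=(2, 5, 7)):
    """Create a constructed 'messages' table, delete a few rows, return the deleted bodies."""
    con = sqlite3.connect(path)
    # Builds compiled with SQLITE_SECURE_DELETE zero freed cells; force the stock behaviour
    # so the demo mirrors the typical app database an examiner meets.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(i, f"msg-{i:04d} hello from device") for i in range(1, n + 1)]
    con.executemany("INSERT INTO messages VALUES (?, ?)", rows)
    con.commit()
    marks = ",".join("?" * len(delete_ids))
    con.execute(f"DELETE FROM messages WHERE id IN ({marks})", delete_ids)
    con.commit()
    con.close()
    return {body for i, body in rows if i in delete_ids}


def page_slack(page, pgno):
    """Return the slack byte regions of one table b-tree leaf page.

    Slack = the unallocated gap between the cell pointer array and the cell content
    area, plus every block on the page's freeblock chain. Each freeblock begins with a
    4-byte header (next-offset, size) that overwrote the start of the deleted cell; the
    record body behind it survives. Non-leaf and index pages are skipped here.
    """
    hdr = 100 if pgno == 1 else 0  # page 1 starts with the 100-byte file header
    if page[hdr] != 0x0D:          # 0x0D marks a table b-tree leaf page
        return []
    first_free, ncells, content_start = struct.unpack_from(">HHH", page, hdr + 1)
    if content_start == 0:
        content_start = 65536
    regions = []
    gap_start = hdr + 8 + 2 * ncells  # 8-byte leaf header, then 2-byte cell pointers
    if content_start > gap_start:
        regions.append(page[gap_start:content_start])
    off, seen = first_free, set()
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)
        nxt, size = struct.unpack_from(">HH", page, off)
        regions.append(page[off + 4:off + size])
        off = nxt
    return regions


def carve_deleted(path):
    """Carve candidate bodies from slack space, minus whatever the live table still holds."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # header encodes 65536 as 1
        page_size = 65536
    found = set()
    for pgno in range(1, len(data) // page_size + 1):
        page = data[(pgno - 1) * page_size:pgno * page_size]
        for region in page_slack(page, pgno):
            found.update(m.decode() for m in BODY_RE.findall(region))
    con = sqlite3.connect(path)
    live = {row[0] for row in con.execute("SELECT body FROM messages")}
    con.close()
    # Anything carved that the live table no longer contains is a recovered deleted row.
    return found - live


def demo():
    """Run end to end on a temp file; returns what was deleted and what was carved back."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "messages.db")
        deleted = build_sample_db(path)
        carved = carve_deleted(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"deleted": deleted, "carved": carved}


if __name__ == "__main__":
    result = demo()
    print("deleted:", sorted(result["deleted"]))
    print("carved :", sorted(result["carved"]))
```

Two caveats an examiner should keep in mind: a deleted cell that sat at the very start of the cell content area is absorbed into the unallocated gap rather than becoming a freeblock, which is why the parser scans both; and once the application inserts new rows, or runs VACUUM, or if secure_delete was on, the slack is overwritten and nothing is recoverable, which is why the book's advice to image the device before touching any app matters.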
In summary, Mobile Forensics - Advanced Investigative Strategies will be of great use to any investigator who deals regularly with mobile devices. It's pitched at the more advanced reader, although the step-by-step nature of the guides means you don't have to know absolutely everything about the phone you're trying to analyse. A selection of tools is used throughout the book, which is helpful since not everyone uses the same tool set; and the penultimate section about issues and challenges will come in handy for those cases that just don't obey the normal rules.
You can find Mobile Forensics - Advanced Investigative Strategies on Amazon.
Article content received from: Forensic Focus