Reviewed by Scar de Courcier, Forensic Focus
Considering that there are separate books – indeed, whole genres – devoted to Android and iOS forensics specifically, writing a single tome that covers mobile forensics in a meaningful way is an ambitious task.
Not to be put off by the sheer amount of ground to cover, however, the authors of Practical Mobile Forensics have done just that. Satish Bommisetty, Rohit Tamma and Heather Mahalik have written a self-confessed “action-packed” guide to the mobile forensics world.
The book is aimed at forensic investigators who have only a very limited level of experience in mobile forensics. Like its sister book, Learning Android Forensics, it focuses primarily on open source and free solutions, which makes it all the more appropriate for those who are just starting out in a digital forensics career.

Practical Mobile Forensics begins with a rundown of the various challenges associated with the extraction of data from mobile devices. Each challenge is presented in a realistic yet optimistic light, and the remainder of the first chapter deals with how to set up an examination: from device identification to documentation and reporting. An overview of each of the popular mobile operating systems is then given, along with a description of various ways of acquiring evidence.
One of the goals of the book is to ensure that investigators who are conducting forensic analyses of mobile devices understand what is going on, beyond simply pushing a button and receiving a list of results. With this in mind, the authors have devoted the first part of each section to a description of the internals of the various devices discussed.
The book is split into four sections. The first two, which are also the largest, are devoted to iOS and Android forensics; the last two look at Windows and BlackBerry devices. Whilst the latter do not go into as much depth as the first half of the book, they are nonetheless useful and will be of great importance to anyone who is looking to examine one of these devices for the first time.
Of course, one of the most significant challenges facing digital forensic investigators today is the number and variation of devices, and how often things are updated. More than ever before, digital forensics tools need to be versatile and adaptable to a whole variety of situations. Upon discovering a mobile device as part of an investigation, the first hurdle is that of identification: with so many devices on the market, including the inevitable fake versions, it is necessary to be sure that you know what you are dealing with before attempting to extract any data.
Luckily Practical Mobile Forensics provides a field guide to identification of devices, including some of the salient features of legacy and current iPhone and Android models. Tablets are also dealt with in some detail.
The chapter on data acquisition from iOS devices thoroughly describes why it is important to understand the different operating modes of an iPhone or iPad (normal, recovery and DFU), as well as giving a run-down of how to enter each mode. Physical acquisition and acquisition via a custom ramdisk are also covered.
Throughout the book there are step-by-step instructions regarding how to install the various Python modules and build the open-source tools recommended for the investigation. Only a basic knowledge of Linux is required to be able to follow these steps.
Obtaining deleted files is often a stated objective of a forensic investigation, and this is covered in some detail for all common operating systems throughout the book.
At times it is not possible to acquire data from a phone or tablet itself, but there may be backups available, for example in Apple iTunes or iCloud, or on Google Drive for Android devices. Data acquisition from these environments is covered in separate sections of Practical Mobile Forensics, including an understanding of the backup structure and a fairly in-depth look at plist files. For encrypted backups, several decryption options are also discussed.
If not understood properly, timestamps can foil an investigation and lead to incorrect conclusions being drawn. Luckily, the book contains sections on this subject, including converting between Unix and Mac absolute timestamps.
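The two points above, reading a backup plist and converting Mac absolute timestamps, are easy to get wrong in practice, so here is an added worked example (written for this review, not code from the book or its authors). It uses Python's standard plistlib to parse a constructed, Manifest.plist-like binary plist and converts a raw Mac absolute value to UTC; the nanosecond heuristic in mac_absolute_to_datetime and the sample values are assumptions of the example, not material from the book.

```python
import plistlib
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01 00:00:00 UTC) and the Mac
# absolute / Cocoa epoch (2001-01-01 00:00:00 UTC): 11,323 days * 86,400.
MAC_ABSOLUTE_EPOCH_OFFSET = 978_307_200


def mac_absolute_to_unix(mac_ts: float) -> float:
    """Mac absolute seconds -> Unix seconds."""
    return mac_ts + MAC_ABSOLUTE_EPOCH_OFFSET


def unix_to_mac_absolute(unix_ts: float) -> float:
    """Unix seconds -> Mac absolute seconds."""
    return unix_ts - MAC_ABSOLUTE_EPOCH_OFFSET


def mac_absolute_to_datetime(mac_ts: float) -> datetime:
    """Render a Mac absolute timestamp as a timezone-aware UTC datetime.

    Heuristic (an assumption of this example, not from the book): a value
    above 1e11 cannot be a plausible number of seconds (it would be past the
    year 5000), so it is treated as nanoseconds on the same 2001 epoch,
    which some newer iOS SQLite databases use.
    """
    if mac_ts > 1e11:
        mac_ts = mac_ts / 1e9
    return datetime.fromtimestamp(mac_absolute_to_unix(mac_ts), tz=timezone.utc)


def unix_to_datetime(unix_ts: float) -> datetime:
    """Render a Unix timestamp as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc)


# Constructed stand-in for a backup's Manifest.plist: the key names are
# loosely modelled on a real one, but every value here is made up.
CONSTRUCTED_MANIFEST = plistlib.dumps(
    {
        "Version": "9.3",
        "IsEncrypted": False,
        # plist dates are stored as seconds since 2001-01-01 in binary plists;
        # plistlib converts them to a naive datetime on the way in and out.
        "Date": datetime(2014, 7, 1, 12, 0, 0),
        "Lockdown": {
            "DeviceName": "Example iPhone",
            "ProductVersion": "7.1.2",
            "UniqueDeviceID": "0000000000000000000000000000000000000000",
        },
        # A raw Mac absolute number, as it would look copied out of an
        # SQLite column rather than a native plist date.
        "LastSyncMacAbsolute": 425908800.0,
    },
    fmt=plistlib.FMT_BINARY,
)


def summarise_manifest(blob: bytes) -> dict:
    """Parse a binary plist and normalise its timestamps to UTC ISO-8601 strings."""
    info = plistlib.loads(blob)
    # plistlib returns a naive datetime; the plist format itself is UTC,
    # so attach the zone explicitly before reporting it.
    backup_date = info["Date"].replace(tzinfo=timezone.utc)
    return {
        "device": info["Lockdown"]["DeviceName"],
        "ios_version": info["Lockdown"]["ProductVersion"],
        "encrypted": info["IsEncrypted"],
        "backup_date_utc": backup_date.isoformat(),
        "last_sync_utc": mac_absolute_to_datetime(info["LastSyncMacAbsolute"]).isoformat(),
    }


if __name__ == "__main__":
    for key, value in summarise_manifest(CONSTRUCTED_MANIFEST).items():
        print(f"{key}: {value}")
```

Both timestamps in the constructed manifest deliberately resolve to the same instant (2014-07-01T12:00:00+00:00): the native plist date and the raw Mac absolute number 425908800 only agree once the 978307200-second epoch offset is applied, which is exactly the mistake the book's timestamp section warns about.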
The Android section is structured in much the same way as the first part of the book, which dealt with iOS devices. Once again there is an overview of how the architecture is structured and the file systems and hierarchy.
JTAG and chip-off extraction are briefly covered in the book as well, although since these invasive techniques are used less often than the standard logical and physical extraction methods, they are not dealt with in so much detail.
The one area that is not covered in as much depth as I would have perhaps expected in a mobile forensics book is that of application data. There are sections on application analysis for the various devices, along with discussions of how to reverse engineer apps on Android devices, but these are very much just overviews of the theory behind application data extraction and a couple of examples, rather than providing a closer look at some of the more popular applications. However, there are books in the same series – such as Learning iOS Forensics and Learning Android Forensics, for instance – which talk about these subjects in more detail.
Windows and BlackBerry devices each receive a small chapter at the end of the book, providing a brief description of their salient features and data recovery options. Again, these could have been a little more detailed, but it makes sense particularly for an introductory book to focus predominantly on the most popular devices.
Overall, therefore, Practical Mobile Forensics can certainly be recommended as a good, solid introduction to the extraction of data from mobile devices – particularly iOS and Android systems – for the purposes of forensic investigation.
Practical Mobile Forensics, by Satish Bommisetty, Rohit Tamma and Heather Mahalik, is available for purchase via Packt Publishing.