Practical Mobile Forensics

Reviewed by Scar de Courcier, Forensic Focus

Considering that there are separate books – indeed, whole genres – devoted to Android and iOS forensics specifically, writing a single tome that covers mobile forensics in a meaningful way is an ambitious task.

Not to be put off by the sheer amount of ground to cover, however, the authors of Practical Mobile Forensics have done just that. Satish Bommisetty, Rohit Tamma and Heather Mahalik have written a self-confessed “action-packed” guide to the mobile forensics world.

The book is aimed at forensic investigators who have only a very limited level of experience in mobile forensics. Like its sister book, Learning Android Forensics, it focuses primarily on open source and free solutions, which makes it all the more appropriate for those who are just starting out in a digital forensics career.

Practical Mobile Forensics begins with a rundown of the various challenges associated with the extraction of data from mobile devices. Each challenge is presented in a realistic yet optimistic light, and the remainder of the first chapter deals with how to set up an examination: from device identification to documentation and reporting. An overview of each of the popular mobile operating systems is then given, along with a description of various ways of acquiring evidence.

One of the goals of the book is to ensure that investigators who are conducting forensic analyses of mobile devices understand what is going on, beyond simply pushing a button and receiving a list of results. With this in mind, the authors have devoted the first part of each section to a description of the internals of the various devices discussed.


The book is split into four sections: the first two – and by far the largest – are devoted to iOS and Android forensics. The last two sections look at Windows and BlackBerry devices; whilst these do not go into as much depth as the first half of the book, they are nonetheless useful and will be of great importance to anyone who is looking to examine one of these devices for the first time.

Of course, one of the most significant challenges facing digital forensic investigators today is the number and variation of devices, and how often things are updated. More than ever before, digital forensics tools need to be versatile and adaptable to a whole variety of situations. Upon discovering a mobile device as part of an investigation, the first hurdle is that of identification: with so many devices on the market, including the inevitable fake versions, it is necessary to be sure that you know what you are dealing with before attempting to extract any data.

Luckily Practical Mobile Forensics provides a field guide to identification of devices, including some of the salient features of legacy and current iPhone and Android models. Tablets are also dealt with in some detail.

The chapter on data acquisition from iOS devices thoroughly describes why it is important to understand the different operating modes of an iPhone or iPad, as well as giving a run-down of how to enter each mode. Physical acquisition and acquisition via a custom ramdisk are also covered.

Throughout the book there are step-by-step instructions regarding how to install the various Python modules and build the open-source tools recommended for the investigation. Only a basic knowledge of Linux is required to be able to follow these steps.

Obtaining deleted files is often a stated objective of a forensic investigation, and this is covered in some detail for all common operating systems throughout the book.

At times it is not possible to acquire data from a phone or tablet itself, but there may be backups available, for example in Apple iTunes or iCloud, or on Google Drive for Android devices. Data acquisition from these environments is covered in separate sections of Practical Mobile Forensics, including an understanding of the backup structure and a fairly in-depth look at plist files. For encrypted backups, several decryption options are also discussed.

If not understood properly, timestamps can foil an investigation and lead to incorrect conclusions being drawn. Luckily, the book contains sections on this subject, including converting between Unix and Mac absolute timestamps.
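As an added illustration of the Unix versus Mac absolute timestamp point (example code written for this review page, not taken from the book), the helper below converts between the two epochs and renders a raw value both ways so the 31-year misreading is visible at a glance; the sample value is constructed.

```python
"""Convert between Unix epoch time and Mac absolute (Cocoa) time.

Added example, not from the book under review. Unix time counts seconds
from 1970-01-01T00:00:00Z; Mac absolute time, used widely in iOS plists
and SQLite databases, counts seconds from 2001-01-01T00:00:00Z, so the
two differ by a constant offset.
"""
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970) and the Mac absolute epoch (2001):
# 31 years including 8 leap days = 11323 days * 86400 s.
MAC_EPOCH_OFFSET = 978_307_200


def mac_to_unix(mac_seconds: float) -> float:
    """Mac absolute seconds -> Unix epoch seconds."""
    return mac_seconds + MAC_EPOCH_OFFSET


def unix_to_mac(unix_seconds: float) -> float:
    """Unix epoch seconds -> Mac absolute seconds."""
    return unix_seconds - MAC_EPOCH_OFFSET


def to_iso_utc(unix_seconds: float) -> str:
    """Render Unix seconds as an ISO 8601 UTC string for a report."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat()


def interpret_both(value: float) -> dict:
    """Show how one raw timestamp reads under each epoch assumption.

    The same number lands 31 years apart depending on the epoch assumed,
    which is exactly the misreading the review warns about. Some iOS
    stores keep Mac absolute time with fractional seconds or scaled to
    nanoseconds; this helper assumes plain seconds.
    """
    return {
        "as_unix": to_iso_utc(value),
        "as_mac_absolute": to_iso_utc(mac_to_unix(value)),
    }


if __name__ == "__main__":
    # Constructed sample value, not taken from any real device.
    sample = 700_000_000.0
    for label, rendered in interpret_both(sample).items():
        print(f"{label:16s} {rendered}")
```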

The Android section is structured in much the same way as the first part of the book, which dealt with iOS devices. Once again there is an overview of how the architecture is structured and the file systems and hierarchy.

JTAG and chip-off extraction are briefly covered in the book as well, although since these are not used as often as physical or logical extraction, they are not dealt with in so much detail.

The one area that is not covered in as much depth as I would have perhaps expected in a mobile forensics book is that of application data. There are sections on application analysis for the various devices, along with discussions of how to reverse engineer apps on Android devices, but these are very much just overviews of the theory behind application data extraction and a couple of examples, rather than providing a closer look at some of the more popular applications. However, there are books in the same series – such as Learning iOS Forensics and Learning Android Forensics, for instance – which talk about these subjects in more detail.

Windows and BlackBerry devices each receive a small chapter at the end of the book, providing a brief description of their salient features and data recovery options. Again, these could have been a little more detailed, but it makes sense particularly for an introductory book to focus predominantly on the most popular devices.

Overall, therefore, Practical Mobile Forensics can certainly be recommended as a good, solid introduction to the extraction of data from mobile devices – particularly iOS and Android systems – for the purposes of forensic investigation.

Learning Android Forensics, by Satish Bommisetty, Rohit Tamma and Heather Mahalik, is available for purchase via Packt Publishing.
