Chapter about Mobile Forensics


Mobile Forensics Summary

  • Mobile forensics is a branch of digital forensics focused on acquiring and analysing data from mobile devices to recover evidence.
  • There are some special considerations for mobile acquisition, such as:
    • Always wearing gloves to avoid leaving fingerprints.
    • Noting all open applications and clipboard contents.
    • Using a Faraday bag to prevent remote wiping or communication.
    • Recording device details (name, IMEI, serial number) in a chain of custody form.
  • Device encryption poses a challenge for investigators, as manufacturers may not cooperate with law enforcement to unlock devices, citing user privacy.
    • Even with a warrant, suspects cannot be forced to unlock devices via biometrics like Face ID or Touch ID due to the Fifth Amendment protection against self-incrimination.
  • Android is an open-source, Linux-based operating system developed by Google for mobile devices.
    • Forensic investigators can obtain various data from Android devices, including call records, contacts, messages, app information, GPS locations, passwords, and Wi-Fi networks.
    • Rooting an Android device grants root privileges, allowing access to protected areas of the device.
      • However, rooting can modify the device’s state and may render evidence inadmissible in court.
    • Android Debug Bridge (ADB) is a command-line tool that allows communication with an Android device connected to a computer via USB.
      • It enables tasks like installing, debugging, and removing apps.
    • There are various methods for screen lock bypass, including:
      • Commercial tools offering high success rates and minimal data loss.
      • Flashing custom recovery/ROM, which carries the risk of data destruction or device bricking.
  • Manual extraction is a non-invasive technique that allows investigators to select and extract specific data.
  • Physical acquisition involves creating a forensic image of the mobile device using specialized tools.
    • Tools for image extraction include BusyBox, Ncat, dd, and KingoRoot.
  • JTAG (Joint Test Action Group) is an advanced data extraction method that allows communication with the device’s chipboard through its Test Access Port (TAP).
    • It is a non-invasive method that can be used with many mobile devices, including Windows phones.
  • Chip-off is a last-resort technique that involves removing the memory chip for data acquisition.
    • It is useful for damaged devices and offers a high probability of data acquisition from locked devices.
  • Micro-read utilizes a high-powered electron microscope to examine the memory chip at the gate level.
    • It is a highly sophisticated and expensive technique reserved for high-profile cases.
  • Challenges in mobile forensics include:
    • Rapid evolution of smartphones and security improvements.
    • Device encryption.
    • Cloud storage.
    • Complexity and cost of advanced forensic techniques.
  • iOS is a mobile operating system developed by Apple Inc., known for its advanced security features.
    • iOS devices have three boot modes: normal, recovery, and DFU (Device Firmware Upgrade).
    • Jailbreaking removes software restrictions imposed by Apple, granting root access and allowing installation of unauthorized apps.
    • All Apple devices use the HFSX file system.
    • iPhones logically have two partitions: one for iOS-specific files and another for user data.
  • iTunes backups can be used for data acquisition from iOS devices.
    • Forensic tools like iPhone Backup Extractor and Dr. Fone can extract data from iTunes backups, including encrypted ones.
    • Extracted data can include photos, contacts, messages, WhatsApp chats, call history, app data, and device information.
  • The sources conclude by emphasizing the ongoing challenges and possibilities in the field of mobile forensics as technology continues to advance.
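An added example (not code from the chapter or from the extractor tools it names) showing what such tools do underneath: in the iOS 10+ backup format, Manifest.db is an SQLite database whose Files table maps each backed-up file to a name equal to SHA-1 of "domain-relativePath", stored in a two-hex-character subfolder. The helper below recomputes that mapping to locate artifacts and to flag manifest records whose name does not match their path; the manifest rows it uses are constructed sample data, and the layout assumption is stated in the comments.

```python
import hashlib
import sqlite3
from pathlib import Path

# Assumption: iOS 10+ backup layout, where Manifest.db (SQLite) has a Files
# table and each file sits at <backup>/<first two hex chars of fileID>/<fileID>.
FILES_SCHEMA = (
    "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
    "relativePath TEXT, flags INTEGER, file BLOB)"
)
# Well-known fileID of the SMS database (HomeDomain-Library/SMS/sms.db).
SMS_DB_FILE_ID = "3d0d7e5fb2ce288813306e4d4636395e047a3d28"


def backup_file_id(domain: str, relative_path: str) -> str:
    """fileID (the on-disk file name) is SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_relative_location(file_id: str) -> Path:
    """Path of the file inside the backup folder: two-char subdir, then fileID."""
    return Path(file_id[:2]) / file_id


def verify_manifest(conn: sqlite3.Connection) -> dict:
    """Recompute every fileID in the Files table and report records that do not match.

    A mismatch means iTunes would not have written a file under that name for
    that domain/path, so the examiner should treat the record as suspect.
    """
    mismatched, count = [], 0
    for file_id, domain, rel in conn.execute("SELECT fileID, domain, relativePath FROM Files"):
        count += 1
        if backup_file_id(domain, rel) != file_id:
            mismatched.append(file_id)
    return {"entries": count, "mismatched": mismatched}


def constructed_manifest() -> sqlite3.Connection:
    """Small in-memory stand-in for Manifest.db (constructed sample rows, not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FILES_SCHEMA)
    rows = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        ("AppDomainGroup-group.net.whatsapp.WhatsApp.shared", "ChatStorage.sqlite"),
    ]
    for domain, rel in rows:
        conn.execute("INSERT INTO Files VALUES (?,?,?,1,NULL)", (backup_file_id(domain, rel), domain, rel))
    # One deliberately inconsistent record: its fileID does not match its domain/path.
    conn.execute("INSERT INTO Files VALUES (?,?,?,1,NULL)",
                 ("00" * 20, "HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"))
    conn.commit()
    return conn
```

On a real backup, open Manifest.db from the backup folder instead of constructed_manifest() and join the resolved locations against the files actually present to detect missing or renamed artifacts.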