Practical Mobile Forensics, Third Edition
A hands-on guide to mastering mobile forensics for the iOS, Android, and Windows Phone platforms

Rohit Tamma
Oleg Skulkin
Heather Mahalik
Satish Bommisetty

BIRMINGHAM - MUMBAI

Practical Mobile Forensics, Third Edition
Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Devika Battike
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta

First published: July 2014
Second edition: May 2016
Third edition: January 2018
Production reference: 1220118

Published by Packt Publishing Ltd.
Livery Place, 35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78883-919-8
www.packtpub.com

mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career.
For more information, please visit our website.

Why subscribe?
- Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
- Improve your learning with Skill Plans built especially for you
- Get a free eBook or video every month
- Mapt is fully searchable
- Copy and paste, print, and bookmark content

PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Rohit Tamma is a security program manager currently working with Microsoft. With over 8 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and security training. Rohit has also coauthored a couple of books, such as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to perform forensics on the mobile platforms. You can contact him on Twitter at @RohitTamma.

Writing this book has been a great experience because it has taught me several things, which could not have been otherwise possible. I would like to dedicate this book to my parents for helping me in every possible way throughout my life.

Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia with more than 6 years of experience, and is currently employed by Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, MCFE, and ACE.
Oleg is a coauthor of Windows Forensics Cookbook, and you can find his articles about different aspects of digital forensics in both Russian and foreign magazines. Finally, he is a very active blogger, and he updates the Cyber Forensicator blog daily.

I would like to thank my mom and wife for their support and understanding, my friend, Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin, Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov, Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita Panov, Anastasiya Barinova, and Vesta Matveeva.

Heather Mahalik is the director of forensic engineering with ManTech CARD, where she leads the forensic effort focusing on mobile and digital exploitation. She is a senior instructor and author for the SANS Institute, and she is also the course leader for the FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital forensics, she continues to thrive on smartphone investigations, digital forensics, forensic course development and instruction, and research on application analysis and smartphone forensics.

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and they are listed in their hall of fame.

About the reviewer

Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he has attended a lot of seminars and training classes in top forensic companies and forensic departments of government organizations.
He has experience and skills in cellphone forensics, chip-off forensics, malware forensics, and other fields. He has worked on several thousand forensic cases. He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, Packt Publishing, 2017. He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Chapter 1: Introduction to Mobile Forensics
    Why do we need mobile forensics?
    Mobile forensics
    Challenges in mobile forensics
    The mobile phone evidence extraction process
    The evidence intake phase
    The identification phase
    The legal authority
    The goals of the examination
    The make, model, and identifying information for the device
    Removable and external data storage
    Other sources of potential evidence
    The preparation phase
    The isolation phase
    The processing phase
    The verification phase
    Comparing extracted data to the handset data
    Using multiple tools and comparing the results
    Using hash values
    The documenting and reporting phase
    The presentation phase
    The archiving phase
    Practical mobile forensic approaches
    Overview of mobile operating systems
    Android
    iOS
    Windows Phone
    Mobile forensic tool leveling system
    Manual extraction
    Logical extraction
    Hex dump
    Chip-off
    Micro read
    Data acquisition methods
    Physical acquisition
    Logical acquisition
    Manual acquisition
    Potential evidence stored on mobile phones
    Examination and analysis
    Rules of evidence
    Good forensic practices
    Securing the evidence
    Preserving the evidence
    Documenting the evidence and changes
    Reporting
    Summary

Chapter 2: Understanding the Internals of iOS Devices
    iPhone models
    Identifying the correct hardware model
    iPhone hardware
    iPad models
    Understanding the iPad hardware
    Apple Watch models
    Understanding the Apple Watch hardware
    The filesystem
    The HFS Plus filesystem
    The HFS Plus volume
    The APFS filesystem
    The APFS structure
    Disk layout
    iPhone operating system
    The iOS architecture
    iOS security
    Passcodes, Touch ID, and Face ID
    Code Signing
    Sandboxing
    Encryption
    Data protection
    Address Space Layout Randomization
    Privilege separation
    Stack-smashing protection
    Data execution prevention
    Data wipe
    Activation Lock
    The App Store
    Jailbreaking
    Summary

Chapter 3: Data Acquisition from iOS Devices
    Operating modes of iOS devices
    The normal mode
    The recovery mode
    DFU mode
    Setting up the forensic environment
    Password protection and potential bypasses
    Logical acquisition
    Practical logical acquisition with libimobiledevice
    Practical logical acquisition with Belkasoft Acquisition Tool
    Practical logical acquisition with Magnet ACQUIRE
    Filesystem acquisition
    Practical jailbreaking
    Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
    Physical acquisition
    Practical physical acquisition with Elcomsoft iOS Forensic Toolkit
    Summary

Chapter 4: Data Acquisition from iOS Backups
    iTunes backup
    Creating backups with iTunes
    Understanding the backup structure
    info.plist
    manifest.plist
    status.plist
    manifest.db
    Extracting unencrypted backups
    iBackup Viewer
    iExplorer
    BlackLight
    Encrypted backup
    Elcomsoft Phone Breaker
    Working with iCloud backups
    Extracting iCloud backups
    Summary

Chapter 5: iOS Data Analysis and Recovery
    Timestamps
    Unix timestamps
    Mac absolute time