Last updated: 2021-06-24 16:39:54
Cover
Title Page
Copyright and Credits
Practical Mobile Forensics Fourth Edition
About Packt
Why subscribe?
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
Introduction to Mobile Forensics
The need for mobile forensics
Understanding mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
Data that needs to be extracted
The make, model, and identifying information for the device
Data storage media
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
The documenting and reporting phase
The archiving phase
Practical mobile forensic approaches
Understanding mobile operating systems
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical analysis
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Section 1: iOS Forensics
Understanding the Internals of iOS Devices
iPhone models and hardware
Identifying the correct hardware model
Understanding the iPhone hardware
iPad models and hardware
Understanding the iPad hardware
The HFS Plus and APFS filesystems
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
The iPhone OS
The iOS architecture
iOS security
Passcodes, Touch ID, and Face ID
Code signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization (ASLR)
Privilege separation
Stack-smashing protection
Data Execution Prevention (DEP)
Data wiping
Activation Lock
The App Store
Jailbreaking
Data Acquisition from iOS Devices
Operating modes of iOS devices
Normal mode
Recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Practical logical acquisition with libimobiledevice