Vocabulary flashcards related to mobile forensics.
Mobile Forensics
Deals with the acquisition and recovery of evidence from mobile devices.
Chain of Custody (NIST Definition)
A process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose of the transfer.
Google Android
A Linux-based, open-source operating system developed by Google.
Apple iOS
A proprietary, closed-source operating system built on Apple's Darwin/XNU kernel (not Linux-based).
Physical Extraction
Because it captures unallocated space, it can recover deleted files that a logical extraction misses.
Logical Analysis
Examination of data obtained through the device's own interfaces (files, directories, application databases) rather than from a raw memory image; supported by most digital forensic tools.
Forensic Hash
Used to ensure the integrity of an acquisition by calculating a cryptographically strong, non-reversible value (for example SHA-256) over the image or data; recomputing the value later and comparing it proves the evidence has not changed.
Reporting
The process of preparing a detailed summary of all the steps taken and conclusions reached as part of an examination.
Forensically Sound
A term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology; the method must be tested, validated, and documented.
Fourth Amendment
Protects against unreasonable searches and seizures by government agents; a search of a device generally requires a proper search warrant unless a recognized exception (such as consent) applies.
Physical Extraction
The preferred acquisition method when the device supports it, because it captures the most data, including deleted and unallocated content.
Android
The world’s most widely used operating system for cellular devices.
Physical Extraction
Achieved by connecting the device to a forensic workstation and pushing unsigned code or a custom boot loader onto it so that memory can be read directly; also referred to as a hex dump.
Logical Acquisition
Logical acquisition of a mobile device extracts logical storage objects, such as files and directories, that reside on a filesystem, rather than a raw image of the memory.
Authentic Evidence
Evidence that is tied to the incident in a relevant way to prove something.
Reliable Evidence
Evidence collected with a method whose results can be reproduced, so there is no doubt about how it was obtained.
Seizure, Acquisition, Examination, Reporting
The 4 main phases of the mobile forensics process
iOS, Android, BlackBerry, Windows
4 of the various mobile device operating systems:
Intake, Identification, Preparation, Isolation, Processing, Verification, Documentation, Reporting, Archiving
9 steps of the mobile phone evidence extraction process
Search Warrant, Consent
2 types of legal authority
Android, iOS, Windows
Name the 3 main operating systems that dominate the cellular device market:
SIM Card, External storage card, Phone Memory
Data on a mobile phone can be found in what 3 main places?
Address Book, SMS, MMS, Photos, Videos
Name 5 common areas of potential evidence that apply to digital forensics:
Admissible, Authentic, Complete, Reliable, Believable
List 5 general rules of evidence that apply to digital forensics:
APFS
Apple File System, the file system used on iPhones since iOS 10.3 (it replaced HFS+).
System Partition
Contains the OS and all of the preloaded applications used with the iPhone.
Passcodes, Closed-Source, Proprietary, End-to-end encryption, Passcode security
5 types of security Apple iOS has implemented on iOS devices
Jailbreaking
The process of removing limitations imposed by Apple’s mobile OS through the use of software and hardware exploits; permits unsigned code to run and gain root access on the OS.
Normal Mode, Recovery Mode, Device Firmware Update (DFU) Mode
The three operating modes of an iOS device
Normal Mode
Most regular activities (calling, texting, etc.) that are performed on an iPhone will be run in this mode.
Proprietary Synchronization
iTunes uses Apple's proprietary protocol to copy data from the iOS device to a computer; the resulting backup is what most forensic tools parse.
Manifest.plist
Property list in an iTunes backup that contains details on applications, build version, device and display name, GUID, ICCID, IMEI, MEID, last backup date, and phone number.
International Mobile Equipment Identity
The IMEI stands for
Manifest.db
The SQLite database in an iTunes backup that lists every file and folder extracted from the iPhone via the backup mechanism, mapping each hashed file name in the backup folder to its domain and relative path on the device.
Unix Timestamp, Mac absolute time format
Two types of timestamps found on an iOS device: Unix time counts seconds from 1970-01-01, Mac absolute time counts from 2001-01-01 (in seconds on older iOS versions, in nanoseconds in newer databases such as sms.db)
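The backup layout these two cards describe, as an added Python example (not code from the original flashcards): it reproduces how an iOS 10 and later iTunes/Finder backup names files (SHA-1 of `domain-relativePath`, sharded into two-hex-digit folders), reads the investigator-relevant keys out of a Manifest.plist with the standard `plistlib` module, and cross-checks a Manifest.db `Files` table against those hashes. The plist values and the database rows are constructed for the example; the `Files` table columns (fileID, domain, relativePath, flags, file) follow the real schema.

```python
import hashlib
import plistlib
import sqlite3
from datetime import datetime, timezone


def backup_file_id(domain, relative_path):
    """iOS 10+ backups store each file under the SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_storage_path(domain, relative_path):
    """The hashed file is sharded into a subfolder named by its first two hex digits."""
    fid = backup_file_id(domain, relative_path)
    return f"{fid[:2]}/{fid}"


def read_manifest_plist(data):
    """Extract the fields from Manifest.plist bytes that an examiner records first."""
    m = plistlib.loads(data)
    lock = m.get("Lockdown", {})
    date = m.get("Date")  # plistlib returns naive datetimes; plist dates are UTC
    return {
        "encrypted": bool(m.get("IsEncrypted", False)),
        "device_name": lock.get("DeviceName"),
        "ios_version": lock.get("ProductVersion"),
        "udid": lock.get("UniqueDeviceID"),
        "backup_date": date.replace(tzinfo=timezone.utc).isoformat() if date else None,
        "app_count": len(m.get("Applications", {})),
    }


def constructed_manifest_db(entries):
    """In-memory stand-in for Manifest.db using the real Files table's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",  # flags 1 = regular file
                     [(backup_file_id(d, p), d, p) for d, p in entries])
    conn.commit()
    return conn


def verify_manifest_ids(conn):
    """Return fileIDs that do not match SHA-1(domain-relativePath): a sign of a tampered or
    corrupted manifest, or of a file renamed inside the backup folder."""
    return [fid for fid, domain, rel in
            conn.execute("SELECT fileID, domain, relativePath FROM Files")
            if fid != backup_file_id(domain, rel)]


def find_in_manifest(conn, relative_path):
    """Where a known artifact (e.g. Library/SMS/sms.db) sits inside the backup folder."""
    row = conn.execute("SELECT fileID FROM Files WHERE relativePath = ?",
                       (relative_path,)).fetchone()
    return None if row is None else f"{row[0][:2]}/{row[0]}"


# Constructed Manifest.plist content; the device identifiers are placeholders, not real values.
SAMPLE_MANIFEST_PLIST = plistlib.dumps({
    "IsEncrypted": False,
    "Date": datetime(2023, 11, 14, 22, 13, 20),
    "Lockdown": {"DeviceName": "Examiner iPhone", "ProductVersion": "16.6",
                 "UniqueDeviceID": "00000000-CONSTRUCTEDUDID000"},
    "Applications": {"com.example.chat": {}},
})

if __name__ == "__main__":
    print(read_manifest_plist(SAMPLE_MANIFEST_PLIST))
    db = constructed_manifest_db([("HomeDomain", "Library/SMS/sms.db"),
                                  ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb")])
    print("sms.db lives at", find_in_manifest(db, "Library/SMS/sms.db"))
    print("mismatched fileIDs:", verify_manifest_ids(db))
```

The hash check is worth running before any analysis: because the on-disk name is derived from the manifest row, a fileID that does not match its own domain and path means either the manifest or the backup folder has been altered, and that belongs in the examination notes.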
SQLite
An open source, in-process library that implements a self-contained, zero-configuration, and transactional SQL database engine.
Messages, Calendar, Contacts, Safari, Call history
Five of the key artifacts: important iOS database files that can be extremely useful in an investigation.
Property list
A structured data format used to store, organize, and access various types of data on an iOS device as well as a macOS device; commonly referred to as a plist.
Deleted files, Cloud storage, Settings, Hidden files
4 of the 5 other important files or valuable source of information in an examination
DCIM
The folder in which the camera application stores photos; photos taken with the device camera normally embed Exchangeable Image File Format metadata (date, camera model, and often GPS coordinates).
Exchangeable Image File Format
EXIF stands for
Cellebrite
Vendor of the Universal Forensic Extraction Device (UFED), used by law enforcement, antiterrorism, and security organizations to capture forensic evidence from mobile phones, smartphones, PDAs, and other portable handsets, with updates for newly released models.
Validated
Forensically sound means tested and _
Belkasoft
Forensic suite whose iOS support includes parsing damaged iTunes backups.
Journaling
Which feature does HFS Plus (the file system that preceded APFS on iOS devices) enable by default to protect filesystem metadata?
Jailbreaking
Jailbreaking an iOS device gives the user root access to the device, but voids the manufacturer's warranty.
Android
A Linux-based mobile operating system developed for touchscreen mobile devices.
Java API Framework
The Android layer (also called the application framework) that exposes the APIs applications use, such as the Activity Manager, Content Providers, Resource Manager, and Notification Manager; it handles the basic functioning of the phone on behalf of apps.
Flash Memory
A type of non-volatile memory (NVM) that retains data in the absence of a power supply.
Chip-off
Technique in which the NAND flash chips are physically removed from the device and read with a chip reader to extract a full physical image, even from damaged or locked devices.
JTAG
Joint Test Action Group: an advanced acquisition technique that connects to the processor's test access ports on the device's circuit board and instructs the processor to transfer the data stored in flash memory. By using this method, a full physical image can be acquired without removing the chip.
Data Recovery
The process of retrieving deleted data from a device when it cannot be accessed normally.
SQLite
Text messages, emails, and much application data are stored in _ database files.
Pre-Installed Applications, User-Installed Applications
2 types of applications in an Android OS
Manual, Logical, Physical
Data extraction techniques on an Android device can be classified into three types.
Photos, Videos, Application Data, Documents
SD cards are capable of storing valuable information for an investigation. List 4 types of items that can be found on an SD card.
Bluetooth, USB, WiFi
The Android Linux Kernel layer contains drivers for Audio, Binder, Display, Keypad, Camera, Shared Memory, and _, _, and _.
Mandatory Access Control
Security Enhanced Linux (SELinux) on Android enforces _, which confines applications to isolated security domains.
Rooting
The process of gaining privileged access on an Android device.
Filesystem
The _ refers to the way data is stored, organized, and retrieved from a volume.
exFAT
The Microsoft proprietary file system that was created to be used on flash drives such as USB memory sticks and SD cards.
Android debug bridge (ADB)
The _ is a command-line tool that allows you to communicate with the Android device and control it.
Logical
_ data extraction techniques extract the data present on the device by interacting with the operating system and accessing the filesystem.
mmssms.db
During the course of an investigation, you may be asked to retrieve the text messages that were sent from and delivered to a particular mobile device. On Android, the data can be found in the _ file.
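The two timestamp formats and the message databases named in these cards, as an added Python example (not code from the original flashcards): it converts Mac absolute time to Unix time, handling both the seconds values of iOS 10 and earlier and the nanosecond values that iOS 11 and later write to sms.db, and reads constructed in-memory copies of the Android `sms` table of mmssms.db and the iOS `message`/`handle` tables of sms.db with the standard `sqlite3` module. The column names follow the real schemas; the rows and phone number are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's Mac absolute time epoch (2001-01-01).
MAC_EPOCH_OFFSET = 978307200


def mac_absolute_to_unix(value):
    """Convert Mac absolute time to Unix seconds.

    iOS 10 and earlier store seconds since 2001 in sms.db; iOS 11 and later store
    nanoseconds since 2001. Any seconds value is far below 10**10, so the magnitude
    tells the two apart."""
    if value > 10**10:
        value = value / 1e9
    return value + MAC_EPOCH_OFFSET


def to_utc(unix_seconds):
    """Render Unix seconds as an ISO-8601 UTC string for the report."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def android_sms_rows(conn):
    """Read the sms table of an Android mmssms.db: date is Unix milliseconds, type 1=inbox, 2=sent."""
    rows = conn.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    return [(addr, to_utc(date_ms / 1000), "received" if typ == 1 else "sent", body)
            for addr, date_ms, typ, body in rows]


def ios_sms_rows(conn):
    """Read the message table of an iOS sms.db, joining handle for the remote party."""
    sql = """SELECT h.id, m.date, m.is_from_me, m.text
             FROM message m LEFT JOIN handle h ON m.handle_id = h.ROWID
             ORDER BY m.date"""
    return [(addr, to_utc(mac_absolute_to_unix(date)), "sent" if from_me else "received", text)
            for addr, date, from_me, text in conn.execute(sql)]


def constructed_android_db():
    """Constructed mmssms.db stand-in (real column names, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", [
        ("+15551234567", 1700000000000, 1, "meet at 9"),  # inbox
        ("+15551234567", 1700000060000, 2, "ok"),         # sent
    ])
    return conn


def constructed_ios_db():
    """Constructed sms.db stand-in. A real database uses one unit throughout; both
    forms appear here only to exercise the converter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT)")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, "
                 "date INTEGER, is_from_me INTEGER, text TEXT)")
    conn.execute("INSERT INTO handle VALUES (1, '+15551234567')")
    conn.executemany("INSERT INTO message (handle_id, date, is_from_me, text) VALUES (?, ?, ?, ?)", [
        (1, 721692800, 0, "old-style seconds"),              # iOS 10 and earlier
        (1, 721692860 * 10**9, 1, "new-style nanoseconds"),  # iOS 11 and later
    ])
    return conn


if __name__ == "__main__":
    for row in android_sms_rows(constructed_android_db()):
        print("android", row)
    for row in ios_sms_rows(constructed_ios_db()):
        print("ios    ", row)
```

Normalising every timestamp to UTC before correlation matters because the two platforms use different epochs and different units; an examiner who reads the raw `date` column of sms.db as Unix time places every message 31 years too early.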
Physical extraction
Refers to the process of obtaining an exact bit-by-bit image of a device's memory. Because it is a complete copy, it includes information a logical extraction does not, such as slack space and unallocated space.
Root
To obtain a physical image of an Android device's internal memory, we generally need to _ the device.
exFAT
SD cards typically use which file system to overcome the 4 GB file-size limit of FAT32?
USB debugging
When the SD card is exposed over MTP/PTP rather than mounted as a drive, recovery can still be done with Android-specific data recovery tools, which require the _ option to be turned on.
Carving
File _ is the process of reassembling files from fragments of raw data in the absence of filesystem metadata, using known header and footer signatures.
0xffd8
For JPEG files, the file header starts with _ (the Start of Image marker) and the file ends with 0xffd9 (the End of Image marker).
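The JPEG header/footer carving this card describes, combined with the EXIF extraction from the DCIM card above, as an added Python example (not code from the original flashcards): it carves every 0xFFD8FF ... 0xFFD9 run out of a constructed blob of "unallocated space" and then walks the APP1 Exif segment (TIFF header, IFD0, and the Exif sub-IFD reached through tag 0x8769) to recover Make and DateTimeOriginal. The JPEGs are built inline with the standard `struct` module and are not real camera files.

```python
import struct

# Tag numbers from the TIFF/Exif specification; only ASCII tags are decoded here.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x9003: "DateTimeOriginal", 0x8769: "ExifIFDPointer"}
SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def carve_jpegs(blob):
    """Naive signature carving: every FFD8FF ... FFD9 run in the blob, searched left to right."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start == -1:
            break
        end = blob.find(EOI, start + 3)
        if end == -1:
            break
        found.append(blob[start:end + 2])
        pos = end + 2
    return found


def parse_exif(jpeg):
    """Return {tag_name: value} for ASCII tags in the APP1 Exif segment, following the sub-IFD."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # Start of Scan: no more metadata segments follow
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            return _parse_tiff(seg[6:])
        pos += 2 + seglen
    return {}


def _parse_tiff(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"  # byte order mark: II = little, MM = big
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    tags = {}

    def read_ifd(off):
        (count,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if typ == 2:  # ASCII: stored inline when it fits in the 4-byte value field
                raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[val:val + n]
                tags[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\0").decode("ascii", "replace")
            elif tag == 0x8769:  # pointer to the Exif sub-IFD that holds DateTimeOriginal
                read_ifd(val)
    read_ifd(ifd0)
    return tags


def _ifd(entries, base):
    """Serialise one little-endian IFD placed at TIFF offset `base`; out-of-line payloads follow it."""
    table_len = 2 + 12 * len(entries) + 4
    table, payload = struct.pack("<H", len(entries)), b""
    for tag, typ, count, value in entries:
        if isinstance(value, bytes):
            table += struct.pack("<HHII", tag, typ, count, base + table_len + len(payload))
            payload += value
        else:
            table += struct.pack("<HHII", tag, typ, count, value)
    return table + struct.pack("<I", 0) + payload


def build_sample_jpeg(date_str):
    """Constructed minimal JPEG with an Exif APP1 segment (not a real camera file)."""
    make, date = b"Apple\0", date_str.encode("ascii") + b"\0"
    exif_ifd_off = 8 + 2 + 12 * 2 + 4 + len(make)  # directly after IFD0 and its payload
    ifd0 = _ifd([(0x010F, 2, len(make), make), (0x8769, 4, 1, exif_ifd_off)], base=8)
    exif_ifd = _ifd([(0x9003, 2, len(date), date)], base=exif_ifd_off)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + exif_ifd
    app1 = b"Exif\0\0" + tiff
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + bytes(range(1, 40))  # stand-in scan data
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + scan + EOI


def demo_unallocated_space():
    """Constructed blob: two JPEGs buried between filler bytes, as carving would meet them."""
    first = build_sample_jpeg("2023:11:14 22:13:20")
    second = build_sample_jpeg("2024:01:02 03:04:05")
    return b"\x00" * 64 + first + b"\xde\xad" * 50 + second + b"\x00" * 32


if __name__ == "__main__":
    for img in carve_jpegs(demo_unallocated_space()):
        print(len(img), "bytes", parse_exif(img))
```

One caveat a practitioner will hit immediately: real camera JPEGs embed a thumbnail inside the Exif segment that carries its own SOI and EOI markers, so stopping at the first 0xFFD9 yields a truncated file. A production carver validates segment lengths or decodes the scan data rather than trusting the first footer it finds.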
/data/data
All applications store their private data in the _ directory by default, one subdirectory per package name.
history.db
The _ file contains the user's web history, stored in various tables.