Mobile Forensic Investigations A Guide to Evidence Collection Analysis and Presentation 1st Edition by Lee Reiber 9780071843638 0071843639

CHAPTER 1 Introduction to the World of Mobile Device Forensics

A Brief History of the Mobile Device

Martin Cooper

Size Evolution

Data Evolution

Storage Evolution

Mobile Device Data: The Relevance Today

Mobile Devices in the Media

The Overuse of the Word “Forensic”

Write Blockers and Mobile Devices

Mobile Device Technology and Mobile Forensics

From Data Transfer to Data Forensics

Processes and Procedures

Examination Awareness and Progression

Data Storage Points

Mobile Technology Acronyms

Mobile Device

SIM

Media Storage Cards

Mobile Device Backups

Educational Resources

Phone Scoop

GSMArena

Forums

Preparing for Your Journey

Chapter Summary

CHAPTER 2 Mobile Devices vs. Computer Devices in the World of Forensics

Computer Forensics Defined

International Association of Computer Investigative Specialists (IACIS)

International Society of Forensic Computer Examiners (ISFCE)

Applying Forensic Processes and Procedures

Seizure

Collection

Analysis/Examination

Presentation

Approach to Mobile Device Forensics

NIST and Mobile Forensics

Process and Procedure

Standard Operating Procedure Document

Purpose and Scope

Definitions

Equipment/Materials

General Information

Procedure

References/Documents

Successful SOP Creation and Execution

Creation of a Workflow

Specialty Mobile Forensic Units

Forensic Software

Common Misconceptions

Seasoned Computer Forensics Examiners’ Misconceptions

First Responders’ Misconceptions

Chapter Summary

CHAPTER 3 Collecting Mobile Devices, USB Drives, and Storage Media at the Scene

Lawful Device Seizure

Before the Data Seizure

Fourth Amendment Rights

The Supreme Court and Mobile Device Data Seizure

Warrantless Searches

Location to Be Searched: Physical Location

Location to Be Searched: Mobile Device

Securing the Scene

Data Volatility at the Scene

Asking the Right Questions

Examining the Scene for Evidence

USB Drives

Chargers and USB Cables

SD Cards

SIM Cards

Older Mobile Devices

Personal Computers

Once You Find It, What’s Next?

Inventory and Location

Data Collection: Where and When

Chapter Summary

CHAPTER 4 Preparing, Protecting, and Seizing Digital Device Evidence

Before Seizure: Understanding Mobile Device Communication

Cellular Communication

Bluetooth Communication

Wi-Fi Communication

Near Field Communication

Understanding Mobile Device Security

Apple iOS Devices

Android Devices

Windows Mobile and Windows Phone

BlackBerry Devices

Photographing the Evidence at the Scene

Tagging and Marking Evidence

Documentating the Evidence at the Scene

Mobile Device

Mobile Device Accessories

SIM Card

Memory Cards

Dealing with Power Issues: The Device State

Bagging Sensitive Evidence

Types of Bagging Equipment

Properly Bagging Mobile Device Evidence

Transporting Mobile Device Evidence

To Storage

To the Lab

Establishing Chain of Custody

Chapter Summary

CHAPTER 5 Toolbox Forensics: Multiple-Tool Approach

Choosing the Right Tools

Analyzing Several Devices Collectively

Verifying and Validating Software

Using Multiple Tools to Your Advantage

Dealing with Challenges

Overcoming Challenges by Verification and Validation

Overcoming Challenges for Single- and Multiple-Tool Examinations

Chapter Summary

CHAPTER 6 Mobile Forensic Tool Overview

Collection Types

Logical Collection

Physical Collection

Collection Pyramid

Collection Additions

Nontraditional Tools

Traditional Tool Matrix

Tools Available

Open Source Tools

Freeware Tools

Commercial Tools

Chapter Summary

CHAPTER 7 Preparing the Environment for Your First Collection

Creating the Ideal System

Processor (CPU)

RAM

Input/Output (I/O)

Storage

External Storage

Operating System

Device Drivers and Multiple-Tool Environments

Understanding Drivers

Finding Mobile Device Drivers

Installing Drivers

Cleaning the Computer System of Unused Drivers and Ports

Chapter Summary

CHAPTER 8 Conducting a Collection of a Mobile Device: Considerations and Actions

Initial Considerations

Isolating the Device

Device Collection Type: Logical or Physical

Initial Documentation

Device

Battery

UICC

Memory Card

JTAG or Chip-Off

Isolation of the Mobile Device

Methods, Appliances, and Techniques for Isolating a Device

Mobile Device Processing Workflow

Feature Phone Collections

BlackBerry Collections

Windows Mobile and Windows Phone Examinations

Apple iOS Connections and Collections

Android OS Connections and Collections

Chapter Summary

CHAPTER 9 Analyzing SIM Cards

Smart Card Overview: SIM and UICC

SIM Card Analysis

File System UICC Structure

Network Information Data Locations

User Data Locations

Chapter Summary

CHAPTER 10 Analyzing Feature Phone, BlackBerry, and Windows Phone Data

Avoiding Tool Hashing Inconsistencies

Iceberg Theory

Feature Phones

Feature Phone “Tip of the Iceberg Data”

Parsing a Feature Phone File System

BlackBerry Devices

BlackBerry “Tip of the Iceberg Data”

Blackberry Database Breakdown

BlackBerry Data Formats and Data Types

BlackBerry 10 File System

Windows Phone

Windows Phone “Tip of the Iceberg Data”

Windows Phone File System

Chapter Summary

CHAPTER 11 Advanced iOS Analysis

The iOS File System

iOS “Tip of the Iceberg Data”

File System Structure

App Data

App Caches

Additional File System Locations

iOS Evidentiary File Types

SQLite Databases

Property Lists

Miscellaneous iOS Files

Chapter Summary

CHAPTER 12 Querying SQLite and Taming the Forensic Snake

Querying of the SQLite Database

What Is a SQL Query?

Building a Simple SQL Query

Automating Query Building

Analysis with Python

Python Terminology

Using Python Scripts

Hashing a Directory of Files

Using Regular Expressions

Chapter Summary

CHAPTER 13 Advanced Android Analysis

Android Device Information

Partitions

The File System

Predominate Android File Types

Artifacts

“Tip of the Iceberg Data”

Additional File System Locations

/data Folder

File Interrogation

Scripts

Android App Files and Malware

Analysis Levels

Chapter Summary

CHAPTER 14 Presenting the Data as a Mobile Forensics Expert

Presenting the Data

The Importance of Taking Notes

The Audience

Format of the Examiner’s Presentation

Why Being Technical Is Not Always Best

What Data to Include in the Report

To Include or Not to Include

Becoming a Mobile Forensic Device Expert

Importance of a Complete Collection

Conforming to Current Expectations May Not Be the Best Approach

Additional Suggestions and Advice