BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period.

I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)".

If you are interested in taking a look at the presentation, it is available here

During the presentation I shared some concepts I consider as "fundamentals" if you are working in this field.

For each category, I provided some resources that can help building or improving your methodology.

I decided then to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.

Mobile OS Architecture and Security books
TitleAuthorsURLAndroid InternalsJonathan Levin and iOS InternalsJonathan Levin Se…


Sometimes you need something open... This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born with a real case few months ago.
Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major well known commercial solutions are unable to properly parse that database: or, if able, they provide slightly different results. Again, the db content represents a crucial evidence. On which tools' outputs, if any, would you rely on to report evidences?
That's a classical example where the digital investigator must be able to explain every single bit there (theoretically, he should always be). Point is, the cache4.db is not just a simple SQLite database, but it's a SQLite database containing a lotof binaries blobs. Guess what? All …

Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!")

After my third post on how to automate an extraction BFU, my great friend, colleague and fellow citizen Giovanni 'sug4r' Rattaro, Tsurugi Linux team leader and core developer, wrote me a message saying: "Belin Mattia! You had a great idea! But we can quickly improve your script!" And I answered: "Yes, why not. How is it going for you in the next couple of weeks? Do you have time?". And Giovanni: "No, I have to deliver the newest version of Tsurugi before Christmas. But still, we can do it!". And I said: "I am also very busy. But yes, we can do it!".
Starting from my original idea, we completely redesigned and organized the script, both in terms of "user interface" (thanks Giovanni for the idea of using ncurses menu!) and functions.

Still, our script is a PoC and must be used just for testing, studying, developing and learning purposes. It is not meant to be a "forensic tool", but we decided in any case to create log …

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

I spent the last couple of weeks investigating iOS 13 acquisitions "Before First Unlock".

I want to start this blog post with an important point: USB Restricted Mode.

Since iOS 11.4.1, Apple introduced a new security measure called "USB Restricted Mode" that, basically, disables USB data connection under certain conditions.

The effects of USB Restricted Mode on an iOS device and possible ways to overcome it in a non-jailbroken device were intensively discussed on various blogs.

Some references on this topic are:
iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics on Elcomsoft BlogiOS 11.4.1 Beta: USB Restricted Mode Has Arrived on Elcomsoft BlogThis $39 Device Can Defeat iOS USB Restricted Mode on Elcomsoft BlogiOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation on Elcomsoft BlogUSB Restricted Mode Inside Out on Elcomsoft BlogiOS 12 Enhances USB Restricted Mode on Elcomsoft BlogiOS 11.4.1 Follow-up: Delaying USB Restri…