Showing posts from April, 2020

BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period. I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)". If you are interested in taking a look at the presentation, it is available here.

During the presentation, I shared some concepts I consider "fundamentals" if you are working in this field. For each category, I provided some resources that can help build or improve your methodology. I then decided to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.

KNOWLEDGE

Mobile OS Architecture and Security books

Title | Authors | URL
Android Internals | Jonathan Levin |


Sometimes you need something open ...

This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born with a real case a few months ago. Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major well-known commercial solutions are unable to properly parse that database, or, if able, they provide slightly different results. Again, the db content represents crucial evidence. On which tool's output, if any, would you rely to report evidence? That's a classic example where the digital investigator must be able to explain every single bit there (theoretically, he should always be). Point is, the cache4.db is not just a simple SQLite database, but a SQLite database containing a lot of binaries
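Before trusting any tool's rendering of a database like this, a practitioner wants an inventory of every binary value it holds, so that nothing a parser skipped goes unnoticed. The following is an added example, not code from the original post or from teleparser: it enumerates every table of a SQLite file, finds the columns that actually store BLOB values (checked per row with typeof(), since SQLite is dynamically typed and a declared type proves nothing), and records length, SHA-256 and the first bytes of each blob. It does not decode Telegram's serialized objects; the table and column names in the sample database are constructed stand-ins, not the real cache4.db schema.

```python
"""Inventory every BLOB stored in a SQLite database before relying on any parser's output."""
import hashlib
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database standing in for a cache4.db-like file.
    Table/column names and contents are invented for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (mid INTEGER PRIMARY KEY, uid INTEGER, data BLOB);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(1, 42, b"\x01\x02\x03\x04"), (2, 42, None), (3, 7, b"\xff" * 16)],
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [(42, "alice", 0), (7, "bob", 1)])
    conn.commit()
    return conn


def _q(identifier: str) -> str:
    """Quote a table or column name as a SQLite identifier (names come from the schema,
    so they are untrusted input and must not be spliced into SQL unquoted)."""
    return '"' + identifier.replace('"', '""') + '"'


def blob_columns(conn: sqlite3.Connection):
    """Return (table, column, blob_count) for every column holding at least one BLOB value.
    typeof() is evaluated per row: a column declared TEXT may still contain blobs."""
    tables = [
        r[0]
        for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
        )
    ]
    found = []
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({_q(table)})")]
        for col in columns:
            count = conn.execute(
                f"SELECT count(*) FROM {_q(table)} WHERE typeof({_q(col)}) = 'blob'"
            ).fetchone()[0]
            if count:
                found.append((table, col, count))
    return found


def blob_inventory(conn: sqlite3.Connection):
    """List every blob with its location, length, SHA-256 and leading bytes, so each one
    can be accounted for (and later decoded) independently of what a vendor tool shows."""
    inventory = []
    for table, col, _ in blob_columns(conn):
        rows = conn.execute(
            f"SELECT rowid, {_q(col)} FROM {_q(table)} WHERE typeof({_q(col)}) = 'blob' ORDER BY rowid"
        )
        for rowid, data in rows:
            inventory.append(
                {
                    "table": table,
                    "column": col,
                    "rowid": rowid,
                    "length": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "head": data[:8].hex(),
                }
            )
    return inventory


if __name__ == "__main__":
    db = build_sample_db()  # replace with sqlite3.connect("file:cache4.db?mode=ro", uri=True) on a real copy
    for entry in blob_inventory(db):
        print(f"{entry['table']}.{entry['column']} rowid={entry['rowid']} "
              f"len={entry['length']} sha256={entry['sha256'][:16]}... head={entry['head']}")
```

Run it against a forensic copy opened read-only (the `mode=ro` URI shown in the comment) and compare the blob count and hashes with what each commercial tool claims to have parsed; a blob present in the inventory but absent from a tool's report is exactly the gap the post describes.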