Showing posts from April, 2020

BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period. I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)". If you are interested in taking a look at the presentation, it is available here.

During the presentation I shared some concepts I consider "fundamentals" if you are working in this field. For each category, I provided some resources that can help build or improve your methodology. I then decided to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.

KNOWLEDGE

Mobile OS Architecture and Security books

Title | Authors | URL
Android Internals | Jonathan Levin | http://newandroidb


Sometimes you need something open ...

This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born from a real case a few months ago. Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major, well-known commercial solutions are unable to properly parse that database, or, if they are able, they provide slightly different results. Again, the db content represents crucial evidence. Which tools' outputs, if any, would you rely on to report the evidence? That's a classic example where the digital investigator must be able to explain every single bit in there (theoretically, he should always be able to). The point is, the cache4.db is not just a simple SQLite database, but a SQLite database containing a lot of binaries
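Before trusting any tool's rendering of a database like this, a practitioner wants to know where the binary payloads actually live. The following script is an added example, not part of this post and not code from the teleparser project: it opens a SQLite file read-only, walks every user table and column, and reports which columns hold BLOB-typed values, how many rows carry one, and a hex preview of the longest. The sample database it builds (tables `messages` and `users`) is constructed for the demo and is not Telegram's cache4.db schema; the only assumption about the real file is that it is a SQLite database with binary columns, which is what the post states.

```python
import os
import sqlite3
import tempfile


def build_sample_db(path):
    """Constructed sample: a SQLite file whose rows mix text and opaque blobs.
    Table and column names are invented for the demo; this is NOT Telegram's
    cache4.db schema."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (mid INTEGER PRIMARY KEY, uid INTEGER, data BLOB, note TEXT)")
    con.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status BLOB)")
    con.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        (1, 10, b"\x11\x22\x33\x44" + b"\x00" * 12, "plain"),
        (2, 10, b"\xaa\xbb", None),
        (3, 11, None, "no payload"),
    ])
    con.executemany("INSERT INTO users VALUES (?,?,?)", [
        (10, "alice", b"\x01"),
        (11, "bob", None),
    ])
    con.commit()
    con.close()


def _q(ident):
    """Quote a SQLite identifier taken from sqlite_master / PRAGMA output."""
    return '"' + ident.replace('"', '""') + '"'


def inventory_blobs(path, preview=8):
    """Walk every user table and column of a SQLite file (opened read-only).
    For each column that stores BLOB values, return the number of blob rows,
    the largest blob length and a hex preview of the longest blob, keyed by
    (table, column). typeof() reports the storage class actually used, so a
    column declared TEXT that silently holds bytes is caught as well."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    result = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f"PRAGMA table_info({_q(table)})")]
        for col in cols:
            count, maxlen = con.execute(
                f"SELECT COUNT(*), MAX(LENGTH({_q(col)})) FROM {_q(table)} "
                f"WHERE typeof({_q(col)}) = 'blob'").fetchone()
            if not count:
                continue
            longest = con.execute(
                f"SELECT {_q(col)} FROM {_q(table)} WHERE typeof({_q(col)}) = 'blob' "
                f"ORDER BY LENGTH({_q(col)}) DESC LIMIT 1").fetchone()[0]
            result[(table, col)] = {
                "blob_rows": count,
                "max_len": maxlen,
                "preview": bytes(longest[:preview]).hex(),
            }
    con.close()
    return result


def run_demo():
    """Build the constructed sample in a temp dir and inventory its blobs."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.db")
    build_sample_db(path)
    return inventory_blobs(path)


if __name__ == "__main__":
    for (table, col), info in sorted(run_demo().items()):
        print(f"{table}.{col}: {info['blob_rows']} blob rows, "
              f"max {info['max_len']} bytes, starts {info['preview']}")
```

Point `inventory_blobs()` at a copy of the real database (never the original evidence file) to get a map of the columns you will have to decode by hand; the hex preview of each column's largest value is usually enough to spot a recurring serialization header and decide where to start disassembling the format.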