BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period.

I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)".

If you are interested in taking a look at the presentation, it is available here:

https://www.dropbox.com/s/kxnhqyyyr8yk1h5/BYOM_Forensic.pdf?dl=0

During the presentation I shared some concepts I consider "fundamentals" for anyone working in this field.

For each category, I provided some resources that can help in building or improving your methodology.

I then decided to share these resources in a blog post, hoping it can be a useful "starting point" for reading and studying, especially in this period.

KNOWLEDGE
Mobile OS Architecture and Security books

Title | Authors | URL
Android Internals | Jonathan Levin | http://newandroidbook.com/
MacOS and iOS Internals | Jonathan Levin | http://www.newosxbook.com/
Android Security Internals | Nikolay Elenkov | https://nostarch.com/androidsecurity
Hacking and Securing iOS Applications | Jonathan Zdziarski | http://shop.oreilly.com/product/0636920023234.do
The Mobile Application Hacker's Handbook | Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse | https://www.wiley.com/en-us/The+Mobile+Application+Hacker%27s+Handbook-p-9781118958506
iOS Hacker's Handbook | Charlie Miller, Dion Blazakis, Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo, Ralf-Philipp Weinmann | https://www.wiley.com/en-us/iOS+Hacker%27s+Handbook-p-9781118204122
Android Hacker's Handbook | Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, Georg Wicherski | https://www.wiley.com/en-us/Android+Hacker's+Handbook-p-9781118608647
Hacking Exposed Mobile | Neil Bergman, Mike Stanfield, Jason Rouse, Joel Scambray, Sarath Geethakumar, Swapnil Deshmukh, Scott Matsumoto, John Steven, Mike Price | https://www.oreilly.com/library/view/hacking-exposed-mobile/9780071817011/

Mobile Forensics Books and references

Title | Authors | URL
DFIR "Smartphone Forensic Analysis In-Depth" Poster | SANS | https://digital-forensics.sans.org/media/DFPS_FOR585_v3.1_0420_R8.pdf
iPhone and iOS Forensics | Andrew Hoog | https://www.amazon.com/iPhone-iOS-Forensics-Investigation-Analysis/dp/1597496596
Android Forensics | Andrew Hoog |
Practical Mobile Forensics | Rohit Tamma, Oleg Skulkin, Heather Mahalik | https://www.packtpub.com/security/practical-mobile-forensics-fourth-edition
Mobile Forensic Investigations | Lee Reiber | https://www.mheducation.com/highered/product/mobile-forensic-investigations-guide-evidence-collection-analysis-presentation-second-edition-reiber/9781260135091.html
Seeking the Truth from Mobile Evidence | John Bair | https://www.elsevier.com/books/seeking-the-truth-from-mobile-evidence/bair/978-0-12-811056-0
Mobile Forensics – Advanced Investigative Strategies | Oleg Afonin, Vladimir Katalov | https://www.packtpub.com/networking-and-servers/mobile-forensics-advanced-investigative-strategies
Learning Android Forensics | Oleg Skulkin, Donnie Tindall, Rohit Tamma | https://www.packtpub.com/networking-and-servers/learning-android-forensics-second-edition
Learning iOS Forensics | Mattia Epifani, Pasquale Stirparo | https://www.packtpub.com/networking-and-servers/learning-ios-forensics-second-edition

File systems Books and references

Title | Authors | URL
File System Forensic Analysis | Brian Carrier | https://www.pearson.com/us/higher-education/program/Carrier-File-System-Forensic-Analysis/PGM270599.html
EXT File System Reference | | https://ext4.wiki.kernel.org/
APFS File System Reference | | https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
exFAT File System Reference | | https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification
FAT32 File System Reference | | http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf
HFS+ File System Reference | | https://developer.apple.com/library/archive/technotes/tn/tn1150.html

File formats Books and references

Title | Authors | URL
SQLite Forensics | Paul Sanderson | https://sqliteforensictoolkit.com/sqlite-forensics-book-3/
SQLite | | https://www.sqlite.org/
Plist | | https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html
Protobuf | | https://developers.google.com/protocol-buffers/docs/reference/proto3-spec
Realm | | https://realm.io/

TOOLS

Mobile Forensics Commercial Tools (in alphabetical order)

Company | URL
Belkasoft | https://belkasoft.com/
Blackbag | https://www.blackbagtech.com/
Cellebrite | https://www.cellebrite.com/
Elcomsoft | https://www.elcomsoft.com/
Grayshift | https://graykey.grayshift.com/
Magnet Forensics | https://www.magnetforensics.com/
MobilEdit | https://www.mobiledit.com/
MSAB | https://www.msab.com/
Oxygen Forensics | https://www.oxygen-forensic.com/
Paraben | https://paraben.com/
Susteen | https://www.susteen.com/

Digital Forensics Commercial Tools (in alphabetical order)

Company | URL
AccessData | https://accessdata.com/
Guidance | https://www.guidancesoftware.com/
Sanderson Forensics | https://sqliteforensictoolkit.com/
X-Ways | https://www.x-ways.net/

Opensource/Freeware/Shareware Tools (in alphabetical order)

Software | URL
3UTools | http://www.3u.com/
AFLogical | https://github.com/nowsecure/android-forensics
ALEAPP | https://github.com/abrignoni/ALEAPP
Andriller | https://www.andriller.com/
Android ADB | https://developer.android.com/studio/releases/platform-tools
APOLLO | https://github.com/mac4n6/APOLLO
ArtEx | https://www.doubleblak.com/
Autopsy | https://www.sleuthkit.org/autopsy/
iBackupBot | https://www.icopybot.com/itunes-backup-manager.htm
ILEAPP | https://github.com/abrignoni/iLEAPP
iMobile Device | http://docs.quamotion.mobi/docs/imobiledevice/
Libimobiledevice | https://www.libimobiledevice.org/
MobileRevelator | https://github.com/bkerler/MR
Smart Phone Flash Tool | https://spflashtool.com/

File format specific Tools (in alphabetical order)

Software | URL
Plist Editor Pro | https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite | https://sqlitebrowser.org/
Realm Studio | https://realm.io/products/realm-studio/
SQLite Miner | https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser | https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts | https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts

Hardware Tools (in alphabetical order)

Company | URL
BST Dongle | https://www.bstdongle.com/
Chimera Tool | https://chimeratool.com/
Fone Fun Shop | https://www.fonefunshop.com/
Furious Gold | https://www.furiousgold.com/
GPG Industries | https://www.gpgindustries.com/
GSM Server | https://gsmserver.com/
MFC Dongle | https://www.mfcbox.com/
Multi Com | https://multi-com.pl/
NCK Dongle | https://nckdongle.com/
Octoplus Box | https://octoplusbox.com/
RIFF Box | https://www.riffbox.org/
TeelTech | http://www.teeltech.com
VR Table | https://vr-table.com/
XPIN Clip | https://xpinclip.com/
Z3X Box | https://z3x-team.com/

TRAINING

Course | URL
SANS FOR585 - Smartphone Forensic Analysis In-Depth | https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
Vendor Training | https://articles.forensicfocus.com/2020/04/13/industry-roundup-online-digital-forensics-training/

UPDATES

Title | URL
About DFIR | https://aboutdfir.com/
DFIR Training | https://www.dfir.training/
Forensic Focus | https://www.forensicfocus.com/
This Week in 4N6 | https://thisweekin4n6.com/

COMMUNITY

Title | URL
Digital Forensics Discord Group | https://discord.gg/kr7AFjf
Mobile Device Forensics and Analysis (MDFA) Group | https://groups.google.com/forum/#!forum/mobile-device-forensics-and-analysis
XDA Developers | https://www.xda-developers.com/

BLOGS

Person | URL
Jon B | https://www.ciofecaforensics.com/
Alexis Brignoni | https://abrignoni.blogspot.com
Mari DeGrazia | http://az4n6.blogspot.com
Sarah Edwards | https://www.mac4n6.com
Mattia Epifani | http://mattiaep.blogspot.com
Josh Hickman | https://thebinaryhick.blog/
Andrew Hoog | https://www.hack42labs.com
Adrian Leong | http://cheeky4n6monkey.blogspot.com
Heather Mahalik | https://smarterforensics.com
Ian Whiffin | http://doubleblak.com/blogs.php

GUIDELINES

Document | URL
Guidelines on Mobile Device Forensics | https://www.nist.gov/publications/guidelines-mobile-device-forensics
INTERPOL Guidelines for Digital Forensics Laboratories | https://www.interpol.int/content/download/13501/file/INTERPOL_DFL_GlobalGuidelinesDigitalForensicsLaboratory.pdf
SWGDE Best Practices for Mobile Devices | https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Mobile%20Device%20Evidence%20Collection%20and%20Preservation,%20Handling,%20and%20Acquisition

DEVICE IDENTIFICATION/INFORMATION

Website | URL
Firmware.mobi | https://desktop.firmware.mobi/
GSM Arena | https://www.gsmarena.com/
Hard Reset.info | https://www.hardreset.info/
IMEI.INFO | https://www.imei.info/
Numbering Plans | https://www.numberingplans.com/
PhoneDB | http://phonedb.net/
PhoneScoop | https://www.phonescoop.com/
Sammobile | https://www.sammobile.com/
The iPhone Wiki | https://www.theiphonewiki.com/
