BYOM - Build Your Own Methodology (in Mobile Forensics)

By -
Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period.

I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)".

If you are interested in taking a look at the presentation, it is available here

https://www.slideshare.net/realitynet/byom-build-your-own-methodology-in-mobile-forensics

During the presentation, I shared some concepts I consider as "fundamentals" if you are working in this field.


For each category, I provided some resources that can help building or improving your methodology.

I decided then to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.

KNOWLEDGE


Mobile OS Architecture and Security books

Title Authors URL
Android Internals Jonathan Levin http://newandroidbook.com/
MacOS and iOS Internals Jonathan Levin http://www.newosxbook.com/
Android Security Internals Nikolay Elenkov https://nostarch.com/androidsecurity
Hacking and Securing iOS Applications Jonathan Zdziarski http://shop.oreilly.com/product/0636920023234.do
The Mobile Application Hacker’s Handbook Dominic Chell
Tyrone Erasmus
Shaun Colley
Ollie Whitehouse		 https://www.wiley.com/en-us/The+Mobile+Application+Hacker%27s+Handbook-p-9781118958506
iOS Hacker's Handbook Charlie Miller
Dion Blazakis
Dino DaiZovi
Stefan Esser
Vincenzo Iozzo
Ralf-Philip Weinmann		 https://www.wiley.com/en-us/iOS+Hacker%27s+Handbook-p-9781118204122
Android Hacker's Handbook Joshua J. Drake
Zach Lanier
Collin Mulliner
Pau Oliva Fora
Stephen A. Ridley
Georg Wicherski		 https://www.wiley.com/en-us/Android+Hacker's+Handbook-p-9781118608647
Hacking Exposed Mobile Neil Bergman
Mike Stanfield
Jason Rouse
Joel Scambray
Sarath Geethakumar
Swapnil Deshmukh
Scott Matsumoto
John Steven
Mike Price		 https://www.oreilly.com/library/view/hacking-exposed-mobile/9780071817011/

Mobile Forensics Books and references

Title Authors URL
DFIR "Smart Forensic Analysis In-Depth" Poster SANS/td> https://digital-forensics.sans.org/media/DFPS_FOR585_v3.1_0420_R8.pdf
iPhone and iOS Forensics Andrew Hogg https://www.amazon.com/iPhone-iOS-Forensics-Investigation-Analysis/dp/1597496596
Android Forensics Andrew Hogg
Practical Mobile Forensics  Rohit Tamma
Oleg Skulkin
Heather Mahalik		 https://www.packtpub.com/security/practical-mobile-forensics-fourth-edition
Mobile Forensics Investigations  Lee Reiber https://www.mheducation.com/highered/product/mobile-forensic-investigations-guide-evidence-collection-analysis-presentation-second-edition-reiber/9781260135091.html
Seeking the Truth from Mobile Evidence  John Bair https://www.elsevier.com/books/seeking-the-truth-from-mobile-evidence/bair/978-0-12-811056-0
Mobile Forensics – Advanced Investigative Services  Oleg Afonin
Vladimir Katalov		 https://www.packtpub.com/networking-and-servers/mobile-forensics-advanced-investigative-strategies
Learning Android Forensics  Oleg Skulkin
Donnie Tindall
Rohit Tamma		 hhttps://www.packtpub.com/networking-and-servers/learning-android-forensics-second-edition
Learning iOS Forensics Mattia Epifani
Pasquale Stirparo		 https://www.packtpub.com/networking-and-servers/learning-ios-forensics-second-edition

File systems Books and references

Title Authors URL
File System Forensic Analysis  Brian Carrier https://www.pearson.com/us/higher-education/program/Carrier-File-System-Forensic-Analysis/PGM270599.html
EXT File System Reference
https://ext4.wiki.kernel.org/
APFS File System Reference 
https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
exFAT File System Reference
https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification
FAT32 File System Reference
http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf
HFS+ File System Reference 
https://developer.apple.com/library/archive/technotes/tn/tn1150.html

File formats Books and references

Title Authors URL
SQLite Forensics Paul Sanderson https://sqliteforensictoolkit.com/sqlite-forensics-book-3/
SQLite
https://www.sqlite.org/
Plist
https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html
Protobuf
https://developers.google.com/protocol-buffers/docs/reference/proto3-spec
Realm
https://realm.io/

TOOLS

Mobile Forensics Commercial Tools (in alphabetical order)

Company URL
Belkasoft https://belkasoft.com/
Blackbag https://www.blackbagtech.com/
Cellebrite https://www.cellebrite.com/
Elcomsoft https://www.elcomsoft.com/
Grayshift https://graykey.grayshift.com/
Magnet Forensics https://www.magnetforensics.com/
MobilEdit https://www.mobiledit.com/
MSAB https://www.msab.com/
Oxygen Forensics https://www.oxygen-forensic.com/
Paraben https://paraben.com/
Susteen https://www.susteen.com/

Digital Forensics Commercial Tools (in alphabetical order)

Company URL
AccessData https://accessdata.com/
Guidance https://www.guidancesoftware.com/
Sanderson Forensics https://sqliteforensictoolkit.com/
X-Ways https://www.x-ways.net/

Opensource/Freeware/Shareware Tools (in alphabetical order)

Software URL
3UTools http://www.3u.com/
AFLogical https://github.com/nowsecure/android-forensics
ALEAPP https://github.com/abrignoni/ALEAPP
Andriller https://www.andriller.com/
Android ADB https://developer.android.com/studio/releases/platform-tools
APOLLO https://github.com/mac4n6/APOLLO
ArtEx https://www.doubleblak.com/
Autopsy https://www.sleuthkit.org/autopsy/
iBackupBot https://www.icopybot.com/itunes-backup-manager.htm
ILEAPP https://github.com/abrignoni/iLEAPP
iMobile Device http://docs.quamotion.mobi/docs/imobiledevice/
Libimobiledevice https://www.libimobiledevice.org/
MobileRevelator https://github.com/bkerler/MR
Smart Phone Flash Tool https://spflashtool.com/

File format specific Tools (in alphabetical order)

Company URL
Plist Editor Pro https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite https://sqlitebrowser.org/
Realm Studio https://realm.io/products/realm-studio/
SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts

Hardware Tools (in alphabetical order)

Company URL
BST Dongle https://www.bstdongle.com/
Chimera Tool https://chimeratool.com/
Fone Fun Shop https://www.fonefunshop.com/
Furious Gold https://www.furiousgold.com/
GPG Industries https://www.gpgindustries.com/
GSM Server https://gsmserver.com/
MFC Dongle https://www.mfcbox.com/
Multi Com https://multi-com.pl/
NCK Dongle https://nckdongle.com/
Octoplus Box https://octoplusbox.com/
RIFF Box https://www.riffbox.org/
TeelTech http://www.teeltech.com
VR Table https://vr-table.com/
XPIN Clip https://xpinclip.com/
Z3X Box https://z3x-team.com/

TRAINING

Course URL
SANS FOR585 - Smartphone Forensic Analysis In-Depth https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
Vendor Training https://articles.forensicfocus.com/2020/04/13/industry-roundup-online-digital-forensics-training/

UPDATES

Title URL
About DFIR https://aboutdfir.com/
DFIR Training https://www.dfir.training/
Forensic Focus https://www.forensicfocus.com/
This Week in 4N6 https://thisweekin4n6.com/

COMMUNITY

Title URL
Digital Forensics Discord Group https://discord.gg/kr7AFjf
Mobile Device Forensics and Analysis (MDFA) Group https://groups.google.com/forum/#!forum/mobile-device-forensics-and-analysis
XDA Developers https://www.xda-developers.com/

BLOGS

Person URL
Jon B https://www.ciofecaforensics.com/
Alexis Brignoni https://abrignoni.blogspot.com
Mari DeGrazia http://az4n6.blogspot.com
Sarah Edwards https://www.mac4n6.com
Mattia Epifani http://mattiaep.blogspot.com
Josh Hickman https://thebinaryhick.blog/
Andrew Hoog https://www.hack42labs.com
Adrian Leong http://cheeky4n6monkey.blogspot.com
Heather Mahalik https://smarterforensics.com
Ian Whiffin http://doubleblak.com/blogs.php

GUIDELINES

DocumentURL
Guidelines on Mobile Device Forensics https://www.nist.gov/publications/guidelines-mobile-device-forensics
INTERPOL Guidelines for Digital Forensics Laboratories https://www.interpol.int/content/download/13501/file/INTERPOL_DFL_GlobalGuidelinesDigitalForensicsLaboratory.pdf
SWGDE Best Practices for Mobile Devices https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Mobile%20Device%20Evidence%20Collection%20and%20Preservation,%20Handling,%20and%20Acquisition

DEVICE IDENTIFICATION/INFORMATION

Website URL
Firmware.mobi https://desktop.firmware.mobi/
GSM Arena https://www.gsmarena.com/
Hard Reset.info https://www.hardreset.info/
IMEI.INFO https://www.imei.info/
Numbering Plans https://www.numberingplans.com/
PhoneDB http://phonedb.net/
PhoneScoop https://www.phonescoop.com/
Sammobile https://www.sammobile.com/
The iPhone Wiki https://www.theiphonewiki.com/

Comments

Post a Comment

Popular posts from this blog

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

WhatsApp Xtract

By -
I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.
Keep reading