Scribd
Upload
322 views21 pages

Open Source Mobile Device Forensics

This document discusses open source mobile device forensics tools and techniques for acquiring data from iOS and Android devices. It covers topics like acquisition methods, analytical tools, examining contacts, messages, files and more. Commercial tools are limited so the document promotes open source options like Autopsy, Lime and custom scripts.

Uploaded by

safataldeen
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
322 views21 pages

Open Source Mobile Device Forensics

This document discusses open source mobile device forensics tools and techniques for acquiring data from iOS and Android devices. It covers topics like acquisition methods, analytical tools, examining contacts, messages, files and more. Commercial tools are limited so the document promotes open source options like Autopsy, Lime and custom scripts.

Uploaded by

safataldeen
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

Open Source Mobile Device Forensics

Heather Mahalik

2014, Basis Technology

Device Acquisition
iOS Devices

Android Devices

Zdziarski Methods
Boot Rom
Vulnerability Exploits
Custom Ramdisk via
SSH
The iPhone Data
Protection Tools

iTunes

viaLogical
ADB Backup
OSAF Toolkit
Santoku
DD
Not supported for all
devices

JTAG/Chip-off
2014, Basis Technology

Considerations
How old is the
device?
Is the device locked?
Is the device
damaged?
Are you Law
Enforcement?

2014, Basis Technology

Android Memory Capture


LiME (Linux Memory
Extractor)
First tool to support full
memory captures of
Android smartphones!
TCP dump or saved to
SD card
Uses ADB

2014, Basis Technology

Analytical Toolsto Name a Few


Android Devices

iOS Devices

iPhone Backup Analyzer


iExplorer
iBackupBot
Scalpel
SQLite Browser
Plist Editor
WhatsApp Extract
Contacts.sqlite and
ChatStorage.sqlite
Manual examination
Customized scripts

Autopsy
Android Module
WhatsApp Extract
wa.db and msgstore.db
Scalpel
SQLite Browser
Hex Editor
Anything capable of mounting
EXT
FTK Imager
Customized scripts
Manual examination

2014, Basis Technology

Reality Check!
Commercial tools are expensive
They still miss data
They dont parse third party applications
completely
They omit relevant databases when extracting
data
They dont support all devices
Open Source tools
See above!

2014, Basis Technology

Example iOS Examination


/private/var/mobile/library/Spotlight/com.apple.mobilesms/
smssearchindex.sqlite

Provides SMS message data


Active and deleted messages
Should be compared to sms.db
May show traces of attachments (metadata)
*Not commonly parsed by any tool!
2014, Basis Technology

Autopsy
GUI built on The Sleuth Kit
Next version (v3.1.1) will include Android
module
Customizable
Complete analytical platform
Android dumps can be loaded as normal disk
images or file folders

2014, Basis Technology

Android Examination

2014, Basis Technology

Examining Contacts
Parsed from Contacts2.db file
Raw_contacts and ABPerson

2014, Basis Technology

10

Examining the Raw Contacts (1)

2014, Basis Technology

11

Examining the Raw Contacts (2)

2014, Basis Technology

12

Parsing Messages and Chats


Parses messages and chats from SMS, MMS
and some third party applications

2014, Basis Technology

13

Encoding Built into Autopsy


Encryption vs. Encoding
Base64 decoder built into Autopsy Android
module

2014, Basis Technology

14

Geolocation Support
Google Maps, Browser, Cache and EXIF
location parsing

2014, Basis Technology

15

Geolocation Reporting

2014, Basis Technology

16

Examining Multimedia Files


EXIF Parser

Graphics and Videos

2014, Basis Technology

17

Recovering Deleted SQLite Data


Active files shown in viewer

Deleted must be examined/recovered in Hex

2014, Basis Technology

18

Custom Scripts
Mari DeGrazias SQLite Parser

2014, Basis Technology

19

References, Sources and Suggested Reading

http://www.zdziarski.com/blog/wpcontent/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
www.az4n6.blogspot.com
https://viaforensics.com/blog/
http://www.sleuthkit.org/
Practical Mobile Forensics Bommisetty,
Mahalik, Tamma
www.smarterforensics.com
https://code.google.com/p/lime-forensics/
2014, Basis Technology

20

Questions
Heather Mahalik
Basis Technology
www.basistech.com
[email protected]
Twitter: @heathermahalik

2014, Basis Technology

21

You might also like