
Digital Forensics (MU) 4-2 Windows and Unix Forensics Investigation

Deleted Files

The PhotoRec (www.cgsecurity.org/wiki/PhotoRec) programme is a free, open-source application that may be used as a standalone tool to recover files from various disk media such as HDDs, USB drives, SD cards (such as those found in smartphones and digital cameras), and CD-ROMs. Because PhotoRec carves files by their signatures and ignores the file system, the recovered files come back without their original names, paths or timestamps, so the recycle bin and file-system artefacts described below remain the only way to attribute a recovered file to a user and a point in time.

PhotoRec can be used in conjunction with TestDisk (www.cgsecurity.org/wiki/TestDisk, developed by the same author); this is another open-source tool that specialises in recovering missing partitions and/or repairing non-booting drives, making them bootable again.

A step-by-step instruction for using TestDisk may be found at www.cgsecurity.org/wiki/TestDisk_Step_By_Step. A similar PhotoRec lesson may be found at www.cgsecurity.org/wiki/PhotoRec_Step_By_Step.

4.1.2 Windows Recycle Bin Forensics

The Windows recycle bin, which was initially introduced in Windows 95, stores files that have been deleted by users but remain on the system. When a user deletes a file (for example, by pressing the Delete key after selecting the target file, or by right-clicking the file and selecting "Delete" from the pop-up menu), Windows moves the file to the recycle bin without permanently removing it.

This is the default behaviour of Windows; however, a user can configure the recycle bin settings to permanently delete files without moving them into the recycle bin. Additionally, some users press and hold the Shift key while deleting a file to permanently delete it without moving it into the recycle bin. In practice, few people use permanent deletion (or are aware of it); this allows the recycle bin to retain recycled artefacts, which are regarded as a vital source of digital evidence. Bear in mind that only Explorer-style deletions are recycled: files removed with del or rd at the command line, by programs that call the raw delete API, or from removable and network drives bypass the recycle bin entirely.

As previously stated, when a user deletes a file, Windows' normal behaviour is to move it to the recycle bin. The file names and locations in the recycle bin vary depending on the version of Windows. In Windows XP, deleted files on an NTFS volume are stored in the "Recycler" folder in the root directory of the drive (typically the C: drive for the system volume; every volume has its own); on a volume formatted with the FAT file system the folder is called "Recycled" instead. Both the folder and the "INFO2" index file inside it are hidden system objects: to view them, you must first display hidden files (including protected operating system files).

Inside the "Recycler" folder we can see one or more subfolders; these folders are named according to each user's security identifier (SID) (e.g., S-1-5-21-2602240047-739648611-3566628919-501). If a system has more than one user, each will have its own subfolder that stores the deleted files belonging to that user account.


Another significant item inside each user's SID subfolder is a file called "INFO2", and it provides an index of all the files that the user has previously deleted. It also includes metadata about each deleted file, such as the original location, file size, and date/time of deletion. The recycled file itself is renamed to the pattern D<drive letter><index>.<original extension> (for example, Dc1.docx), so INFO2 is the only record of its original name and path.

Windows Vista and later (7, 8, 8.1, and 10) modified both the primary recycle bin folder and the way deleted items are structured. Deleted files are saved in a folder called "$Recycle.Bin", which has a subfolder for each user on the system named after the user's SID. The "$Recycle.Bin" folder is located in the root of the C: drive (assuming Windows is installed there); every other NTFS volume carries its own "$Recycle.Bin" as well. When a file is deleted in these recent versions of Windows, it is moved to the recycle bin as two files: one containing the recycled file's actual data (its name begins with "$R"), and the other containing the deleted file's metadata (its name begins with "$I"). This eliminates the need for the "INFO2" file.

The recycle bin is in the root of the OS drive, which is typically C:\, and it is called $Recycle.Bin in Windows 10.

Each deleted file will result in two files placed within the path. Firstly, a $I file which contains metadata specific to that file: the original file name and path of the file prior to deletion, the size of the file and the time at which it was deleted. Secondly, the actual file contents themselves are stored within a $R file. Both files are named with the same random six-character value; $I and $R are prepended to it respectively, creating an 8-character file name to which the original extension is appended.

$I Metadata File (Windows Vista and Later)

C:\$Recycle.Bin\<SID>\$IXXXXXX.<ext>

- File name and full path of the deleted file
- Size of the deleted file
- Date/time at which the file was deleted (stored as a 64-bit FILETIME, i.e. in UTC)

On Vista through 8.1 every $I file is exactly 544 bytes (format version 1, with the path in a fixed 520-byte field). Windows 10 writes format version 2, in which the path is preceded by a 4-byte length field, so the file is 28 bytes plus two bytes per character of the original path including its terminator; that is why the $I files in the directory listing further down are 100 and 102 bytes.

$R File (Windows Vista and Later)

C:\$Recycle.Bin\<SID>\$RXXXXXX.<ext>

- The $R file contains the contents of the deleted file, with the original file's timestamps preserved.

The SID subfolder corresponds to the SID of the user that deleted the file. The subfolder is created for a given user upon the first deletion of a file that is sent to the Recycle Bin.

So, $I is metadata, $R is the actual recovery data representing the contents of the original file.

Let's have an example:

There are docx, txt and png files on the desktop.
file1.docx   file2.txt   file3.png   Recycle Bin

Let's delete them and then look at the contents of the recycle bin and see those files that I have just deleted.

Name         Original Location           Date Deleted     Size    Item type                 Date modified
file1.docx   C:\Users\Guinness\Desktop   19 Mar 3:37 AM   12 KB   Microsoft Word Document   19 Mar 3:34 AM
file2.txt    C:\Users\Guinness\Desktop   19 Mar 3:37 AM   1 KB    Text Document             19 Mar 3:34 AM
file3.png    C:\Users\Guinness\Desktop   19 Mar 3:37 AM   43 KB   PNG File                  19 Mar 3:35 AM

We see their original locations, deletion dates and times, and sizes. This information is stored within the $I metadata files.

Let's take a look at this in the file system.

Run the command prompt as administrator and view hidden files by typing dir /a; we can see the $Recycle.Bin folder on the second line.

C:\>dir /a
 Volume in drive C is OS
 Volume Serial Number is 4CD3-FB06

 Directory of C:\

16 Sep 05:47 PM    <DIR>          $GetCurrent
16 Sep 11:21 AM    <DIR>          $Recycle.Bin

Enter the folder, run dir /a again, and then we see the SID folders.

C:\>cd $Recycle.Bin
C:\$Recycle.Bin>dir /a
 Volume in drive C is OS
 Volume Serial Number is 4CD3-FB06

 Directory of C:\$Recycle.Bin

16 Sep 11:21 AM    <DIR>          .
16 Sep 11:21 AM    <DIR>          ..
16 Sep 11:21 AM    <DIR>          S-1-5-18
19 Mar 03:37 AM    <DIR>          S-1-5-21-3954386123-3477195644-2237217235-1001

S-1-5-18 is the well-known SID of the LocalSystem account, so that folder holds items recycled by system processes rather than by an interactive user.

We can see the users and their associated SIDs by entering

wmic useraccount get name,sid

C:\$Recycle.Bin>wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-3954386123-3477195644-2237217235-500
atalay         S-1-5-21-3954386123-3477195644-2237217235-1001

The relative identifier at the end of the SID tells you what kind of account it is: -500 is always the built-in Administrator, and ordinary user-created local accounts receive 1000 and above. Note that wmic is deprecated and may be absent on recent Windows releases; the PowerShell equivalent is Get-LocalUser | Select-Object Name, SID. On an offline image, map SIDs to names from the ProfileList key in the SOFTWARE hive instead.


I'm currently logged in as atalay, so that is the folder under which my recycle bin should be stored.

Let's go into it by

cd S-1-5-21-3954386123-3477195644-2237217235-1001

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>dir /a
19 Mar 03:34 AM            11,861 $RJIETQY.docx
19 Mar 03:34 AM                13 $R7GLYIA.txt
19 Mar 03:35 AM            43,697 $RSJTV6E.png
19 Mar 03:37 AM               102 $IJIETQY.docx
19 Mar 03:37 AM               100 $I7GLYIA.txt
19 Mar 03:37 AM               100 $ISJTV6E.png
              92 File(s)         68,419 bytes
               2 Dir(s)  397,528,186,880 bytes free

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>

So, we see the files as expected. There are 3 $R files containing actual recovery data for those files and 3 $I files containing the metadata for the 3 files I just deleted. Notice that the $R files still carry the original files' last-modified times (3:34 and 3:35), while the $I files are stamped with the deletion time (3:37).

For example, if I take the $RSJTV6E.png file and copy it to the RecFor folder, we will see that it is indeed the original file that was deleted.

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>copy $RSJTV6E.png "C:\Users\Guinness\RecFor\"
        1 file(s) copied.

It has been renamed with a random six-character string in front of which $R has been prepended: $RSJTV6E.png.

Now let's look at one of the $I files by opening it up with Notepad.


We can see that it's not easy to parse, but we can see the path and the original file name that was deleted, as shown above (the binary header renders as unprintable characters, and the path is UTF-16, so every character appears with a gap after it). However, there is a tool that makes this much easier to parse. The tool is called $I Parse, written by Jason Hale, and can be downloaded from his site. You can also read his research post, called "Recycle Bin $I Files and Windows 10".

Let's copy the $I metadata files to the RecFor folder.

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>copy $IJIETQY.docx "C:\Users\Guinness\RecFor\"
        1 file(s) copied.

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>copy $I7GLYIA.txt "C:\Users\Guinness\RecFor\"
        1 file(s) copied.

C:\$Recycle.Bin\S-1-5-21-3954386123-3477195644-2237217235-1001>copy $ISJTV6E.png "C:\Users\Guinness\RecFor\"
        1 file(s) copied.

Open the $I Parse tool, specify the directory of $I files and call the output file the-output.

$I Parse v1.1
  Directory of $I Files:  C:\Users\Guinness\RecFor                 [Browse]
  Output File:            C:\Users\Guinness\RecFor\the-output.tsv  [Browse]
  [Parse!]

That is it. Click Parse.

Finally, if we open the TSV file that has been generated, we will see the deletion date, the original name as a full path, the sizes, and the version.

Deleted Date               File Name                              File Size (bytes)   Version
03/19/2019 00:37:01 UTC    C:\Users\Guinness\Desktop\file2.txt    13                  Windows 10
03/19/2019 00:37:01 UTC    C:\Users\Guinness\Desktop\file1.docx   11861               Windows 10
03/19/2019 00:37:01 UTC    C:\Users\Guinness\Desktop\file3.png    43697               Windows 10

Two details are worth checking against the earlier screens. The "Version" column is derived from the format version field at the start of the $I file (2 means Windows 10 or later). And $I Parse reports the deletion time in UTC, whereas Explorer and dir displayed 3:37 AM in the machine's local time zone (UTC+3 on this system); the FILETIME inside the $I file is always UTC, so record the system's time zone before reporting deletion times.
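The parsing that $I Parse performs can be reproduced directly from the format described above. The following is an added example written for this page, not code from the book or from $I Parse; it builds constructed $I records (which come out at exactly the 100 and 102 bytes seen in the dir listing), parses them, and walks a SID folder pairing each $I with its $R twin. Helper names such as parse_i_file and scan_recycle_bin are this example's own.

```python
"""Parse $I recycle-bin metadata files (Windows Vista and later).

Added example; not the book's or $I Parse's code. Layout (little-endian):
  offset 0   8 bytes   format version: 1 = Vista/7/8/8.1, 2 = Windows 10 and later
  offset 8   8 bytes   original file size in bytes
  offset 16  8 bytes   deletion time as a FILETIME (100 ns ticks since 1601-01-01 UTC)
  version 1: offset 24  520 bytes  original path, UTF-16LE, NUL padded (file is always 544 bytes)
  version 2: offset 24  4 bytes    path length in UTF-16 code units, terminating NUL included
             offset 28  2*n bytes  original path, UTF-16LE, NUL terminated
The sample $I records below are constructed for this example.
"""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100 ns ticks
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    return UNIX_EPOCH + timedelta(microseconds=(ft - EPOCH_DIFF_100NS) // 10)

def utc_to_filetime(dt):
    return int((dt - UNIX_EPOCH).total_seconds()) * 10_000_000 + EPOCH_DIFF_100NS

def parse_i_file(data):
    """Return version, original size, deletion time (UTC) and original path of one $I file."""
    if len(data) < 28:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) != 544:
            raise ValueError("version 1 $I files are exactly 544 bytes")
        raw = data[24:544]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated path")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_utc": filetime_to_utc(ft), "path": path}

def build_i_file(version, size, deleted_utc, path):
    """Construct a $I record (used here only to make sample input)."""
    head = struct.pack("<QQQ", version, size, utc_to_filetime(deleted_utc))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded

def scan_recycle_bin(sid_dir):
    """Pair each $I file in a SID folder with its $R twin and sanity-check the size."""
    records = []
    for name in sorted(os.listdir(sid_dir)):
        if not name.startswith("$I"):
            continue
        with open(os.path.join(sid_dir, name), "rb") as fh:
            rec = parse_i_file(fh.read())
        r_name = "$R" + name[2:]                    # same random 6 chars and extension
        r_path = os.path.join(sid_dir, r_name)
        rec["i_file"], rec["r_file"] = name, r_name
        rec["r_present"] = os.path.exists(r_path)   # $I without $R: item was purged/restored
        rec["size_matches"] = rec["r_present"] and os.path.getsize(r_path) == rec["size"]
        records.append(rec)
    return records

DELETED_UTC = datetime(2019, 3, 19, 0, 37, 1, tzinfo=timezone.utc)
SAMPLE_I_TXT = build_i_file(2, 13, DELETED_UTC, r"C:\Users\Guinness\Desktop\file2.txt")
SAMPLE_I_DOCX = build_i_file(2, 11861, DELETED_UTC, r"C:\Users\Guinness\Desktop\file1.docx")

def demo():
    """Write constructed $I/$R files into a temporary SID folder and scan it."""
    with tempfile.TemporaryDirectory() as sid_dir:
        with open(os.path.join(sid_dir, "$I7GLYIA.txt"), "wb") as fh:
            fh.write(SAMPLE_I_TXT)
        with open(os.path.join(sid_dir, "$R7GLYIA.txt"), "wb") as fh:
            fh.write(b"hello, world\n")              # 13 bytes, matching the $I size field
        with open(os.path.join(sid_dir, "$IJIETQY.docx"), "wb") as fh:
            fh.write(SAMPLE_I_DOCX)                 # no $R twin: simulates a purged entry
        with open(os.path.join(sid_dir, "$IOLDVST.png"), "wb") as fh:
            fh.write(build_i_file(1, 43697, DELETED_UTC, r"C:\Users\Guinness\Desktop\file3.png"))
        return scan_recycle_bin(sid_dir)

if __name__ == "__main__":
    for rec in demo():
        print(rec["i_file"], rec["deleted_utc"].isoformat(), rec["size"], rec["path"],
              "R present" if rec["r_present"] else "R missing")
```

Point scan_recycle_bin at a SID folder copied from an image and it will flag $I files whose $R twin is missing (the user emptied or restored that item, but the metadata survived) and entries whose $R size disagrees with the recorded size, both of which deserve a closer look.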
4.1.3 Data Carving

Carving is the process of extracting data (files) from undifferentiated chunks of raw data. File carving is the process of identifying and recovering files based on file-format analysis (headers, footers and internal structure) rather than on file-system metadata, which is why it still works when the directory entry or MFT record of a file has been lost or overwritten. Carving is a useful technique in cyber forensics for locating hidden or deleted data on digital media.


Root Key                      Description

HKEY_CLASSES_ROOT (HKCR)      Describes file types, file extensions, and Object Linking and
                              Embedding (OLE) information. It is a merged view of
                              HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes.

HKEY_CURRENT_USER (HKCU)      Contains the profile and settings of the user currently logged
                              on to Windows. It is a link to that user's SID subkey under
                              HKEY_USERS.

HKEY_LOCAL_MACHINE (HKLM)     Contains computer-specific information about the hardware
                              installed, software settings, and other information that applies
                              to every user who logs on to this computer. It is one of the more
                              commonly accessed areas of the Registry.

HKEY_USERS (HKU)              Contains information about all the users who log on to the
                              computer, including both generic (.DEFAULT) and user-specific
                              information, keyed by SID.

HKEY_CURRENT_CONFIG (HKCC)    Contains the details about the current configuration of the
                              hardware attached to the computer (the active hardware profile).

HKEY_DYN_DATA (HKDD)          Only present in Windows 95, 98 and Me. It held dynamic status
                              information and Plug-and-Play information, which changed as
                              devices were added to or removed from the computer. The
                              information for each device included the related hardware key
                              and the device's current status, including problems.

On a forensic image these root keys are not files themselves: HKLM is assembled from the SAM, SECURITY, SOFTWARE and SYSTEM hive files in \Windows\System32\config, and each user's HKU branch comes from NTUSER.DAT in the profile folder and UsrClass.dat under AppData\Local\Microsoft\Windows. Copy the accompanying transaction logs (.LOG1/.LOG2) with the hives, since a hive taken from a live system may be missing recent changes without them.

4.1.5 USB Device Forensics

Windows preserves a history of all previously connected USB devices, including their connection times and the user account that installed them. In addition, the Windows registry saves critical technical information for each connected USB device, such as the vendor ID, product ID, revision, and serial number.

Windows maintains USB history information in five locations (four registry keys and one log file), each of which provides a unique piece of information about the connected device. By combining this information, investigators will have a better understanding of how an offender employed removable devices, such as a USB stick, to conduct or facilitate his or her actions.


1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

All USB mass-storage devices that have been inserted into the operating system since its installation are listed here. It displays the USB vendor (manufacturer name), product and revision strings, and the device serial number (notice that if the second character of the device serial number is "&", the device lacks a serial number and the system produced the device ID). On a live system CurrentControlSet is a link to one of the ControlSet00N keys; on an offline SYSTEM hive, read the Select\Current value to find which one to use. On Windows 8 and later, each device instance also has a Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey whose values 0064 (install date), 0065 (first install), 0066 (last arrival) and 0067 (last removal) hold FILETIMEs that are far more reliable than the key's Last Write time.

2. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

The MountedDevices subkey maintains the drive letter allocations; it associates a USB device serial number with a specific drive letter or volume that was mounted when the USB device was introduced.

3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

This key will keep track of which user was logged into Windows at the time a particular USB device was attached. The "Last Write Time" for each device connected to the system is also included in the key. On an offline image this key lives in each user's NTUSER.DAT, so it must be checked per user to attribute a device to an account.

4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

This key contains technical information about each connected USB device (keyed by VID_xxxx&PID_xxxx, the numeric USB vendor and product IDs), as well as the last time the subject USB device was connected to the machine under investigation.

5. Identify the first time a device was connected

This file can be found at \Windows\inf\setupapi.dev.log for Windows Vista, 7, 8 and later; Windows 10 additionally writes \Windows\inf\setupapi.upgrade.log for device installations performed during an in-place upgrade. On Windows XP, this file is called \Windows\setupapi.log. Find the serial number of a certain USB device in this file to understand when it was first connected to the relevant system. The timestamps are in local time with no time-zone marker, so correlate them with the machine's configured zone before placing them on a timeline.

To automate the process of obtaining information about current and prior USB-connected devices, you can download a free tool called USBDeview from NirSoft that can perform all of the tasks we just performed manually. After running this utility on the target machine, detailed information about each connected USB device (e.g., device name/description, device type, serial number, and much more) will be displayed.
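The log-based part of that work (item 5 above) is easy to script. Below is an added example, not the book's code and not USBDeview; it extracts the first-install time and serial of each USB mass-storage device from a setupapi.dev.log excerpt. The excerpt is constructed for this example but follows the layout Windows writes (a ">>>  [Device Install ..." header followed by a ">>>  Section start" line); its device IDs and timestamps are invented. The registry helper at the end is a separate, live-system-only convenience that assumes the Python winreg module.

```python
"""First-install times of USB mass-storage devices from setupapi.dev.log.

Added example. The sample log below is constructed; the parsing logic keeps
the earliest "Device Install" section per USBSTOR instance, which is the
first time that device was plugged into this Windows installation.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230419116352&0]
>>>  Section start 2019/03/19 03:30:01.123
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2019/03/19 03:30:05.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230419116352]
>>>  Section start 2019/03/19 03:30:00.900
<<<  Section end 2019/03/19 03:30:01.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1c3e5b&0&_&0]
>>>  Section start 2019/03/20 22:15:42.001
<<<  Section end 2019/03/20 22:15:44.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230419116352&0]
>>>  Section start 2019/03/21 09:02:10.500
<<<  Section end 2019/03/21 09:02:11.000
<<<  [Exit status: SUCCESS]
"""

# Only hardware-initiated installs of USBSTOR instances; Enum\USB entries (VID/PID) are skipped here.
HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.(\d+)")

def parse_usbstor_installs(log_text):
    """Return one record per USBSTOR instance ID with its earliest install time (local time)."""
    devices = {}
    pending = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START.match(line)
        if not (m and pending):
            continue
        instance_id, pending = pending, None
        if instance_id in devices:      # later sections are re-installs, not first connection
            continue
        _, device_desc, instance = instance_id.split("\\", 2)
        # Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00 -> {"Ven": "SanDisk", "Prod": "Cruzer_Blade", "Rev": "1.00"}
        # These are SCSI inquiry strings; the numeric USB VID/PID live under Enum\USB instead.
        fields = dict(part.split("_", 1) for part in device_desc.split("&")[1:])
        generated = len(instance) > 1 and instance[1] == "&"   # "7&2f1c3e5b&0&_&0": no real serial
        devices[instance_id] = {
            "instance_id": instance_id,
            "device_class": device_desc.split("&")[0],
            "vendor": fields.get("Ven"),
            "product": fields.get("Prod"),
            "revision": fields.get("Rev"),
            "serial": None if generated else instance.split("&")[0],   # drop the "&0" interface suffix
            "serial_generated": generated,
            "first_install_local": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
        }
    return list(devices.values())

def list_usbstor_registry():
    """Live Windows only: enumerate HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR instance IDs."""
    import winreg   # assumed available; absent on non-Windows hosts
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\USBSTOR") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            device = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    out.append(device + "\\" + winreg.EnumKey(dev_key, j))
    return out

if __name__ == "__main__":
    for dev in parse_usbstor_installs(SAMPLE_LOG):
        print(dev["first_install_local"], dev["vendor"], dev["product"],
              dev["serial"] or "(Windows-generated ID)")
```

Cross-check the serials this produces against USBSTOR and MountedDevices: a device whose serial_generated flag is set cannot be uniquely tied to a physical stick, because the same ID is regenerated for every serial-less device of that model.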

Unfortunately, not all USB device types leave traces in the USBSTOR key, for example USB devices that employ the Media Transfer Protocol (MTP) when connecting to computers. MTP is used by devices running modern Android OS versions, as well as Windows Phone and BlackBerry; because such a device is not presented to Windows as a mass-storage disk, it does not appear under USBSTOR or MountedDevices, although it still enumerates under Enum\USB and the Windows Portable Devices key Enum\WPDBUSENUM. This requires the use of a specialist tool to investigate such devices thoroughly.


USB Detective (https://usbdetective.com) can detect USB devices that connect to Windows via the MTP protocol. It also has comprehensive tools for thoroughly researching connected USB devices, such as constructing timelines of every unique connection/disconnection and deletion timestamps for each device; however, to use these features, you must subscribe to the paid professional version.

4.1.6 File Format Identification

A signature analysis is a procedure that compares the header and extension of a file to a known database of file headers and extensions to determine whether an attempt to disguise the original file type was made (changing the file extension to something else to hide it from the investigator's sight). Each file format has its own signature ("magic bytes"), which is typically contained in the first few bytes of the file (a few formats, such as MP4, place it at a small fixed offset instead). We can verify the original file signature of any file by inspecting it with Notepad or, better, a hex editor. Note that plain-text formats (TXT, CSV, many scripts) have no signature at all, so the absence of a match is not in itself evidence of tampering.

Using a free application called HexBrowser, the process of determining the file type is automated.

HexBrowser is a Windows application that recognises over 1,000 distinct file types and displays comprehensive information about each one. Follow these simple steps to use this tool:

1. Download HexBrowser from www.hexbrowser.com.

2. In the main software menu, click the "Open" button, select the suspect file, and you're done!

3. Examine the results in the program's right pane.

Autopsy can detect file extension mismatches; to use this capability, activate the "Extension Mismatch Detector" ingest module. You may fine-tune the mismatch search options by heading to the Tools menu - Options - Extension Mismatch. From here, you can add or remove extensions based on your case needs, and the results are given in the Results tree under "Extension Mismatch Detected".
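The check that HexBrowser and Autopsy's Extension Mismatch Detector perform reduces to comparing the leading bytes with a signature table. The following is an added example, not HexBrowser's or Autopsy's code: it carries a small table of published signatures, refines the ambiguous ZIP signature (DOCX, XLSX, PPTX, JAR and APK all start with PK) by looking at the archive's entry names, and treats "no known signature" as distinct from "mismatch". The sample files are constructed in memory so the check runs offline.

```python
"""Signature analysis: does the file's magic agree with its extension?

Added example. SIGNATURES lists (offset, magic, type, extensions that
legitimately carry that magic); the five sample "files" are constructed.
"""
from typing import Optional

SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (0, b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (0, b"%PDF-", "pdf", {"pdf"}),
    (0, b"GIF87a", "gif", {"gif"}),
    (0, b"GIF89a", "gif", {"gif"}),
    (0, b"MZ", "exe", {"exe", "dll", "sys", "scr", "cpl"}),
    (0, b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt", "msg"}),
    (0, b"Rar!\x1a\x07", "rar", {"rar"}),
    (4, b"ftyp", "mp4", {"mp4", "m4a", "mov", "3gp"}),
]

# Extensions each detected type may legitimately wear; refined ZIP subtypes get their own entry.
ALLOWED = {kind: exts for _, _, kind, exts in SIGNATURES}
ALLOWED.update({"docx": {"docx"}, "xlsx": {"xlsx"}, "pptx": {"pptx"}, "jar": {"jar"}, "apk": {"apk"}})

def identify(data: bytes) -> Optional[str]:
    """Return the signature-based type of data, or None when no known magic matches."""
    for offset, magic, kind, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None

def refine_zip(data: bytes) -> str:
    """Office Open XML, JAR and APK are all ZIPs; their entry names tell them apart."""
    if b"[Content_Types].xml" in data:
        if b"word/" in data:
            return "docx"
        if b"xl/" in data:
            return "xlsx"
        if b"ppt/" in data:
            return "pptx"
    if b"AndroidManifest.xml" in data:
        return "apk"
    if b"META-INF/MANIFEST.MF" in data:
        return "jar"
    return "zip"

def check_file(name: str, data: bytes) -> dict:
    """Compare the extension in name with the type implied by data's signature."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    if kind == "zip":
        kind = refine_zip(data)
    if kind is None:   # text and unknown formats: no signature, so no verdict either way
        return {"name": name, "extension": ext, "detected": None, "mismatch": False}
    return {"name": name, "extension": ext, "detected": kind, "mismatch": ext not in ALLOWED[kind]}

# Constructed sample files: two disguised, three honest.
SAMPLES = {
    "holiday.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,                       # PNG renamed to .txt
    "report.docx": b"PK\x03\x04" + b"[Content_Types].xml" + b"word/document.xml",
    "notes.txt": b"Just plain text\n",
    "setup.jpg": b"MZ\x90\x00" + b"\x00" * 60,                                 # PE executable posing as an image
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

def scan(samples=SAMPLES):
    return [check_file(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for result in scan():
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f'{result["name"]:14} {str(result["detected"]):6} {flag}')
```

In practice, replace SAMPLES with the first 4 KiB of each file read from the image; reading the whole file is only needed for the ZIP refinement, and even there the central directory near the end of the archive is the authoritative place to look for entry names.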

4.1.7 Windows Features Forensics Analysis

Windows OS includes numerous tools that allow users to optimize or customize some of its functions to make them more user friendly. Such features must be investigated because they can be a source of digital evidence. In this part, we will look for unusual artefacts in some typical Windows features.


4.1.8 Windows 10 Forensics

Windows 10 has numerous new features. In this section, we'll look into two of them:

1. Notification area database

2. Cortana forensics

4.1.8(A) Notification Area Database

This is a feature that began with Windows 8 and is continued in Windows 10. Any programme that may generate a systray (notification area) notice will record this notification in a centralised database. The notification area database can be found at \Users\<UserName>\AppData\Local\Microsoft\Windows\Notifications under the name wpndatabase.db (on Windows 8 and 8.1, and on Windows 10 builds before the Anniversary Update, the same folder held a proprietary appdb.dat instead).

The notification database stores numerous notification kinds that Windows users see in the bottom right corner of the screen, such as pop-up messages from various portions of the OS (e.g., backup and restore), e-mail alerts, and messages relating to specific apps, such as torrent downloads. Windows notifications have forensic relevance since they can show earlier user behaviour on the target machine.

SQLite is the database type used in the notification area (.db extension). Follow these steps to analyse the contents of this database:

1. Go to https://sqlitebrowser.org and download DB Browser for SQLite; choose the version that corresponds to your operating system.

2. Launch the software, click File > Open Database, navigate to \Users\<UserName>\AppData\Local\Microsoft\Windows\Notifications, and select wpndatabase.db. Work on a copy, and copy the accompanying wpndatabase.db-wal file along with it: recent notifications may exist only in the write-ahead log and will be invisible if the .db file is opened on its own.

The database schema of the Windows notification area is shown in Fig. 4.1.2 (wpndatabase.db). The following attributes can be found in the Notification table (see Fig. 4.1.2):

- "HandlerId", which indicates which programme generated the notification (the programme name can be found in the table "NotificationHandler").

- "Payload" contains the notice information (for toasts, the XML that was rendered on screen).

- "ArrivalTime": the date and time when the notification was received.

- "ExpiryTime": the date and time at which the notice will be erased from the database.


[Fig. 4.1.2 screenshot: DB Browser for SQLite, Database Structure tab, showing the wpndatabase.db schema with the tables HandlerAssets, HandlerSettings, Notification, NotificationData, NotificationHandler and WNSPushChannel and their indexes; the Notification table's columns include HandlerId, Payload, ExpiryTime and ArrivalTime.]

Fig. 4.1.2: DB Browser can be used to browse the Windows notification area database.

The "ArrivalTime" and "ExpiryTime" values are stored as decimal integers; they are Windows FILETIME values, the number of 100-nanosecond intervals since 1 January 1601 UTC. To convert one with the DCode tool, first convert the number to hex and then decode it as a 64-bit Windows FILETIME; any tool or script that understands FILETIME gives the same result, and the result is in UTC.
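Instead of decoding timestamps one at a time in DCode, the whole table can be queried and converted in one pass. The following is an added example written for this page, not the book's code: it builds an in-memory SQLite database with the handful of columns discussed above and constructed rows, then runs the query an examiner would run against a copied wpndatabase.db. The join of Notification.HandlerId to NotificationHandler.RecordId and the use of PrimaryId as the application identifier follow the production schema as the author of this example understands it; verify the column names against the copy you are examining.

```python
"""Query a wpndatabase.db copy and decode its FILETIME columns.

Added example. The schema below is a subset of the real one (the real
tables have more columns); the rows are constructed for this example.
"""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100 ns ticks
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """ArrivalTime/ExpiryTime are 64-bit FILETIME integers; 0 means 'never expires'."""
    if not ft:
        return None
    return UNIX_EPOCH + timedelta(microseconds=(ft - EPOCH_DIFF_100NS) // 10)

def utc_to_filetime(dt):
    return int((dt - UNIX_EPOCH).total_seconds()) * 10_000_000 + EPOCH_DIFF_100NS

def build_sample_db():
    """Constructed stand-in for a copied wpndatabase.db."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT, HandlerType TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                                   Payload BLOB, ExpiryTime INTEGER, ArrivalTime INTEGER);
    """)
    con.executemany("INSERT INTO NotificationHandler VALUES (?,?,?)", [
        (1, "microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail", "app:immersive"),
        (2, "Windows.SystemToast.BackupReminder", "app:system"),
    ])
    arrived = utc_to_filetime(datetime(2019, 3, 19, 0, 40, 12, tzinfo=timezone.utc))
    three_days = 3 * 24 * 3600 * 10_000_000
    ten_minutes = 600 * 10_000_000
    con.executemany("INSERT INTO Notification VALUES (?,?,?,?,?,?)", [
        (101, 1, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                          b"<text>New mail from alice@example.com</text></binding></visual></toast>",
         arrived + three_days, arrived),
        (102, 2, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                          b"<text>Back up your files</text></binding></visual></toast>",
         0, arrived + ten_minutes),
    ])
    return con

def extract_text(payload):
    """Collect the <text> elements of a toast payload; tolerate non-XML payloads."""
    try:
        root = ET.fromstring(payload.decode("utf-8", "replace"))
    except ET.ParseError:
        return None
    return " | ".join(t.text for t in root.iter("text") if t.text)

def list_notifications(con):
    """Join each notification to its handler and decode both timestamps to UTC."""
    rows = con.execute("""
        SELECT n.Id, h.PrimaryId, n.Type, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification n LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId
        ORDER BY n.ArrivalTime
    """).fetchall()
    return [{
        "id": nid, "app": app, "type": ntype,
        "text": extract_text(payload),
        "arrival_utc": filetime_to_utc(arrival),
        "expiry_utc": filetime_to_utc(expiry),
    } for nid, app, ntype, payload, arrival, expiry in rows]

if __name__ == "__main__":
    for note in list_notifications(build_sample_db()):
        print(note["arrival_utc"], note["app"], note["text"])
```

To run the same query on real evidence, copy wpndatabase.db together with wpndatabase.db-wal into a working folder and open the copy read-only with sqlite3.connect("file:wpndatabase.db?mode=ro", uri=True) in place of build_sample_db(); SQLite will replay the WAL so that the most recent notifications are included.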

4.1.8(B) Cortana Forensics

Cortana is a personal assistant that responds to voice commands (similar to Siri, developed by Apple Inc. for its iOS).

Cortana is a relatively new feature that was initially released in Windows Phone version 8.1 and later migrated into Windows desktop with the release of Windows 10.

Its primary function is to deliver a personalised experience for Windows 10 users by suggesting searches, remembering events, sending e-mails on the user's behalf (when correctly configured), searching the Web, checking weather predictions, and many other useful functions.

Cortana employs cumulative learning. As a result, as the user talks with it more (through the PC microphone or by typing), it will gain a better understanding of the user's particular habits and attitudes, resulting in more accurate outcomes in future interactions.

Cortana can provide a plethora of information about a user's previous activity on the target system, in addition to web searches and geolocation data (latitude/longitude of the triggered location-based reminders), in terms of digital forensics. Keep in mind that, regardless of how useful the Cortana function is, we cannot always expect it to be active on all Windows devices, as this tool has a reputation for being a privacy invader for Windows users, and many of them have already deactivated it owing to privacy concerns.

Cortana stores certain information about its work in two Extensible Storage Engine (ESE) databases, which are located at the following addresses:

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

The "CortanaCoreDb.dat" file contains forensically useful information on user geolocation data as well as reminders set by a user and where and when these reminders have been triggered.

Please keep in mind that Cortana can collect a lot of personal information about its users; however, it appears that Microsoft has moved a lot of Cortana interactions to Microsoft cloud servers.

Another location on the local machine where some Cortana-related artefacts can be discovered is

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\LocalRecorder\Speech

This folder contains recordings of voice commands (WAV audio files) made by a user to Cortana to accomplish a task.

These paths apply to the Cortana that shipped with early Windows 10 releases; later releases repackaged Cortana as a separately updated Store app, so confirm the package folder name on the build under examination before concluding that the artefacts are absent.

Please keep in mind that not all computer forensic suites allow decoding the Cortana database; always read the manual or check the tool features before purchasing. EnCase, for example, includes an EnScript that decodes Cortana search phrases from user-specified IndexedDB.edb files. Whatever tool you use, an ESE database copied from a live system is often in a dirty-shutdown state; check it with esentutl /mh and recover or repair it (esentutl /r, then /p if needed) on a working copy before parsing, or records may be missed.

4.2 Investigating a Live Unix System

Write down the steps in a Unix system investigation.

The Unix operating system is flexible, powerful, and extremely functional. The functionality that makes it so useful also makes it a challenge to protect and investigate. You will use the data you collected during the initial response for the investigative steps.


Module 5  Mobile Forensics

Syllabus

5.1 Android Forensics: Mobile Device Forensic Investigation - Storage location, Acquisition methods, Data Analysis.

5.2 GPS Forensics: GPS Evidentiary data, GPS Exchange Format (GPX), GPX Files, Extraction of Waypoints and TrackPoints, Display the Tracks on a Map.

5.3 SIM Cards Forensics: The Subscriber Identification Module (SIM), SIM Architecture, Security, Evidence Extraction.

5.1 Android Forensics

Cell phone and mobile device forensics is a fast-changing field, as a large share of everyday work is now done on mobile devices.

People save lots and lots of data on their cell phones, so if you lose your mobile phone, the data stored in it is also lost and may be used for wrong purposes. It is observed that many people do not secure their cell phones, though they regularly lock and secure laptops or desktops.

Nowadays most transactions are done via mobile: people log into their bank accounts, transfer funds and perform other banking work. Your mobile phone contains the following information:

Incoming calls, outgoing calls, and missed calls

Text and Short Message Service (SMS) messages

E-mail

Instant Messaging (IM) logs, like Messenger and WhatsApp messaging

Web pages

Photos and videos


Personal calendars

Address books

Songs

Voice recording

Banking details.

Nowadays people are storing more information on their cell phones than on computers, and this is resulting in crimes or cases. Increasingly, mobile phone data is used in many cases as evidence. But it is very challenging to investigate cell phones and mobile devices in computer forensics. The following are the challenges while investigating mobile devices and cell phones:

1. For storing messages no single standard exists, although many of the phones use the same storage scheme.

2. As technology is changing, new phones are coming to the market about every 5 to 6 months and they are rarely compatible with the previous model of the phone. In the near future the cables and accessories may become obsolete in a short time.

3. Cell phones are often combined with PDAs, which can make forensic investigations more complex.

Mobile Phone Fundamentals

[Fig. 5.1.1 diagram: the mobile computing platform with its iCloud connection, GPS receiver, camera, speaker, external storage, SIM card and internal storage (NAND flash memory); the evidentiary locations are marked as the SQLite files and other files in internal storage.]

Fig. 5.1.1 : Structure of a smartphone

Smartphones are growing more powerful (e.g., increased CPU processing power, a wide range of built-in sensors, and a user-friendly touchscreen interface); as a result, the number of applications accessible for such devices is increasing, altering our lives. A typical smartphone today, as shown in Fig. 5.1.1, has the following logical structure and comprises:

Processor

It is regarded as the smartphone's brain. Apple's A8, Qualcomm's Snapdragon 810, and Samsung's Exynos range are examples of mobile processors.

Storage Memory

Modern smartphones come with a variety of memory storage options. For example, the Android device Samsung Galaxy S7 supports both built-in memory and microSD cards. In addition, the internal memory of a smartphone is often divided into two sections: system storage and phone storage.

System storage, also known as System Memory, is where the Android operating system and system applications are kept. It also saves all app data and cache once you set it up. This section of storage is inaccessible to regular users without root access, which is why logical acquisition through the normal USB interface does not reach it.

Phone storage is the space that users can directly access. Users, for example, can install downloadable programmes and save their own photos, as well as download music, pictures, and videos. When the phone is linked to a computer through USB, this portion of the storage area functions similarly to an SD card. This is why it is often known as internal SD, despite the fact that it is not an SD card. It's just a non-removable storage device in the phone.

Sensors

Unlike traditional computers, a rising number of smartphones include advanced sensors such as an accelerometer, digital compass, gravity sensor, gyroscope, GPS, fingerprint sensor, and thermometer. These sensors enable smartphones to gather diverse user input as well as information about the surrounding environment in which they are located. As a result, a smartphone stores an increasing amount of sensitive information about its owner.


SIM Card

To communicate with a cellular carrier, most phones, particularly GSM phones, require a SIM (Subscriber Identity Module) card. It is used to uniquely identify and authenticate a mobile service provider or carrier's subscriber. To put it another way, it connects a phone to a subscription or user.

Network Connectivity

Because Wi-Fi is now widely available on smartphones, the number of networked apps is increasing. Most smartphones, for example, come pre-installed with social networking apps (such as Facebook and Twitter). Furthermore, cloud computing is becoming increasingly common on cellphones. In cloud computing, applications and data storage are delivered as services to mobile users via the Internet.

Speakers and cameras

Smartphones nowadays include digital cameras and speakers.

However, there are numerous smartphone models available today. Although their underlying designs are essentially the same, phone manufacturers may store data in proprietary formats on their mobile phones, making forensic examination of mobile phones extremely difficult. Nonetheless, the number of mobile operating systems is decreasing. Android and iOS are the most popular.

5.2 Mobile Device Forensic Investigation

To ensure that evidence collected from a suspect's cell phone is acceptable in court, proper protocol must be followed. It is more difficult with mobile phones since they are equipped with many wireless technologies such as Wi-Fi, Bluetooth, and cellular. If a mobile phone is still turned on and linked to the network, it is critical to separate the phone from all wireless networks and devices in order to protect the integrity of data saved on the phone; otherwise a remote wipe command or incoming messages can alter or destroy evidence. Place the phone, for example, in a Faraday bag, which blocks radio-frequency (RF) transmissions such as cell signals, satellite signals, Wi-Fi, and Bluetooth. Note that a phone inside a Faraday bag keeps searching for a signal and drains its battery quickly, so document its state, then provide power or switch it to airplane mode before it shuts down.

Mobile phones that are connected to a computer, such as via a USB connection or cradle/docking station, should also be unplugged from the computer immediately.

A mobile device forensic investigation consists of three major components: data storage location(s), data extraction, and data analysis. Before any type of extraction can be performed, it is necessary to understand where data is kept, how it is saved, and any associated file permissions. Once this information is known, the data must be extracted.

This is such an important component of a forensic investigation that using the wrong procedure might completely derail the investigation. There are numerous extraction methods, each with advantages and disadvantages. Finally, once access to application data is available, it must be analysed, aggregated, and contextualised in order to make sense of it.

5.2.1 Storage Location

To extract and analyse smartphone stored data, one must first know where to look for data of relevance. We'll now go over common storage places for Android devices. It should be noted that the file-system structure differs amongst Android devices. However, some locations are quite consistent (for example, app data is kept in the "/data/data/" directory). Fig. 5.2.1 depicts a hierarchical representation of Android storage.

Notably, WeChat messages are preserved in "data/data/com.tencent.mm/MicroMsg/MD5", where MD5 is the MD5 hash (with a total of 32 characters) of the WeChat account registered on the smartphone (versions higher than 4.5 use encrypted storage). Text messages are directly kept in the database EnMicroMsg.db; however, voice, image, and video messages are captured through their storage path metadata, as illustrated in Fig. 5.2.1. Voice files, for example, are saved in the subdirectory "voice2" with the extension "amr". Images are in the "image2" subdirectory, and videos in the "video" subfolder.

Second, the "sdcard" partition (mount point "/sdcard") may hold useful data. This may include, for example, pictures/videos captured by the smartphone's camera, downloaded files, and public application storage. This location is unsecured, which means that anyone can access the information stored there. It's yet another place to explore for forensically important information. Finally, system, kernel, and application logs can be a rich source of information. This data "provides an insight into the apps as well as the system operating them". There are numerous utilities available for recovering logs.
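As an added example (not part of the book, and not WeChat's own tooling), the following Python script takes a file listing of the kind produced by "find" over an extracted /data/data tree and sorts WeChat files into the artefact categories described above: the text-message database, "voice2" files with the "amr" extension, "image2" images and "video" videos. The sample listing is constructed; the account identifier "wxid_constructed" is a placeholder, and which identifier WeChat actually hashes into the 32-character directory name is an assumption the caller supplies, since the page does not state it.

```python
import hashlib
import re
from collections import defaultdict

# Layout described in the text; the hierarchy below the account directory is an
# assumption for this example:
#   /data/data/com.tencent.mm/MicroMsg/<32-hex MD5 of the account>/
#       EnMicroMsg.db      text messages (SQLite; encrypted in versions above 4.5)
#       voice2/.../*.amr   voice messages
#       image2/...         images
#       video/...          videos
WECHAT_ROOT = "/data/data/com.tencent.mm/MicroMsg/"
ACCOUNT_DIR_RE = re.compile(r"^[0-9a-f]{32}$")


def account_dir_name(account_id: str) -> str:
    """Hex MD5 of the account identifier: the per-account directory is named
    after this hash (32 characters). The identifier itself is supplied by the
    caller; 'wxid_constructed' below is a placeholder, not a real account."""
    return hashlib.md5(account_id.encode()).hexdigest()


_H = account_dir_name("wxid_constructed")  # constructed account id

# Constructed sample listing, as if from: find /data/data/com.tencent.mm /sdcard -type f
SAMPLE_LISTING = [
    f"{WECHAT_ROOT}{_H}/EnMicroMsg.db",
    f"{WECHAT_ROOT}{_H}/voice2/a1/b2/msg_001.amr",
    f"{WECHAT_ROOT}{_H}/voice2/a1/b3/msg_002.amr",
    f"{WECHAT_ROOT}{_H}/image2/c4/d5/th_abcdef",
    f"{WECHAT_ROOT}{_H}/video/clip_001.mp4",
    f"{WECHAT_ROOT}{_H}/avatar/user_x.png",   # does not fit a known category
    f"{WECHAT_ROOT}CompatibleInfo.cfg",       # not under an account directory
    "/sdcard/DCIM/Camera/IMG_0001.jpg",        # outside WeChat's private storage
]


def classify_wechat_paths(paths):
    """Group files below MicroMsg/<account md5>/ by artefact type.

    Returns {account_hash: {category: [paths]}}. Files under an account
    directory that match none of the known subfolders go to 'other' so that
    nothing is silently dropped from the inventory."""
    result = defaultdict(lambda: defaultdict(list))
    for p in paths:
        if not p.startswith(WECHAT_ROOT):
            continue
        rest = p[len(WECHAT_ROOT):].split("/")
        if len(rest) < 2 or not ACCOUNT_DIR_RE.match(rest[0]):
            continue  # not inside a per-account directory
        account, top, name = rest[0], rest[1], rest[-1]
        if name == "EnMicroMsg.db":
            cat = "text_db"
        elif top == "voice2" and name.lower().endswith(".amr"):
            cat = "voice"
        elif top == "image2":
            cat = "image"
        elif top == "video":
            cat = "video"
        else:
            cat = "other"
        result[account][cat].append(p)
    return {a: dict(c) for a, c in result.items()}


if __name__ == "__main__":
    for account, cats in classify_wechat_paths(SAMPLE_LISTING).items():
        print("account directory", account)
        for cat, files in sorted(cats.items()):
            print(f"  {cat:8s} {len(files)} file(s)")
```

Running the script on a real extraction only requires replacing SAMPLE_LISTING with the output of "find" over the pulled directory tree; the "other" bucket is the one to review by hand, since it holds anything the layout in the text does not cover.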

5.2.2 Acquisition Methods

We've proven that smartphone storage has the ability to hold massive amounts of data that could be useful in a forensic inquiry. Some of this data is the result of an application keeping information locally on a smartphone, while other data is the result of system, kernel, and application logs. We must now figure out how to obtain this info from a smartphone. First, we must identify the many sorts of smartphone storage images that can be collected, as they will be used throughout the next sections.

Logical Image

A logical image is a copy of files and folders from the device's storage. This means that when the data is replicated, it makes sense; it is in a recognisable format. The files have the correct headers. The file system is complete. This does not mean that any deleted files or ostensibly "unused space" would be replicated. This is not a complete copy of a partition, but rather a copy of the partition's present logical contents (or set of folders). A logical image has the advantage of being simple to work with. All current files are listed and ready to be evaluated. The disadvantage, as previously stated, is that some information, such as deleted files, will not be recoverable.

Physical Image

A physical image is a data dump or bit-by-bit copy of a storage device or partition. This means that all data (whether it is part of the current logical image, deleted files, or "empty space") will be duplicated, with no data lost. The advantage is obvious: the recovered material is greater than that of a logical image. As a result, more potentially important data could be recovered. The disadvantage is that it may be difficult to recreate this data, for example, using a process such as file carving.

We will now go over several data gathering methods, including a mix of hardware and software methods, highlighting their advantages and disadvantages.
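The difference between the two image types, and why a physical image needs carving to give up its extra content, can be shown with a small model. The following Python code is an added example, not from the book: it builds a constructed toy "partition" (a byte array plus an allocation table, standing in for a real file system) with one deleted file, then takes a logical copy and a physical copy and runs a header/footer carver for JPEG markers over each. The file names and contents are made up; the ToyPartition class and carve_jpegs function are this example's own.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


class ToyPartition:
    """Constructed stand-in for a flash partition: raw bytes plus an allocation
    table. A real file system differs in every detail; this keeps only the
    property that matters here: deleting a file removes its table entry but
    leaves the bytes in place until they are overwritten."""

    def __init__(self, size=4096):
        self.raw = bytearray(size)
        self.table = {}      # name -> (offset, length)
        self._next = 0

    def write(self, name, data):
        off = self._next
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self._next = off + len(data)

    def delete(self, name):
        del self.table[name]  # bytes stay in unallocated space


def logical_image(part):
    """What a logical acquisition yields: the live files, by name."""
    return {n: bytes(part.raw[o:o + l]) for n, (o, l) in part.table.items()}


def physical_image(part):
    """What a physical acquisition yields: every byte, allocated or not."""
    return bytes(part.raw)


def carve_jpegs(blob):
    """Header/footer carving: each SOI marker up to the next EOI marker."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def fake_jpeg(tag):
    """Constructed bytes that carry JPEG markers but are not a real image."""
    return JPEG_SOI + b"\xe0" + tag + JPEG_EOI


def demo():
    p = ToyPartition()
    p.write("notes.txt", b"meeting at the warehouse")
    p.write("photo1.jpg", fake_jpeg(b"photo-one"))
    p.write("photo2.jpg", fake_jpeg(b"photo-two"))
    p.delete("photo2.jpg")          # gone from the table, still on "disk"

    logical = logical_image(p)
    physical = physical_image(p)
    return {
        "logical_files": sorted(logical),
        "jpegs_in_logical": len(carve_jpegs(b"".join(logical.values()))),
        "jpegs_in_physical": len(carve_jpegs(physical)),
        # hash of the physical image, as one would record for the acquisition log
        "physical_sha256": hashlib.sha256(physical).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The logical copy lists two files and carving it finds one JPEG; carving the physical copy finds two, the second being the deleted photo that no directory entry points to any more. The hash line is there because the value of a physical image in court rests on being able to show it has not changed since acquisition.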

Different Data Acquisition Methods

1. Chip-Off
This method of data extraction is demanding, requiring a high level of technical knowledge, dexterity, and confidence to disassemble a mobile device. The term "chip-off" refers to the removal of NAND flash chips from circuit boards and their direct interface with hardware tools via their pins. Because these chips are connected to the circuit board, tools like a soldering iron are required to physically detach the flash chips.

The risk of harming the flash chips while taking them from the PCB is a disadvantage of this procedure. Second, meticulously disassembling a smartphone can take some time. This strategy may not be appropriate if there is a hard time limit on an investigation.

One key advantage of the chip-off procedure is that it may be able to recover data from a damaged smartphone (as long as the flash chips are not damaged). Other "necessary" electronics required for the smartphone to function may be damaged, but the flash chips themselves may be unharmed. In contrast, software acquisition methods necessitate that the device be bootable and functional.

2. JTAG (Joint Test Action Group)

JTAG is a communications protocol that CPUs frequently implement in order to allow access to their debug/emulation functionalities. By attaching leads to specific JTAG pads on the printed circuit board, you can connect directly to the device's CPU. This connection (Data IN, Data OUT, Control, Clock; collectively termed the Test Access Port) allows JTAG software to communicate directly with the CPU, and offer commands that are able to obtain "a complete binary memory dump of the NAND flash". As a result, a comprehensive bit-by-bit physical image of flash memory is produced.

One advantage of JTAG versus chip-off is that less physical alteration of the device is necessary, which means that the flash chips are less likely to be damaged. This solution, however, requires that the CPU not be harmed. Even if the CPU is damaged and JTAG is inoperable, the chip-off approach may still work. JTAG, on the other hand, may still work even if the device is somewhat damaged and unable to boot up. The level of the device's damage will influence which extraction method is used.
a partition dump. When acquiring a partition dump to recover a partition, it is not essential to mount the partition (for example, "userdata"); however, great caution must be exercised. "The partition should be mounted in read-only mode" in this scenario. As previously stated, data integrity is critical. Data can be obtained from the mounted partition via ADB pull. To return the target device to its former state, obtain the original boot image and subsequently overwrite the boot partition with this original boot image.

The final stage is to take their results (all of the preceding procedures) and construct an automated graphical user interface software suite dubbed "Android Extractor" to carry out this operation. The device's data integrity is a key part of digital forensic examinations.

This method of acquisition has significant drawbacks. To begin, unique recovery images that support various devices must be created. This is a time-consuming task. This, however, only needs to be done once for each device. Second, device storage is slightly altered. This update, however, is limited to the recovery partition and does not affect saved programme data. Finally, the boot-loader of a device may be locked, making extraction more difficult.

The following are the advantages of this method: It is relatively simple to carry out. Once a custom recovery image has been created, the methods for extracting information are straightforward. The level of device alteration is reduced as compared to other extraction methods (e.g., backup apps, forensic software packages). It is possible to obtain both physical and logical images. This adaptability is fantastic. An investigator could begin by studying a logical image and then go on to a physical image if necessary. Finally, no understanding of screen-lock credentials is required.
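The acquisition step of the procedure above (read-only mount, copy over ADB, integrity preserved) can be scripted. The following POSIX shell script is an added example and is not the "Android Extractor" suite the text mentions. It assumes adb is on the PATH and that the device is booted into a custom recovery exposing a root adb shell whose toybox provides dd and sha256sum; the block-device path "/dev/block/by-name/userdata" in the usage line is a placeholder to be replaced with the device's actual partition. The SHA-256 is computed on the device and again on the received copy, and the two are compared before the image is accepted.

```sh
#!/bin/sh
# Added example: physical image of one partition over adb with hash verification.
# Assumes: adb on PATH; device in a custom recovery with a root adb shell that
# has toybox dd and sha256sum. Partition path is supplied by the caller.
set -eu

# SHA-256 of a local file, using whichever tool this host provides.
local_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# SHA-256 of a path on the device, computed by the device itself.
device_sha256() {
    adb exec-out "sha256sum $1" | cut -d' ' -f1
}

# Compare two hex digests case-insensitively; returns 0 when they match.
hashes_match() {
    [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# If the partition is mounted, switch it to read-only first ("the partition
# should be mounted in read-only mode"); do nothing if it is not mounted.
remount_readonly() {
    adb shell "grep -q ' $1 ' /proc/mounts && mount -o remount,ro $1 || true"
}

# Stream the raw partition through adb (a bit-by-bit copy), then compare the
# device-side hash with the hash of the file that arrived.
acquire_partition() {
    blk="$1"; out="$2"
    adb exec-out "dd if=$blk bs=1048576 2>/dev/null" > "$out"
    dev=$(device_sha256 "$blk")
    loc=$(local_sha256 "$out")
    printf 'device %s\nlocal  %s\n' "$dev" "$loc"
    if hashes_match "$dev" "$loc"; then
        # record the verified digest next to the image for the acquisition log
        printf '%s  %s\n' "$loc" "$out" >> "$out.sha256"
        echo "integrity verified: $out"
    else
        echo "HASH MISMATCH: do not rely on $out" >&2
        return 1
    fi
}

# Usage: sh acquire.sh /dev/block/by-name/userdata userdata.img [/data]
#        (block device and output file; optional mount point to remount read-only)
if [ $# -ge 2 ]; then
    if [ $# -ge 3 ]; then
        remount_readonly "$3"
    fi
    acquire_partition "$1" "$2"
fi
```

A mismatch means the copy is not the partition as it was on the device (an interrupted transfer, or a partition that changed while being read because it was still mounted read-write), and the acquisition has to be repeated rather than analysed.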

5.2.3 Data Analysis

Following the extraction of data from the phone, the data is analysed for forensic purposes. Data analysis methodologies differ amongst Android applications such as instant messaging, phone calls, and web browsers. In other words, each application necessitates its own forensic analysis process. Because instant messaging and social networking applications are the most popular mobile phone applications, the primary emphasis is on surveying data analysis methods in Android social networking programmes such as Facebook, WhatsApp, WeChat, and others. Most of these publications evaluate data and investigate users' activities or habits from the following (but not limited to) perspectives:

Contact information analysis : Contact information analysis helps an investigator to establish who the user communicated with. The date a contact has been added to the database, the blocked status of a certain contact, the user's activity, or his/her contact information is exposed to the investigators by examining the list of contacts.

Message analysis : By determining the timing of an exchanged message, the data it carried, the set of people involved in the discussion, and whether or not it was actually received by its receivers, the chronology of exchanged messages may be reconstructed. These details help the investigators understand the sender's and receiver's relationship.

Deleted record analysis : In some applications, deleted records are preserved on the device for a period of time. For example, with SQLite databases, deletions can be recovered from so-called unallocated cells, which are slack space saved in the database's associated file. These deletions provide some direction for the research.

Social networking applications are built into contemporary smartphones, so in situations involving social networks, detectives may be able to uncover relevant evidence on a suspect's smartphone.
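The "deleted record analysis" point above can be verified directly. The following Python script is an added example, not from the book: it creates a constructed chat database with Python's built-in sqlite3 module, deletes one message, and then searches the database file itself (not the tables) for the deleted text. It then runs VACUUM, which rebuilds the file from live rows, and searches again. The table layout and message bodies are made up; "PRAGMA secure_delete = OFF" is the default in most SQLite builds and is set explicitly only so the example behaves the same everywhere.

```python
import os
import sqlite3
import tempfile

DELETED_TEXT = b"meet at the warehouse at 10pm"   # constructed message body


def build_chat_db(path):
    """Constructed chat store: three messages, the middle one then deleted."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit: each statement hits the file
    con.execute("PRAGMA secure_delete = OFF")            # default in most builds; made explicit
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.execute("INSERT INTO messages VALUES (1, 'alice', 'hi, are you around?')")
    con.execute("INSERT INTO messages VALUES (2, 'alice', ?)", (DELETED_TEXT.decode(),))
    con.execute("INSERT INTO messages VALUES (3, 'alice', 'ok, see you')")
    con.execute("DELETE FROM messages WHERE id = 2")
    con.close()


def live_rows(path):
    """What a normal query sees: only rows still referenced by the b-tree."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def raw_contains(path, needle):
    """Scan the database file bytes. A deleted cell is only unlinked and
    marked as a free block inside its page; SQLite overwrites the first few
    bytes of the cell with the free-block header, but the record body stays
    until the space is reused or the file is rebuilt."""
    with open(path, "rb") as f:
        return needle in f.read()


def vacuum(path):
    """VACUUM copies the live content into a fresh file: free space is gone."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("VACUUM")
    con.close()


def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "chat.db")
    build_chat_db(path)
    result = {
        "live": live_rows(path),
        "in_file_after_delete": raw_contains(path, DELETED_TEXT),
    }
    vacuum(path)
    result["in_file_after_vacuum"] = raw_contains(path, DELETED_TEXT)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The first scan finds the deleted body in the file even though the query does not return it; after VACUUM it is gone. For an examiner this means two things: work on a copy of the database file and never open the original with a tool that might vacuum or checkpoint it, and look at the raw pages (and any journal or WAL file beside the database) in addition to running queries.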

5.2.3(A) Facebook

In Facebook's Android forensic investigation, the "com.facebook.katana 4130.zip" file has three subdirectories: databases, files, and lib. Each directory contains a collection of files. There are three SQLite files in the databases folder: "fb.db", "webview.db", and "webviewCache.db". The first file, fb.db, contains tables that store records of the Android Facebook application user's activities, such as created albums, chat messages, list of friends, friend data, mailbox messages, and uploaded photographs. These records provide important information for the forensic investigator, such as user IDs, message contents, URL links to uploaded photographs, and timestamps of conducted activities.

5.2.3(B) WhatsApp

Forensic analysis of WhatsApp Messenger on Android involves running tests and analysing data to determine what kind of data and information can be found on the device's internal memory that is related to social messenger applications, such as chat logs and history, sent and received image or video files, and so on. These works simply study the application's chat database.

In order to cover more WhatsApp Messenger artefacts, a detailed explanation of all the artefacts generated by WhatsApp Messenger is provided. It is necessary to decode and comprehend the artefacts to derive various sorts of information, as well as how they might be connected together, since this is information that cannot be gained by considering each one separately.

Using the results, an investigator will be able to recreate the list of contacts as well as the chronology of the communications exchanged by users. Furthermore, he/she will be able to infer information such as when a specific contact was added, recover deleted contacts and their time of deletion, and determine which messages have been deleted, when these messages were exchanged, and the users who exchanged them, thanks to the correlation of multiple artefacts.

In contrast to an overview of recoverable data artefacts from several apps of the same type, this is a very in-depth investigation of one application.

Unlike the previous methods, which deal with the identification and analysis of all artefacts generated by WhatsApp Messenger, this method focuses on the analysis of several messaging applications (including WhatsApp Messenger) on various smartphone platforms, including Android, with the goal of identifying the encryption algorithms used by them. Additionally, it provides a decryption method for WhatsApp network traffic, as well as extraction and analytics technology for the associated communication data.
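The correlation of artefacts described for Facebook and WhatsApp (user IDs, message contents, timestamps, the contact list and when each contact was added) comes down to joining tables and normalising timestamps. The Python script below is an added example with a constructed schema of its own; it is not fb.db's or WhatsApp's real layout, and the contacts, identifiers and messages are fictitious. It stores timestamps as milliseconds since the epoch, the form Android apps commonly use, converts them to UTC, rebuilds the chronology with a LEFT JOIN so that messages from a peer with no contact entry (deleted or never saved) are flagged rather than dropped, and summarises each peer's add-time against the first message exchanged.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db(con):
    """Constructed schema and rows (not any real app's): contacts with the time
    they were added, messages with millisecond epoch timestamps."""
    con.executescript("""
        CREATE TABLE contacts(jid TEXT PRIMARY KEY, display_name TEXT, added_ts INTEGER);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, jid TEXT, from_me INTEGER,
                              body TEXT, ts INTEGER, status TEXT);
    """)
    con.executemany("INSERT INTO contacts VALUES (?,?,?)", [
        ("111@c.us", "Alice", 1714550400000),   # 2024-05-01 08:00:00 UTC
        ("222@c.us", "Bob",   1714557600000),   # 2024-05-01 10:00:00 UTC
    ])
    con.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?)", [
        (1, "111@c.us", 0, "are you coming?", 1714554000000, "read"),       # 09:00 in
        (2, "111@c.us", 1, "yes, 5 min",      1714554060000, "delivered"),  # 09:01 out
        (3, "222@c.us", 1, "call me",         1714557900000, "sent"),       # 10:05 out
        (4, "333@c.us", 0, "unknown sender",  1714558200000, "read"),       # 10:10, no contact row
    ])


def ms_to_utc(ms):
    """Millisecond epoch to a UTC string; analysts should never read these as local time."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def reconstruct_timeline(con):
    """Messages in time order, each with the peer's name if a contact row exists.
    LEFT JOIN keeps messages whose peer is absent from contacts and marks them."""
    rows = con.execute("""
        SELECT m.ts, m.jid, COALESCE(c.display_name, '<no contact entry>'),
               m.from_me, m.body, m.status
        FROM messages m LEFT JOIN contacts c ON c.jid = m.jid
        ORDER BY m.ts""").fetchall()
    return [(ms_to_utc(ts), jid, name, "out" if from_me else "in", body, status)
            for ts, jid, name, from_me, body, status in rows]


def peer_summary(con):
    """Per peer: contact name and add-time beside the first message time and
    message count, so a peer with no entry, or an entry added after the first
    message, stands out."""
    rows = con.execute("""
        SELECT m.jid, c.display_name, c.added_ts, MIN(m.ts), COUNT(*)
        FROM messages m LEFT JOIN contacts c ON c.jid = m.jid
        GROUP BY m.jid ORDER BY m.jid""").fetchall()
    return [{"jid": jid, "name": name,
             "added": ms_to_utc(added) if added is not None else None,
             "first_message": ms_to_utc(first), "messages": n}
            for jid, name, added, first, n in rows]


def demo():
    con = sqlite3.connect(":memory:")
    build_sample_db(con)
    out = {"timeline": reconstruct_timeline(con), "peers": peer_summary(con)}
    con.close()
    return out


if __name__ == "__main__":
    d = demo()
    for row in d["timeline"]:
        print(*row, sep=" | ")
    for p in d["peers"]:
        print(p)
```

Against a real extraction the two queries are rewritten for the application's actual tables, but the shape stays the same: order by the stored timestamp, join outwards to the contact table rather than inwards, and print times in UTC with the unit (seconds versus milliseconds) confirmed against a known event before any conclusion is drawn from them.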

5.2.3(C) WeChat

WeChat is one of the world's most popular instant-messaging smartphone programmes, and all conversation messages are saved in the local installation folder. As the text message is saved in an encrypted SQLite database, the data forensics of WeChat messages is studied in a local encrypted database. This paper examines its cryptographic method, key derivation principles, and database decryption procedure in several practical forensic scenarios. They also make use of data recovery for voice and deleted texts, which is useful in data forensics for criminal investigations. The proposed forensic approaches can successfully recover encrypted and deleted messages when tested, providing a solid solution for WeChat data forensics. A further work makes an in-depth examination of the structure of the volatile Android memory in order to extract an encrypted and erased WeChat chat history. ADB is used in these works to extract WeChat data.

5.3 GPS Forensics

The law enforcement community has observed a growing use of Global Positioning System (GPS) gadgets as an instrument of crime, or as a "witness device", due to a function that autonomously collects and logs positional data throughout the crime. GPS gadgets are increasingly being used in numerous investigations.

GPS System

The Global Positioning System (GPS) is a global radio navigation system comprised of a constellation of 27 satellites (24 operational and three spares in case one fails) and associated ground stations that operate the satellites.

GPS has a variety of uses, the most common of which being GPS tracking and GPS navigation. Both work on the trilateration principle. The satellite communicates with a GPS device by transmitting high-frequency, low-power radio signals. The device can measure its distance from the satellite by precisely measuring the signal's travel time from the satellite to the device; RADAR utilises the same technique to detect distant objects.

The theory is straightforward. Assume, for the sake of simplicity, that both satellites and GPS devices have exact clocks. A satellite is constantly broadcasting signals to GPS devices, and the transmission includes the satellite's identification information, the current location, and the current date and time (or the time the signal is sent). When a signal is received, the GPS device computes the time difference between when the signal was sent and when it was received. Then it knows how long it takes for the signal to reach the receiver from the satellite.

We can calculate the distance between a satellite and a GPS device by multiplying the signal transit time by the speed of light.

The GPS works based on trilateration from satellites.

GPS device forensics, or GPS forensics for short, can give critical evidence in both criminal and civil cases. Personal GPS devices, as well as auto, aviation, and marine devices, are examples of current GPS equipment. GPS programmes, such as Google Maps, have also become common on today's smartphones. A typical GPS device nowadays, as shown in Fig. 5.3.1, has the following logical structure and consists of :

[Fig. 5.3.1 (block diagram): GPS receiver, Map, CPU, SD Card, Bluetooth, Internal Flash Memory, with a link to the Internet/Cloud]

Fig. 5.3.1 : Structure of GPS device
GPS receiver : This is an electrical device that can detect the user's present location by analysing radio waves transmitted by GPS satellites.

Built-in map : It provides a map view to the user by mapping the position, determined from the relayed satellite signals, to a physical location in the world. It can also determine the user's velocity based on its motion. It can also predict drivers' driving behaviour.

Network connectivity : GPS gadgets are now available with a variety of wireless technologies. Bluetooth, for example, is becoming increasingly prevalent in today's smartphones. It enables the pairing of GPS devices with the user's phone. As a result, GPS devices can be connected to the Internet and used to access a wide range of cloud services, such as automated map updating. However, having it is optional.

There have been numerous portable GPS systems, but Garmin and TomTom units are by far the most widely utilised by the general public.

5.3.1 GPS Evidentiary Data


investigators can use. Depending on the

GPS devices now offer a wealth of data that forensic


a variety of valuable evidentiary data:
manufacturer and model,GPS devices can recover

Track Logs

Trackpoints

Waypoints

Routes

Videos, Photos, Audio

Stored location, including Home and Favourite locations

Recent destinations :The addresses of the trips that GPS device users have made.

Paired device history

via Bluetooth.
: History of all devices (e.g., mobile phone) connected toGPS devices

Call history, contact phone numbers and SMS messages : Call history, contactphone

numbers and SMS messages from the connected phone.

5.3.2 GPS Exchange Format (GPX)

The GPS exchange format (GPX) is a lightweight XML data format for exchanging GPS data (waypoints, routes, and tracks) over the Internet between apps and online services. GPX is intended to be the industry standard XML GPS data format for recording and transferring GPS data between apps (and GPS devices). It is capable of describing even complex geographical objects. Because GPX is an open standard, there are no fees or licensing requirements, and it is intended to expand over time.

Waypoint, Track Point, Track Log and Route are all important components in Garmin GPX files. Waypoint and Route are the ones with which the user can engage. Track Point and Track Log are system-level features.

1. Waypoint

A waypoint is a location on Earth that the user has saved in the GPS. Waypoints can include address book entries; in this situation, the user is establishing waypoints by saving information in the address book, for example on a Garmin nüvi 1350. The presence of a waypoint does not imply that the user was in that area. A waypoint could typically be a location entered by the user that he or she wishes to go to in the future. It could also be a saved location where the user was physically present.
2. Route

A route is created when a user wants to navigate a collection of waypoints in a certain order. In other words, the user creates a route. The unit directs the user to the next waypoint after reaching a waypoint.

3. Track Point

The track point displays the GPS unit's recorded location, assuming the unit was turned on and had established satellite communications. The timestamp, latitude, longitude, and elevation are all included in this record. The track point extension also includes speed information. The GPS equipment generates the track points automatically, and the user has no control over what is generated. Again, the GPS apps determine the frequency with which these track point data are generated. There are no settings in the Garmin nüvi 1350 that allow you to control the frequency of track point generation or switch off recording. This is not to say that such traits do not exist in other models.

4. Track Log

This is the whole list of track points that the GPS device creates and stores when it is locked onto a satellite signal and moving. It is the electronic equivalent of leaving a "breadcrumb trail" to mark the path taken. This allows the user to retrace his or her steps. In other terms, it allows the user to go back in time. The distinction between a track and a route is that a route suggests where the user might travel in the future. Track, on the other hand, is a record of the user's movements. Track features a large number of points to construct the path's fine details.

As illustrated in Fig. 5.3.2, each track point has a place and time recorded, and may contain a timestamp. Route points, on the other hand, are unlikely to have a timestamp. Furthermore, the average distance between two track sites is 50 metres or more apart. The route locations, nonetheless, could be a kilometre or more apart.

[Fig. 5.3.2 shows waypoints WP0297 to WP0307 joined by a route and by a track; legend: WP = Waypoint, Route, Track]

Fig. 5.3.2 : The distinction between route and track

5. Track Segment

A track is a collection of track points that are listed in the order in which they are generated. This list can be separated into two or more track parts that are listed in chronological order. For the investigator, the track points and tracks are a gold mine.
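The GPX elements described in this section (waypoint, route with route points, track with segments of timed track points) can be read with Python's standard XML parser. The script below is an added example, not from the book or from Garmin: the GPX document is constructed in the GPX 1.1 namespace with fictitious coordinates, its track points about 50 metres and 10 seconds apart as the text describes, and its route points carrying no timestamps. Besides parsing, it computes the distance and duration of a track segment and checks that the points are in chronological order, which is the property an investigator relies on when rebuilding the path taken.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"g": "http://www.topografix.com/GPX/1/1"}   # GPX 1.1 namespace

# Constructed GPX document: one waypoint, one route of two route points (no
# timestamps), one track with a single segment of three timed track points.
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed example" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="19.0760" lon="72.8777"><name>WP0297</name><ele>14.0</ele></wpt>
  <rte><name>to office</name>
    <rtept lat="19.0760" lon="72.8777"><name>WP0297</name></rtept>
    <rtept lat="19.1100" lon="72.9000"><name>WP0307</name></rtept>
  </rte>
  <trk><name>Current</name><trkseg>
    <trkpt lat="19.0760" lon="72.8777"><ele>14.0</ele><time>2024-05-01T10:00:00Z</time></trkpt>
    <trkpt lat="19.0764" lon="72.8779"><ele>14.5</ele><time>2024-05-01T10:00:10Z</time></trkpt>
    <trkpt lat="19.0768" lon="72.8781"><ele>15.0</ele><time>2024-05-01T10:00:20Z</time></trkpt>
  </trkseg></trk>
</gpx>"""


def _point(el):
    """Common fields of wpt/rtept/trkpt; optional children become None."""
    t = el.find("g:time", NS)
    e = el.find("g:ele", NS)
    n = el.find("g:name", NS)
    return {
        "lat": float(el.get("lat")),
        "lon": float(el.get("lon")),
        "ele": float(e.text) if e is not None else None,
        "time": (datetime.strptime(t.text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                 if t is not None else None),
        "name": n.text if n is not None else None,
    }


def parse_gpx(text):
    """Waypoints, routes (lists of route points) and tracks (lists of segments)."""
    root = ET.fromstring(text)
    return {
        "waypoints": [_point(w) for w in root.findall("g:wpt", NS)],
        "routes": [[_point(p) for p in r.findall("g:rtept", NS)]
                   for r in root.findall("g:rte", NS)],
        "tracks": [[[_point(p) for p in seg.findall("g:trkseg", NS) or []]
                    for seg in []] or
                   [[_point(p) for p in seg.findall("g:trkpt", NS)]
                    for seg in trk.findall("g:trkseg", NS)]
                   for trk in root.findall("g:trk", NS)],
    }


def haversine_m(a, b):
    """Great-circle distance in metres between two lat/lon points."""
    R = 6_371_000.0
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dphi = p2 - p1
    dlmb = math.radians(b["lon"] - a["lon"])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * R * math.asin(math.sqrt(h))


def segment_stats(seg):
    """Point count, path length, elapsed time and whether the timestamps are ordered."""
    dist = sum(haversine_m(seg[i], seg[i + 1]) for i in range(len(seg) - 1))
    times = [p["time"] for p in seg if p["time"] is not None]
    ordered = all(times[i] <= times[i + 1] for i in range(len(times) - 1))
    duration = (times[-1] - times[0]).total_seconds() if len(times) >= 2 else 0.0
    return {"points": len(seg), "distance_m": dist, "duration_s": duration, "chronological": ordered}


if __name__ == "__main__":
    g = parse_gpx(SAMPLE_GPX)
    print("waypoints:", [w["name"] for w in g["waypoints"]])
    print("route points have time?", [p["time"] is not None for p in g["routes"][0]])
    print(segment_stats(g["tracks"][0][0]))
```

Pointed at Current.gpx or the numbered files in GPXArchive, the same parser lists every waypoint, route and track; a segment whose timestamps are not chronological, or whose points are implausibly far apart for the elapsed time, is worth a closer look before it is presented as the route taken.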

5.3.3 GPX Files

The GPX files that contain the track point information are found in the GPX folder, and archived files are found in the GPXArchive folder. The most recent one is called "Current.gpx" and may be found in the GPX folder. It has the most recent tracks as well as favourites. The archived ones have numerical file names ranging from "19.gpx" to "38.gpx". The files in the "GPXArchive" folder contain previous information about the track, time, location, and so on.
