
Lab Assignment 3

The document describes two mobile forensics practical exercises using MSAB XAMN software to analyze an iOS and Android device. In the first exercise, participants analyze an iOS device to identify information about illegal tiger smuggling, including a meeting time and location in the calendar and messages showing the cost of a tiger cub. The second exercise involves analyzing an Android device obtained in an arson investigation, identifying Wi-Fi network passwords, location history, and Gmail and Snapchat accounts associated with the device. Participants are instructed to tag any relevant artifacts in each exercise.

Uploaded by

Moussa Fatah

Mobile Forensics

Practical Exercise Number 3.1


MSAB XAMN – iOS phone
Participant Learning Objective: To analyze an iOS device with MSAB XAMN.
Narrative: This exercise is created for participants to familiarize themselves with the different
artifacts found on the device, as well as the different ways to filter and sort in XAMN.
Scenario: The local fish and wildlife authorities have reached out for help. There is an illegal
tiger smuggling ring in the area. One of the local neighborhoods complained that a cub was
wandering the streets. When the cub was secured, authorities found an abandoned phone
nearby. They want to know if you can find anything of value regarding tiger smuggling. If not,
can you identify the owner for return? They have received a warrant for the case.

1. Import the iOS extraction (2021-07-13_15.51.xrycase) into MSAB XAMN.

2. Select Data sources, then View extraction log.

3. What type of extraction was used on this device?


Logical Extraction

4. Review the call log artifacts.

All rights reserved. No part of this document or the files contained within this assignment may be reproduced or
transmitted in any form or by any means whatsoever without express written permission from the author.
5. Who was the longest phone call from?
The longest phone call was from Johnny Good (1min, 6s)

6. Review the contacts artifacts.

7. How many contacts are associated with this device?


There are 19 contacts associated with this device.

8. When did the user connect to the “Publix-Customer” network? (Device -> Network
Information)
The user connected to the Publix-Customer network on 7/3/2021
9. Review and tag any pictures of interest. (Files & Media; use the scenario for this
determination.)

10. Where was the picture 5003.jpg (Original Name IMG_0027.HEIC) taken?
105 Veterans Memorial Ln, Safety Harbor FL 34695

11. What was the greatest number of steps the user had on July 9, 2021 (Health)?
The greatest number of steps the user had on July 9, 2021, was 216 steps.

12. What is the Latitude and Longitude of 8285 Bryan Dairy Rd (Locations)?
Latitude: 27.873655 and Longitude: -82.753846

13. Who found information about the cost of a tiger cub? (Messages)
Needa Sun

14. How much does a tiger cub cost?

According to “Needa Sun”, a tiger cub costs $7,500.

15. When is the meeting with the vendors? (Organizer)


The meeting is on 9/1/2021 from 10:00 PM to 11:00 PM.

16. Review the notes and tasks. Tag any of interest.

17. What account is associated with Apple ID? (Security -> Accounts)
The Justin Thyme account is associated with the Apple ID: [email protected]

18. According to Google searches, what was the user looking to buy? (Web -> Searches)
Multiple searches show the user was looking to buy a tiger.

19. Clear filter.

20. Now let us add a filter. Select the circle with the plus sign.
a. Select Deleted Artifacts.
b. Why are there no deleted files?

The extractor has recovered all files from the device (deleted or not). The forensic analyst must not alter
any files. There are no deleted artifacts because this section will only contain artifacts deleted by the
analyst.

21. Create a PDF report with tagged artifacts only.

Mobile Forensics
Practical Exercise Number 3.2
MSAB XAMN – Alcatel
Participant Learning Objective: To analyze an Android device with MSAB XAMN.
Narrative: This exercise is created for participants to familiarize themselves with the different
artifacts found on the device, as well as the different ways to filter and sort in XAMN.
Scenario: This phone was obtained via a search warrant from a suspect thought to be part of
an arson case.

1. First let us open the Alcatel extraction.

2. How many Data Sources are there?

What do they appear to be from?

There are 4 sources. Two appear to be cloud storage data, one phone data, and one disk or
memory card data.

3. Select All artifacts.

4. How many total artifacts do you have to view?

There are 218,647 artifacts to view

a. Under the display options, group duplicate artifacts.

b. How many artifacts are there now?

There are now 177476 artifacts.

5. Create the “Manipulated Files” filter. (Newer versions may call this “File anomalies”.)

a. Under pictures, there is a file named:


9ed8d390d29e88df61d74ffbc62cab371eeb529c1ec611057d3726f7f7dd8b51.0. (

b. What is the detected file format for this file?

The detected file format is Jpeg

c. Based on the file path, what app was likely used to create this image?

image_manager_disk_cache

d. Why was it marked “manipulated files” or “File anomalies”?

Because the file was modified.

6. When did team Snapchat send a welcome email message to the user?

On 8/24/2021 at 8:02:40 PM (Network) [8/25/2021 12:04:40 AM UTC]

7. Review Android System WIFI.

8. Which WIFI access points have a password associated with them?

#  SSID                     Password
1  EEWifi                   11111111
2  Ataraxias                Cthulhu-24
3  Verizon-SM-G935V-DF89    iqmx298/

9. Review Locations/Bookmarks. What landmark is located near the recorded latitude and longitude?

A bridge is located near the recorded latitude and longitude.

10. Review Locations/History. What landmark is located near the recorded latitude and longitude?

unnamed road, Kananaskis Improvement District, AB, Canada

a. Click on the blue hyperlink next to Related Artifacts:

b. Where did this location history artifact come from?

userdata/data/com.android.chrome/cache/Cache/

c. Review the metadata for this file. What type of device created this file based on the metadata?

iPhone 8

11. There are 4 videos that say “Carved_RAW” at the beginning.

a. Do these videos appear to play?

YES

b. Why are they labelled “carved files”?

When a file is deleted or a storage device is formatted, the data may still physically exist on the device until it is overwritte

12. Review Security/Accounts. What Gmail account is associated with the device?

[email protected]

13. What is the associated Snapchat ID?

96d50ace-1a4a-4f6e-87a6-8ce196b91107

14. Tag any artifacts related to the case (Use the scenario for this case).

15. Export an HTML report with tagged artifacts only.
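
The answer to 11b describes why carved files exist: the bytes of a deleted file stay on storage until overwritten. As an added example (not part of the lab handout, and not a description of how XAMN carves), the sketch below recovers an MP4-style video from a raw byte image by locating the `ftyp` signature and walking the container's size-prefixed boxes; the helper names, the accepted box list and the sample bytes are constructed for illustration.

```python
import struct

# Top-level ISO base media (MP4/3GP/MOV) box types the walker accepts.
TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide",
             b"moof", b"mfra", b"meta", b"uuid"}

def box(kind: bytes, payload: bytes) -> bytes:
    """Build one box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def carve_mp4(image: bytes):
    """Return (offset, length, has_moov_and_mdat) per video found in raw bytes."""
    found, pos = [], 0
    while (hit := image.find(b"ftyp", pos)) != -1:
        pos, start = hit + 4, hit - 4        # the size field precedes the type
        if start < 0:
            continue
        end, seen = start, []
        while end + 8 <= len(image):         # walk box to box from the header
            size, kind = struct.unpack(">I4s", image[end:end + 8])
            header = 8
            if size == 1:                    # 64-bit size stored after the type
                if end + 16 > len(image):
                    break
                size, header = struct.unpack(">Q", image[end + 8:end + 16])[0], 16
            # size 0 ("runs to end of file") has no meaning in a raw image: stop.
            if kind not in TOP_LEVEL or size < header or end + size > len(image):
                break
            seen.append(kind)
            end += size
        if end > start:                      # at least the ftyp box was intact
            found.append((start, end - start, b"moov" in seen and b"mdat" in seen))
            pos = end                        # skip past the carved file
    return found

# Constructed sample: unallocated-looking filler, one small MP4-shaped file,
# more filler, then a truncated ftyp fragment that must not be reported.
SAMPLE_FILE = (box(b"ftyp", b"isom\x00\x00\x02\x00isommp41") + box(b"free", b"")
               + box(b"mdat", bytes(range(64))) + box(b"moov", b"\x00" * 24))
SAMPLE_IMAGE = b"\xff" * 100 + SAMPLE_FILE + b"\x00" * 50 + box(b"ftyp", b"isom")[:10]

if __name__ == "__main__":
    for offset, length, complete in carve_mp4(SAMPLE_IMAGE):
        print(f"carved {length} bytes at offset {offset}, moov+mdat: {complete}")
```

A carved file has no file-system entry, so its original name, path and timestamps are not recovered this way; only the content is.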
