BYOM Build Your Own Methodology (in Mobile Forensics)
1. BYOM
Build Your Own Methodology
(in Mobile Forensics)
24 APRIL 2020
SOMEWHERE ONLINE…
2. BYOM (BUILD YOUR OWN METHODOLOGY)
NEEDS
• Knowledge
• Tools
• Training/Updates
• Workflow
• Case history
• Standardization
3. KNOWLEDGE
• Mobile OS (Android and iOS): architecture, versions, security (rooting/jailbreaking, encryption, partition layout, cloud)
• File system(s): EXT4, APFS, exFAT, FAT32, HFS+, F2FS, JFFS2/YAFFS2
• File formats: SQLite, Plist, XML, Protobuf, Realm
• Programming: Python, SQL, PowerShell
• Forensic acquisition methods: Manual, Logical, Backup, File System, Physical, Cloud
4. SUGGESTED READINGS
MOBILE OS AND SECURITY BOOKS
Android Internals by Jonathan Levin
Android Security Internals by Nikolay Elenkov
Mac OS X and iOS Internals: To the Apple’s Core by Jonathan Levin
Hacking and Securing iOS Applications by Jonathan Zdziarski
The Mobile Application Hacker’s Handbook by Shaun Colley and others
iOS Hacker’s Handbook by Stefan Esser and others
Android Hacker’s Handbook by Joshua Drake and others
Hacking Exposed Mobile by Neil Bergman and others
5. SUGGESTED READINGS
FILE SYSTEMS
File System Forensic Analysis by Brian Carrier
EXT https://ext4.wiki.kernel.org/
APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification
FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf
HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
6. SUGGESTED READINGS
FILE FORMAT
SQLite Forensics by Paul Sanderson
SQLite https://www.sqlite.org/
Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html
Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec
Realm https://realm.io/
7. SUGGESTED READINGS
MOBILE FORENSICS BOOKS
iPhone and iOS Forensics by Andrew Hoog
Android Forensics by Andrew Hoog
Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik
Mobile Forensics Investigations by Lee Reiber
Seeking the Truth from Mobile Evidence by John Bair
Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov
Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall
Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
10. TOOLS FOR SPECIFIC FILE FORMAT
Plist Editor Pro https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite https://sqlitebrowser.org/
Realm Studio https://realm.io/products/realm-studio/
SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
MobileRevelator https://github.com/bkerler/MR
12. COMMUNITY
• Mobile Device Forensics and Analysis (MDFA)
• Digital Forensics Discord Group
• XDA Developers
• Online Meetings
13. UPDATES
• This Week in 4N6 https://thisweekin4n6.com/
• About DFIR https://aboutdfir.com/
• DFIR Training https://www.dfir.training/
• Forensic Focus https://www.forensicfocus.com/
14. BLOGS
• Sarah Edwards https://www.mac4n6.com
• Heather Mahalik https://smarterforensics.com
• Mattia Epifani http://mattiaep.blogspot.com
• Adrian Leong http://cheeky4n6monkey.blogspot.com
• Alexis Brignoni https://abrignoni.blogspot.com
• Jon B https://www.ciofecaforensics.com
• Mari DeGrazia http://az4n6.blogspot.com
• Andrew Hoog https://www.hack42labs.com
• Ian Whiffin http://doubleblak.com/blogs.php
• Josh Hickman https://thebinaryhick.blog
15. TRAINING
• SANS FOR 585: Smartphone Forensic Analysis In-Depth
• Vendor training
• https://articles.forensicfocus.com/2020/04/13/industry-roundup-online-digital-forensics-training/
17. BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISITION
https://www.swgde.org/
18. INTAKE
Is it turned on or off?
(If it is on) Is it disconnected from external networks?
(If it is on) Is it protected with a passcode/pattern lock?
External physical state? (Ok/Broken/Damaged/Destroyed)
When was the device seized?
Did the user/suspect provide any code?
Does it contain SIM Card(s) and/or SD Card(s)?
19. IDENTIFICATION
First step: what is that??
Some methods to identify devices
• IMEI
• Model number
• Serial number
Where/how to find the IMEI number?
• Packaging box
• Rear of the device
• Under the battery
• In the SIM card tray
• *#06#
• Android Settings -> About Phone -> Status -> IMEI Information
• iPhone Settings -> General -> IMEI
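The IMEI recorded at intake is the key you will search your case history and tool support lists with, so it is worth checking it before moving on. The last of its 15 digits is a Luhn check digit over the first 14, so a failed check almost always means a transcription error. The following is an added example, not code from the original deck; the sample IMEI is a constructed value, not a real device.

```python
import re

# Added example: validate and split an IMEI noted during identification.
# An IMEI is 15 digits: TAC (8) + serial (6) + Luhn check digit (1).
# Separators such as "49-015420-323751-8" are tolerated and stripped.
IMEI_RE = re.compile(r"^\d{15}$")


def normalize_imei(text: str) -> str:
    """Remove the spaces, dashes and dots printed on boxes and SIM trays."""
    return re.sub(r"[\s\-./]", "", text.strip())


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string (the first 14 digits of an IMEI)."""
    if not payload.isdigit():
        raise ValueError("payload must contain digits only")
    total = 0
    # Walk from the rightmost payload digit, doubling every other one starting there.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(text: str) -> bool:
    """True if the value is 15 digits and its check digit matches.
    A 16-digit IMEISV carries no check digit and is rejected here on purpose."""
    imei = normalize_imei(text)
    if not IMEI_RE.match(imei):
        return False
    return luhn_check_digit(imei[:14]) == imei[14]


def split_imei(text: str) -> dict:
    """Break a valid IMEI into the fields usually recorded: TAC, serial, check digit."""
    imei = normalize_imei(text)
    if not is_valid_imei(imei):
        raise ValueError(f"invalid IMEI: {text!r}")
    return {"tac": imei[:8], "snr": imei[8:14], "check_digit": imei[14]}


if __name__ == "__main__":
    # Constructed sample values: the first is well-formed, the second has a typo in the last digit.
    for sample in ("49-015420-323751-8", "490154203237519"):
        print(sample, "valid" if is_valid_imei(sample) else "INVALID")
```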
22. PREPARATION
DEFINE THE EXTRACTION METHOD
Check your «Case History» [NEXT SLIDE]
Check what was requested during the intake
•If you only need a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything?
Check support by your Mobile Forensics Toolkit(s)
Ask the community
Check for custom recoveries/engineering bootloader/flasher boxes
Verify support by specific external services
Identify specific vulnerabilities
Is a physical approach feasible?
Think outside the box…
•Cloud
•Local backup
•Provider requests
•Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
23. CASE HISTORY
Start building it ASAP!
Learn from your experience and errors
• When
• Device brand and model
• Device chipset brand and model
• Used tool / technique
• Obtained acquisition
• Lock bypass (yes/no)
• Encryption (yes/no)
• Case reference
• Person
• Result
• Notes
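The fields on this slide only pay off if they can be queried before the next extraction ("what did we do last time with this model or chipset, and did it work?"). The following is an added example, not code from the original deck: the case history as a small SQLite table with a lookup by any of the slide's fields. Column names, the "Toolkit A/B" labels and the two entries are constructed placeholders.

```python
import sqlite3

# Added example: the slide's case-history fields as one SQLite table, queried with plain SQL.
# ':memory:' is used for the demo; use a file path in practice so the history persists.
COLUMNS = ("when_date", "brand", "model", "chipset_brand", "chipset_model",
           "tool_technique", "acquisition", "lock_bypass", "encryption",
           "case_ref", "person", "result", "notes")
SCHEMA = """CREATE TABLE IF NOT EXISTS case_history (
    id INTEGER PRIMARY KEY, when_date TEXT NOT NULL,
    brand TEXT NOT NULL, model TEXT NOT NULL, chipset_brand TEXT, chipset_model TEXT,
    tool_technique TEXT NOT NULL,
    acquisition TEXT NOT NULL,    -- Manual/Logical/Backup/File System/Physical/Cloud
    lock_bypass INTEGER NOT NULL, encryption INTEGER NOT NULL,   -- 1 = yes, 0 = no
    case_ref TEXT, person TEXT, result TEXT, notes TEXT)"""

def _check(fields: dict) -> None:  # only known column names reach the SQL text
    if set(fields) - set(COLUMNS):
        raise ValueError(f"unknown fields: {sorted(set(fields) - set(COLUMNS))}")

def open_history(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    return conn

def add_entry(conn: sqlite3.Connection, **fields) -> int:
    _check(fields)
    sql = f"INSERT INTO case_history ({', '.join(COLUMNS)}) VALUES ({', '.join('?' * len(COLUMNS))})"
    cur = conn.execute(sql, tuple(fields.get(c) for c in COLUMNS))
    conn.commit()
    return cur.lastrowid

def lookup(conn: sqlite3.Connection, **match) -> list:  # e.g. brand=..., model=..., chipset_model=...
    _check(match)
    where = " AND ".join(f"{c} = ? COLLATE NOCASE" for c in match) or "1=1"
    sql = f"SELECT * FROM case_history WHERE {where} ORDER BY when_date DESC"  # newest first
    return [dict(r) for r in conn.execute(sql, tuple(match.values()))]

def demo_history() -> sqlite3.Connection:  # constructed entries, not real cases
    conn = open_history()
    add_entry(conn, when_date="2020-01-15", brand="Samsung", model="SM-G960F",
              chipset_model="Exynos 9810", tool_technique="Toolkit A, engineering bootloader",
              acquisition="Physical", lock_bypass=1, encryption=1, case_ref="CASE-001",
              person="Analyst 1", result="Full image, decrypted", notes="about 3 hours")
    add_entry(conn, when_date="2020-03-02", brand="Samsung", model="SM-G960F",
              chipset_model="Exynos 9810", tool_technique="Toolkit B", acquisition="Logical",
              lock_bypass=0, encryption=1, case_ref="CASE-007", person="Analyst 2",
              result="Partial, no app data", notes="")
    return conn
```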
25. ANALYSIS
Parsing with different tools has pros and cons ☺
Pros
• Different support for different OS/Apps
• Verifying the results
Cons
• Processing time
• Duplication
• Cost
Often you need to add manual parsing and investigation!
• SQL queries
• Parsing scripts
28. STANDARDIZATION
Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language: https://caseontology.org/
It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science.
The primary motivation for CASE is interoperability: to advance the exchange of cyber-investigation information between tools and organizations.
29. CREDITS AND CONTACTS
@RN Team
Mattia Epifani
Francesco Picasso
Claudia Meda
Fabio Massimo Ceccarelli
mattia.epifani@realitynet.it
@mattiaep