Oxygen Forensics Vs Cellebrite

Day by day, smartphones and tablets are becoming ever more popular, and as a result, the technology used in their development to add new features or improve the security of such devices is advancing very fast. Apple operating system (iOS) devices started growing popular in the mobile world. The iPhone and iPad are the game-changer products launched by Apple.

Oxygen Forensic Suite 2010 is mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and PDAs. Use of advanced proprietary protocols and phone APIs makes it possible to pull much more data than can be extracted by forensic tools utilizing standard logical protocols, especially for smartphones. Oxygen Forensic Suite is forensic software that is used to acquire data from. Windows Phone Backup; Windows Phone 8 JTAG Image; UFED backup/image.

iOS devices provide large storage space that could hold emails, browsing histories, chat histories, Wi-Fi data, GPS data and more. From the forensics perspective, such devices could present lots of useful artifacts during an investigation. There are well-defined procedures to extract and analyze data from iOS devices, which are included in this paper.

Oxygen Forensics - mobile forensic software for mobile devices. Oxygen Forensic Detective v.14.0 has introduced a new, but familiar, extraction method. Oxygen Forensic Detective can also find and extract a vast range of artifacts, system files as well as.

P2 Explorer: P2 Explorer [24] is a forensic image mounting tool which aims to assist investigating officers with.

Cellebrite UFED: Cellebrite's UFED [28] solution presents a unified workflow to allow examiners, investigators and first responders to acquire, protect and act decisively on mobile data with the speed and with.

Introduction to the forensic processes focused on mobile forensics: extracting logical and physical data from iOS devices, iOS file system and storage analysis, analysis of logical data, data from iTunes and iCloud backups, Wi-Fi and GPS data.

Due to the exponential growth of the mobile market, the importance of mobile forensics has also increased. Mobile forensics is a field of digital forensics which is focused on mobile devices, and it is growing very fast. Usage of Oxygen Forensic Detective; Working with Cellebrite UFED.

The rate at which new models are designed and launched is very high, which makes it very difficult to follow similar procedures. Each case or investigation of a new model needs to be considered differently and requires following steps that could be different and unique to the case. With these challenges in mobile forensics, syncing a mobile phone to a computer using software becomes easy. One could extract data like SMS, contacts, installed applications, GPS data, emails and deleted data.

Collection
The below steps are recommended to follow during the collection of a mobile device:

- It is good practice to take a picture of the location and the mobile phone with a camera before starting any process.
- Note the status of the device: whether it is powered off or on.
- If it is powered on, check the battery status and network status.
- Check whether the screen is locked.
- Search for the SIM package and whether any cables are located around.

Preservation of evidence is a very crucial step in digital forensics.

For mobile forensics, the below steps are good practices to follow. It is possible that attackers could remotely wipe data, or that any new activity could overwrite the existing data. So, the first step should be to isolate the mobile device from the network; there are several ways that could be followed according to the scenario. Chain of Custody – Chain of custody is the document that maintains each record of the digital evidence from collection to presentation.

It is crucial because it keeps track of the digital evidence: the investigator's name, the time and date of each step, and details of evidence transportation. Hashing – Hashing is the method used to prove the integrity of the evidence. MD5 or SHA are widely used algorithms to calculate the hash values of the evidence. As previously mentioned, it is almost impossible to interact with mobile devices without altering them.

Below, an overview has been given of each. Physical – It is a bit-to-bit copy of the device and allows recovering deleted data. Unfortunately, with mobile forensics it is not always possible to use this method.

Logical – This method allows extracting particular files from the file system, like a backup taken using iTunes. Sometimes it is necessary to perform offensive techniques like password cracking or jailbreaking. Apple developed an operating system for the iPhone, iPad and iPod Touch which is known as the iOS operating system. Devices running on the iOS operating system are called iOS devices.

HFS+ file system
Apple developed the Hierarchical File System (HFS), which supports large data sets.

Logical blocks are 512 bytes, the same size as physical blocks. Allocation blocks are a group of logical blocks used to track data. Allocation blocks are further grouped together into clumps to reduce fragmentation on the volume. HFS uses both absolute time (local time) as well as UNIX time, so one can identify the location of the system. The HFS file system uses a catalog file to organize data. It uses a B*-tree (balanced tree) structure to organize data.

When data are added or deleted, it runs the algorithm to keep the tree balanced. As seen in the above figure, the first 1024 bytes are reserved boot blocks. Volume Header: This contains information about the structure of the HFS volume. It keeps track of the catalog ID numbering and increases it by one each time a file is added.

Allocation file: This keeps track of the allocation blocks used by the file system. It basically consists of a bitmap. Each bit represents the status of one allocation block: if it is set to 1, the allocation block is used, and if it is 0, the allocation block is not used. Extent Overflow file: This consists of pointers to the extents of the.

Startup File: This assists booting on a system which does not have built-in ROM support. Actual data is stored in the file system and tracked by the file system. Alternate Volume Header: This is a backup volume header located in the last 1024 bytes of the volume. It is 512 bytes long. The HFSX file system is a variation of the HFS+ file system which is used in Apple mobile devices.
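The on-disk layout described above (reserved boot blocks, a 512-byte volume header at offset 1024, a backup copy in the last 1024 bytes, and an allocation bitmap with one bit per block) can be checked with a few lines of code. The following Python is an added example written for this page, not code from the paper or from any of the tools it names. It builds a small constructed volume image (not a real iOS dump), reads the block size and block counts from the header, confirms the primary and alternate headers match, and decodes the allocation bitmap to list the free blocks, where remnants of deleted files may still sit. Field offsets and the MSB-first bit order follow Apple's HFS+ specification (TN1150); the bitmap's location at block 1 is an assumption of the toy image, since a real volume records the allocation file's extents in the header.

```python
import struct

# HFS+ layout facts (Apple TN1150): the first 1024 bytes are reserved boot
# blocks, the 512-byte volume header follows at offset 1024, and the alternate
# (backup) volume header starts 1024 bytes before the end of the volume.
VOLUME_HEADER_OFFSET = 1024
VOLUME_HEADER_SIZE = 512
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}

# Toy-image assumption: the allocation bitmap is placed at the start of block 1.
BITMAP_BLOCK = 1


def build_toy_volume(block_size=4096, total_blocks=64, used_blocks=(0, 1, 2, 5, 9)):
    """Construct a minimal fake HFS+/HFSX volume image (constructed test data).

    Only the header fields this example reads are filled in; the rest is zero.
    """
    used = set(used_blocks)
    free_blocks = total_blocks - len(used)
    # Fixed prefix of the volume header, big-endian: signature, version,
    # attributes, lastMountedVersion, journalInfoBlock, createDate, modifyDate,
    # backupDate, checkedDate, fileCount, folderCount, blockSize, totalBlocks,
    # freeBlocks.  blockSize therefore sits at byte 40, totalBlocks at 44,
    # freeBlocks at 48.
    header = struct.pack(
        ">2sHIIIIIIIIIIII",
        b"HX", 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, block_size, total_blocks, free_blocks,
    ).ljust(VOLUME_HEADER_SIZE, b"\0")
    # Allocation bitmap: one bit per block, block 0 is the MSB of byte 0.
    bitmap = bytearray((total_blocks + 7) // 8)
    for b in used:
        bitmap[b // 8] |= 0x80 >> (b % 8)
    image = bytearray(block_size * total_blocks)
    image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + VOLUME_HEADER_SIZE] = header
    start = BITMAP_BLOCK * block_size
    image[start:start + len(bitmap)] = bitmap
    # Alternate volume header in the last 1024 bytes of the volume.
    image[len(image) - 1024:len(image) - 1024 + VOLUME_HEADER_SIZE] = header
    return bytes(image)


def parse_volume_header(image, offset=VOLUME_HEADER_OFFSET):
    """Read signature, block size and block counts from a volume header."""
    raw = image[offset:offset + VOLUME_HEADER_SIZE]
    sig = raw[0:2]
    if sig not in SIGNATURES:
        raise ValueError(f"no HFS+/HFSX signature at offset {offset}: {sig!r}")
    block_size, total_blocks, free_blocks = struct.unpack(">III", raw[40:52])
    return {"fs": SIGNATURES[sig], "block_size": block_size,
            "total_blocks": total_blocks, "free_blocks": free_blocks}


def headers_agree(image):
    """True when the primary and alternate volume headers are byte-identical.

    A mismatch is worth noting in the examination record: it means the volume
    was damaged or modified after the backup header was last written.
    """
    primary = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + VOLUME_HEADER_SIZE]
    alt_off = len(image) - 1024
    return primary == image[alt_off:alt_off + VOLUME_HEADER_SIZE]


def unallocated_blocks(bitmap, total_blocks):
    """Decode the allocation bitmap: bit set = in use, bit clear = free."""
    return [b for b in range(total_blocks)
            if not (bitmap[b // 8] >> (7 - b % 8)) & 1]


def audit_volume(image):
    """Cross-check the header's free-block count against the bitmap."""
    hdr = parse_volume_header(image)
    start = BITMAP_BLOCK * hdr["block_size"]
    bitmap = image[start:start + (hdr["total_blocks"] + 7) // 8]
    free = unallocated_blocks(bitmap, hdr["total_blocks"])
    hdr["bitmap_free_count"] = len(free)
    hdr["free_blocks_match"] = (len(free) == hdr["free_blocks"])
    hdr["headers_agree"] = headers_agree(image)
    return hdr, free


if __name__ == "__main__":
    summary, free = audit_volume(build_toy_volume())
    print(summary)
    print("free blocks:", free)
```

Against a real image the same checks apply after locating the allocation file through the extents stored in the volume header; the point of the cross-check is that a header claiming more free blocks than the bitmap shows, or a primary header that disagrees with its alternate, flags a volume whose metadata should not be trusted without further examination.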

Partitions
iOS devices have two types of partitions: the system partition and the data partition.

System Partition
The system partition does not contain many artifacts related to the investigation, as it contains mostly system-related information like the iOS operating system and pre-installed applications. An iPhone has a single disk, hence it is denoted as Disk0. The system partition is Disk0s1, and the data partition is Disk0s2. The system partition is read-only, as visible in the below output of /private/etc/fstab. We can find the user-configured password in the /private/etc/passwd file as shown below. As seen in the above screenshot, the mobile and root password hashes can be retrieved from the passwd file.

The root password is "Alpine", which is the default for all iOS devices.

Data Partition
The data partition contains user data and can provide lots of artifacts during the investigation. It is a read/write partition.

The below directories are listed which could be of interest for artifacts. Below is a screenshot from an iOS device running iOS 7. Keychains – Keychain.db, which contains user passwords from various applications. Logs – General.log: the OS version and serial number; Lockdown.log – Lockdown daemon log.

These files contain useful artifacts related to web cookies, email accounts, GPS map routes and searches, system configuration preferences, browsing history and bookmarks. These files can be opened in a simple text editor to view their contents. Logical extraction of the iPhone could provide lots of SQLite database files, as it uses SQLite databases to store user data; the tool SQLite Browser is used to explore and read SQLite databases and can be downloaded from. The three main databases are the Call History, Address Book and SMS databases. These databases can be explored through available applications like SQLite Database Browser, as seen in the screenshot below.

Figure 6. SQLite Database Browser

Acquisition of iOS devices

Phone identification
During search and seizure, it is necessary that the examiner identifies the phone model.