Mobile Forensic Webinar by Forensic Academy

salesforensicacademy 273 views 28 slides Aug 21, 2024

About This Presentation

Mobile forensics is a branch of digital forensics that involves the recovery and examination of digital evidence from a device under forensically sound conditions. The acquisition procedure involves the examination of cellular data, SIM data, internal memory of the device, and SD card (if connected)...


Slide Content

©Cyber Security & Intelligence Training Academy in INDIA
Mobile Forensic Webinar Presented by -Forensic Academy
Mobile Forensics
-FORENSIC ACADEMY

About Speaker
About Me
My name is Heramb Patil.
I am a Computer Engineering graduate, CEHv10 certified.
I have been working in the digital forensics field for 3 years and have worked
with government agencies as well as private organizations.

What is Mobile Forensics?
1. Mobile forensics is a branch of digital forensics that involves the recovery and
examination of digital evidence from a device under forensically sound conditions. The
acquisition procedure involves the examination of cellular data, SIM data, the internal
memory of the device, and the SD card (if connected), among others.
2. Investigators use forensic tools such as MOBILedit, Cellebrite PREMIUM and
Oxygen Forensic to acquire data from devices and examine it. Here we will discuss the
steps involved in the forensic examination process of both Android and iOS devices.
Device data can also be acquired from the command line on Windows using ADB, or with
open source tools such as Avilla Forensics.

Let’s start with some terms that are used in mobile forensics
Each of the following terms may refer to different things depending on an individual’s area of expertise:
• Device
• Collection
• Acquisition
• Extraction
• Analysis
1. Device refers to the target mobile phone or tablet of the accused/custodian from which we will be acquiring data.
2. Collection means the seizure of a device from a crime scene, raid or premises: the process of physically obtaining the device
from the scene.
3. Acquisition is the process of obtaining data from the device in raw format, using one or more methods and proprietary
software; the types of acquisition are explained in detail further on.
4. Extraction: once the raw data dump is acquired, it is loaded into software for viewing and exporting as required by the examiner.
5. Analysis: once the viewer has the raw data ready, examiners use software such as Cellebrite Physical Analyzer or Oxygen
Forensic to analyse the data, find the key evidence relevant to the case, and generate a report from it.

Process of collecting and preserving a mobile device
1. Maintain a chain of custody (COC) form from collection of the device through to handover of the device back to the investigating officer
or the custodian.
2. When you collect the device from the premises, put the phone into flight mode so that no tampering with the evidence can happen,
such as a remote wipe if enabled by the user, or any other further change to the evidence.
3. In the COC form, fill in all the details of the device, including its model number, IMEI, SIM card details, chipset, OS, the time you
collected the phone, etc., as required.
4. If the device is not to be acquired on site, collect the device, label it and seal it in a Faraday bag.
Faraday Bag – prevents signals from being sent or received by the mobile phone, which could otherwise affect the forensic evidence;
it blocks all communication of the device (GSM, Wi-Fi) so that no wireless tampering happens.
In some cases mobile devices are wrapped in three layers of aluminium foil to block incoming signals and secure the
mobile data.
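The chain-of-custody form described above can be kept as a machine-readable record alongside the acquisition image, so that the hash taken at acquisition time can be re-checked at every handover. The following is an added example written for this page, not code from the webinar or from any forensic product; the field names (device, isolation, images, transfers) and the JSON layout are my own assumptions, and the "device" values in the demo are constructed placeholders, not a real handset.

```python
"""Chain-of-custody (COC) record with acquisition-image hashing.

Added example, not from the webinar. Field names and the JSON layout are
assumptions; the record mirrors the details the slides say the COC form must
carry: model, IMEI, SIM, chipset, OS, time of collection, and each handover.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large acquisition images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def new_custody_record(device: dict, collected_by: str, isolation: str) -> dict:
    """Open a record at seizure time; acquisition hashes are attached later."""
    return {
        "device": device,              # model, IMEI, SIM, chipset, OS, ...
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "isolation": isolation,        # e.g. "flight mode + Faraday bag"
        "images": [],
        "transfers": [],
    }


def attach_image(record: dict, path: str, method: str) -> str:
    """Record an acquisition image and its SHA-256 at the moment it was produced."""
    digest = sha256_file(path)
    record["images"].append({
        "path": os.path.basename(path), "method": method, "sha256": digest,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
    })
    return digest


def record_transfer(record: dict, from_person: str, to_person: str, reason: str) -> None:
    """Append one handover (examiner -> officer, lab -> court, ...) to the record."""
    record["transfers"].append({
        "from": from_person, "to": to_person, "reason": reason,
        "at": datetime.now(timezone.utc).isoformat(),
    })


def verify_image(record: dict, path: str) -> bool:
    """Re-hash the image; True only if it matches the hash taken at acquisition."""
    name = os.path.basename(path)
    stored = [img["sha256"] for img in record["images"] if img["path"] == name]
    return bool(stored) and sha256_file(path) == stored[0]


def run_demo() -> dict:
    """Constructed walk-through: seize, image, hand over, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "logical_dump.tar")
        with open(image, "wb") as f:
            f.write(b"constructed sample acquisition data\n" * 1000)

        rec = new_custody_record(
            device={"model": "<model no.>", "imei": "<IMEI from *#06#>", "sim": "<ICCID>",
                    "chipset": "<from IMEI lookup>", "os": "<OS version>"},
            collected_by="Examiner A", isolation="flight mode + Faraday bag")
        attach_image(rec, image, method="logical (adb)")
        record_transfer(rec, "Examiner A", "Investigating Officer", "device returned")
        intact = verify_image(rec, image)

        with open(image, "ab") as f:        # simulate a post-acquisition change
            f.write(b"!")
        tampered = verify_image(rec, image)
        return {"intact": intact, "tampered_detected": not tampered,
                "json": json.dumps(rec, indent=2)}


if __name__ == "__main__":
    print(run_demo()["json"])
```

The record is written once at seizure and only appended to afterwards; a mismatch from verify_image at any later handover shows the image was altered after the hash was taken, which is exactly the question the chain-of-custody form exists to answer.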

Getting details about the device, and the prerequisites to enable in settings before proceeding with the acquisition
1. Getting the IMEI details
What is IMEI?
a. The IMEI is a 15-digit number that denotes the manufacturer, model type and country of approval for GSM devices.
b. The first eight digits, known as the Type Allocation Code (TAC), denote the model and origin of the device.
c. The IMEI number can be obtained by keying in *#06#.
d. In some cases the IMEI number can be found on the SIM tray or the back of the mobile case; in older devices with a removable
battery the IMEI number can be seen under the battery.
e. On some Android phones the IMEI number can also be found under "About phone".
The following demonstration (screenshots) is for iOS.
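An examiner who keys in *#06# and copies the IMEI onto the custody form benefits from checking it before it is used for the chipset lookup. The following is an added example, not code from the webinar: it uses the layout the slides give (15 digits, first 8 digits the TAC) plus one general property of IMEI numbers the slides do not mention, namely that the 15th digit is a Luhn check digit over the first 14, so a mistyped digit is caught at the point of entry. The sample IMEI is a well-known test value, not a real handset's.

```python
"""IMEI parsing and validation for the custody form.

Added example, not code from the webinar. Assumes the IMEI layout the slides
describe (15 digits, first 8 digits = TAC) plus the general rule that the 15th
digit is a Luhn check digit over the first 14.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Imei:
    tac: str          # Type Allocation Code: model and origin of the device
    serial: str       # 6-digit per-unit serial within the TAC
    check_digit: str  # Luhn check digit


def normalise(raw: str) -> str:
    """Strip spaces, hyphens and dots an examiner may have typed in."""
    return re.sub(r"[\s.\-]", "", raw)


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a 14-digit IMEI body (digits only)."""
    total = 0
    # Walk from the rightmost body digit; every second digit (starting with
    # that one) is doubled, and doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(raw: str) -> Imei:
    """Parse a 15-digit IMEI; raise ValueError on bad length or check digit."""
    digits = normalise(raw)
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {raw!r}")
    body, check = digits[:14], digits[14]
    expected = luhn_check_digit(body)
    if check != expected:
        raise ValueError(f"check digit {check} invalid, expected {expected}")
    return Imei(tac=digits[:8], serial=digits[8:14], check_digit=check)


def is_valid_imei(raw: str) -> bool:
    """True when the value parses and its check digit is consistent."""
    try:
        parse_imei(raw)
        return True
    except ValueError:
        return False


def custody_form_line(raw: str) -> str:
    """Format for the chain-of-custody form: full IMEI, then TAC and serial."""
    imei = parse_imei(raw)
    full = imei.tac + imei.serial + imei.check_digit
    return f"IMEI {full} (TAC {imei.tac}, serial {imei.serial})"


if __name__ == "__main__":
    # Constructed sample (a published test IMEI, not a real handset)
    print(custody_form_line("49-015420-323751-8"))
```

The TAC is what the IMEI.info and GSMArena lookups on the next slide key on, so it is worth recording separately from the per-unit serial.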

For Android, the following are the steps, as demonstrated in the screenshots, to get the IMEI number and enable Developer options and USB debugging.


Getting the chipset details and enabling Developer options to proceed with the acquisition
After getting the IMEI number of the device, the examiner can use these websites to obtain further details from it:
1) IMEI CHECK - Free Online IMEI Number Checker | IMEI.info
2) GSMArena.com - mobile phone reviews, news, specifications and more...
Enabling Developer options on Android phones
Go to Settings > About phone and tap on Build number repeatedly until you receive the popup saying Developer options has been enabled.
Once enabled, open Developer options and enable USB debugging.
USB debugging
USB Debugging Mode (in Android) is an Android developer feature that can be activated from the Developer Options
menu. USB debugging allows an Android device to establish communication with a computer/workstation that runs the
Android Software Development Kit (SDK). Therefore, investigators should enable USB debugging mode during
evidence acquisition.

Types of acquisition methods in mobile forensics
Data Acquisition Methods: Effective data collection is a critical early step in the forensic process because it requires
thorough investigation along with the documentation and mapping of all potentially relevant data. Different methods are
used for mobile data acquisition, such as cellular data acquisition, SIM file system acquisition, logical acquisition of the
device, physical acquisition of the device, and cloud data acquisition. These methods are forensically sound, invasive, and
technical. Therefore, even an expert investigator may require more time to perform data acquisition and analysis.
Selecting the appropriate data acquisition method depends upon various factors:
• Time constraints for performing the data extraction
• The data acquisition types supported by the device
• Whether live data is required
• Recovery of deleted data
• Third-party application data
• Available tools

1. Logical/Advanced logical acquisition
Logical acquisition captures data (files/folders) that can be accessed by users. Deleted data, system files, etc.
cannot be captured during logical acquisition. To perform logical acquisition on a mobile device, the forensic
investigators must bypass the passcode of the device.
In this section, we elaborate on the commands and procedure involved in performing logical acquisition on both Android
and iOS devices.
Logical Acquisition: In mobile forensics, logical acquisition refers to the creation of a bit-by-bit copy of the logical storage
on a mobile device. The logical storage contains objects such as directories and files that are accessible to the user.
Logical acquisition generally recovers data that has not been deleted. System files and deleted data cannot be captured under
logical acquisition.
A full device backup can also be considered a logical acquisition. For Android devices, logical acquisition can be
performed manually by running adb commands in a terminal window; for iOS devices, it can be performed
through an iTunes backup if the investigator can determine or bypass the device passcode.

Live data that can be acquired using logical acquisition includes call logs and text messages, passwords to active social
media accounts, IMEI and ESN (Electronic Serial Number) data, contact lists, data from installed applications, and
saved photos and videos.
Logical acquisition methods interact with mobile devices using protocols such as AT commands and Object Exchange (OBEX).
It extracts data that is accessible through the operating system.
2. ADB Backup
Android Debug Bridge (ADB): When an Android device is used as digital evidence in a court of law, the forensic
investigator must perform data acquisition on the device to extract useful artifacts that could help solve the case.
Android Debug Bridge (ADB) is a command line utility that establishes a connection between a mobile device and a
computer over USB. The ADB commands facilitate device actions such as copying files back and forth, installing and
uninstalling applications, and running shell commands on the device.
These commands allow investigators to acquire the device's root shell, which can be used to run various commands on the
device. ADB is a client-server program that consists of three components:

Client: The client runs on the forensic workstation and issues adb commands to install or uninstall applications and
acquire data from the device.
Daemon: A background process that runs commands on the device.
Server: Runs as a background process on the forensic workstation and manages the communication between the client
and the daemon.
Forensic investigators can use the adb pull command to perform data acquisition on Android devices.
Note: To use ADB commands to control an Android device over USB, the investigator must first enable the USB
debugging feature.
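An ADB backup (the `adb backup -all -f backup.ab` route) produces a container file rather than a plain archive, and tools like Oxygen or UFED read it for you; it is useful to see what is inside when all you have is the .ab file on the workstation. The following is an added example, not code from the webinar or from the Android project. It assumes the .ab container layout: four newline-terminated header lines ("ANDROID BACKUP", format version, a 1/0 compression flag, and the encryption scheme, "none" or "AES-256"), followed by a tar stream that is zlib-compressed when the flag is 1, with application data laid out under apps/<package>/... in that tar. The sample backups are constructed in memory, not taken from a device, and an encrypted container is reported rather than read, since that needs the user's backup password.

```python
"""Parse an `adb backup` container (.ab) and list what the logical acquisition holds.

Added example, not from the webinar or the Android project. Assumes the .ab
layout: "ANDROID BACKUP\n<version>\n<1|0>\n<none|AES-256>\n" followed by a
(zlib-compressed when flag=1) tar stream. Samples are constructed in memory.
"""
import io
import tarfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AbHeader:
    version: int
    compressed: bool
    encryption: str


def parse_ab_header(data: bytes) -> tuple:
    """Split the four-line header from the payload; ValueError if the magic is wrong."""
    parts = data.split(b"\n", 4)           # four header lines, the rest is payload
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup container")
    header = AbHeader(version=int(parts[1]), compressed=parts[2] == b"1",
                      encryption=parts[3].decode("ascii"))
    return header, parts[4]


def ab_to_tar(data: bytes) -> bytes:
    """Return the raw tar stream; encrypted backups need the user's backup password."""
    header, payload = parse_ab_header(data)
    if header.encryption != "none":
        raise ValueError(f"backup is {header.encryption}-encrypted; password required")
    return zlib.decompress(payload) if header.compressed else payload


def list_entries(data: bytes) -> list:
    """(name, size) of every regular file in the backup, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        return [(m.name, m.size) for m in tf.getmembers() if m.isfile()]


def packages_in_backup(data: bytes) -> list:
    """Package names, taken from the apps/<package>/... prefix adb backup uses."""
    seen = []
    for name, _ in list_entries(data):
        parts = name.split("/")
        if len(parts) >= 2 and parts[0] == "apps" and parts[1] not in seen:
            seen.append(parts[1])
    return seen


def build_sample_backup(files: dict, compressed: bool = True,
                        encryption: str = "none") -> bytes:
    """Constructed .ab container for testing; not a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    flag = b"1" if compressed else b"0"
    header = b"ANDROID BACKUP\n5\n" + flag + b"\n" + encryption.encode("ascii") + b"\n"
    return header + payload


if __name__ == "__main__":
    sample = build_sample_backup({
        "apps/com.example.notes/_manifest": b"manifest",
        "apps/com.example.notes/db/notes.db": b"\x00" * 64,
        "shared/0/DCIM/photo.jpg": b"jpg",
    })
    print(parse_ab_header(sample)[0])
    print(packages_in_backup(sample))
    for entry in list_entries(sample):
        print(entry)
```

Hash the .ab file before unpacking it and record that hash on the custody form; the unpacked tar is a derived artifact and the container is the item whose integrity the examiner attests to.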

3. Android Backup (ADB) with APK Downgrade
In this method, the regular data that we get using ADB backup is acquired, and along with it:
APK Downgrade is a method where we downgrade the application version. This method is always a bit risky and will
modify the phone. UFED backs up the application and its data and pulls them off the device. Next, UFED pushes a lower
version of the application, whose data is available to be pulled via a backup, and pushes the data into it.
This method is used to acquire third-party application data, such as from
WhatsApp, LinkedIn, Snapchat, Instagram, etc.
4. Full File System
This data collection method generally pulls file system data via ADB or a backup.
Full File System Extraction (FFS) is a specialized digital forensics technique used to obtain a complete copy of the file
system from a digital device, such as a computer, smartphone, or tablet. It allows investigators to access a vast array of
data, including active files, deleted files, system files, application data, and metadata.
FFS is performed using specialized software and hardware tools designed to ensure the integrity and admissibility of the
extracted data in legal proceedings.
Advantages
Comprehensive data access, recovery of deleted data, support for third-party apps

5. Physical Acquisition
Physical acquisition refers to the bit-by-bit replication of all data stored within a mobile device; it includes hidden and
deleted files. Performing physical acquisition of mobile phone data is challenging because mobile device
manufacturers do not allow arbitrary reading of the device memory.
If performed successfully, physical acquisition can help forensic investigators obtain information such as deleted
text messages, contacts, call logs, deleted passwords, location tags, GPS information, deleted files, photos, and
videos.
Physical acquisition can be performed manually on rooted (Android) / jailbroken (iOS) mobile devices. Physical data
acquisition is advantageous because it eliminates the risk of compromising data integrity by allowing the use of a
write-blocker mechanism on the interface that is used for creating a copy of the original data. Upon successful
completion, physical data acquisition does not leave behind any trace of the investigation in the mobile phone data.
Investigators should use tools such as Cellebrite PREMIUM or MOBILedit Forensic.

It produces a low-level, bit-by-bit copy of the phone’s storage device (flash memory). On some devices, this extracts the
block-device data as abstracted by the operating system. On older phones, an extraction may provide raw access to flash
pages. Device file systems can be reconstructed and carved to search for deleted items in unallocated space.
Physical extraction bypasses the device’s operating system (OS). It is carried out just before the OS of the device starts
to load. This stage is called the bootloader, which is the first thing that starts up when a device is turned on. At its most
fundamental level, a bootloader is low-level software that enables the OS to run. In the absence of a bootloader, the OS
will not run and you won’t see the graphical user interface (GUI) on your mobile.
Advanced logical extraction is an extraction method that combines both the logical and file system extractions into a single extraction. This
method helps users overcome long and complex extractions, saving time and effort while maintaining forensically
sound data.
The challenge today for law enforcement is that data extraction is becoming tougher. Manufacturers of Apple and
Android devices are responding to consumers' requirements for increased privacy by creating much tougher data
encryption and security.
Cellebrite UFED 'advanced logical extraction' combines the logical and file system extractions for iOS and Android
devices. It is an alternative when physical extraction is not possible.

6. JTAG Forensics
JTAG (Joint Test Action Group) forensics refers to the forensic technique
where an examiner directly connects to the Test Access Ports (TAPs) of a
mobile device and instructs the processor to transfer all the data stored in
the memory chips.
This enables examiners to extract data from pattern/PIN locked devices.
JTAG forensics is another method of physical data extraction for mobile
devices; it is applied when there are no compatible or appropriate tools that
support a particular device.
7. Chip-off Forensics
In the chip-off procedure, the flash memory of the mobile device is physically
removed for data acquisition. Investigators can make a binary image of the
removed chip and perform chip-off forensics on it.
This enables examiners to extract data from pattern/PIN locked devices.
It refers to complete bit-stream imaging of a device's
embedded flash memory (NAND, eMMC).

iOS acquisition methods
1) iTunes backup
The most convenient way to acquire an iPhone is the same way people use to back it up.
If the examiner gets access to the Apple ID password, one can create an iTunes backup and later load the acquisition by
importing the
Manifest.plist file, which displays all the present data along with third-party apps.

2. Advanced logical file system extraction
The advanced logical file system extraction is equivalent to the iTunes backup. This method of data extraction
is available for all iOS devices, regardless of the version of iOS installed and regardless of the hardware
platform.
The recent iOS releases, versions 15 and 16, are also supported by the advanced logical file system extraction.
To perform extractions on devices with the latest iOS version, always keep your UFED software version up to
date.

3) Checkm8 extraction
Checkm8 is an exploit that allows forensic examiners to perform iOS full file system extractions on a wide range of iPhones.
It exploits a vulnerability in the bootloader of many Apple devices, allowing access to a device regardless of the version
of iOS installed.
This method does require the passcode, but in case the examiner does not know the passcode, a BFU (Before First Unlock)
dump can be taken, through which some data that is not encrypted before first unlock can be acquired.
If the examiner has the passcode, the entire data set can be obtained with this method, decrypted (AFU, After First Unlock), along with
deleted data.

CLOUD Data Extraction from Android and iOS devices

Practical demonstration of acquiring data using Oxygen Forensic Detective
Method used: Oxy Agent (it uses ADB to communicate with the OS to get data from the device)

Avilla Forensics (Open source free tool)

Questions and Answers (Q&A)