Contents
CHAPTER 1 Introduction to the World of Mobile Device Forensics
A Brief History of the Mobile Device
Mobile Device Data: The Relevance Today
The Overuse of the Word “Forensic”
Write Blockers and Mobile Devices
Mobile Device Technology and Mobile Forensics
From Data Transfer to Data Forensics
Examination Awareness and Progression
Mobile Technology Terminology and Acronyms
CHAPTER 2 Mobile Devices vs. Computer Devices in the World of Forensics
International Association of Computer Investigative Specialists (IACIS)
International Society of Forensic Computer Examiners (ISFCE)
Applying Forensic Processes and Procedures
Approach to Mobile Device Forensics
Standard Operating Procedure Document
Successful SOP Creation and Execution
Specialty Mobile Forensic Units
Seasoned Computer Forensics Examiners’ Misconceptions
First Responders’ Misconceptions
CHAPTER 3 New Era of Digital Devices: IoT, Infotainment, Wearables, and Drones
Categories of Connected Devices
Classification of Wearable Devices
Obtaining Evidence from Drones
CHAPTER 4 Living in the Cloud: The Place to Hide and Store Mobile Data
What Does This Mean to Investigators?
Date Ranges and Types of Records
Methods of Bypassing Cloud Services Security
Oxygen Forensics Cloud Extractor
Cellebrite UFED Cloud Analyzer
CHAPTER 5 Collecting Mobile Devices, USB Drives, and Storage Media at the Scene
The Supreme Court and Mobile Device Data Seizure
Location to Be Searched: Physical Location
Location to Be Searched: Cloud Location
Location to Be Searched: Mobile Device
Location to Be Searched: User Cloud Store
Examining the Scene for Evidence
Once You Find It, What’s Next?
Data Collection: Where and When
CHAPTER 6 Preparing, Protecting, and Seizing Digital Device Evidence
Before Seizure: Understanding Mobile Device Communication
Understanding Mobile Device Security
Windows Mobile and Windows Phone
Photographing the Evidence at the Scene
Documenting the Evidence at the Scene
Dealing with Power Issues: The Device State
Properly Bagging Mobile Device Evidence
Transporting Mobile Device Evidence
CHAPTER 7 Toolbox Forensics: Multiple-Tool Approach
Analyzing Several Devices Collectively
Verifying and Validating Software
Using Multiple Tools to Your Advantage
Overcoming Challenges by Verification and Validation
Overcoming Challenges for Single- and Multiple-Tool Examinations
CHAPTER 8 Mobile Forensic Tool Overview
CHAPTER 9 Preparing the Environment for Your First Collection
Device Drivers and Multiple-Tool Environments
Cleaning the Computer System of Unused Drivers and Ports
CHAPTER 10 Conducting a Collection of a Mobile Device: Considerations and Actions
Device Collection Type: Logical or Physical
Mobile Device Isolation Methods
Methods, Appliances, and Techniques for Isolating a Device
Mobile Device Processing Workflow
Windows Mobile and Windows Phone Examinations
Apple iOS Connections and Collections
Android OS Connections and Collections
CHAPTER 11 Analyzing SIM Cards
Smart Card Overview: SIM and UICC
Network Information Data Locations
CHAPTER 12 Analyzing Feature Phone, BlackBerry, and Windows Phone Data
Avoiding Tool Hashing Inconsistencies
Feature Phone “Tip of the Iceberg Data”
Parsing a Feature Phone File System
BlackBerry “Tip of the Iceberg Data”
BlackBerry Data Formats and Data Types
Windows Phone “Tip of the Iceberg Data”
CHAPTER 13 Advanced iOS Analysis
Additional File System Locations
CHAPTER 14 Querying SQLite and Taming the Forensic Snake
CHAPTER 15 Advanced Android Analysis
Predominant Android File Types
Additional File System Locations
CHAPTER 16 Advanced Device Analysis: IoT, Wearables, and Drones
CHAPTER 17 Presenting the Data as a Mobile Forensics Expert
The Importance of Taking Notes
Format of the Examiner’s Presentation
Why Being Technical Is Not Always Best
What Data to Include in the Report
Becoming a Mobile Forensic Device Expert
Importance of a Complete Collection
Conforming to Current Expectations May Not Be the Best Approach