Mohammed Moreb

Practical Forensic Analysis of Artifacts on iOS and Android Devices

Investigating Complex Mobile Devices

Mohammed Moreb
Halhul, Hebron, State of Palestine
ISBN 978-1-4842-8025-6 / e-ISBN 978-1-4842-8026-3
© Mohammed Moreb 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.

The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.

This book is lovingly dedicated to God Almighty, and to my parents, Adnan and Hana Moreb.

To my lovely family—Amany, Lotus, Lojen, Adnan, Majdy—who have been our constant source of inspiration. They have given me the drive and discipline to tackle a task with enthusiasm and determination. Without their love and their support, this book would not have been possible.

What This Book Covers

This book is written to represent a natural flow in the e-discovery process, covering all mobile forensics stages from seizing the device to acquiring the data and analyzing evidence using different tools. The book covers basic handling, acquisition, and analysis techniques for the most popular mobile iOS and Android devices. The following topics are covered in detail:

Chapter 1, “Introduction to Mobile Forensic Analysis.” This chapter introduces the reader to practical mobile forensic analysis by explaining the challenges of working with different device models, and how the principle of forensically sound investigation is applied in the forensic community when selecting tools for the forensic process.

Chapter 2, “Introduction to iOS Forensics.” This chapter provides an overview of iOS devices such as iPhones and iPads, as well as an overview of the operating system and file systems they run. Many forensic tools are used in forensic science, and these tools are designed to handle all activities of the forensic process. Digital forensics has three types: manual (i.e., opening a PC and removing its storage), logical, and physical. After completing this chapter, you will have learned about various third-party tools used for iOS forensics, and will be able to answer three questions: what the difference is between an acquisition and a backup, how to measure and check the effect of jailbreaking on an iOS device, and what the differences are between the third-party tools used in the forensic analysis process.

Chapter 3, “Introduction to Android Forensics.” This chapter covers everything you need to know about practical forensics on Android devices. We will start by understanding the Android platform and its file system and then cover the topics of setup, acquisition, extraction, and recovery. We will also learn how to connect devices using ADB tools, how to back them up, and how to use SQLite files in the acquisition process.

Chapter 4, “Forensic Investigations of Popular Applications on Android and iOS Platforms.” Since the last century, because of the growth in social media, online resources, and websites such as Facebook, a huge number of users have been sharing huge amounts of private data such as texts, pictures, videos, and calls on the Android and iOS platforms through instant messaging applications like Messenger, WhatsApp, and so on. In this chapter, we’ll investigate how much privacy these applications can provide for users, and how much information we can get through forensic investigation using digital forensic programs like FINALMobile Forensics.

Chapter 5, “Forensic Analysis of Telegram Messenger on iOS and Android Smartphones Case Study.” Mobile digital forensics science is developing daily, and every day a new tool is introduced and a new challenge appears as well. This chapter gets hands-on with all available forensic tools, identifies the benefits of using each tool, practices with them to get results faster, and determines the most suitable tool for obtaining accurate results in a relatively short time in different situations. The chapter uses two evidence images to assess the ability of different tools to extract results and build a strong case when it comes to a Telegram Messenger investigation on iOS devices.

This chapter discusses in detail the set of user tools for each operating system. While they can be used interchangeably in most cases, it’s still up to the investigator to know which tool to use.

Chapter 6, “Detecting Privacy Leaks Utilizing Digital Forensics and Reverse Engineering Methodologies.” Most commercial iOS forensic and data acquisition tools will do the job effectively in general, but in cases of data leaks such as the one presented in this chapter, we need to read between the lines to extract all related logs and API communication that occurred inside the mobile system. Thus, we need to examine the most recently updated tools and use a wider range of tools to obtain better evidence for our case.

Chapter 7, “Impact of Device Jailbreaking or Rooting on User Data Integrity in Mobile Forensics.” This chapter covers, with practical use cases, how jailbreaking techniques affect user data integrity by comparing the hash values of extracted data before and after the jailbreak. It was found that the hash values are the same; hence data integrity is not affected by jailbreaking an iPhone device, and investigators can use the jailbreaking technique to acquire data from suspect iPhone devices, which allows a deeper level of data acquisition that can be used to support the case.
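The before/after hash comparison that Chapter 7 relies on is easy to automate. The following script is an added example and is not code from the book: it builds a hash manifest (relative path to SHA-256) for each extraction directory and classifies every file as unchanged, changed, added, or removed, so an examiner can show that user data survived the jailbreak intact and can see exactly which files the procedure touched. The two extraction trees, their file paths, and the extra marker file are constructed sample data, not real device artifacts.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large extractions are not loaded into RAM


def sha256_file(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Hash manifest: path relative to root -> SHA-256, for every file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(before, after):
    """Classify each path seen in either manifest as unchanged, changed, added or removed."""
    result = {"unchanged": [], "changed": [], "added": [], "removed": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            result["removed"].append(rel)
        elif rel not in before:
            result["added"].append(rel)
        elif before[rel] == after[rel]:
            result["unchanged"].append(rel)
        else:
            result["changed"].append(rel)
    return result


def write_demo_extractions(base):
    """Constructed sample data (hypothetical paths, not real device artifacts):
    a pre-jailbreak and a post-jailbreak extraction holding identical user files;
    the post-jailbreak copy also carries one extra file in the system area."""
    user_files = {
        "user/Library/Messages/messages.db": b"SQLite format 3\x00" + b"\x00" * 32,
        "user/Media/Photos/IMG_0001.JPG": b"\xff\xd8\xff\xe0demo-jpeg",
    }
    before = Path(base) / "before_jailbreak"
    after = Path(base) / "after_jailbreak"
    for root in (before, after):
        for rel, data in user_files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    extra = after / "system/jailbreak_marker.txt"  # constructed marker file
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_bytes(b"constructed marker file")
    return before, after


def demo():
    """Run the comparison on the constructed extractions and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = write_demo_extractions(tmp)
        return compare_manifests(hash_tree(before), hash_tree(after))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for rel in paths:
            print("  ", rel)
```

In a real case the two manifests would be produced from the actual extraction folders (or from the acquisition tool's own hash report) and stored with the case notes, since the "changed" and "added" lists are what an opposing expert will ask about.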

Chapter 8, “The Impact of Cryptocurrency Mining on Mobile Devices.” This chapter analyzes a cryptocurrency mining application installed on a mobile device and how its presence affects the choice of tools to use. Our experiment uses two devices, one iOS and one Android.

Chapter 9, “Mobile Forensic Investigation for WhatsApp.” The rapid and exponential development in communication technology and the Internet also accelerated development in smartphones and their data connectivity (e.g., 3G and 4G). Social networking and instant messaging (IM) companies developed their mobile applications. Other IM mobile applications were developed, such as WhatsApp (WA), Viber, and IMO. WA is considered the most popular IM application.

While the messages, exchanged files, and call logs are stored in smartphone memory, WA usage leaves different types of artifacts that can be extracted and analyzed to determine the digital evidence. Besides, iOS is one of the most used smartphone platforms. Therefore, forensic investigation tools and methods are required for the investigation process.

Chapter 10, “Cloud Computing Forensics: Dropbox Case Study.” In our digital world, with many services provided through the Internet, many consumers use online services to store their data or share it online, which means that important data is stored online and is still at risk of being affected by criminal activities. One of these online services is cloud computing, which provides a set of services including storage. This chapter will illustrate cloud computing forensic artifacts, using an analysis of the Dropbox cloud storage service as a case study. The Dropbox analysis will indicate the forensic artifacts that can be acquired from the cloud and also from mobiles, showing the different artifacts that may be acquired using different evidence sources and different forensic tools. In this chapter, we will use iOS and Android mobiles to experiment and find results. This analysis and study of new versions of the Dropbox app with different versions of Android OS and iOS will increase the knowledge pertaining to cloud storage forensic artifacts. In addition, it will help investigators to use it in investigations of criminal activity that took place on these services.

Chapter 11, “Malware Forensics for Volatile and Nonvolatile Memory in Mobile Devices.” Day after day, malware and malicious programs are spreading continuously, especially on unprotected mobile devices. Malware on a mobile device can reside in the nonvolatile memory, or it can hide behind some process in the RAM, in which case it needs no file in the mobile storage to perform its tasks. Mobile memory forensics can help investigators to extract interesting information from the two types of mobile memory, such as detecting some of the resident malware and its related details, which traditional techniques (like antivirus software) might or might not be able to detect. There are several approaches used by different investigators in analyzing mobile memory to detect malware, such as static memory analysis, dynamic memory analysis, hybrid memory analysis, and automated systems for detecting mobile malware. This chapter depends on iTunes and 3uTools for the iOS device backup process, and FINALMobile, Magnet AXIOM, MOBILedit, and Belkasoft forensic tools for logical and physical acquisition and malware analysis. Also, a bootable copy of Checkra1n is used to jailbreak the iPhone device.

Chapter 12, “Mobile Forensic for KeyLogger Artifact.” This chapter investigates mobile forensics for a KeyLogger application installed on iOS or Android. It introduces and helps the investigator to discover traces of a spy application, to determine which tools can be used to investigate and search for various spy programs, and to learn how to report the results obtained from an iPhone spy program that was installed and used for espionage and gaining access to sensitive data.

Chapter 13, “Evidence Identification Methods for Android and iOS Mobile Devices with Facebook Messenger.” Facebook Messenger (FBM) is widely used by most mobile users. FBM is used for normal communication in addition to its involvement in criminal cases. Following a scientific mobile forensic analysis approach keeps the evidence admissible. This chapter follows the NIST mobile forensic process to retrieve data from FBM. It provides several methods for device identification, data acquisition, and analysis of FBM data. Several tools are used for acquisition, including Libimobiledevice, iTunes, Belkasoft, and AXIOM. Additionally, several tools are used for data analysis, including AXIOM Examine, Belkasoft, and DB Browser for SQLite. This study concludes that the appropriate forensic tool for FBM analysis is AXIOM, based on the results of analyzing encrypted iTunes images for an iPhone 6s with iOS 14.6 and an Android 10 device.

Chapter 14, “Mobile Forensics for iOS and Android Platforms: Chrome App Artifacts Depending on SQLite.” This chapter first compares and contrasts the architectures of Android and iOS as discussed in the first chapter; as a result, we implement and utilize a mobile forensics methodology to analyze the SQLite files of applications installed on the mobile device, and we discuss some of the techniques and tools used to extract information, with a case study of the Chrome application. In terms of forensic analysis, the chapter will also emphasize the necessity of examining all SQLite files that belong to the apps to extract the most digital evidence feasible. We investigated practical forensic analysis for the Chrome app on iOS and Android, and the forensic procedures were carried out using the three-phase (seizure, acquisition, examination and analysis) methodology. This chapter aims to extract artifacts from the Chrome application using tools such as iBackup, iExplorer, iTunes, Belkasoft, and FINALMobile for iOS. We use ADB, Belkasoft, AXIOM, FINALMobile, and MOBILedit for Android. SQLiteStudio is used to view the SQLite database files extracted from both Android and iOS.
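Chapters 3 and 14 both rest on the same practical step: finding every SQLite file in an extraction and dumping its tables, regardless of file extension. The script below is an added example, not code from the book or from any of the tools it names. It identifies SQLite databases by their 16-byte header rather than by name (Chrome's History file, for instance, has no extension), opens each one read-only so the evidence copy is never modified, lists every user table, and converts Chrome-style visit timestamps (microseconds since 1601-01-01 UTC) into readable dates. The extraction directory, its paths, and the rows in the History database are constructed sample data modelled on Chrome's urls table, not real artifacts.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"            # first 16 bytes of every SQLite 3 file
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def is_sqlite(path):
    """Identify SQLite files by header, not by extension."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def find_sqlite_files(root):
    """Relative paths of all SQLite files under an extraction directory."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and is_sqlite(p))


def dump_tables(path):
    """Return {table_name: [rows]} for every user table. The file is opened
    read-only (URI mode=ro) so the evidence copy is not touched."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f'SELECT * FROM "{n.replace(chr(34), chr(34) * 2)}"').fetchall()
                for n in names}
    finally:
        con.close()


def webkit_to_iso(us):
    """Chrome stores visit times as microseconds since 1601-01-01 UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def write_demo_extraction(base):
    """Constructed sample extraction: a Chrome-style History database (columns
    modelled on Chrome's urls table), plus two files that are not SQLite."""
    root = Path(base)
    history = root / "app_chrome/Default/History"   # constructed path, no extension
    history.parent.mkdir(parents=True)
    con = sqlite3.connect(history)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 3, 13300000000000000),
        (2, "https://example.org/news", "News", 1, 13300000600000000),
    ])
    con.commit()
    con.close()
    (root / "notes.txt").write_text("not a database")
    (root / "cache.bin").write_bytes(b"\x00\x01\x02\x03" * 8)
    return root


def demo():
    """Locate the databases in the constructed extraction and dump the visits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_demo_extraction(tmp)
        found = find_sqlite_files(root)
        tables = dump_tables(root / found[0])
        visits = [(url, title, webkit_to_iso(ts)) for _, url, title, _, ts in tables["urls"]]
        return {"sqlite_files": found, "visits": visits}


if __name__ == "__main__":
    out = demo()
    print("SQLite files:", out["sqlite_files"])
    for url, title, when in out["visits"]:
        print(when, title, url)
```

Running the header check over the whole extraction, instead of trusting names like .db or .sqlite, is what makes the "examine all SQLite files" advice of Chapter 14 practical; any database the scan lists but a GUI tool did not parse is a candidate for manual review in SQLiteStudio.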

Introduction

This book is intended for forensic examiners with little or basic experience in mobile forensics or open source solutions for mobile forensics. The book will also be useful to researchers who have previous experience in information security, and anyone seeking a deeper understanding of mobile internals. This book will provide you with the knowledge and core skills necessary for trying to recover accidentally deleted data (photos, contacts, SMS, and more).

The book includes practical cases and labs that will involve certain specialized hardware and software to perform data acquisition (including deleted data) and the analysis of extracted information.

This book is designed as an advanced book in computer forensics focusing on mobile devices and other devices not classifiable as laptops, desktops, or servers. The goal of Practical Forensic Analysis of Artifacts on iOS and Android Devices is to develop the critical thinking, analytical reasoning, and technical writing skills that are necessary to work effectively in a junior-level digital forensic or cybersecurity analyst role. This is accomplished by utilizing industry-standard tools and techniques to investigate labs and cases based upon real-world investigations.

This book takes a hands-on approach to provide students with foundational concepts and practical skills in mobile device forensics using case studies, which can be leveraged to perform forensically sound investigations of crimes involving the most complex mobile devices currently available in the market. Using modern tools and techniques, students will learn how to conduct a structured investigation process to determine the nature of the crime and to produce results that are useful in criminal proceedings. The book will provide a walkthrough of the various phases of the mobile forensics process for both Android- and iOS-based devices, including forensically extracting, collecting, and analyzing data and producing and disseminating reports.

Upon completing this book, the reader will be able to:
  • Analyze the need for and types of digital forensics.

  • Explain and critically analyze a variety of digital forensics.

  • Propose appropriate mobile forensic investigation mechanisms to detect digital evidence.

  • Critically analyze the basic mobile forensic types.

  • Present a real-world case of a mobile forensics investigation.

  • Understand what data can be acquired from mobile devices and be able to acquire and investigate data from mobile devices using forensically sound and industry-standard tools.

  • Understand the relationship between mobile and desktop devices in terms of criminal and corporate investigations.

  • Analyze mobile devices, their backup files, and artifacts for forensic evidence.

Acknowledgments

I would like to express my profound gratitude to the mobile forensics team who participated in practical forensics experiments to prepare cases. I wish to express my deep appreciation to my family, particularly my wife Mrs. Amany Isead, and my children—Lotus, Lojin, Adnan, and Majdy—for their unwavering support and encouragement with the editing of this book, and for their patience and support, which was freely given during the last years of nights and weekends that were needed to complete this research.

I would also like to extend my heartiest thanks to my father, Mr. Adnan Moreb; to my mother, Mrs. Hana Abid Alkader; to my brothers for their big support during my initial research; to Mr. Majdi and Mr. Mamoun; and finally to all my friends who supported me during this book journey.

About the Author

Mohammed Moreb holds a Ph.D. in Electrical and Computer Engineering. His expertise is in cybercrimes and digital evidence analysis, specifically focusing on information and network security, with a strong publication track record, both conceptual and practical, built up during more than 10 years of work as a system developer and administrator for a data center, configuring, installing, and administering enterprise systems and all their related security configurations. He improved his academic path with international certificates such as CCNA, MCAD, and MCSE, and he teaches graduate-level courses such as Information and Network Security, Mobile Forensics, Advanced Research Methods, Computer Network Analysis and Design, and Artificial Intelligence Strategy for Business Leaders.

Dr. Moreb recently founded a new framework and methodology specializing in software engineering for machine learning in health informatics named SEMLHI, which investigates the interaction between software engineering and machine learning within the context of health systems. The SEMLHI framework includes four modules (software, machine learning, machine learning algorithms, and health informatics data) that organize the tasks in the framework using a SEMLHI methodology, thereby enabling researchers and developers to analyze health informatics software from an engineering perspective and providing developers with a new road map for designing health applications with system functions and software implementations.

Mobile forensics team members who participated in practical forensics experiments to prepare chapters or parts of chapters are the following:

Ammar Naser

Derar Abu Sheikha

Layth Abu Arram

Rawan Samara, Mohammed Dweekat

Ibrahim Shawahni

Ahmad Abu Eisheh

Firas Abu Hasan, Bashar Jaber

Asad Salem

Mohammad Shadeed, Shadi Younis, Aref Khalil

Sajida Qadan, Safa' Siam, Ibrahim Abubaker, Shadia Jayyosi

Bushra Ayyash

Ahmad Hammoudi

Iyad Ramlawy, Maryam Abu Safeia

Zaer Qaroush

 
About the Technical Reviewer

Wesley Matlock is a published author of books about iOS technologies. He has more than 20 years of development experience on several different platforms. He first started doing mobile development on the Compaq iPAQ in the early 2000s. Today Wesley enjoys developing on the iOS platform and bringing new ideas to life for Major League Baseball in the Denver metro area.
