Mobile Forensics - secuguru/security-terms GitHub Wiki

Mobile forensics focuses on retrieving and analyzing data from mobile devices like smartphones and tablets. Unique characteristics, such as operating systems and data storage methods, distinguish mobile forensics from traditional computer forensics. Here’s an overview of key concepts in mobile forensics, including jailbreaking, differences between mobile and computer forensics, and specific considerations for Android vs. iPhone forensics.

  1. Jailbreaking Devices and Implications
  • Jailbreaking: Jailbreaking (on iOS) or rooting (on Android) is the process of bypassing a device’s built-in security controls to gain root or administrative access.
  • Purpose: Jailbreaking allows users or investigators to access parts of the device’s file system and settings that are typically restricted by the manufacturer.
  • Forensics Implications:
    • Increased Access: Jailbreaking can allow forensic tools to access a broader range of data, including system files, deleted data, and app data.
    • Potential Evidence Alteration: Jailbreaking modifies the device, which can compromise data integrity and lead to claims that evidence was tampered with.
    • Security Risks: Jailbroken devices are more vulnerable to malware, which may lead to compromised data and skewed forensic findings.
  • Best Practice: Only jailbreak or root devices as a last resort when traditional acquisition methods fail, and document all steps taken.
  1. Differences Between Mobile and Computer Forensics
  • Operating Systems and File Systems:
    • Computers: Run a wide range of OSs (e.g., Windows, macOS, Linux) and have more uniform file systems (NTFS, HFS, ext4).
    • Mobile Devices: Use OSs specifically for mobile platforms (e.g., iOS, Android) and file systems like APFS (iOS) or EXT4/F2FS (Android). Mobile file systems are structured differently, affecting how data is stored and retrieved.
  • Data Storage and Accessibility:
    • Computers: Store data on hard drives or SSDs with relatively accessible file structures.
    • Mobile Devices: Use flash memory, which has more wear-leveling and encryption practices, making data recovery more complex.
  • Data Sources:
    • Computers: Provide straightforward access to system logs, application data, and network traffic.
    • Mobile Devices: Have unique data sources like GPS data, text messages, call logs, app-specific data (e.g., WhatsApp, Facebook), and photos with metadata.
  • Forensics Tools: Mobile forensics tools are specialized to handle device-specific challenges, such as encrypted file systems, secured app containers, and the diversity of Android and iOS ecosystems.
  1. Android vs. iPhone Forensics

  • Android Forensics:

    • Operating System and File System: Android uses Linux-based systems with EXT4 or F2FS file systems.
    • File Access and Permissions: Android is generally more accessible due to its open-source nature. However, rooting (gaining superuser access) is often necessary for full data retrieval.
    • Data Extraction:
      • Logical Acquisition: Gathers accessible data (e.g., contacts, call logs) without rooting.
      • File System and Physical Acquisition: Full data retrieval may require rooting. Physical extraction allows full access, including deleted data.
    • Unique Data: Android devices often store data on both internal storage and removable SD cards, providing multiple evidence sources.
    • Encryption: Android encryption varies by version, but Android 10 and newer devices generally have strong encryption by default, complicating forensic analysis.

  • iPhone Forensics:

    • Operating System and File System: iPhones use iOS, with APFS as the primary file system.
    • File Access and Permissions: Apple’s closed ecosystem and strong security policies make direct access challenging, and jailbreaking may be necessary for full access.
    • Data Extraction:
      • Logical and Backup Extraction: iTunes or iCloud backups can often be accessed without jailbreaking. These methods can retrieve contacts, call history, messages, and photos.
      • File System and Physical Acquisition: Physical extraction for iOS is more limited, as Apple restricts deep-level access. However, specialized tools can sometimes bypass security measures.
    • Unique Data: iOS data includes unique elements like iMessages, Health data, and FaceTime logs.
    • Encryption: Apple’s end-to-end encryption, especially with Secure Enclave, poses challenges in accessing data on locked devices. Newer iPhones with iOS 8 and later are encrypted by default, and physical extraction without bypass tools is often difficult.

Forensic Tools for Android and iPhone

  • Android Tools: Cellebrite, Oxygen Forensic Detective, and ADB (Android Debug Bridge) for device commands and file extraction.
  • iPhone Tools: Cellebrite, GrayKey (for bypassing locks), and Magnet AXIOM for backup analysis.

Summary

  • Jailbreaking/rooting offers deeper access but must be approached cautiously due to evidence integrity concerns.
  • Differences between mobile and computer forensics highlight unique data sources and the complexities of handling flash memory and encryption on mobile devices.
  • Android and iPhone forensics differ mainly in OS structure, permissions, and encryption levels, requiring specialized techniques for effective data acquisition.

Mastering these areas equips forensic investigators to retrieve and analyze critical evidence from mobile devices while preserving data integrity and adhering to best practices.