Book Review: "Practical Mobile Forensics"
"Practical Mobile Forensics, Second Edition", by Heather Mahalik, Rohit Tamma, and Satish Bommisetty is an excellent practitioners guide to mobile forensics. It covers everything from acquisition to analysis on iOS, Android, and Windows Phones. The book does a decent job at highlighting the inner-workings of various smartphone operating systems in regards to how they each store forensic evidence, that is to say it lists the various models of the phones, which models have which capabilities, and extra details like where the encryption keys are located or where they store application data. However, the book spends a lot more time looking at tools that practitioners use, mostly advanced proprietary acquisition and analysis tools, showing walkthroughs of how to use the tools and analyze key files, relative to the systems being analyzed and the investigation at hand. This edition of the book sits at 412 pages, published in May 2016, and costs between $40-$55 on Amazon. The book includes a ton of screenshots and reads relatively fast as the topics are pretty high level. Overall, I give the book 7 out of 10 stars, namely for it's relevance to practitioners using industry standard forensics tools, that said I thought the book could have had a more logical layout, as well as dug deeper into the theory and interworking of the operating systems. One of the most annoying parts of the book is that the layout seemingly jumps all around, between iOS and Android, between acquisition and analysis techniques, rather than following a more logical progression (chapters 5-8 are the parts that really flop back and forth in the print edition I had). The following are the chapters of the book so you can see what I mean by the layout of chapters, as well as what tools are covered in the book.
Preface
Chapter 1: Introduction to Mobile Forensics
Why do we need mobile forensics?Mobile forensics
The mobile phone evidence extraction process
Practical mobile forensics approaches
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Summary
Chapter 2: Understanding the Internals of iOS Devices
iPhone modelsiPhone hardware
iPad models
Understanding iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
File system
The HFS Plus file system
Disk layout
iPhone operating system
Summary
Chapter 3: iOS Forensics Tools
Working with Elcomsoft iOS Forensics ToolkitOxygen Forensic Detective
Working with Cellebrite UFED Physical Analyzer
Working with BlackLight
Open source or free methods
Working with Magnet ACQUIRE
Working with NowSecureCE
Summary
Chapter 4: Data Acquisition from iOS Devices
Operating models of iOS devicesPhysical Acquisition
Encrypted file systems
File system Acquisition
Logical Acquisition
Bypassing the passcode
Acquisition of jailbroken devices
Summary
Chapter 5: Data Acquisition from iOS Backups
iTunes backupsWorking with iCloud backups
Summary
Chapter 6: Android Data Extraction Techniques
Data extraction techniquesSummary
Chapter 7: iOS Data Analysis and Recovery
TimestampsSQLite databases
Property lists
The Apple Watch
Recovering deleted SQLite records
Summary
Chapter 8: Android Data Analysis and Recovery
Analyzing the Android imageAndroid data recovery
Summary
Chapter 9: Understanding Android
The evolution of AndroidThe Android model
The Android security
The Android file hierarchy
The Android file system
Summary
Chapter 10: Android Forensics Setup and Pre Data Extraction Techniques
Setting up the forensics environment for AndroidScreen lock bypassing techniques
Gaining root access
Summary
Chapter 11: Android App Analysis, Malware, and Reverse Engineering
Analyzing Android appsReverse Engineering Android apps
Android malware
Summary
Chapter 12: Windows Phone Forensics
Windows Phone OSThe Windows Phone file system
Data acquisition
Summary
Chapter 13: Parsing Third-Party Application Files
Third-part application overviewEncoding versus encryption
Application data storage
Forensics methods used to extract third-party application data
Summary
I really enjoy how the book covers some open source tools as well as industry standard mobile forensics tools. The various industry standard proprietary tools that are covered are certainly the popular models that I've used in my practice, as well as analyzing many of the same databases as in my own practice, which should be a huge draw for those looking for practical guidance in using these tools. I also enjoyed the page on SQLite which gave readers a crash course in basic commands for exploring any applications databases they come across. I also liked the bit on performing mobile forensics on backups from the target phones, providing alternative avenues to get at the data in question. Finally, I found the segment on the various screen lock bypasses pretty interesting, some pretty nice tricks there for enabling access for both the red and blue teams. The book publisher, Packt, also puts out a bunch of samples from each chapter and sub chapter, which I highly encourage perspective readers to checkout here. The following is a SANS DFIR sessions with one of the authors Heather Mahalik, who teaches several SANS classes on the same material, enjoy!
