Book Review: "Practical Mobile Forensics"


"Practical Mobile Forensics, Second Edition", by Heather Mahalik, Rohit Tamma, and Satish Bommisetty, is an excellent practitioners' guide to mobile forensics. It covers everything from acquisition to analysis on iOS, Android, and Windows Phone. The book does a decent job of highlighting the inner workings of the various smartphone operating systems with regard to how each stores forensic evidence; that is, it lists the various phone models, which models have which capabilities, and extra details such as where the encryption keys are located or where application data is stored. However, the book spends far more time on the tools practitioners use, mostly advanced proprietary acquisition and analysis tools, with walkthroughs of how to use them and how to analyze key files relative to the system being examined and the investigation at hand. This edition sits at 412 pages, was published in May 2016, and costs between $40-$55 on Amazon. The book includes a ton of screenshots and reads relatively fast, as the topics are pretty high level. Overall, I give the book 7 out of 10 stars, mainly for its relevance to practitioners using industry-standard forensics tools; that said, I thought the book could have had a more logical layout and dug deeper into the theory and inner workings of the operating systems. One of the most annoying parts of the book is that the layout seemingly jumps all around, between iOS and Android and between acquisition and analysis techniques, rather than following a more logical progression (chapters 5-8 are the parts that really flop back and forth in the print edition I had). The following are the chapters of the book, so you can see what I mean about the layout, as well as which tools are covered in the book.

Preface

Chapter 1: Introduction to Mobile Forensics

Why do we need mobile forensics?
Mobile forensics
The mobile phone evidence extraction process
Practical mobile forensics approaches
Potential evidence stored on mobile phones
Rules of evidence
Good forensic practices
Summary

Chapter 2: Understanding the Internals of iOS Devices

iPhone models
iPhone hardware
iPad models
Understanding iPad hardware
Apple Watch models
Understanding the Apple Watch hardware
File system
The HFS Plus file system
Disk layout
iPhone operating system
Summary

Chapter 3: iOS Forensics Tools

Working with Elcomsoft iOS Forensics Toolkit
Oxygen Forensic Detective
Working with Cellebrite UFED Physical Analyzer
Working with BlackLight
Open source or free methods
Working with Magnet ACQUIRE
Working with NowSecureCE
Summary

Chapter 4: Data Acquisition from iOS Devices

Operating models of iOS devices
Physical Acquisition
Encrypted file systems
File system Acquisition
Logical Acquisition
Bypassing the passcode
Acquisition of jailbroken devices
Summary

Chapter 5: Data Acquisition from iOS Backups

iTunes backups
Working with iCloud backups
Summary

Chapter 6: Android Data Extraction Techniques

Data extraction techniques
Summary

Chapter 7: iOS Data Analysis and Recovery

Timestamps
SQLite databases
Property lists
The Apple Watch
Recovering deleted SQLite records
Summary

Chapter 8: Android Data Analysis and Recovery

Analyzing the Android image
Android data recovery
Summary

Chapter 9: Understanding Android

The evolution of Android
The Android model
The Android security
The Android file hierarchy
The Android file system
Summary

Chapter 10: Android Forensics Setup and Pre Data Extraction Techniques

Setting up the forensics environment for Android
Screen lock bypassing techniques
Gaining root access
Summary

Chapter 11: Android App Analysis, Malware, and Reverse Engineering

Analyzing Android apps
Reverse Engineering Android apps
Android malware
Summary

Chapter 12: Windows Phone Forensics

Windows Phone OS
The Windows Phone file system
Data acquisition
Summary

Chapter 13: Parsing Third-Party Application Files

Third-party application overview
Encoding versus encryption
Application data storage
Forensics methods used to extract third-party application data
Summary

I really enjoy how the book covers some open source tools as well as industry-standard mobile forensics tools. The proprietary industry-standard tools covered are certainly the popular ones I've used in my practice, and the book analyzes many of the same databases I deal with in my own work, which should be a huge draw for those looking for practical guidance on using these tools. I also enjoyed the page on SQLite, which gives readers a crash course in the basic commands for exploring any application's databases they come across. I also liked the section on performing mobile forensics on backups from the target phones, providing alternative avenues to get at the data in question. Finally, I found the segment on the various screen lock bypasses pretty interesting; there are some nice tricks there for enabling access for both the red and blue teams. The book's publisher, Packt, also puts out a bunch of samples from each chapter and sub-chapter, which I highly encourage prospective readers to check out here. The following is a SANS DFIR session with one of the authors, Heather Mahalik, who teaches several SANS classes on the same material. Enjoy!