This document provides guidance on building your own mobile forensics methodology (BYOM). It discusses the needs, knowledge, tools, and suggested readings required for mobile forensics. The document outlines knowledge required about mobile operating systems, file systems, file formats, and programming. It also lists commercial, open-source, and hardware tools that can be used and provides information on training resources, best practices, workflows, and standardization in mobile forensics. The goal is to help practitioners develop their own customized mobile forensics methodology.

1. BYOM
Build Your Own Methodology
(in Mobile Forensics)
24 APRIL 2020
SOMEWHERE ONLINE…

2. BYOM (BUILD YOUR OWN METHODOLOGY)
NEEDS
Knowledge Tools Training/Updates
Workflow Case history Standardization

3. KNOWLEDGE
Mobile OS
Architecture
(Android and iOS)
Versions
Security
Rooting/Jailbreaking
Encryption
Partitions layout
Cloud
File system(s)
EXT4
APFS
exFAT
FAT32
HFS+
F2FS
JFFS2/YAFFS2
File format
SQLite
Plist
XML
Protobuf
Realm
Programming
Python
SQL
Powershell
Forensic
Acquisition
Methods
Manual
Logical
Backup
File System
Physical
Cloud

4. SUGGESTED READINGS
MOBILE OS AND SECURITY BOOKS
Android Internals by Jonathan Levin
Android Security Internals by Nikolay Elenkov
Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin
Hacking and Securing iOS Applications by Jonathan Zdziarski
The Mobile Application Hacker’s Handbook by Shaun Colley and others
iOS Hacker’s Handbook by Stefen Esser and others
Android Hacker’s Handbook by Joshua Drake and others
Hacking Exposed Mobile by Neil Bergman and others

5. SUGGESTED READINGS
FILE SYSTEMS
File System Forensic Analysis by Brian Carrier
EXT https://ext4.wiki.kernel.org/
APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification
FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf
HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html

6. SUGGESTED READINGS
FILE FORMAT
SQLite Forensics by Paul Sanderson
SQLite https://www.sqlite.org/
Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html
Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec
Realm https://realm.io/

7. SUGGESTED READINGS
MOBILE FORENSICS BOOKS
iPhone and iOS Forensics by Andrew Hogg
Android Forensics by Andrew Hogg
Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik
Mobile Forensics Investigations by Lee Reiber
Seeking the Truth from Mobile Evidence by John Bair
Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov
Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall
Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo

8. COMMERCIAL TOOLS
Mobile
Forensics Tools
Belkasoft
Blackbag
Cellebrite
Elcomsoft
Grayshift
Guidance
Mobile
Forensics Tools
Magnet Forensics
MobilEdit
MSAB
Oxygen Forensics
Paraben
SecureView
Digital
Forensics Tools
AccessData
Guidance
X-Ways
Sanderson Forensic

9. OPEN/FREE/SHAREWARE TOOLS
ADB https://developer.android.com/studio/releases/platform-tools
Libimobiledevice https://www.libimobiledevice.org/
Autopsy https://www.sleuthkit.org/autopsy/
Andriller https://www.andriller.com/
APOLLO https://github.com/mac4n6/APOLLO
ALEAPP https://github.com/abrignoni/ALEAPP
iLEAPP https://github.com/abrignoni/iLEAPP
iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm
ArtEx https://www.doubleblak.com/software.php?app=ArtEx
MobileRevelator https://github.com/bkerler/MR

10. TOOLS FOR SPECIFIC FILE FORMAT
Plist Editor Pro https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite https://sqlitebrowser.org/
Realm Studio https://realm.io/products/realm-studio/
SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
MobileRevelator https://github.com/bkerler/MR

11. HARDWARE
Flasher
Boxes
Octoplus Pro Box
Z3X Box
Furious Gold
ORT Box
ATF Box
Flasher
Boxes
Medusa Pro
Chimera Tool
NCK Dongle
UFS Turbo Box
Miracle Box
Unlocking
Tools
XPIN Clip
MFC Dongle
BST Dongle
Others
Faraday Bags
VR-Table
Coded

12. Mobile Device Forensics and Analysis (MDFA)
Digital Forensics Discord Group
XDA Developers
Online Meetings
COMMUNITY

13. This Week in 4N6 https://thisweekin4n6.com/
About DFIR https://aboutdfir.com/
DFIR Training https://www.dfir.training/
Forensic Focus https://www.forensicfocus.com/
UPDATES

14. Sarah Edwards https://www.mac4n6.com
Heather Mahalik https://smarterforensics.com
Mattia Epifani http://mattiaep.blogspot.com
Adrian Leong http://cheeky4n6monkey.blogspot.com
Alexis Brignoni https://abrignoni.blogspot.com
Jon B https://www.ciofecaforensics.com
Mari DeGrazia http://az4n6.blogspot.com
Andrew Hoog https://www.hack42labs.com
Ian Whiffin http://doubleblak.com/blogs.php
Josh Hickman https://thebinaryhick.blog
BLOGS

15. SANS FOR 585
Smartphone Forensic Analysis In-Depth
Vendor training
• https://articles.forensicfocus.com/2020/04/13/industry-
roundup-online-digital-forensics-training/
TRAINING

16. WORKFLOW
https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf

17. BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION,
PRESERVATION AND ACQUISTION
https://www.swgde.org/

18. INTAKE
Is it turned on or off?
(If it is on) Is it disconnected from external networks?
(If it is on) Is it protected with a passcode/pattern lock?
External physical state? (Ok/Broken/Damaged/Destroyed)
When was the device seized?
Did the user/suspect provided any code?
Does it contain SIM Card(s) and/or SD Card(s)?

19. IDENTIFICATION
First step: what is that??
Some methods to identify devices
• IMEI
• Model number
• Serial number
Where/how to find the IMEI number?
• Packaging box
• Rear of the device
• Under the battery
• In the SIM card tray
• *#06#
• Android Settings -> About Phone -> Status -> IMEI Information
• iPhone Settings -> General -> IMEI

20. IDENTIFICATION
Check device
information
http://www.imei.info/
https://numberingplans.com/
http://phonedb.net/
http://www.imeipro.info/
Check device
warranty status
Samsung
https://support-
ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo
Apple
https://checkcoverage.apple.com/
Huawei
https://consumer.huawei.com/us/support/warranty-query/
Oppo
https://oppo-au.custhelp.com/app/products/warranty_status
Xiaomi
https://www.mi.com/en/verify/#/en/tab/imei
Lenovo/Motorola
https://support.lenovo.com/warrantylookup

21. IDENTIFICATION (IMEI.INFO)

22. PREPARATION
DEFINE THE EXTRACTION METHOD
Check your «Case History» [NEXT SLIDE]
Check what was requested during the intake
•If you need just only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything?
Check support by your Mobile Forensics Toolkit(s)
Ask the community
Check for custom recoveries/engineering bootloader/flasher boxes
Verify support by specific external services
Identify specific vulnerabilities
A physical approach is feasible?
Think outside the box…
•Cloud
•Local backup
•Provider requests
•Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)

23. CASE HISTORY
Start building it ASAP!
Learn from your experience and errors
• When
• Device brand and model
• Device chipset brand and model
• Used tool / tecnhique
• Obtained acquisition
• Lock bypass (yes/no)
• Encryption (yes/no)
• Case reference
• Person
• Result
• Notes

24. CHECK SUPPORT BY TOOLS
https://www.digitalforensiccompass.com/

25. ANALYSIS
Parsing with different tools has pros and cons ☺
Pros
• Different support for different OS/Apps
• Verifying the results
Cons
• Processing time
• Duplication
• Cost
Often you need to add manual parsing and investigation!
• SQL queries
• Parsing scripts

26. ANALYSIS

27. ANALYSIS

28. STANDARDIZATION
Cyber-investigation Analysis Standard Expression
(CASE) is a community-developed specification
language
https://caseontology.org/
It is intended to serve the needs of the broadest
possible range of cyber-investigation domains,
including digital forensic science
The primary motivation for CASE is interoperability -
to advance the exchange of cyber-investigation
information between tools and organizations.

29. CREDITS AND CONTACTS
@RN Team
Mattia Epifani
Francesco Picasso
Claudia Meda
Fabio Massimo Ceccarelli
mattia.epifani@realitynet.it
@mattiaep