This document provides an overview of mobile forensics. It discusses key topics like the mobile forensics process, goals of mobile forensics, challenges with acquiring evidence from mobile devices, and analyzing different types of evidence. Specific techniques discussed include hashing, write protection, recovering deleted data through tools like Disk Drill, analyzing Windows and Linux event logs, and investigating malicious files. The document outlines the various components involved in a mobile forensics investigation from acquiring evidence to documenting the chain of custody.
2. Topics
• Mobile Forensics Fundamentals & Process
• Acquisition & Duplication
• Hashing & Write Protection
• Analyzing & Investigating Deleted Data
• Analyzing Malicious Files
3. What Is Mobile Forensics?
Mobile forensics is an electronic discovery technique used to determine and reveal technical criminal evidence.
Mobile forensics involves the
• Collection (what needs to be investigated),
• Preservation,
• Analysis,
• Documentation, and
• Presentation
of computer evidence stored on a computer.
5. Mobile Forensics Goals
• Finding legal evidence in computing devices and preserving its integrity in a way that is deemed admissible in a court of law.
• Preserving and recovering evidence following court-accepted technical procedures.
• Identifying data leaks within an organization.
• Assessing possible damage occurring during a data breach.
8. Mobile Hardware and Forensics
• Mobile forensics is highly dependent on the underlying hardware of the mobile device.
• Investigators need to take different approaches to mobile forensics depending on the mobile hardware architecture.
• Knowledge of mobile hardware also becomes important in the case of a broken device.
35. How Are Computers Used in Cybercrimes?
• A computing device is used as a weapon to commit a crime.
• Example: launching denial-of-service (DoS) attacks or sending ransomware.
• Gaining unauthorized access.
36. Forensics Investigation Types
• Public investigations: involve law enforcement agencies and are conducted according to country or state law.
• Private (corporate) sector investigations: usually conducted by enterprises to investigate policy violations, litigation disputes, wrongful termination, or leaking of enterprise secrets.
37. Digital Evidence Types
User-created data includes anything created by a user (human) using a digital device. It includes the following and more:
• Text files (e.g., MS Office documents, IM chat, bookmarks), spreadsheets, databases, and any text stored in digital format,
• Audio and video files,
• Digital images,
• Webcam recordings (digital photos and videos),
• Address book and calendar,
• Hidden and encrypted files (including zipped folders) created by the computer user,
• Previous backups (including both cloud storage backups and offline backups like CD/DVDs and tapes),
• Account details (username, picture, password),
• E-mail messages and attachments (both online and client e-mails such as Outlook),
• Web pages, social media accounts, cloud storage, and any online accounts created by the user.
39. Challenges of Acquiring Digital Evidence
• Computer with a password, access card, or dongle.
• Digital steganography techniques to conceal incriminating data in images, videos, audio files, file systems, and in plain sight (e.g., within an MS Word document).
• Encryption techniques to obscure data, making it unreadable without the password.
• Full disk encryption (FDE) including the system partition (e.g., BitLocker drive encryption).
• Strong passwords to protect the system/volume; cracking them is very time consuming and expensive.
• File renaming and changing extensions (e.g., changing DOCX into DLL, which is a known Windows system file type).
• Attempts to destroy evidence by wiping the hard drive securely using various software tools and techniques.
• Removing history from the web browser upon exit and disabling
• Physically damaged digital media; for example, we cannot retrieve deleted files from a failed HDD before repairing it.
• Sensitivity of digital evidence; if not handled carefully it might be destroyed. Heat, cold, moisture, magnetic fields, and even just dropping the media device can destroy it.
• Easy alteration of digital evidence; for instance, if a computer is ON, you must leave it ON and acquire its volatile memory (if possible), but if the computer is OFF, leave it OFF to avoid changing any data.
• Cybercrimes can cross borders easily through the Internet, making the lack of cyberlaw standardization a major issue in this domain.
• A USB thumb drive that belongs to a suspect but whose data is fully encrypted and password-protected: the suspect can deny ownership of the thumb drive, making decryption very difficult to achieve without the correct password/key file.
44. Who Should Collect Digital Evidence?
• Analytical thinking: the ability to make correlations between different events/facts when investigating a crime.
• Solid background in IT knowledge: wide knowledge of different IT technologies, hardware devices, operating systems, and applications. This does not mean that an investigator should know how each technology works in detail.
• Hacking skills: to solve a crime, you should think like a hacker. Knowing attack techniques and cybersecurity concepts is essential for a successful investigation.
• Understanding of legal issues concerning digital crime investigations.
• Excellent knowledge of technical skills related to digital forensics, like data recovery and acquisition and writing technical reports.
• Online searching skills and the ability to gather information from publicly available sources (i.e., OSINT).
47. First Responder Team
The first responder is the first person to encounter a crime scene. A first responder has the expertise and skill to deal with the incident. The first responder may be an officer, security personnel, or a member of the IT staff or incident response team.
Roles of the First Responder Team:
1. Identifying the crime scene
2. Protecting the crime scene
3. Preserving temporary and fragile evidence
48. First Responder Toolkit
• Crime scene tape.
• Stick-on labels and ties.
• Color marker pens.
• Notepad.
• Gloves.
• Magnifying glass.
• Flashlight.
• Sealable bags of mixed sizes; these should be antistatic bags to preserve evidence integrity.
• Camera (can capture both video and images and must be configured to show the date/time when the capture happens).
• Radio frequency-shielding material to prevent some types of seized devices (e.g., smartphones and tablets with SIM cards) from receiving calls or messages (also known as a Faraday shielding bag). This bag will also protect evidence against lightning strikes and electrostatic discharges.
• Bootable CDs.
• Chain of custody forms.
• Secure sanitized external hard drive to store images of any digital exhibits.
• USB hub.
51. Locations of Electronic Evidence
• Desktops
• Laptops
• Tablets
• Servers and RAIDs
• Network devices like hubs, switches, modems, routers, and wireless access points
• Internet-enabled devices used in home automation (e.g., AC and smart refrigerator)
• IoT devices
• DVRs and surveillance systems
• MP3 players
• GPS devices
• Smartphones
• Game stations (Xbox, PlayStation, etc.)
• Digital cameras
• Smart cards
• Pagers
• Digital voice recorders
• External hard drives
• Flash/thumb drives
• Printers
• Scanners
54. Chain of Custody
• What is the digital evidence? (E.g., describe the acquired digital evidence.)
• Where was the digital evidence found? (E.g., computer, tablet, cell phone, etc.; also to be included is the state of the computing device upon acquiring the digital evidence: ON or OFF?)
• How was the digital evidence acquired? (E.g., tools used; you also need to mention the steps taken to preserve the integrity of the evidence during the acquisition phase.)
• When was the digital evidence accessed, by whom, and for what reason?
• How was the digital evidence used during the investigation?
• How was the digital evidence transported, preserved, and handled?
• How was the digital evidence examined? (E.g., any tools and techniques used.)
61. Duplication
• A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings.
• We define forensic duplication as an image of every accessible bit from the source medium.
62. Types of Duplication
1. Simple duplication
• Copy selected data; file, folder, partition.
2. Forensic duplication
• Every bit on the source is retained
• Including deleted files
63. Hashing & Write Protection
Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.
Hash value generation in digital forensics:
• Generally, a hash value is used to check the integrity of any data file, but in digital forensics it is used to check the integrity of the evidence disk data.
• The image of a disk is created in digital forensics for analysis, so it is necessary that the image be an exact replica of the evidence disk.
• The hash value generated during imaging should match when that image of the evidence disk is extracted for detailed analysis. In digital forensics the hash value is generated over the whole disk data, not only over single or multiple files.
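As an added example that is not part of the original slides, the following Python sketch ties the duplication and hashing sections together: it images every bit of a constructed sample medium (including unallocated space that still holds a deleted file), hashes the whole medium while acquiring it, and re-hashes the image before analysis so any later change is detected. All function names and the sample data are constructed for this illustration.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # 1 MiB reads keep multi-GB images out of memory

def hash_stream(fp):
    """SHA-256 over every byte from offset 0: a whole-disk hash, not per file."""
    h = hashlib.sha256()
    fp.seek(0)
    for block in iter(lambda: fp.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def forensic_image(source, dest):
    """Forensic duplication: copy every accessible bit of source into dest and
    hash the same bytes as they are written, so the hash documents the acquisition."""
    h = hashlib.sha256()
    source.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        dest.write(block)
        h.update(block)
    return h.hexdigest()

def verify_image(image, acquisition_hash):
    """Before detailed analysis the image must re-hash to the acquisition value."""
    return hash_stream(image) == acquisition_hash

def make_constructed_disk():
    # Constructed sample medium: one live file, then unallocated space that still
    # holds a deleted file's content (a plain file copy would miss it).
    live = b"FILE:report.docx|quarterly figures" + b"\x00" * 32
    unallocated = b"\x00" * 16 + b"DELETED:notes.txt|meet at 9" + b"\x00" * 32
    return io.BytesIO(live + unallocated)

def demo():
    source = make_constructed_disk()
    image = io.BytesIO()
    acquired = forensic_image(source, image)
    data = bytearray(image.getvalue())  # simulate one byte changing later,
    data[20] ^= 0xFF                     # e.g. the image mounted read-write
    tampered = io.BytesIO(bytes(data))
    return {
        "source_hash_matches": hash_stream(source) == acquired,
        "image_verified": verify_image(image, acquired),
        "tampered_verified": verify_image(tampered, acquired),
        "deleted_data_in_image": b"DELETED:notes.txt" in image.getvalue(),
    }
```

With a real device the source would be opened read-only through a write blocker and the acquisition hash recorded on the chain of custody form.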
71. Analyzing & Investigating Deleted Data
Data recovery is the extraction of data from damaged evidence sources in a forensically sound manner. This method of recovering data means that any evidence resulting from it can later be relied on in a court of law.
Tools for recovering deleted data:
• Disk Drill
• Recuva
• MiniTool Power Data Recovery
• Lazesoft
73. Windows Log Analysis
• In the event of a forensic investigation, Windows Event Logs serve as the primary source of evidence, as the operating system logs every system activity. Windows Event Log analysis can help an investigator draw a timeline based on the logging information and the discovered artefacts. The information that gets logged depends on the audit features that are turned on, which means that the event logs can be turned off with administrative privileges. From the forensic point of view, the Event Logs capture a lot of data.
74. • The Windows Event Logs are used in forensics to reconstruct a timeline of events.
• The three main components of the event logs are:
– Application
– System
– Security
• On the Windows operating system, logs are saved in the root location %System32%\winevt\Logs.
• When the maximum log size is reached:
– Oldest events are overwritten
– Archive the logs when full
– If you do not wish to overwrite the events, clear the logs manually
75. The type of events that are recorded can be any occurrence that affects the system:
• An incorrect login attempt,
• A hack, breach, or system settings modification,
• An application failure,
• System failure, etc.
All these events are logged in "%System32%\winevt\Logs".
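An added example, not part of the original slides, of the timeline reconstruction described above: it parses a constructed Security log export, sorts it chronologically, flags accounts with repeated failed logons followed by a successful one, and notes where the log was cleared (which matters because the slides point out that logs can be turned off or cleared with administrative privileges). The CSV layout, account names and times are constructed; the event IDs are the standard Windows Security IDs.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Security log export (not a real capture). Event IDs
# 4625 (failed logon), 4624 (successful logon) and 1102 (audit log cleared)
# are the standard Windows Security IDs for those events.
SAMPLE_EXPORT = """TimeCreated,LogName,EventID,Account
2024-03-01 09:12:47,Security,4625,bob
2024-03-01 09:00:05,Security,4624,alice
2024-03-01 09:12:41,Security,4625,bob
2024-03-01 09:12:52,Security,4625,bob
2024-03-01 09:13:03,Security,4624,bob
2024-03-01 09:40:10,Security,1102,bob
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_events(text):
    """Parse the export and sort chronologically: the basis of the timeline."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        row["TimeCreated"] = datetime.strptime(row["TimeCreated"], FMT)
        events.append(row)
    return sorted(events, key=lambda e: e["TimeCreated"])

def failed_then_success(events, attempts=3, window=timedelta(minutes=2)):
    """Accounts with >= attempts failed logons inside `window` followed by a
    successful logon: a pattern an investigator looks for after a breach."""
    failures, hits = defaultdict(list), []
    for e in events:
        acct, t = e["Account"], e["TimeCreated"]
        if e["EventID"] == 4625:
            failures[acct].append(t)
        elif e["EventID"] == 4624:
            if sum(1 for f in failures[acct] if t - f <= window) >= attempts:
                hits.append((acct, t))
            failures[acct].clear()
    return hits

def log_cleared(events):
    """1102 entries: the log was cleared, so evidence before that point may be
    gone; the clearing itself (who and when) goes on the timeline."""
    return [(e["Account"], e["TimeCreated"]) for e in events if e["EventID"] == 1102]

def timeline(text):
    """Human-readable chronological lines for the report."""
    return [f"{e['TimeCreated']:%Y-%m-%d %H:%M:%S} {e['LogName']} {e['EventID']} {e['Account']}"
            for e in parse_events(text)]
```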
79. Full Event Log View
• https://www.nirsoft.net/utils/full_event_log_view.html#:~:text=FullEventLogView%20is%20a%20simple%20tool,network%2C%20and%20events%20stored%20in%20.
81. Kali Linux Password Reset
1. Boot your Kali system and wait for the GNU GRUB page to appear.
2. On the GNU GRUB page, select the "Advanced options for Kali GNU/Linux" option with the down arrow key and press Enter.
3. Now select the second entry, the "Recovery mode" option, and press the E key to edit the recovery mode entry of Kali Linux.
4. To modify it, change read-only mode (ro) to rw (write mode) and add init=/bin/bash as in the screenshot, then press F10 to boot Kali Linux.
5. After rebooting the Kali Linux system, it will bring you to the screen below to reset the Kali Linux password.
82. • To reset the root password of the Kali Linux system, simply type "passwd" and hit Enter. Then type the new password twice for the root user. After successfully resetting the lost Kali Linux password, you will see the success message "password update successfully". Then reboot the system with reboot -f and log in with the newly changed password of the root user.