Module 15: Mobile Forensics

Components of a SIM file system

- Master File (MF): The MF is the root of the file system; it contains one or more DFs. It may contain one or more EFs. A 2-byte file identifier of 3F00 identifies the MF, which is completely reserved for MF. - Dedicated File (DF): DFs or directories are available next to the MF in the hierarchy; they only contain the header that holds information related to the file structure and security. Similar to the MF, a 2-byte identifier is used in DFs to identify them. - Elementary File (EF): EFs are next to the DF in the hierarchy; they contain both the header and body, which store the actual data in different forms, including the transparent, linear fixed, and cyclic forms. - Service provider name (SPN): It signifies a SIM card service provider (for example, Idea, and Airtel). Investigators must pay more attention to the authenticity and verifiability of the service provider records.

Android Boot Process

1. Boot ROM is activated and loads Boot Loader into RAM 2. Boot Loader initializes and then starts the Kernel 3. Kernel initializes interrupt controllers, memory protections, caches, and scheduling. System can use virtual memory and launch the user space process (init) 4. Init process launches and is first process on device, parent process. Next init initializes Zygote, runtime, and daemon processes; the Android logo appears 5. Zygote is used to spin up new VMs for each app that is started; a new DVM with code sharing across the vms. 6. Runtime requests Zygote launch system server; which includes: power manager, battery service, and Bluetooth

iOS Boot Process

1. BootRom initializes some components and checks signature of LLB (lower level bootloader) 2. LLB is loaded and checks signature of iBoot (stage-2 boot loader) 3. iBoot is loaded and checks kernel and device tree signatures (Not booted in Device Firmware Upgrade DFU mode) 4. Kernel and device trees load. Kernel checks signatures of all user applications

International Mobile Equipment Identifier (IMEI)

15-digit GSM-based unique number on handset that identifies the manufacturer, model type, and country of approval for GSM devices. If a device is unlocked, obtained with *#06#

SIM service table (SST)

A subscriber provides the service data stored in the SIM; these data are stored in the form of a table, where the associated services include N27- MENU SELECTION and N38-GPRS.

Dalvik Virtual Machine

A type of Java VM responsible for power and memory management.

Android Runtime

An application runtime setting used by the Android OS that transforms the machine bytecode into normal instructions. It is the successor of Dalvik.

Booting iPhone in DFU Mode

Booting iPhone in DFU Mode (For A9 devices) involves the following steps: ▪ Connect the iPhone to the computer via a USB Cable ▪ Press and hold both the Home and Lock buttons ▪ Continue holding the Home button for 8 s and then release the Lock button ▪ The display screen remains black when the iPhone is in DFU Mode and iTunes (on Mac) will alert the user that it has detected an iPhone in the recovery mode Booting iPhone in DFU Mode (For A10 devices) involves the following steps: ▪ Connect the iPhone to the computer via a USB Cable ▪ Press and hold both the Side and Volume Down buttons ▪ Continue holding the Volume Down button for 8 s and then release the Side button ▪ The display screen remains black when the iPhone is in DFU Mode and iTunes (on Mac) will alert the user that it has detected an iPhone in the recovery mode Steps involved in booting an iPhone in DFU Mode (For A11 and later devices): ▪ Connect the iPhone to the workstation via a USB Cable ▪ Quick press and release the Volume Up button ▪ Quick press and release the Volume Down button ▪ Press and hold the Side button until the screen goes black ▪ Continue holding the Side button and press the Volume Down button for 5 s; then, release the Side button ▪ Release the Volume Down button after 10 s; the screen remains black, which is a clear indication that the iPhone is in DFU Mode. iTunes (on Mac) will alert the user that it has detected an iPhone in the Recovery mode.

Linux Kernel

Built on top of the Linux 2.6 Kernel, responsible for interacting with the hardware.

SIM Data Acquisition Tools

Cellebrite UFED Touch2 AccessData Mobile Phone Examiner (MPE) Plus MOBILedit Forensic SIMcon Paraben's E3 Forensic Platform

SIM Cloning

Duplicating a SIM card for further investigation to avoid accidental tampering

Risks of Jailbreaking

Forensic validity of the evidence According to the NIST guidelines for mobile phone forensics, any action performed by an investigator should not compromise the evidence that may subsequently be relied upon in court Failure of jailbreaks The jailbreaks developed for early versions of iOS 9 attempt to bypass system Kernel Patch Protection (KKP) which can make the device unbootable Remote device management To install a jailbreak on an iOS device, the investigator must connect the device to the internet, this may cause the device susceptible to remote connection or pending remote communication that can erase valuable data

Logical Acquisition of Mobile Devices

Full device backup can also be considered as logical acquisition Logical acquisition can be performed manually using "adb" commands on Android devices and iTunes backup on iOS devices, only when the investigator determines/bypasses the device passcode

Hardware Abstraction Layer (HAL)

In Android OSes provides a standard interface for hardware vendors that expose the device hardware capabilities to higher-level Java API frameworks.

Mobile Storage and Evidence Locations

Internal memory RAM, ROM, or flash memory (NAND/NOR) is used to store mobile phone OS, applications and data SIM card Stores personal information, address books, messages, and service-related information External memory Stores personal information such as audio, video, and images Cloud storage Android devices mostly use Google Drive and iOS devices use iCloud storage to store in documents, videos, contacts, notes, etc.

Mobile network code (MNC)

Is a two-digit network identification number used along with the MCC printed on a SIM. It is used to identify the SIM user on a mobile phone network.

Mobile subscriber identification number (MSIN)

It is a 10-digit number mobile identification number that helps in identifying the mobile phone service provider within a mobile carrier network.

International mobile subscriber identity (IMSI)

It is a 15-digit subscriber identification number that helps investigators in tracing a lost mobile device. It defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs.

Phase ID (Phase)

It is a SIM identification number that is used for identifying each SIM. It is stored in bytes in the SIM; forensic tools are required to extract this information.

Challenges in Mobile Forensics

OS Mobile devices use various Oses such as Android, iOS, BlackBerry OS, and Windows OS Forensic investigators should be able to handle the different versions of these OSes Security Security features such as passcode, fingerprint, face unlock, and data encryption that protect the user data and privacy These encryption barriers have become a constant challenge for the investigators during data acquisition Cloud Data Acquiring cloud related data is difficult owing to the legal constraints involved in it Data Preservation During seizure, the investigators should prevent the device from all forms of data communications preventing the data from wiping via remote commands Data Extraction Has become difficult due to the security features offered by the devices and Oses Investigator must select the right tools to gain access to the device and acquire the maximum data Anti-Forensics Techniques Data hiding, data forgery, and secure wiping make the investigation difficult Investigators should develop tools and techniques to identify anti-forensics techniques that damage the investigation process

Phone Locking on iOS

Password types: Numeric Only Length:6 Face Lock If the iOS device is connected to the computer, the forensic investigator can use the lockdown records that are stored on the computer to perform logical acquisition without unlocking the device

Phone locking on Android

Password types: Password Pattern PIN

Mobile Forensics Process- Document the Evidence

Phone Identification ▪ Write down all information on display (photograph, if possible) and record the date and time when the device was collected. ▪ Note the physical condition of the phone and take pictures of the SIM card and SD card (if any) with identifying information. ▪ Identify a phone by its brand, model, OS, and service provider that can help in selecting the appropriate tools for the acquisition process. ▪ You can obtain this information from the battery cavity, SIM card, or the mobile phone board under the battery. The label under the battery contains the mobile phone model, type, code, IMEI, and FCC ID. Connection Identification ▪ The mobile phone should be connected to the forensic workstation through a cable, infrared, or Bluetooth. ▪ Selecting the connection type depends on the phone, tool used, and acquisition conditions.

Data Stored in SIM

SIM is a microcontroller-based smart card that stores important data such as: Integrated Circuit Card Identifier (ICCID) International Mobile Subscriber Identity (IMSI) Service provider name (SPN) Mobile country code (MCC) Mobile network code (MNC) Mobile subscriber identification number (MSIN) Mobile international subscriber directory number (MSISDN) Abbreviated dialing numbers (AND) Last dialed numbers (LDN) Short message service (SMS) Text message parameters (SMSP) Text message status (SMSS) Phase ID (Phase) SIM Service Table (SST) HPLMN search period (HPLMNSP) PLMN selector (PLMNsel) Forbidden PLMNs (FPLMN) Capability configuration parameter (CCP) Access control class (ACC) Broadcast control channels (BCCH) Language preference (LP) Card holder verification (CHV1 and CHV2) Ciphering key (Kc) Ciphering key sequence number Emergency call code Fixed dialing numbers (FDN) Dialing Extension (EXT1 and EXT2) Groups (GID1 and GID2) Preferred network messages (CBMI) Calls per unit (PUCT) Accumulated Call Meter (ACM) Call Limit (ACMmax) Location Information (LOCI) Local area identity (LAI) Own dialing number Temporary mobile subscriber identity (TMSI) Routing area identifier (RAI) network code Service dialing numbers (SDNs) Depersonalization keys

Mobile Forensics Process- Preserve the Evidence

Signal Containment Device/Bags: ▪ Faraday Bag- prevent signals from being sent to or reaching a mobile phone ▪ Signal Disruption Bag/ Wireless StrongHold Bag- prevents any type of signal from reaching a mobile device ▪ Arson Cans- prevent someone connected to the crime from hitting the phone with a text or email "bomb" that floods the phone memory with messages that crowd out all other previous calls from the log ▪ Aluminum Foil- wrapped with three layers of aluminum foil to prevent incoming signals and secure the mobile data ▪ RF/EMI Shielded Forensic Pouches- preserve mobile devices in radio frequency (RF) tight environment by making sure that the data is not compromised from the moment of capture, include a USB connector to provide fast and secure evidence collection and extraction. ▪ Cell Phone Signal Disruption Device- while the law clearly prohibits the usage of a device to disrupt cell phone signals, there are no rules against passive cell phone blocking.

Mobile Malware Examples

Some examples include XcodeGhost malware that targets iOS devices and xHelper malware that targets Android devices.

Types of Jailbreaks

Tethered Jailbreak A tethered jailbroken device cannot be rebooted without a computer and the jailbreak application because the device no longer runs on a patched kernel once it is turned off To restart the tethered device, it must be re-jailbroken; otherwise, it enters the recovery mode Untethered Jailbreak An untethered jailbreak allows users to reboot the device any number of times because after every reboot the device gets jailbroken automatically Semi-tethered Jailbreak Unlike in tethered jailbreak, semi-tethered jailbreak allows users to reboot the device, but jailbreak features are not loaded into the device Semi-untethered jailbreak It is similar to untethered jailbreak except that it boots into a non-jailbroken state after rebooting the device In this type of jailbreak, the user can be able to jailbreak

Call Detail Record (CDR) Contents

The call data records contain several categories of information such as: ▪ Phone number of the subscriber from where call originated (calling party, A-party) ▪ Phone number receiving the call (called party, B-party) ▪ Called telephone number or numbers ▪ Names and addresses of the subscribers or registered users ▪ Date and time of the start and end of a communication ▪ Telephone service used, e.g., voice, conference call, SMS, or MMS ▪ IMSI of the calling and called party and IMEI of the calling and called party ▪ Location label (cell ID) at the start and end of a communication ▪ Data mapping between the cell IDs and their geographical location at the start and end of a communication ▪ Route through which the call entered the exchange ▪ Route through which the call left the exchange ▪ Additional digits on the called number used to route or charge the call ▪ Disposition or results of the call, indicating, for example, whether the call was connected ▪ Any fault condition encountered

Integrated Circuit Card Identification (ICCID)

a 19-digit unique identification number printed on the SIM to identify each SIM internationally. It helps investigators in tracing a lost mobile.

Some Important Application Framework Blocks

o Package Manager: It tracks the apks installed in a mobile device o Activity Manager: It controls the life cycle of the applications running in a device o Window Manager: The window manager is responsible for managing functions like which windows should be displayed and how they should be displayed on screen o Content Providers: Content providers allow applications to share data between each other o Telephony Manager: This application framework block controls/manages the calls made from the device o Location Manager: It manages the location of an Android device using GPS or cell tower o Resource Manager: It manages the various types of resources used in applications such as strings, color settings, and user interface layouts o Notification Manager: This block allows mobile device applications to display alerts and notifications on the screen

Some of Android Important Native Libraries...

o Surface manager: It takes care of displaying windows owned by different applications running on different processes o Media framework: The media framework offers various media codecs that allow the recording and playback of all media formats o SQLite: SQLite is the database engine that stores data in Android devices. o OpenGL/ES and SGL: This is used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen o FreeType: It renders the bitmap and vector fonts o WebKit: It is a browser engine used to display web pages o Libc: It is a C system library tuned for embedded Linux-based devices

Key iOS Artifacts

▪ Clients.plist: This file contains the geolocation data of applications and system services on the iOS devices. File location: /private/var/root/Library/Caches/locationd/clients.plist ▪ Cookies.plist: This file contains cookies that are saved for websites when web pages are accessed on the Safari web browser. File location: /private/var/mobile/Library/Cookies/ ▪ Keyboard Cache: It comprises the texts entered by the user that are cached by the device. Forensic examiners might also retrieve the password cached on this file to perform various tasks such as taking the backup of an encrypted device or performing brute force attack. File location: /private/var/mobile/Library/Keyboard/dynamic-text.dat ▪ AddressBook.sqlitedb: This database file contains information of all contacts on an iOS device. File Location: /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb ▪ Call_history.db: This database file maintains a log of missed calls, incoming calls, and received calls along with other metadata such as call duration, time, and date. File location: /private/var/mobile/Library/CallHistory/call_history.db ▪ Sms.db: It is the default SMS database file in an iOS device that stores the received, sent and deleted text messages. File location: /private/var/mobile/Library/SMS/sms.db ▪ DraftMessage.plist: This file contains the draft messages. File location: /private/var/mobile/Library/Draft/PENDING/.draft/ ▪ Calendar.sqlitedb: This database file contains manually created calendar events. File location: /private/var/mobile/Library/Calendar/Calendar.sqlitedb ▪ SafariHistory.plist: This file stores the web history of the Safari Web Browser. File location: /private/var/mobile/Library/Safari ▪ Bookmarks.db: It contains bookmarks stored on the Safari web browser. File location: /private/var/mobile/Library/Safari/Bookmarks.db ▪ SafeBrowsing.db: This database file contains a history of the websites visited using the safe browsing feature of Safari. File location: /private/var/mobile/Library/Safari/SafeBrowsing.db ▪ Voicemail.db: This database file contains voicemails and their metadata, including contact numbers, timestamps, callback number, and message duration. File location: /private/var/mobile/Library/Voicemail/voicemail.db Note: Voicemail recordings are stored in the directory /private/var/mobile/Library/Voicemail. ▪ Photos.sqlite: This file contains the image files stored in the photos application database. File location: /private/var/mobile/Media/PhotoData/Photos.sqlite

Booting iPhone in Recovery Mode

▪ For A9 devices: Press and hold the Side and Home buttons simultaneously, until the device goes into recovery mode ▪ For A10 devices: Press and hold the Side and Volume Down buttons simultaneously, until the device goes into recovery mode ▪ For A11 and later devices: o Press and release the Volume Up button, followed by the Volume Down button o Press and continue holding the Side button until the device goes into Recovery mode

Android Debug Bridge (ADB)

○ A command-line tool that allows investigators to connect the device to a forensic workstation through a USB and communicate with it ○ Facilitate device actions such as copying files back and forth, installing and uninstalling applications, and running shell commands on a device ○ Note: to use these commands to control an Android device over USB, the investigator should first enable the USB debugging feature ○ Components Daemon: It is a background process that runs commands on a device. Client: The client runs on the forensic workstation and issues adb commands to install or uninstall applications and acquire data from the device. Server: It runs as a background process on a forensic workstation and manages the communication between the client and daemon. Host: It is used a distractor.

Subscriber Identity Module (SIM)

○ A removable component that contains information about the subscriber ○ It has both volatile and nonvolatile memory ○ The file system involves authenticating a cell phone user to the network, thereby allowing access to those who access the subscripted services

Mobile Data Acquisition Methods

○ Cellular data acquisition ○ SIM file system acquisition ○ Logical acquisition of Device ○ Physical acquisition of Device ○ Cloud data acquisition

Mobile Forensics Process- Collect the Evidence

○ Check whether the mobile device is connected to a computer ○ Confirm the power state of the device If the device is found "ON" and "Unlocked", then enable Stay Awake setting on the device to keep the device active and also connect it to a power source to charge it If the device is found "ON" and "Locked", connect the device to a power source to ensure that the device does not shut down If the device is "OFF", then leave it in the turned off state because turning it ON could alter the evidence on the device ○ If the owner of the device is present at the scene, the law enforcement agents can obtain passcode from the owner, if they deny, the investigators can get a warrant and proceed legally

Cloud Data Acquisition on Android and iOS Devices

○ Cloud data acquisition provides valuable evidence related to the users activities, hence it is important for the investigator to perform cloud forensics to extract data and deal with the criminal activities performed by the user ○ Android users use a google account to access google drive whereas iPhone users use an iCloud account to access iCloud storage ○ On android devices, the forensic investigator can obtain iCloud backups with known Apple ID and password or binary authentication token from the computer that is in sync with the device These iCloud backups contains the same information as those created using iTunes ○ If the user ID and password are not available, the investigator can obtain this information directly from the Cloud Service Providers in a legal manner

Flasher Boxes

○ Devices that can be used as mobile forensics tools to recover data from mobile devices ○ Enable the extraction of data from dead or faulty mobile phones which cannot be achieved via physical extraction tools

Logical Acquisition Tools for Mobile Devices

○ FED Logical Analyzer ○ XRY LOGICAL ○ Paraben's E3 DS ○ Oxygen Forensic® Extractor ○ MOBILedit Forensic Express ○ Mobile Phone Examiner Plus

Cell Site Analysis: Analyzing Service Provider Data

○ Forensic investigators can legally obtain data form the service provider that can act as backup evidence during examination ○ Useful when the attacker or owner of the mobile phone has deleted the call history/text messages from the device to wipe out evidence ○ It can also be required in the following cases When the deleted data cannot be recovered When the location-based services are not turned ON in the phone ○ Potential evidence that could be obtained from Service Provider Data Phone owner location Call Detail Records (CDR) Billing Information Information about the stationary or moving state of the mobile phone during a specific time interval ○ CDR can provide detailed info regarding the outgoing calls ○ CDRs have probative value for investigative or legal purposes ○ Investigators should investigate the device data (internal, external, SIM) and service provider

Different Cellular Networks

○ Global System for Mobile Communication (GSM) - This is a major and popularly used cellular network. ○ Code Division Multiple Access (CDMA) - This is one of the dominant types of cellular networks. It employs the spread-spectrum technology where the communication channels are defined in terms of codes. ○ Enhanced Data Rates for GSM Evolution (EDGE) - Improved data transmission rates are possible through the backward-compatible digital mobile phone technology. It delivers high bit rates per radio channel that are used for packet-switch applications. ○ General Packet Radio Service (GPRS) - This is a packet-oriented mobile data service. It is available to the users of GSM and IS-136 mobiles. It uses the technology of frequency-division duplex and time-division multiple access. ○ High Speed Packet Access (HSPA) - It extends and improves the performance of the existing 3G mobile communication networks using W-CDMA protocols. ○ Universal Mobile Telecommunications System (UMTS) - This is a 3G mobile phone technology (upgrade to 4-G) that uses W-CDMA as the underlying air interface. ○ Evolved High Speed Packet Access (HSPA+) - It is sometimes referred to as 3.5G and it can achieve higher data rates of up to 42.2 Mbit/s. ○ High Speed Downlink Packet Access (HSDPA) - This 3G mobile telephony communication protocol allows high data transfer speeds for networks based on UMTS ○ Time Division Multiple Access (TDMA) - In this type of communication, a single-frequency channel is provided to multiple users over a divided time slot ○ Unlicensed Mobile Access (UMA) - UMA or the Generic Access Network enables mobile services such as voice, IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP applications), and data to access IP networks ○ Long-Term Evolution (LTE) - It is a standard 4G wireless broadband communication for mobile devices and data terminals based on the GSM/EDGE and UMTS/HSPA technologies. It provides 10 times the speed offered by 3G networks. ○ Voice over Long-Term Evolution (VoLTE)- It is a standard high-speed wireless communication technology for mobile devices and data terminals, including IoT devices and wearables. It allows voice calls over the 4G LTE network.

Mobile Forensics

○ Involves the process of examining a mobile device and the digital evidence associated with the device ○ Includes the recovery and analysis of data from the internal memory of a mobile device, SD cards, and SIM cards ○ Aims to trace the perps of crimes that involve the user of mobile phones

Jailbreaking of iOS Devices

○ Jailbreaking an iOS device provides root access to the iOS file system; this allows the investigator to perform data acquisition on the device ○ This process requires entering the device into DFU (Device Firmware Upgrade) mode ○ Since jailbreaking modifies the software to remove the restrictions set by Apple, the device allows the installation of unauthorized applications ○ In forensic analysis, jailbreaking an iOS device is a key step to extract data such as contacts, call history, secure chats, protected messages, installed applications, browser artifacts, system logs, bit-by-bit image of the device and deleted data that serve as a potential source of evidence during examination ○ Jailbreaking tools include redsn0w, Electra, checkra1n, and unc0ver ○To perform a jailbreak on an iOS device, the investigator must ensure that: The device is in the unlocked state Device should pair with the computer ○Jailbreaking tool should be selected according to the device iOS version that has known vulnerability

Components of Cellular Network

○ Mobile Switching Center (MSC): it is the switching system for the cellular networks ○ Base transceiver Station (BTS): it is the radio transceiver equipment that communicates with mobile phones ○ Base Station Controller (BSC): it manages the transceiver equipment and performs channel assignment ○ Base Station Subsystem (BSS): it is responsible for managing the radio network and is controlled by the Mobile Service Switching Center (MSC), it consists of the elements Base Station controller (BSC), Base Transceiver Station (BTS), and Transcoder (TC) ○ Home Location Register (HLR): it is the database at the MSC, it is the central repository system for subscriber data and service information ○ Visitor Location Register (VLR): it is the database used in conjunction with the HLR for mobile phones roaming outside their service area

SQLite Database Extraction

○ Mobile phones use SQLite database files to store information such as address book contacts, SMS messages, emails, and other sensitive information ○ These SQLite database files must be extracted and analyzed forensically in order to find potential evidence ○ The SQLite database files are extracted using SQLite browsing tools

Normal and DFU Mode Booting

○ Normal Boot Process: BootRom starts the boot process LLB, the first level boot loader, is loaded after the verification of integrity and authenticity The stage 2 bootloader iBoot starts after the verification Kernel and NAND flash is also loaded after the verification ○ DFU Mode: BootRom signature checks the second stage boot loaders, iBSS and iBEC iBEC checks the kernel Kernel checks the RamDisk and loads RamDisk into RAM

Physical Acquisition of Mobile Devices

○ Physical acquisition involves the creation of a bit-by-bit copy of the data stored in the physical storage media of mobile phones including hidden files, system files and deleted data ○ The most difficult extraction because mobile device manufacturers often do not allow users to arbitrary read the device memory ○ Physical acquisition can be performed manually on rooted/jailbroken mobile devices ○ The investigator should use tools such as Cellebrite PREMIUM, MOBILedit Forensic Express, and Elcomsoft Forensic Toolkit which do not require rooting/jailbreaking of the devices to perform physical acquisition

Chip-off Forensics

○ Refers to a complete bit-stream imaging of a device containing embedded flash memory (NAND, NOR, OneNAND, or eMMC) ○ This technique allows examiners to extract data from: Pattern/PIN locked devices Damaged/dismantled devices ○ Forensics Process: Assessment Research about the device Acquisition Physically remove the memory chip Clean and repair (re-ball) the chip as required Use chip programmers and adapters to acquire a bit-stream image Analysis Analyze the raw bit-stream image for evidence

JTAG Forensics

○ Refers to the forensic technique where an examiner directly connects to the Test Access Ports (TAPs) of a mobile device and instructs the processor to transfer all the data stored in the memory chips ○ TPAs are present in most mobile devices; therefore, device manufacturers can test them before they leave the factory to ensure they are functioning properly ○ Enables examiners to extract data from pattern/PIN locked devices ○ Forensic Process Step 1: Identify the TAPs by reading the documents on the device. When the TAPs are unknown, examine the device PCB for potential TAPs and manually trace or probe to pinpoint specific connector pins. This is included in Assessment phase. Step 2: A solder wire leads to the correct connector pins or a solderless jig can be used to connect. Step 3: Connect the wire leads to an appropriate JTAG emulator along with the exhibiting device. Step 4: Read the flash memory after selecting the appropriate device profile or manually configure the correct processor/memory settings. Step 2, step 3, and step 4 are included in acquisition phase. Step 5: Analyze the extracted data using industry standard forensic tools and custom utilities. This is included in Analysis phase.

Rooting of Android

○ Rooting can be performed on an Android device only after unlocking the bootloader, which is a security feature available since Android Lollipop ○ If the bootloader of a mobile device is unlocked, the forensic investigator can root the device to perform data acquisition ○ To root the mobile device, the investigator should install third party rooting tools such as Magisk Manager and SuperSU ○ To avoid data loss, the forensic investigator must take backup of the device data or perform logical acquisition before rooting the device ○ Note: physical acquisition can be performed only on ROOTED Android Devices

Top Threats Targeting Mobile Devices

○ Web and Network-based attacks ○ Malware ○ Social Engineering Attacks ○ Resource Abuse ○ Data Loss ○ Data Integrity Threats ○ Browser Exploits