Midterm Exam Flashcards Preview


Flashcards in Midterm Exam Deck (73):
1

What is Digital Forensics?

A branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices.

2

Forensically Sound

Original Evidence has not been modified.
Difficult on mobile devices.
Procedures have to be tested, validated, and documented.

3

3 Main Categories of Mobile Forensics

Seizure.
Acquisition.
Examination/Analysis.

4

Biggest Challenges to Mobile Forensics

Data can be accessed, stored, and synchronized across multiple devices.

5

Difficulties in Obtaining Mobile Data: Devices

Hardware/OS differences.
Generic state of device.
Dynamic nature of devices.
Alteration of data/device.

6

Difficulties in Obtaining Mobile Data: Remote Access

Wipes and resets.
Communication shielding.

7

Difficulties in Obtaining Mobile Data: Resources

Lack of resources.
Lack of available tools.
Legal issues.

8

Difficulties in Obtaining Mobile Data: Security

Security features.
Anti-forensics techniques.
Passcode recovery.
Malicious programs.

9

Mobile Evidence Extraction Process: About

Extractions of each mobile device may differ.
A consistent examination process should be followed.
There is no well established standard process.
All methods used should be tested, validated, and documented.

10

Mobile Evidence Extraction Process: Steps

Intake.
Identification.
Preparation.
Isolation.
Processing.
Verification.
Document and Reporting.
Presentation.
Archive.

11

Mobile Evidence Extraction Process: Intake

Starting phase.
Documents ownership information and the type of incident the mobile device was involved in.
Outlines the type of data or information needed.
Developing specific objectives for each examination is the critical part of this phase.

12

Mobile Evidence Extraction Process: Identification

Legal authority.
Goals of the examination.
Make, model, and identifying information of device.
Removable and external data storage.
Other sources of potential evidence.

13

Mobile Evidence Extraction Process: Preparation

Research appropriate methods and tools to be used on the particular mobile device.

14

Mobile Evidence Extraction Process: Isolation

Isolation before acquisition and examination of the device is important.
Multiple methods of isolation possible.
Some methods are preferred over others.

15

Mobile Evidence Extraction Process: Processing

The phone should be acquired using a tested method that is repeatable and as forensically sound as possible.
Physical acquisitions are most preferred, as they make the fewest changes to the device.
File system or logical extractions next best methods.

16

Mobile Evidence Extraction Process: Verification

Verify the data in the extraction is accurate by comparing to data on the mobile device:
Comparing extracted data to the handset.
Using multiple tools and comparing results.
Using hash values.

17

Mobile Evidence Extraction Process: Documents and Reporting

Documentation should be done throughout the examination process.
After examination is complete, peer-review results.

18

Mobile Evidence Extraction Process: Presentation

Information extracted and documented should be able to be clearly presented.
Findings should be clear, concise, and repeatable.
Some tools include features that can help explain findings across multiple devices.

19

Mobile Evidence Extraction Process: Archive

Preserving extracted data is important.
Retained in a usable format.
Remember court cases can go on for years.
Digital forensics tools are always advancing.

20

4 Main Types of Operating Systems

Google Android.
Apple iOS.
RIM Blackberry.
Windows.

21

5 Levels of Mobile Forensics Tools

Manual Extraction.
Logical Analysis.
Hex Dump.
Chip-off.
Micro-Read.

22

3 Data Acquisition Methods

Manual.
Logical.
Physical.

23

5 General Rules of Evidence for Digital Evidence

Admissible.
Authentic.
Complete.
Reliable.
Believable.

24

Leading Operating System for Smart Phones

Android.

25

Easiest Way to Identify iDevice Hardware

Observing the model number displayed on the back of the device.

26

What is the iOS File System Built on?

HFS Plus.
HFS.

27

What are the 2 Partitions of the File System? iOS

System.
Data.

28

What was the Original iPhone OS Originally Called?

Alpine?

29

What was the Original iPhone OS Originally Called?

OS X.

30

Are all iOS versions supported by all iDevices?

No.

31

What is Jailbreaking?

Removing limitations imposed by Apple's mobile operating system through software and hardware exploits.
The biggest reason is to install unapproved apps.

32

3 Modes iOS Devices are Capable of Running in

Normal.
Recovery.
DFU.

33

iOS Recovery Mode

Entered if one step in the boot-up process is unable to load or verify the next step.
Required to perform upgrades or restore the iDevice.

34

iOS Normal Mode

The normal mode the phone boots into.

35

iOS Normal Mode

When an iDevice is switched on and booted into its operating system.

36

2 Types of Memory in iOS Devices

RAM.
NAND flash memory.

37

Custom Ramdisk Method: iOS

Gains access to the file system by loading a custom ramdisk into memory and exploiting a weakness in the boot process while the device is in DFU mode.
The custom ramdisk contains the forensic tools necessary to dump the file system.
Loading a custom ramdisk does not alter the user data.
Only works for iPhone 4 and older.

38

Where is the passcode stored since iOS 4?

Not on the device in any format.

39

Where is the passcode stored since iOS 4?

Not on the device in any format.
Previously stored directly in the keychain.

40

What are the actual iOS files encrypted with?

Actual files on the file system are encrypted with data protection class keys.

41

What does jailbreaking allow examiners to do? iOS

Allows physical acquisitions: devices that are not vulnerable to the Boot ROM exploit must be jailbroken.
Install tools that would not normally be on the device.
Problem: makes changes to devices that may damage evidence or render it inadmissible in court.
Logical acquisition should be considered first.

42

What was introduced in iOS 6 that prevents examiners from patching the kernel code directly?

Kernel Address Space Layout Randomization.
Kernel Address Space Protection.

43

What is a computer that an iDevice is backed up to called?

The host computer.

44

Where are the iOS pairing records stored by a Windows computer?

/var/root/Library/Lockdown/pair_records/ directory.
Pairing records are stored as a plist file with a filename representing the unique identifier given to the computer.
Windows - %AllUserProfile%\Apple\Lockdown.

45

Where are the iOS pairing records stored by a Mac OS X computer?

Mac OS X - /private/var/db/lockdown.

46

40-Character Hex String that Corresponds to iOS Backup Files?

It matches the UDID of the device.

47

4 Data Files Contained in iOS Backup Directory?

info.plist
manifest.plist
status.plist
manifest.mbdb

48

iOS info.plist

This file stores details about the backed up device:
ICCID.
Last backup date.
IMEI.
Phone number.
Installed Apps.
Product type and production version.
Serial number.
iTunes version.
Device’s UDID.

49

iOS manifest.plist

Describes the contents of the backup:
Applications.
Date.
IsEncrypted.
Lockdown.
WasPasscodeSet.
Backup Keybag.

50

iOS manifest.plist

Describes the contents of the backup:
Applications.
Date.
IsEncrypted.
Lockdown.
WasPasscodeSet.
Backup Keybag.

51

iOS status.plist

The status.plist file stores details about the backup status:
Backup state.
Date.
IsFullBackup.

52

iOS manifest.mbdb

Contains records about all other files in the backup directory.

53

Is a complete backup created every time a user backs up their iOS device?

First backup is a complete backup.
Subsequent backups contain only files that were modified.

54

Number of File Backup Domain Categories in iOS

12.

55

What domain is the Addressbook database in iOS?

HomeDomain.

56

What do you need to know in order to extract an iCloud backup?

Apple ID and password.

57

2 Timestamps on iPhone?

Unix.
MAC.

58

Unix Time on iOS

Unix timestamps are the number of seconds offset from the Unix epoch, which starts on January 1, 1970.

59

MAC Time on iOS

Mac absolute time is the number of seconds offset from an epoch that starts on January 1, 2001.

60

SQLite Database File Extensions

.db, .sqlitedb, or no extension.

61

Important Database Files in iOS

Addressbook/Addressbook Images.
Call History.
SMS Messages/SMS Spotlight.
Calendar Events.
Emails.
Photos Metadata.
GPS.
Voicemail/Voicemail Directory.
Notes.
Safari bookmarks/Safari web cache.
Web application cache.

62

Important plist Domain Files in iOS

HomeDomain plist files.
RootDomain plist files.
WirelessDomain plist files.
SystemPreferences plist files.

63

What information is in the WirelessDomain file?

WirelessDomain plist files contain useful information about the SIM card last used in the device.

64

Other important files in iOS?

Cookies.
Keyboard cache.
Photos/wallpaper/snapshots.
Recordings.
Downloaded applications.

65

Can deleted SQLite databases be recovered?

Yes, SQLite databases store the deleted records within the database itself.

66

Elcomsoft iOS Forensic Toolkit Features

Supported on both Mac OS X and Windows.
Physical and logical extractions.
Password recovery attacks.
Extract device keys to decrypt raw disk image and keychain items.
Logs and records every step of investigation.

67

Elcomsoft iOS Forensic Toolkit Downsides

Does not provide options to analyze acquired data or recover the deleted data.
Supports most iOS devices, but some must be jailbroken.
Does not support all iOS devices.

68

Oxygen Features

Allows fully automated forensic acquisition and analysis.
Supports a lot of devices.
Can recover deleted data from databases.
Import a backup/image file obtained using a different tool for analysis.
Password recovery from keychain.
Timeline.

69

Oxygen Downsides

Windows only.
Does not support physical acquisitions.
Some logical acquisitions require the device to be jailbroken.

70

Cellebrite Features

Supports physical, logical, and file system acquisitions.
Extracts device keys required to decrypt raw disk images and keychain items.
Reveals device passwords if possible.
Supports passcode recovery attacks.
Advanced analysis and decoding of extracted application data.

71

Which tools run on Windows?

Forensic Toolkit.
Oxygen.
Cellebrite.

72

Which tools run on Mac OS X?

Forensic Toolkit.

73

Disadvantages of Open Source Tools

They often do not go through rigorous testing and validation, and may miss data that could be manually extracted by the examiner.