# Mobile Forensics

iOS/Android forensics, data extraction, evidence collection, and analysis.
## Overview

Mobile forensics is the forensically sound acquisition, preservation, and analysis of evidence from mobile devices (phones, tablets) and their backups.
## Extraction Types

| Type | Method | Data recovered |
|---|---|---|
| Manual | User interaction | Limited |
| Logical | Backup extraction | Moderate |
| File system | Root access | Extensive |
| Physical | Chip-off | Complete |
## Tools

| Tool | Platform | Extraction type |
|---|---|---|
| Cellebrite UFED | Both | Physical |
| GrayKey | iOS | Physical |
| Autopsy | Both | Logical |
| Magnet AXIOM | Both | All |
## Android Forensics

```bash
# Logical extraction via ADB backup. The device must be unlocked and the user
# must confirm the backup on screen; only apps that permit backup
# (android:allowBackup) are included, and adb backup is deprecated in recent
# Android releases, so expect gaps.
adb backup -apk -shared -all -f backup.ab

# Convert the .ab container to a tar archive with Android Backup Extractor
# (abe.jar); append the backup password as a final argument if one was set.
java -jar abe.jar unpack backup.ab backup.tar

# Unpack and browse per-app data (replace com.package with the package name)
tar -xf backup.tar
ls -la apps/com.package/
```
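To show what abe.jar's `unpack` step actually does, here is an added example (not code from the original page or from the Android Backup Extractor project) that parses the `.ab` container directly in Python: it validates the magic, reads the version / compression / encryption header lines, inflates the zlib payload, and lists the tar members. Encrypted (AES-256) backups are refused rather than silently mis-parsed, since unpacking them needs the user's password. The sample backup is constructed in-memory; the package name `com.example.app` and the file contents are assumptions for the demo.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"
# Constructed sample content for the demo backup (not from a real device)
SAMPLE_PREFS = b'<map><string name="token">demo</string></map>'


class BackupFormatError(ValueError):
    """Raised when the .ab file is malformed or cannot be unpacked as-is."""


def parse_ab(data):
    """Parse an adb backup (.ab) image.

    Layout: magic line, then three ASCII lines (format version, '1' if the
    payload is zlib-compressed, encryption algorithm 'none' or 'AES-256'),
    followed by the payload, which is a tar archive once decompressed.
    Returns (header_dict, tar_bytes). Encrypted backups are refused because
    unpacking them needs the backup password and a key-derivation step.
    """
    if not data.startswith(MAGIC):
        raise BackupFormatError("bad magic: not an Android backup file")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise BackupFormatError("truncated header")
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    header = {
        "version": int(fields[0]),
        "compressed": fields[1] == "1",
        "encryption": fields[2],
    }
    if header["encryption"] != "none":
        raise BackupFormatError(
            f"encrypted backup ({header['encryption']}): password required"
        )
    payload = data[pos:]
    tar_bytes = zlib.decompress(payload) if header["compressed"] else payload
    return header, tar_bytes


def list_entries(tar_bytes):
    """Return (name, size) for every member of the unpacked tar stream."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


def build_sample_ab(compressed=True):
    """Constructed: a minimal .ab holding one app's shared_prefs file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(SAMPLE_PREFS)
        tf.addfile(info, io.BytesIO(SAMPLE_PREFS))
    tar_bytes = buf.getvalue()
    payload = zlib.compress(tar_bytes) if compressed else tar_bytes
    flag = b"1\n" if compressed else b"0\n"
    return MAGIC + b"5\n" + flag + b"none\n" + payload


if __name__ == "__main__":
    header, tar_bytes = parse_ab(build_sample_ab())
    print(header)
    for name, size in list_entries(tar_bytes):
        print(f"{size:8d}  {name}")
```

On a real `backup.ab`, pass the file's bytes to `parse_ab` and write `tar_bytes` to disk; the member names follow the `apps/<package>/...` layout the `ls` command above browses.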
## iOS Forensics

```cmd
:: iTunes backup location (Windows, iTunes installed from Apple's site; the
:: Microsoft Store build uses %USERPROFILE%\Apple\MobileSync\Backup instead).
:: Quotes are needed because of the space in "Apple Computer".
dir "%APPDATA%\Apple Computer\MobileSync\Backup"
```

```bash
# iTunes/Finder backup location (Mac)
ls ~/Library/Application\ Support/MobileSync/Backup/

# Extract keychain entries from the backup. keychain_dumper.py is a placeholder
# for your keychain parsing script; keychain items can only be decrypted
# off-device from an encrypted (password-protected) backup.
python3 keychain_dumper.py
```
## Evidence Locations

### Android

| Path | Contents |
|---|---|
| /data/data/com.package/ | App data |
| /sdcard/DCIM/ | Photos |
| /sdcard/Download/ | Downloads |
| /data/system/users/ | User accounts |

### iOS

| Path | Contents |
|---|---|
| /var/mobile/Containers/Data/Application/ | App data |
| /var/mobile/Media/DCIM/ | Photos |
| /var/mobile/Library/SMS/ | Messages |
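The iOS backup folder located above does not preserve the device paths listed in this table: each file is stored under the hex SHA-1 of `domain + "-" + relativePath`, and the mapping lives in the backup's `Manifest.db` SQLite database (`Files` table). The following added example (not code from the original page or any forensic tool) resolves a device path such as `Library/SMS/sms.db` in `HomeDomain` to its on-disk location and lists every file recorded for a domain. It builds a throwaway backup folder with a two-entry `Manifest.db`, so the domains and paths are constructed demo values. On an encrypted backup, `Manifest.db` itself is encrypted and must be decrypted with the backup password before this lookup works.

```python
import hashlib
import os
import sqlite3
import tempfile


def backup_file_id(domain, relative_path):
    """iTunes/Finder backups store each file under SHA-1(domain + '-' + relativePath)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def resolve_backup_path(backup_dir, domain, relative_path):
    """Look a file up in Manifest.db and return where it sits inside the backup folder."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        row = con.execute(
            "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
            (domain, relative_path),
        ).fetchone()
    finally:
        con.close()
    if row is None:
        raise FileNotFoundError(f"{domain}/{relative_path} is not listed in Manifest.db")
    file_id = row[0]
    # iOS 10+ backups shard files into subfolders named by the first two hex characters
    return os.path.join(backup_dir, file_id[:2], file_id)


def list_domain(backup_dir, domain):
    """Return every relativePath that Manifest.db records for one domain."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        rows = con.execute(
            "SELECT relativePath FROM Files WHERE domain = ? ORDER BY relativePath",
            (domain,),
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def build_sample_backup():
    """Constructed: a throwaway backup folder with a two-entry Manifest.db (no real device data)."""
    backup_dir = tempfile.mkdtemp(prefix="ios-backup-demo-")
    entries = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
    ]
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for domain, rel in entries:
        fid = backup_file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
        os.makedirs(os.path.join(backup_dir, fid[:2]), exist_ok=True)
        with open(os.path.join(backup_dir, fid[:2], fid), "wb") as f:
            f.write(b"placeholder")  # stand-in for the real file contents
    con.commit()
    con.close()
    return backup_dir


if __name__ == "__main__":
    d = build_sample_backup()
    print(resolve_backup_path(d, "HomeDomain", "Library/SMS/sms.db"))
    print(list_domain(d, "CameraRollDomain"))
```

Point `resolve_backup_path` at a real unencrypted backup folder (one of the UDID-named directories under the `MobileSync/Backup` path above) to find `sms.db`, then open the returned file with `sqlite3` to read the `message` and `handle` tables.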
## Analysis Checklist

- [ ] Extract data safely
- [ ] Document chain of custody
- [ ] Analyze app data
- [ ] Review communications
- [ ] Check location data
- [ ] Extract deleted data
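For the "document chain of custody" item, the minimum technical record is a hash manifest of the extraction taken immediately after acquisition, so that later analysis can prove nothing was altered. The added example below (not code from the original page) hashes every file in an extraction tree with SHA-256, writes a JSON manifest, and re-verifies the tree, reporting changed, missing, and added files. The sample extraction is constructed in a temporary directory with made-up file contents.

```python
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """SHA-256 every file under root; keys are forward-slash relative paths."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return dict(sorted(digests.items()))


def write_manifest(root, manifest_path):
    """Record the tree's hashes; keep the manifest outside the tree it describes."""
    manifest = {"root": os.path.basename(root), "algorithm": "sha256", "files": hash_tree(root)}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_tree(root, manifest_path):
    """Compare the tree against the manifest; any non-empty list means the evidence changed."""
    with open(manifest_path) as f:
        recorded = json.load(f)["files"]
    current = hash_tree(root)
    return {
        "changed": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Constructed sample extraction: two files, one altered after the manifest was written."""
    root = tempfile.mkdtemp(prefix="extraction-")
    os.makedirs(os.path.join(root, "apps", "com.example.app", "db"))
    db_path = os.path.join(root, "apps", "com.example.app", "db", "app.db")
    with open(db_path, "wb") as f:
        f.write(b"SQLite format 3\x00demo")
    with open(os.path.join(root, "_manifest"), "wb") as f:
        f.write(b"com.example.app\n")
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="custody-"), "manifest.json")
    write_manifest(root, manifest_path)
    clean = verify_tree(root, manifest_path)
    with open(db_path, "ab") as f:  # simulate a post-acquisition modification
        f.write(b"tampered")
    return clean, verify_tree(root, manifest_path)


if __name__ == "__main__":
    before, after = demo()
    print("fresh extraction:", before)
    print("after modification:", after)
```

In practice the manifest is written right after `tar -xf backup.tar` (or after copying the iOS backup folder), signed or timestamped, and re-run with `verify_tree` before each analysis session.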
## Practice

Extract and analyze data from a mobile device backup.