WEBVTT

1
00:00:00.120 --> 00:00:03.879
<v Speaker 1>Welcome to our deep dive into mobile forensics. You've given

2
00:00:03.919 --> 00:00:08.039
<v Speaker 1>me a stack of material on iOS and Android file systems,

3
00:00:08.279 --> 00:00:12.080
<v Speaker 1>security features, and even how to break into them, all legally.

4
00:00:11.759 --> 00:00:13.720
<v Speaker 2>Of course, right, you want to get a grip on

5
00:00:13.839 --> 00:00:17.440
<v Speaker 2>how mobile forensics works, what data we can actually get back,

6
00:00:17.800 --> 00:00:19.800
<v Speaker 2>the tools and techniques involved, from.

7
00:00:19.679 --> 00:00:22.719
<v Speaker 1>The basics to some seriously advanced stuff. You've even got

8
00:00:22.719 --> 00:00:24.960
<v Speaker 1>reverse engineering apps and malware in here.

9
00:00:25.120 --> 00:00:26.239
<v Speaker 2>Should be a fun ride.

10
00:00:26.480 --> 00:00:28.679
<v Speaker 1>So we've all seen those TV shows where they pulled

11
00:00:28.800 --> 00:00:33.320
<v Speaker 1>data off phones like magic. But real-life mobile forensics,

12
00:00:34.560 --> 00:00:35.960
<v Speaker 1>that's way more complex.

13
00:00:35.640 --> 00:00:38.640
<v Speaker 2>Right. Oh, absolutely. For starters, think about the sheer volume

14
00:00:38.640 --> 00:00:41.240
<v Speaker 2>of devices out there, each one with its own hardware

15
00:00:41.240 --> 00:00:44.000
<v Speaker 2>and software, its own security quirks. Then there's the fact

16
00:00:44.000 --> 00:00:45.880
<v Speaker 2>that technology is constantly.

17
00:00:45.399 --> 00:00:49.399
<v Speaker 1>Evolving, so investigators are always playing catch-up. Always. And.

18
00:00:49.359 --> 00:00:51.719
<v Speaker 2>Then you have the legal side of things, the constant

19
00:00:51.759 --> 00:00:54.799
<v Speaker 2>back and forth between law enforcement and individual privacy rights.

20
00:00:54.920 --> 00:00:57.560
<v Speaker 2>Remember that whole FBI versus Apple encryption battle.

21
00:00:57.679 --> 00:01:03.119
<v Speaker 1>Oh yeah, Apple refused to unlock that terrorist's iPhone. Landmark case.

22
00:01:03.679 --> 00:01:06.920
<v Speaker 1>So how do investigators even approach a device knowing it

23
00:01:06.959 --> 00:01:08.200
<v Speaker 1>could be totally locked down?

24
00:01:08.640 --> 00:01:10.439
<v Speaker 2>Well, the first step is always to figure out what

25
00:01:10.519 --> 00:01:14.040
<v Speaker 2>specific device model you're dealing with. Sounds obvious, but that

26
00:01:14.120 --> 00:01:18.560
<v Speaker 2>dictates what tools and techniques will actually work. iPhones, iPads,

27
00:01:18.840 --> 00:01:22.439
<v Speaker 2>different Android models from every manufacturer imaginable. It's a lot.

28
00:01:22.560 --> 00:01:24.920
<v Speaker 1>Yeah. You've got a whole section in here on iOS.

29
00:01:24.959 --> 00:01:27.400
<v Speaker 1>What makes iPhones so tricky for forensics?

30
00:01:27.799 --> 00:01:32.480
<v Speaker 2>Well, for one, the file systems. Older iPhones used HFS+,

31
00:01:32.719 --> 00:01:35.599
<v Speaker 2>which is complex on its own, but newer ones switched

32
00:01:35.599 --> 00:01:39.840
<v Speaker 2>to APFS, which throws in some curveballs. Like what? Sparse files.

33
00:01:40.079 --> 00:01:42.400
<v Speaker 2>A file can exist but not take up actual storage

34
00:01:42.439 --> 00:01:44.840
<v Speaker 2>space until data is written to it. Imagine trying to

35
00:01:44.879 --> 00:01:47.959
<v Speaker 2>recover a deleted file that technically exists but has no

36
00:01:48.079 --> 00:01:52.000
<v Speaker 2>content yet. It really messes with traditional data recovery methods.

37
00:01:52.079 --> 00:01:54.680
<v Speaker 1>Wow, So even understanding how the data is stored is

38
00:01:54.719 --> 00:01:57.280
<v Speaker 1>a challenge. What about all those security features Apple's always

39
00:01:57.319 --> 00:01:58.239
<v Speaker 1>talking about.

40
00:01:58.319 --> 00:02:03.480
<v Speaker 2>Huge factor. You've got code signing to prevent unauthorized apps, sandboxing,

41
00:02:03.799 --> 00:02:07.040
<v Speaker 2>isolating apps from each other and the system. But the

42
00:02:07.040 --> 00:02:10.919
<v Speaker 2>big one is encryption. The whole file system is encrypted

43
00:02:10.960 --> 00:02:14.000
<v Speaker 2>by default on all modern iPhones.

44
00:02:13.560 --> 00:02:16.319
<v Speaker 1>So even if you get the phone, the data's scrambled.

45
00:02:16.560 --> 00:02:19.120
<v Speaker 1>Makes sense why those chip-off methods are often useless.

46
00:02:19.159 --> 00:02:21.039
<v Speaker 1>It's like breaking into a safe and finding a bunch

47
00:02:21.080 --> 00:02:22.680
<v Speaker 1>of gibberish.

48
00:02:22.039 --> 00:02:26.159
<v Speaker 2>Exactly, and that encryption is tied to the user's.

49
00:02:25.879 --> 00:02:29.240
<v Speaker 1>passcode, adding another layer of difficulty. Exactly.

50
00:02:28.879 --> 00:02:33.280
<v Speaker 2>So investigators have to get creative. Logical acquisition, things like

51
00:02:33.360 --> 00:02:36.919
<v Speaker 2>iTunes backups, is often the go-to method for newer iPhones,

52
00:02:37.599 --> 00:02:39.800
<v Speaker 2>but sometimes they need deeper access, which.

53
00:02:39.639 --> 00:02:42.919
<v Speaker 1>Is where jailbreaking comes in. Risky, but necessary to

54
00:02:42.919 --> 00:02:45.479
<v Speaker 1>get past those security barriers. You've got a whole section

55
00:02:45.560 --> 00:02:48.280
<v Speaker 1>here on jailbreaking tools, which ones work with what

56
00:02:48.400 --> 00:02:50.439
<v Speaker 1>iOS versions. It's like a hacker's playbook.

57
00:02:50.599 --> 00:02:54.039
<v Speaker 2>Jailbreaking is a delicate process for sure, but sometimes

58
00:02:54.039 --> 00:02:56.439
<v Speaker 2>it's the only way to get a full filesystem acquisition

59
00:02:56.560 --> 00:02:59.120
<v Speaker 2>yeah, a complete copy of the device's storage.

60
00:02:59.159 --> 00:03:02.639
<v Speaker 1>So even with iPhones, there's a spectrum of approaches, from

61
00:03:02.879 --> 00:03:08.520
<v Speaker 1>relatively simple backups to pretty intense filesystem dumps. But Android,

62
00:03:08.520 --> 00:03:10.000
<v Speaker 1>I'm guessing that's a whole other beast.

63
00:03:10.280 --> 00:03:14.599
<v Speaker 2>You bet. Android's open nature, the sheer variety of devices,

64
00:03:14.960 --> 00:03:17.719
<v Speaker 2>it makes it both challenging and really fascinating from a

65
00:03:17.719 --> 00:03:19.199
<v Speaker 2>forensic standpoint.

66
00:03:18.800 --> 00:03:22.280
<v Speaker 1>We're back ready to tackle the wild world of Android forensics.

67
00:03:22.479 --> 00:03:25.120
<v Speaker 1>From what I've read, it's a whole different ballgame compared

68
00:03:25.120 --> 00:03:25.719
<v Speaker 1>to iOS.

69
00:03:25.800 --> 00:03:31.000
<v Speaker 2>That's putting it mildly. Massive open-source ecosystem, countless device manufacturers,

70
00:03:31.479 --> 00:03:35.479
<v Speaker 2>and a history of, let's just say, evolving security measures.

71
00:03:35.639 --> 00:03:38.400
<v Speaker 1>So investigators need to be adaptable, to say the least.

72
00:03:38.400 --> 00:03:40.919
<v Speaker 1>But before we jump into techniques, break down the Android

73
00:03:40.960 --> 00:03:43.840
<v Speaker 1>system itself. How is it structured in a way that

74
00:03:43.960 --> 00:03:45.080
<v Speaker 1>matters for forensics?

75
00:03:45.199 --> 00:03:47.800
<v Speaker 2>Okay, so, at its core, Android runs on the Linux

76
00:03:47.840 --> 00:03:51.360
<v Speaker 2>kernel, which handles all the low-level stuff: memory, processes,

77
00:03:51.400 --> 00:03:55.240
<v Speaker 2>some baseline security, but then you start adding layers, libraries

78
00:03:55.280 --> 00:03:58.840
<v Speaker 2>for graphics, databases, the Android Runtime that actually executes

79
00:03:58.879 --> 00:03:59.199
<v Speaker 2>the apps.

80
00:03:59.199 --> 00:04:00.840
<v Speaker 1>It goes on and on, so it's not just a

81
00:04:00.879 --> 00:04:03.919
<v Speaker 1>single thing. Investigators need to know what layer they're even

82
00:04:04.000 --> 00:04:06.159
<v Speaker 1>dealing with to find the data. Precisely.

83
00:04:06.439 --> 00:04:11.039
<v Speaker 2>And don't forget about those filesystems. You might encounter flash memory-based,

84
00:04:11.360 --> 00:04:14.639
<v Speaker 2>media-based, or pseudo file systems, each one with its

85
00:04:14.680 --> 00:04:18.040
<v Speaker 2>own quirks. Fun fact, Android used to rely heavily on

86
00:04:18.040 --> 00:04:22.360
<v Speaker 2>YAFFS2. Okay. But lots of devices have transitioned

87
00:04:22.399 --> 00:04:26.040
<v Speaker 2>over to ext4, and that migration can actually create

88
00:04:26.120 --> 00:04:27.360
<v Speaker 2>challenges for investigators.

89
00:04:27.439 --> 00:04:29.920
<v Speaker 1>Okay, I'm intrigued. Why would switching file systems be a

90
00:04:29.920 --> 00:04:32.360
<v Speaker 1>big deal? Sounds like a technical detail.

91
00:04:32.519 --> 00:04:36.439
<v Speaker 2>It is, but it impacts data recovery. YAFFS2,

92
00:04:36.959 --> 00:04:39.319
<v Speaker 2>it had this thing called out-of-band data, stored

93
00:04:39.360 --> 00:04:42.319
<v Speaker 2>separately from the main file data. If you're not careful

94
00:04:42.399 --> 00:04:45.240
<v Speaker 2>during the acquisition process, you could miss that data entirely.

95
00:04:45.519 --> 00:04:47.600
<v Speaker 1>Oh, so it's like a hidden compartment that could hold

96
00:04:47.680 --> 00:04:50.800
<v Speaker 1>key evidence. Sneaky. But let's talk about the elephant in

97
00:04:50.800 --> 00:04:53.160
<v Speaker 1>the room. Android security. I know it's improved over the years,

98
00:04:53.160 --> 00:04:55.959
<v Speaker 1>but it's also had, well, it's had its share of vulnerabilities.

99
00:04:56.000 --> 00:04:59.000
<v Speaker 2>Definitely. Early versions of Android were pretty easy to crack. Yeah,

100
00:04:59.040 --> 00:05:01.079
<v Speaker 2>but Google has really stepped up their game now. You've

101
00:05:01.120 --> 00:05:04.439
<v Speaker 2>got the secure kernel, permission models that limit what apps

102
00:05:04.439 --> 00:05:07.160
<v Speaker 2>can do, sandboxing to isolate them, and of course full

103
00:05:07.199 --> 00:05:09.000
<v Speaker 2>disk encryption on all modern devices.

104
00:05:09.399 --> 00:05:12.199
<v Speaker 1>So it's a mix of familiar concepts from iOS, but

105
00:05:12.399 --> 00:05:15.920
<v Speaker 1>implemented in a different way. How does Android's approach to

106
00:05:15.959 --> 00:05:18.600
<v Speaker 1>app signing differ from Apple's? You mentioned that earlier.

107
00:05:18.759 --> 00:05:23.079
<v Speaker 2>Yeah, key distinction. Apple's code signing is incredibly strict. Only

108
00:05:23.120 --> 00:05:27.600
<v Speaker 2>apps they vetted can run on iOS devices, period. Android's

109
00:05:27.600 --> 00:05:30.480
<v Speaker 2>a lot more open. Apps need to be signed, but

110
00:05:30.519 --> 00:05:34.560
<v Speaker 2>it's more about verifying the developer's identity and preventing tampering,

111
00:05:35.160 --> 00:05:36.920
<v Speaker 2>not necessarily guaranteeing safety.

112
00:05:37.079 --> 00:05:39.160
<v Speaker 1>So it's like a walled garden versus I don't know,

113
00:05:39.279 --> 00:05:45.079
<v Speaker 1>a bustling marketplace. More freedom, but more potential for shady

114
00:05:45.079 --> 00:05:46.680
<v Speaker 1>stuff to slip through the cracks.

115
00:05:46.759 --> 00:05:48.839
<v Speaker 2>A very apt analogy, and that's where things like

116
00:05:48.879 --> 00:05:53.040
<v Speaker 2>SELinux come in. Security-Enhanced Linux adds another layer of control,

117
00:05:53.319 --> 00:05:57.040
<v Speaker 2>enforcing really strict rules on what processes can access which resources.

118
00:05:57.240 --> 00:06:00.240
<v Speaker 1>So even if an app is compromised, SELinux limits

119
00:06:00.279 --> 00:06:02.600
<v Speaker 1>the damage it can do, like a security guard inside

120
00:06:02.639 --> 00:06:06.399
<v Speaker 1>the system itself. But let's get practical. How do investigators

121
00:06:06.439 --> 00:06:08.680
<v Speaker 1>approach data acquisition on an Android device?

122
00:06:09.079 --> 00:06:12.720
<v Speaker 2>Like with iOS, they've got logical and physical options. Logical

123
00:06:12.839 --> 00:06:15.920
<v Speaker 2>often involves using the Android Debug Bridge or ADB.

124
00:06:16.360 --> 00:06:20.040
<v Speaker 1>Yeah, we talked about setting up that controlled environment for forensics.

125
00:06:20.360 --> 00:06:24.680
<v Speaker 1>So ADB, it's basically like a remote control for Android devices, right?

126
00:06:24.759 --> 00:06:25.759
<v Speaker 1>You got it.

127
00:06:25.759 --> 00:06:29.480
<v Speaker 2>It has commands for creating backups. Think of it like

128
00:06:29.519 --> 00:06:33.720
<v Speaker 2>an iTunes backup, but for Android, pulling specific files, even

129
00:06:33.800 --> 00:06:35.120
<v Speaker 2>accessing the command

130
00:06:34.759 --> 00:06:37.959
<v Speaker 1>line. Handy. But what if you need deeper access when

131
00:06:38.000 --> 00:06:40.480
<v Speaker 1>you're dealing with encryption or deleted data.

132
00:06:41.160 --> 00:06:44.279
<v Speaker 2>Then you might look at physical acquisition. Chip-off, where

133
00:06:44.279 --> 00:06:47.240
<v Speaker 2>you physically remove the memory chip. Right, it's an option,

134
00:06:47.319 --> 00:06:50.920
<v Speaker 2>but it's destructive, it's risky. Then there's JTAG, a

135
00:06:50.959 --> 00:06:54.560
<v Speaker 2>hardware interface that can sometimes access the memory without removing

136
00:06:54.600 --> 00:06:55.000
<v Speaker 2>the chip.

137
00:06:55.160 --> 00:06:57.439
<v Speaker 1>So again a range of techniques depending on the situation.

138
00:06:57.519 --> 00:07:00.240
<v Speaker 1>But all this data acquisition is useless if you can't

139
00:07:00.279 --> 00:07:01.399
<v Speaker 1>get past that lock screen.

140
00:07:01.600 --> 00:07:05.839
<v Speaker 2>Very true. Android lock screens, they're a constant battleground. Techniques

141
00:07:05.879 --> 00:07:10.040
<v Speaker 2>that exploit vulnerabilities, social engineering tricks. You can even try

142
00:07:10.040 --> 00:07:13.720
<v Speaker 2>to reset the password remotely using Google's Find My Device.

143
00:07:13.480 --> 00:07:16.879
<v Speaker 1>So it gets pretty creative, but brute-force attacks, just

144
00:07:16.920 --> 00:07:19.759
<v Speaker 1>trying every combination, that can't be practical most of the time.

145
00:07:19.839 --> 00:07:23.759
<v Speaker 2>Right. No, not really. Lockout mechanisms, the sheer length and

146
00:07:23.759 --> 00:07:26.839
<v Speaker 2>complexity of passcodes these days, it all adds up,

147
00:07:27.279 --> 00:07:30.959
<v Speaker 2>and then you've got the classic smudge attack, analyzing fingerprints

148
00:07:31.040 --> 00:07:33.199
<v Speaker 2>left on the screen to guess the unlock pattern, though

149
00:07:33.199 --> 00:07:34.879
<v Speaker 2>that's more effective on older devices.

150
00:07:35.079 --> 00:07:38.079
<v Speaker 1>Speaking of older devices, I remember reading that rooting is

151
00:07:38.160 --> 00:07:41.800
<v Speaker 1>often necessary for in-depth Android forensics, but it's not

152
00:07:41.920 --> 00:07:43.079
<v Speaker 1>without its risks, right?

153
00:07:43.279 --> 00:07:47.639
<v Speaker 2>Absolutely, rooting gives you superuser privileges, complete control over

154
00:07:47.680 --> 00:07:50.920
<v Speaker 2>the device. It's essential for accessing certain data, like the

155
00:07:51.000 --> 00:07:54.879
<v Speaker 2>/data/data folder where apps store sensitive information. But you

156
00:07:54.920 --> 00:07:57.160
<v Speaker 2>can also break the device if you're not careful, and

157
00:07:57.199 --> 00:07:58.680
<v Speaker 2>it definitely voids the warranty.

158
00:07:58.839 --> 00:08:01.480
<v Speaker 1>So investigators need to weigh the risks and benefits there.

159
00:08:01.519 --> 00:08:04.240
<v Speaker 1>But let's say they successfully acquire the data, how do

160
00:08:04.319 --> 00:08:07.480
<v Speaker 1>they even navigate the Android file hierarchy? Is it anything

161
00:08:07.560 --> 00:08:08.680
<v Speaker 1>like iOS? Oh?

162
00:08:08.680 --> 00:08:11.839
<v Speaker 2>It's more complex. You've got various directories like /data for

163
00:08:12.000 --> 00:08:15.079
<v Speaker 2>user and app data, /sdcard for external storage,

164
00:08:15.240 --> 00:08:17.920
<v Speaker 2>/system for the operating system itself. Knowing where to

165
00:08:17.959 --> 00:08:19.360
<v Speaker 2>look is crucial.

166
00:08:19.279 --> 00:08:23.000
<v Speaker 1>And every manufacturer might tweak things a bit, adding another

167
00:08:23.079 --> 00:08:25.839
<v Speaker 1>layer of complexity. It's like trying to find a needle

168
00:08:25.839 --> 00:08:28.000
<v Speaker 1>in a haystack that keeps changing shape.

169
00:08:28.360 --> 00:08:30.439
<v Speaker 2>A very colorful way to put it. But that's what

170
00:08:30.560 --> 00:08:35.159
<v Speaker 2>makes Android forensics so challenging and so rewarding. There's always

171
00:08:35.200 --> 00:08:38.759
<v Speaker 2>something new to learn. Each case presents its own unique

172
00:08:38.759 --> 00:08:39.679
<v Speaker 2>puzzles to solve.

173
00:08:40.240 --> 00:08:45.080
<v Speaker 1>So we've covered the giants iOS Android, but you've also

174
00:08:45.120 --> 00:08:49.919
<v Speaker 1>got some material in here on, well, an underdog: Windows Phone.

175
00:08:50.000 --> 00:08:51.559
<v Speaker 1>I haven't thought about those in years.

176
00:08:51.720 --> 00:08:54.279
<v Speaker 2>Yeah, it's true. Windows Phone never really gained the same

177
00:08:54.320 --> 00:08:57.399
<v Speaker 2>traction as iOS or Android, but they're still out there,

178
00:08:57.559 --> 00:09:00.759
<v Speaker 2>and for an investigator encountering a less common device, that

179
00:09:00.799 --> 00:09:02.039
<v Speaker 2>could be a real curveball.

180
00:09:02.279 --> 00:09:04.519
<v Speaker 1>Let's dust off the history books for a second. Remind

181
00:09:04.559 --> 00:09:06.039
<v Speaker 1>me what was the whole deal with Windows Phone? What

182
00:09:06.039 --> 00:09:07.039
<v Speaker 1>were they even trying to do?

183
00:09:07.200 --> 00:09:09.879
<v Speaker 2>Well, Microsoft was trying to carve out their own space

184
00:09:10.039 --> 00:09:13.879
<v Speaker 2>in the smartphone market. They went with a very bold

185
00:09:14.000 --> 00:09:15.799
<v Speaker 2>visual approach, one of those colorful tiles.

186
00:09:15.840 --> 00:09:18.840
<v Speaker 1>Oh yeah, those Live Tiles, constantly updating with information. So

187
00:09:18.960 --> 00:09:21.639
<v Speaker 1>from a forensic standpoint, what set Windows Phone apart?

188
00:09:21.960 --> 00:09:24.279
<v Speaker 2>Well, it had its own unique set of features and quirks,

189
00:09:24.320 --> 00:09:27.519
<v Speaker 2>just like any OS. They had this concept called chambers

190
00:09:27.759 --> 00:09:32.240
<v Speaker 2>for isolation, similar to sandboxing, but with its own twist.

191
00:09:32.720 --> 00:09:35.360
<v Speaker 2>And of course encryption was a factor in later versions,

192
00:09:35.440 --> 00:09:36.879
<v Speaker 2>just like with iOS and Android.

193
00:09:37.000 --> 00:09:39.799
<v Speaker 1>So even though it wasn't as popular, Windows Phone still

194
00:09:39.840 --> 00:09:43.720
<v Speaker 1>had security measures in place. Anything particularly interesting or different

195
00:09:43.720 --> 00:09:45.159
<v Speaker 1>about its security.

196
00:09:44.720 --> 00:09:47.960
<v Speaker 2>Well, one standout feature was the capability-based security model,

197
00:09:48.559 --> 00:09:52.519
<v Speaker 2>similar to Android's permissions, but even more granular. Apps could

198
00:09:52.559 --> 00:09:55.000
<v Speaker 2>only do what they were explicitly allowed to do. It

199
00:09:55.000 --> 00:09:56.799
<v Speaker 2>was a pretty robust approach.

200
00:09:57.000 --> 00:09:59.480
<v Speaker 1>So it's not just about knowing how to get data

201
00:09:59.559 --> 00:10:02.720
<v Speaker 1>off a Windows Phone. Investigators need to understand those

202
00:10:02.840 --> 00:10:05.360
<v Speaker 1>nuances of its architecture and security to even know what

203
00:10:05.360 --> 00:10:07.200
<v Speaker 1>they're looking for, how to access it.

204
00:10:07.240 --> 00:10:09.799
<v Speaker 2>Exactly, And like with the other platforms, there's a range

205
00:10:09.799 --> 00:10:13.480
<v Speaker 2>of acquisition methods, logical options, but tool support is often

206
00:10:13.480 --> 00:10:16.679
<v Speaker 2>more limited just because of Windows Phone's smaller market share.

207
00:10:16.559 --> 00:10:19.879
<v Speaker 1>Makes sense, fewer devices, fewer developers making tools for them.

208
00:10:20.200 --> 00:10:23.600
<v Speaker 1>Are there any go-to tools for Windows Phone, even

209
00:10:23.639 --> 00:10:24.840
<v Speaker 1>if the options are limited.

210
00:10:25.159 --> 00:10:29.720
<v Speaker 2>Cellebrite UFED, a popular commercial suite, offers some support, but

211
00:10:29.799 --> 00:10:33.840
<v Speaker 2>there's also a free tool called WPinternals that has gained

212
00:10:33.879 --> 00:10:37.559
<v Speaker 2>some traction. It lets you extract data without needing that expensive

213
00:10:37.559 --> 00:10:38.600
<v Speaker 2>commercial software.

214
00:10:38.720 --> 00:10:41.879
<v Speaker 1>So there are ways to DIY it. Good to know. But

215
00:10:41.960 --> 00:10:44.200
<v Speaker 1>once you've got the data, how do you navigate the

216
00:10:44.240 --> 00:10:47.200
<v Speaker 1>Windows Phone filesystem? Is it anything like what we've seen

217
00:10:47.279 --> 00:10:48.639
<v Speaker 1>with iOS and Android.

218
00:10:48.960 --> 00:10:52.559
<v Speaker 2>It's actually closer to NTFS, the filesystem used in Windows

219
00:10:52.600 --> 00:10:56.279
<v Speaker 2>desktop PCs, but it's optimized for mobile, so some of

220
00:10:56.279 --> 00:10:59.720
<v Speaker 2>that knowledge transfers over. But there are unique directories and

221
00:10:59.720 --> 00:11:00.919
<v Speaker 2>file formats

222
00:11:00.559 --> 00:11:03.919
<v Speaker 1>to learn. Familiar, but with a mobile twist. Any specific

223
00:11:04.039 --> 00:11:07.759
<v Speaker 1>files or directories that investigators should prioritize when they're looking

224
00:11:07.799 --> 00:11:09.559
<v Speaker 1>for evidence on a Windows

225
00:11:09.120 --> 00:11:12.519
<v Speaker 2>Phone. Absolutely. The data directory is key. It holds user data,

226
00:11:12.600 --> 00:11:16.120
<v Speaker 2>app data, system settings, and then you've got applications. Pretty

227
00:11:16.120 --> 00:11:18.440
<v Speaker 2>self-explanatory. Those are the usual starting points, and.

228
00:11:18.440 --> 00:11:21.120
<v Speaker 1>No Windows system would be complete without a registry, right,

229
00:11:21.360 --> 00:11:23.799
<v Speaker 1>I'm guessing that's a treasure trove of information, just like

230
00:11:23.840 --> 00:11:24.279
<v Speaker 1>on a PC.

231
00:11:24.679 --> 00:11:27.440
<v Speaker 2>Oh, you know it. The registry is a gold mine for

232
00:11:27.519 --> 00:11:31.200
<v Speaker 2>configuration settings, all sorts of clues, and of course investigators

233
00:11:31.200 --> 00:11:35.360
<v Speaker 2>are always on the lookout for those specific artifacts: contacts, messages,

234
00:11:35.440 --> 00:11:38.559
<v Speaker 2>call logs, browsing history, all that good stuff.

235
00:11:38.600 --> 00:11:40.919
<v Speaker 1>So even though Windows Phone might seem like a blast

236
00:11:40.919 --> 00:11:44.639
<v Speaker 1>from the past, the fundamentals of mobile forensics still apply.

237
00:11:45.200 --> 00:11:47.879
<v Speaker 1>You need to understand the system, know where to look,

238
00:11:48.279 --> 00:11:50.960
<v Speaker 1>use the right tools to get that data and analyze it.

239
00:11:51.200 --> 00:11:54.679
<v Speaker 2>That's the beauty of it. The specifics change, but the

240
00:11:54.720 --> 00:11:57.840
<v Speaker 2>core principles they stay the same. It's all about piecing

241
00:11:57.879 --> 00:12:01.120
<v Speaker 2>together that digital puzzle no matter what device you're dealing with.

242
00:12:01.399 --> 00:12:05.120
<v Speaker 1>This has been a really incredible deep dive into mobile forensics,

243
00:12:05.159 --> 00:12:09.799
<v Speaker 1>from iPhones to Androids to those forgotten Windows phones. You've

244
00:12:09.799 --> 00:12:12.320
<v Speaker 1>really shown the challenges, the possibilities, all of it.

245
00:12:12.320 --> 00:12:15.200
<v Speaker 2>It's been my pleasure and remember with every new device,

246
00:12:15.399 --> 00:12:19.120
<v Speaker 2>every new technology, the field of mobile forensics keeps evolving.

247
00:12:19.440 --> 00:12:21.799
<v Speaker 1>That's a great point to end on. Thanks for joining us,

248
00:12:21.799 --> 00:12:23.879
<v Speaker 1>and we'll see you next time for another deep dive.
