WEBVTT 1 00:00:00.160 --> 00:00:03.040 Welcome to the deep dive. You've asked us to get 2 00:00:03.040 --> 00:00:06.919 into the weeds on mobile device forensics using Chuck Eastams 3 00:00:07.080 --> 00:00:10.640 and in depth guide to Mobile device forensics as our map. 4 00:00:10.800 --> 00:00:12.679 Yeah, it's quite a detailed guide. 5 00:00:12.759 --> 00:00:16.679 Our goal today to really pull out the key stuff, 6 00:00:16.719 --> 00:00:19.320 how these devices get examined, what secrets they hold, and 7 00:00:19.359 --> 00:00:20.719 give you a solid handle on. 8 00:00:20.719 --> 00:00:23.960 It all exactly. The source covers a lot, from the 9 00:00:24.079 --> 00:00:28.359 nitty gritty of wireless tech and hardware to specific forensic 10 00:00:28.440 --> 00:00:32.159 methods for iOS and Android, even advance things like JTAG, 11 00:00:32.320 --> 00:00:36.159 chip off data analysis, and crucially the legal side. 12 00:00:36.359 --> 00:00:38.840 Right. So the mission for you, our listener, is to 13 00:00:38.920 --> 00:00:41.280 walk away with a good grasp of the core ideas 14 00:00:41.320 --> 00:00:43.840 and steps in mobile forensics. Think of it as getting 15 00:00:43.880 --> 00:00:46.119 you up to speed without having to wade through well 16 00:00:46.159 --> 00:00:47.039 everything yourself. 17 00:00:47.240 --> 00:00:49.359 Makes sense. It's a complex field, definitely. 18 00:00:49.679 --> 00:00:51.960 So let's kick things off with how these devices actually 19 00:00:52.000 --> 00:00:54.079 talk to each other wirelessly? The basics. 20 00:00:54.159 --> 00:00:57.520 Okay, so the book lays the groundwork with wireless technology, 21 00:00:57.719 --> 00:00:59.679 makes sense, right, It's how they connect. It starts with 22 00:00:59.679 --> 00:01:03.799 electro magnetic waves. Talks about frequency, wavelength and that inverse 23 00:01:03.840 --> 00:01:04.920 relationship they have. Right. 24 00:01:04.959 --> 00:01:06.959 One goes up the other goes down, but the speedy 25 00:01:07.040 --> 00:01:09.120 speed of light stays constant. 26 00:01:08.799 --> 00:01:13.599 Exactly, and frequency measured in hurts, you know, cycles per second. 27 00:01:13.719 --> 00:01:17.120 We usually see killohertz, memohrts, gearherts, bigger. 28 00:01:16.879 --> 00:01:19.319 Numbers like Wi Fi that's often two point four or 29 00:01:19.359 --> 00:01:21.079 five gigaherts, isn't it precisely? 30 00:01:21.239 --> 00:01:24.280 Those are the carrier waves and the actual data that 31 00:01:24.319 --> 00:01:27.760 gets put onto the carrier using modulation. AM and FM 32 00:01:27.799 --> 00:01:30.879 are basic examples the book gives, but modern stuff is 33 00:01:30.959 --> 00:01:31.719 way more complex. 34 00:01:31.799 --> 00:01:34.519 Okay, so radio waves are key. How do they fit 35 00:01:34.640 --> 00:01:35.959 into the tech landscape? 36 00:01:36.000 --> 00:01:39.519 Well, they're fundamental for lots of wireless tech Wi Fi obviously, 37 00:01:39.519 --> 00:01:42.840 those eight or two point one one standards in Bluetooth 38 00:01:43.200 --> 00:01:46.920 often around two point four gigaherts too, devices talk without 39 00:01:46.959 --> 00:01:47.840 plugging things in. 40 00:01:48.079 --> 00:01:51.319 Now, the book mentions some ways signals are transmitted. Spread 41 00:01:51.359 --> 00:01:54.239 spectrum techniques. Sounded a bit technical, Yeah. 42 00:01:54.079 --> 00:01:55.799 It gets into that. They are clever ways to make 43 00:01:55.799 --> 00:01:58.879 the signal more secure or reliable by spreading it out. Okay, 44 00:01:59.040 --> 00:02:03.359 just frequency hopping FHSS jumps between frequencies harder to catch. 45 00:02:03.560 --> 00:02:07.920 Direct sequence DSSs spreads the signal wider to resist interference. 46 00:02:08.400 --> 00:02:13.400 Then CHIRP, spread spectrum CSS, and time hobbing THHSS, varying 47 00:02:13.439 --> 00:02:16.080 frequency over time or transmitting. 48 00:02:15.520 --> 00:02:19.439 In bursts, different strategies for robustness. Got it? So, with 49 00:02:19.520 --> 00:02:22.840 everyone on their phones, how do cellular networks handle all 50 00:02:22.840 --> 00:02:23.520 that traffic? 51 00:02:23.960 --> 00:02:27.639 Multiple access techniques, that's the key. FDMA gives everyone their 52 00:02:27.639 --> 00:02:30.840 own frequency channel. TDMA slices up time, gives everyone a slot. 53 00:02:31.479 --> 00:02:34.520 CDMA is interesting, uses unique codes so lots of people 54 00:02:34.560 --> 00:02:37.560 can share the same frequency. And QDMA that's more for 55 00:02:37.639 --> 00:02:38.439 short range. 56 00:02:38.199 --> 00:02:40.800 Stuff, dividing up the airwaves efficiently. And this tech has 57 00:02:40.840 --> 00:02:42.599 really evolved, hasn't it massively? 58 00:02:42.680 --> 00:02:46.719 The book maps it out GSM than adge the bridge 59 00:02:46.759 --> 00:02:50.039 to three G, than umts LTE and now well five 60 00:02:50.080 --> 00:02:52.520 G each generation faster, better capacity. 61 00:02:52.599 --> 00:02:55.000 Five g's the big one. Now anything specific about its 62 00:02:55.039 --> 00:02:56.080 wireless side we should note? 63 00:02:56.199 --> 00:02:58.319 Yeah, The big thing is a huge range of frequencies 64 00:02:58.319 --> 00:03:00.960 it uses. The book lists example like N seventy one 65 00:03:01.120 --> 00:03:03.879 down at six hunderdguards and N seventy seven way up 66 00:03:03.960 --> 00:03:05.039 round three to four getter hurts. 67 00:03:05.080 --> 00:03:06.159 Wow, quite a spread. 68 00:03:06.360 --> 00:03:09.479 It allows for much more data, lower latency. From a 69 00:03:09.520 --> 00:03:12.919 forensics view, maybe more data, different kinds of data could 70 00:03:12.960 --> 00:03:13.560 be recoverable. 71 00:03:13.639 --> 00:03:16.039 Makes sense, and Wi Fi standards keep evolving too. 72 00:03:16.319 --> 00:03:19.319 Oh yeah, beyond the common ones like GNN. You've got 73 00:03:19.360 --> 00:03:22.960 ad for super fast speeds AFT using old TV channels. 74 00:03:23.000 --> 00:03:26.840 That's the one, and now Wi Fi six acts and 75 00:03:26.879 --> 00:03:30.479 even Wi Fi seven are coming along. Channel bonding is 76 00:03:30.520 --> 00:03:32.560 a key trick there, combining channels. 77 00:03:32.159 --> 00:03:34.840 For more speed and security is always a concern with. 78 00:03:34.840 --> 00:03:37.840 Wireless, absolutely critical. The book runs through Wi Fi security. 79 00:03:38.280 --> 00:03:42.759 WEP totally broken, now avoid it definitely, Then WPA, WPA 80 00:03:42.840 --> 00:03:46.960 two and now WPA three, each getting stronger. Finding WEP 81 00:03:47.120 --> 00:03:49.280 on a device, big red flag for security. 82 00:03:49.319 --> 00:03:52.080 Good point. Okay, solid wireless foundation. Let's get inside the 83 00:03:52.120 --> 00:03:53.639 device itself, the hardware. 84 00:03:53.400 --> 00:03:57.520 Right, The physical bits. Antennas are fundamental. You've got omnidirectional 85 00:03:57.560 --> 00:04:01.039 sending signals everywhere, and directional which focus the signal. Okay, 86 00:04:01.120 --> 00:04:04.840 Key things are the radiation pattern, directivity, how focused it is, 87 00:04:04.879 --> 00:04:06.800 gain which is like signal. 88 00:04:06.520 --> 00:04:09.919 Amplification measured in DBI or dbd exactly. 89 00:04:09.479 --> 00:04:13.080 An efficiency, how well it converts power into radio waves, and. 90 00:04:12.960 --> 00:04:15.400 The area around the antenna matters to different zones. 91 00:04:15.520 --> 00:04:18.360 Correct, there's the reactive near field right next to it 92 00:04:18.600 --> 00:04:21.959 than the radiating near field or personal reason. And finally 93 00:04:21.959 --> 00:04:23.800 the far field the Fraunhoffer region. 94 00:04:23.879 --> 00:04:26.959 And out there in the far field, the signal drops 95 00:04:26.959 --> 00:04:27.519 off quickly. 96 00:04:27.800 --> 00:04:31.519 Yeah, follows the inverse square law. Power decreases significantly with. 97 00:04:31.519 --> 00:04:34.839 Distance, and even with nothing blocking, you lose signal strength 98 00:04:34.959 --> 00:04:36.120 just traveling through air. 99 00:04:36.040 --> 00:04:39.199 That's free space. Path loss gets worse with distance and 100 00:04:39.240 --> 00:04:42.639 also with higher frequencies. The book gives a simplified formula 101 00:04:42.759 --> 00:04:46.079 and mentions the freeze formula, which is more complete considering 102 00:04:46.120 --> 00:04:46.959 antenna games. 103 00:04:47.199 --> 00:04:52.360 Okay. Now inside translating digital to analog signals, the DSP. 104 00:04:52.199 --> 00:04:55.519 The digital signal processor yeh, yep, crucial role. It converts 105 00:04:55.560 --> 00:04:58.839 the phone's digital data into analog signals for transmission and 106 00:04:58.920 --> 00:05:03.439 vice versa for recep uses math like the discrete cosine transform, 107 00:05:03.879 --> 00:05:05.959 and importantly the Fourier transform. 108 00:05:06.079 --> 00:05:08.759 Ah four, You transform always sounds complex? Can you break 109 00:05:08.759 --> 00:05:09.439 it down simply? 110 00:05:09.759 --> 00:05:12.800 Sure? Think of a complex sound like a musical chord. 111 00:05:12.959 --> 00:05:15.879 The Fourier transform is like a prism for sound. It 112 00:05:15.920 --> 00:05:19.079 takes that complex wave and shows you all the individual notes, 113 00:05:19.120 --> 00:05:21.519 the frequencies that make it up, and how strong each 114 00:05:21.519 --> 00:05:21.879 one is. 115 00:05:22.000 --> 00:05:24.399 Okay. That helps, like decomposing it exactly. 116 00:05:24.680 --> 00:05:28.279 It decomposes a signal over time into its frequency components. 117 00:05:28.959 --> 00:05:31.680 The math uses integrals, which you can kind of think 118 00:05:31.720 --> 00:05:34.399 of as finding the area under the curve to figure 119 00:05:34.399 --> 00:05:35.720 out the strength of each frequency. 120 00:05:35.800 --> 00:05:38.480 Got it. Another key piece the SIM card more than 121 00:05:38.560 --> 00:05:39.120 just the phone. 122 00:05:39.000 --> 00:05:43.639 Number, right, Oh, absolutely, the Subscriber Identity module. SIM stores 123 00:05:43.680 --> 00:05:46.399 your MSI, the unique subscriber ID for. 124 00:05:46.360 --> 00:05:49.399 The network International Mobile Subscriber identity right. 125 00:05:49.240 --> 00:05:53.519 Plus the ICCID that's the simzone serial number, security keys, 126 00:05:53.600 --> 00:05:57.360 network info, pimpekey K codes. It's all on there, way 127 00:05:57.399 --> 00:05:58.959 more advanced than the old NAM systems. 128 00:05:59.079 --> 00:06:02.000 And these cards have specific contacts and standards. 129 00:06:02.160 --> 00:06:05.360 Yep, those little gold contacts. They handle power clock data 130 00:06:05.439 --> 00:06:08.199 in out. It all follows isoie C seven eight seventy 131 00:06:08.199 --> 00:06:08.920 two standards. 132 00:06:09.040 --> 00:06:10.199 What other info is stored? 133 00:06:10.399 --> 00:06:14.000 Well, the IMSI itself contains the MCC and MNC country 134 00:06:14.040 --> 00:06:17.920 and network codes. There's the LAI locationary identity with the 135 00:06:18.040 --> 00:06:21.600 LAC code. And they've shrunk over time, full size mini 136 00:06:21.959 --> 00:06:25.959 micro nano, iPhone five use nano and we have e. 137 00:06:26.040 --> 00:06:28.279 Sims too, embedded sims right, And. 138 00:06:28.199 --> 00:06:32.600 They have a simple file system master file MF, directory files, DF, 139 00:06:32.879 --> 00:06:35.399 elementary files EF for the actual data. 140 00:06:35.439 --> 00:06:38.480 Amazing what's packed into that tiny chip. Then there's a CPU, the. 141 00:06:38.439 --> 00:06:41.160 Central processing unit yep, the book calls it the brains, 142 00:06:41.240 --> 00:06:45.399 which is pretty accurate, executes all the instructions, runs the OS, apps, 143 00:06:45.560 --> 00:06:46.720 controls everything. 144 00:06:46.399 --> 00:06:50.160 And radios are getting smarter too. Software defined Radio SDR. 145 00:06:50.319 --> 00:06:51.959 Yeah, SDR is interesting. It means a lot of the 146 00:06:52.079 --> 00:06:56.160 radio functions like tuning, filtering, modulation are done in software 147 00:06:56.199 --> 00:06:57.199 instead of fixed hardware. 148 00:06:57.279 --> 00:06:57.920 More flexible. 149 00:06:57.959 --> 00:07:00.560 Exactly, you need an RF front end, fast and a 150 00:07:00.560 --> 00:07:03.480 good processor, but you can change what the radio does 151 00:07:03.560 --> 00:07:06.560 just by updating the software sports different standards more easily. 152 00:07:06.639 --> 00:07:09.040 Very cool now. The book also mentioned things used to 153 00:07:09.040 --> 00:07:12.759 disrupt or monitor signals, jammers and MSI catchers. 154 00:07:13.079 --> 00:07:17.519 Right, jammers illegally block signals. IMSI catchers try to grab 155 00:07:17.560 --> 00:07:21.040 phone identifiers often used for surveillance, important to be aware 156 00:07:21.079 --> 00:07:21.800 of in forensics. 157 00:07:21.839 --> 00:07:25.360 Definitely highlights the dual nature of the tech. Okay, hardware covered, 158 00:07:25.639 --> 00:07:28.319 let's shift to the software running the show. iOS and 159 00:07:28.319 --> 00:07:29.480 Android makes sense. 160 00:07:29.959 --> 00:07:34.240 Chapter three dives into iOS. Huge deal in forensics because well, 161 00:07:34.319 --> 00:07:37.720 iPhones are everywhere. Sure, big folks on the filesystem APFS 162 00:07:37.720 --> 00:07:41.920 Apple filesystem replace the older HFS plus around iOS ten 163 00:07:42.000 --> 00:07:46.240 point three. Key features are strong encryption, snapshots, fifty four 164 00:07:46.240 --> 00:07:51.279 bit file IDs, checksums for data integrity, really robust. 165 00:07:50.920 --> 00:07:53.240 And iOS has that layered structure. 166 00:07:52.920 --> 00:07:55.759 YEP four main layers, core OS at the bottom, core 167 00:07:55.839 --> 00:07:59.079 services media, and Coco touch for the user interface. Gestures 168 00:07:59.079 --> 00:08:02.199 all that. The book also flax security updates in iOS fourteen, 169 00:08:02.279 --> 00:08:04.439 like those little dots showing caarenramic. 170 00:08:04.000 --> 00:08:06.560 Use ah yeah, the recording indicators. 171 00:08:06.079 --> 00:08:08.759 Random Wi Fi Mac addresses, and something called blast or 172 00:08:08.800 --> 00:08:10.879 to sandbox I message data more secure. 173 00:08:11.079 --> 00:08:13.000 Saw a mention of three tools. What's that about? 174 00:08:13.120 --> 00:08:15.279 It's a third party tool can pull lots of info 175 00:08:15.279 --> 00:08:18.480 about an iPhone, specs, software's version apps, but the book 176 00:08:18.480 --> 00:08:21.920 notes getting the really sensitive stuff like call logs often 177 00:08:22.000 --> 00:08:24.160 means jail breaking the phone first. 178 00:08:24.040 --> 00:08:28.160 Which isn't ideal forensically not usually no modifies the system, 179 00:08:28.279 --> 00:08:30.560 and iPhones pack a lot of sensors in screen. 180 00:08:30.279 --> 00:08:33.720 Tech definitely Olid's greens haptic touch instead of the old 181 00:08:33.720 --> 00:08:40.720 pressure sensitive three D touch, and sensors galore, proximity light, magnetometer, accelerometer, 182 00:08:40.840 --> 00:08:44.120 gyro barometer, plus biometrics like touch ID and face. 183 00:08:43.960 --> 00:08:46.559 ID apples big on security right very they. 184 00:08:46.480 --> 00:08:50.320 Have a dedicated crypto processor use strong AES two hundred 185 00:08:50.320 --> 00:08:52.759 and fifty six bit encryption. Remember the FBI and the 186 00:08:52.799 --> 00:08:53.840 San Bernardino phone. 187 00:08:53.919 --> 00:08:54.759 Yeah, that was a big deal. 188 00:08:54.799 --> 00:08:57.000 Shows how tough it could be. Encryption is always on 189 00:08:57.039 --> 00:09:00.039 when locked. Tools like gray key exist. Trying to I 190 00:09:00.200 --> 00:09:02.679 pass this, but it's an ongoing battle. The book lists 191 00:09:02.720 --> 00:09:05.200 some older processors to A eight, A nine, A ten 192 00:09:05.559 --> 00:09:09.360 and their security features. Bottom line, you need to understand 193 00:09:09.399 --> 00:09:11.600 iOS internals even with fancy tools. 194 00:09:11.639 --> 00:09:15.879 Okay, so iOS lockdown encrypted? What about Android? Different? 195 00:09:15.879 --> 00:09:20.039 Beast entirely pretty much? Chapter four covers Android starts with 196 00:09:20.080 --> 00:09:20.840 those hidden codes. 197 00:09:20.879 --> 00:09:23.320 You can dial ah the secret menus. 198 00:09:23.120 --> 00:09:26.159 Exactly like hashtag ninety ninety I, dagger ashig, Zerosi ex 199 00:09:26.200 --> 00:09:29.519 chech for the Imei. Super useful, but the book warns 200 00:09:29.559 --> 00:09:32.519 they vary a lot between manufacturers. Got to search for 201 00:09:32.559 --> 00:09:33.639 device specific ones. 202 00:09:33.799 --> 00:09:36.799 Good tip and interacting with the system ady B comes 203 00:09:36.840 --> 00:09:37.240 up a lot. 204 00:09:37.399 --> 00:09:39.720 Android Debugging Bridge Yeah, it's a command line tool lets 205 00:09:39.759 --> 00:09:41.919 you talk to the device of developer modis on. You 206 00:09:41.919 --> 00:09:45.600 can pull files, add me, pull, restore, backups, reboot into 207 00:09:45.639 --> 00:09:49.320 recovery and dumpsies. Is incredibly powerful for grabbing system. 208 00:09:49.039 --> 00:09:52.240 Info like listing files and system directories yep. 209 00:09:52.240 --> 00:09:55.000 LL system ben is an example. Lots of useful commands 210 00:09:55.000 --> 00:09:55.440 listed in the. 211 00:09:55.399 --> 00:09:58.000 Book, and Android uses different file systems than iOS. 212 00:09:58.159 --> 00:10:01.360 Right, no single standard like ap fac F twofs from 213 00:10:01.399 --> 00:10:05.559 Samsung Flash Friendly files is to name jasha FS two yaffs. 214 00:10:05.840 --> 00:10:09.799 Depends on the device, the kernel version more fragmentation. 215 00:10:09.399 --> 00:10:10.879 And security is more varied too. 216 00:10:11.320 --> 00:10:15.679 Generally, yes, core Android has features, but manufacturers add their 217 00:10:15.720 --> 00:10:19.200 own stuff. The book mentions Adyntum encryption for devices that 218 00:10:19.240 --> 00:10:22.320 don't have hardware as support uses cha Chai and poly 219 00:10:22.440 --> 00:10:23.039 three to five. 220 00:10:23.360 --> 00:10:26.480 Also, saft flashing tools mentioned odin Android Flash Tool. 221 00:10:26.559 --> 00:10:28.519 Yeah, those let you write new firmware to the device. 222 00:10:28.960 --> 00:10:32.360 Can be used for updates, repairs, or trying to bypass security. 223 00:10:32.960 --> 00:10:35.679 But big warning, mess it up and you can break the. 224 00:10:35.600 --> 00:10:40.759 Phone, render it useless, risky, very and since Android's open source, 225 00:10:40.759 --> 00:10:43.000 you can actually look at the code absolutely. 226 00:10:43.320 --> 00:10:47.000 The book points to cs dot android dot com. Understanding 227 00:10:47.000 --> 00:10:49.720 the source code, how it boots, how security works can 228 00:10:49.759 --> 00:10:52.799 be invaluable for deep forensic work. There are even a 229 00:10:52.799 --> 00:10:55.159 couple of hands on labs in the chapter using codes 230 00:10:55.159 --> 00:10:56.279 in ADB cool. 231 00:10:56.320 --> 00:10:59.600 So two very different operating systems needing different approaches. Okay, 232 00:10:59.639 --> 00:11:01.799 we know how they work, how do we actually get 233 00:11:01.840 --> 00:11:04.080 the data? Forensic techniques and tools right? 234 00:11:04.320 --> 00:11:06.960 Chapter five starts with principles that apply to both. What 235 00:11:07.000 --> 00:11:11.519 can you recover? Call logs, messages, photos, videos, device info, GPS, 236 00:11:11.519 --> 00:11:13.799 network stuff pretty standardless. 237 00:11:13.799 --> 00:11:16.159 First step is always documentation. 238 00:11:15.720 --> 00:11:20.519 Always model, imei, sim details, OS version, get it all down. 239 00:11:20.960 --> 00:11:23.639 GPS is often huge. Tracking movements, checking. 240 00:11:23.360 --> 00:11:25.120 Alibis are their official guidelines for this. 241 00:11:25.600 --> 00:11:30.159 Yes, SWGD Scientific Working Group on Digital Evidence has best 242 00:11:30.159 --> 00:11:34.840 practices like their mobile forensics pyramid. NIST also has detailed 243 00:11:34.840 --> 00:11:37.879 guidelines for reports. What needs to be included like what 244 00:11:38.279 --> 00:11:44.039 examiner details, evidence, description, methods, used, findings, any limitations, data hiding. 245 00:11:44.120 --> 00:11:47.320 It also mentions DOOJ guidance on accuracy and even cites 246 00:11:47.320 --> 00:11:52.240 the Federal rules on expert reports. Needing enough detail for reproducibility. 247 00:11:51.519 --> 00:11:53.320 So someone else could follow your steps and get the 248 00:11:53.320 --> 00:11:57.600 same result makes sense crucial for court Okay, specifically for iOS, 249 00:11:58.039 --> 00:11:59.519 any unique steps. 250 00:11:59.200 --> 00:12:02.679 Or tools thing stop it syncing with iTunes or finder 251 00:12:02.679 --> 00:12:06.360 automatically preserve the state. Good point then tools doctor phone 252 00:12:06.360 --> 00:12:09.440 gets a mention. Oxygen Forensics known for being user friendly, 253 00:12:09.639 --> 00:12:12.840 good with location data. Mobile edit is noted as affordable 254 00:12:12.879 --> 00:12:16.519 cross platform axiom for magnet forensics two and Celebrate is 255 00:12:16.519 --> 00:12:18.960 often seen as the big comprehensive solution. 256 00:12:18.799 --> 00:12:21.120 A whole toolkit available and for Android. 257 00:12:21.240 --> 00:12:24.360 Chapter six circles back to Android, repeats the general principles 258 00:12:24.399 --> 00:12:28.120 airplane mode immediately is key mentions, SWGDE and NIST again, 259 00:12:28.360 --> 00:12:31.279 then really emphasizes using ADB shell commands. 260 00:12:31.080 --> 00:12:33.200 For navigation and documentation. 261 00:12:32.840 --> 00:12:36.440 Exactly, L sty list files, CD to change directories, and 262 00:12:36.519 --> 00:12:39.279 all those useful l's flags AL for details, A for 263 00:12:39.360 --> 00:12:44.440 hidden files, ALH for readable sizes, AR for recursive, altr 264 00:12:44.679 --> 00:12:47.240 to sort by time, useful. 265 00:12:46.879 --> 00:12:49.360 Stuff, and looking inside the apps themselves. 266 00:12:49.480 --> 00:12:53.000 Yeah, touches on decompiling Android apps APKs, using tools like 267 00:12:53.039 --> 00:12:56.000 Android Studio to see the underlying code. The focus here 268 00:12:56.039 --> 00:12:58.799 is more on free or low cost tools and methods 269 00:12:58.799 --> 00:12:59.399 for Android. 270 00:13:00.000 --> 00:13:02.919 Okay, so different tools, different os quirks. But what if 271 00:13:02.960 --> 00:13:05.960 those standard software methods just don't work, say the phone's 272 00:13:06.000 --> 00:13:08.919 badly damaged or locked down tight Then you. 273 00:13:08.879 --> 00:13:11.240 Get into the advance stuff. Chapter seven covers j TAG 274 00:13:11.360 --> 00:13:14.759 and chip off. These are last resorts based pl access exactly. 275 00:13:14.840 --> 00:13:17.159 You're bypassing the OS, going straight for the memory chips 276 00:13:17.200 --> 00:13:20.000 on the circuit board. JTAG Joint Test Action Group was 277 00:13:20.039 --> 00:13:22.360 originally for testing boards, but forensics adapted. 278 00:13:22.399 --> 00:13:24.440 It sounds like you need serious electronic skill. 279 00:13:24.559 --> 00:13:27.480 You really do. The chapter actually covers some basics DC 280 00:13:27.720 --> 00:13:32.759 versus AC power, watts, jewels, components like inductors, capacitors, resistors, 281 00:13:32.919 --> 00:13:34.399 even has table of symbols. 282 00:13:34.480 --> 00:13:36.120 So how does j TAG actually work? 283 00:13:36.519 --> 00:13:38.440 You connect to specific points on the board called the 284 00:13:38.440 --> 00:13:44.000 test access port or TP. There are pins like TDI, TDO, TCK, TMS, 285 00:13:44.559 --> 00:13:47.120 test data in, test data out, test clock, et cetera. 286 00:13:47.240 --> 00:13:48.519 The connection points right. 287 00:13:48.840 --> 00:13:51.519 You use these to talk directly to the chips using 288 00:13:51.519 --> 00:13:54.879 a standard protocol i e. E eleven forty nine point one. 289 00:13:55.279 --> 00:13:58.799 The big challenge finding those tap points. They aren't standardized 290 00:13:58.799 --> 00:14:04.759 across devices. Definitely, you'd specialized tools too, like a RIF box. 291 00:14:05.240 --> 00:14:10.200 The chapter shows it software mentions common errors, and again SWGDI, EE, 292 00:14:10.399 --> 00:14:13.399 NST have standards of practices around JTAG. 293 00:14:13.159 --> 00:14:16.200 Highly specialized work. Okay, let's say you've got the data 294 00:14:16.440 --> 00:14:19.200 either normally or through JTAG. How do you make sense 295 00:14:19.200 --> 00:14:20.759 of it? Databases were mentioned. 296 00:14:20.559 --> 00:14:24.320 Yeah, chapter eight. Mobile devices use databases extensively, often squadlight 297 00:14:24.519 --> 00:14:27.879 to store app data, contacts messages you name it. Understanding 298 00:14:27.919 --> 00:14:32.519 relational databases is key tables, keys, exactly tables hold the data, rows, records, 299 00:14:32.600 --> 00:14:36.679 calumns or attributes, primary keys, uniquely identify rose foreign keys, 300 00:14:36.679 --> 00:14:40.559 link related tables together. Helps organize data, avoid repetition, and. 301 00:14:40.480 --> 00:14:43.159 You use SQL to query these databases. 302 00:14:43.240 --> 00:14:46.720 Yeah, structured quarry language YEP. The chapter covers the basics. 303 00:14:47.000 --> 00:14:49.960 Select to get data, update to change it, delete, removing, 304 00:14:50.159 --> 00:14:53.840 insert to add, and where is crucial for filtering examples 305 00:14:54.000 --> 00:14:57.039 like selection contacts where city in New York or using 306 00:14:57.200 --> 00:15:00.000 like to find patterns and or to combine conditions between 307 00:15:00.360 --> 00:15:04.759 for ranges distinct for unique values, need brackets if column 308 00:15:04.799 --> 00:15:05.720 names have spaces. 309 00:15:05.840 --> 00:15:09.759 So SQL proficiency is vital and squilight is the common 310 00:15:09.799 --> 00:15:11.159 one on phones. How do you view it? 311 00:15:11.399 --> 00:15:15.159 Several ways? Command line or graphical tools like dB browser 312 00:15:15.200 --> 00:15:18.600 for Squidal or even Chrome extensions like squid Viewer lets 313 00:15:18.600 --> 00:15:22.320 you open the database files, browse tables, run SEQL queries directly. 314 00:15:22.919 --> 00:15:26.200 Very useful, okay. Shifting gears a bit. Cell site analysis 315 00:15:26.200 --> 00:15:28.720 and smart TVs also covered. 316 00:15:28.480 --> 00:15:32.159 Right chapter nine. Cell site analysis uses cell tower connection 317 00:15:32.240 --> 00:15:34.720 records to estimate where a phone was over time. You 318 00:15:34.759 --> 00:15:36.240 plot the tower connections on a map. 319 00:15:36.399 --> 00:15:39.480 How accurate is that? Determining the exact handoff point between 320 00:15:39.480 --> 00:15:41.039 towers seems fuzzy. 321 00:15:40.759 --> 00:15:43.679 It can be. Without detailed signal strength data, you might 322 00:15:43.720 --> 00:15:46.519 assume the handoff is midway between towers. There's always a 323 00:15:46.519 --> 00:15:49.519 margin of air, often biggest for the first tower connection. 324 00:15:49.480 --> 00:15:51.399 But using multiple towers helps. 325 00:15:51.519 --> 00:15:53.919 Yeah, it refines the location. If you have timestamps, you 326 00:15:54.000 --> 00:15:57.279 might even estimate average speed between tower locations, like the 327 00:15:57.279 --> 00:15:58.200 example in the book. 328 00:15:58.039 --> 00:16:02.399 Shows interesting and smart. They're like big phones, now, aren't they? 329 00:16:02.519 --> 00:16:04.919 Pretty much? Many run androids, so you can often use 330 00:16:04.960 --> 00:16:09.080 ADB for forensics and gable USB debugging connect via IP. 331 00:16:09.320 --> 00:16:10.720 Use similar commands. 332 00:16:10.360 --> 00:16:13.159 Yep, gump seas to get system info, ad B polled 333 00:16:13.159 --> 00:16:16.120 to grab filed like photos can be useful. Restarting the 334 00:16:16.159 --> 00:16:18.399 ADB server sometimes needed if connections fail. 335 00:16:18.519 --> 00:16:22.080 Adapting techniques to new devices makes sense. But what about 336 00:16:22.080 --> 00:16:23.360 people trying to hide data? 337 00:16:23.720 --> 00:16:29.480 Anti forensics AH Chapter ten Big topic starts with seganography, 338 00:16:29.600 --> 00:16:31.519 hiding data within other data. 339 00:16:31.200 --> 00:16:33.279 Like hiding text in an image exactly. 340 00:16:33.679 --> 00:16:36.080 The book shows how changing just one tiny bit in 341 00:16:36.120 --> 00:16:38.639 a pixel is invisible to us, but can hide information. 342 00:16:39.080 --> 00:16:42.000 The image or audio file is the channel Lots of 343 00:16:42.039 --> 00:16:43.039 tools exist to do. 344 00:16:43.039 --> 00:16:44.399 This and ways to detect it. 345 00:16:44.639 --> 00:16:48.480 STAG analysis right statistical analysis looking for noise patterns. Tools 346 00:16:48.519 --> 00:16:51.200 like STAG detect exist. The chapter shows an example using 347 00:16:51.240 --> 00:16:54.000 deep sound to hide a file in audio Exammers need 348 00:16:54.000 --> 00:16:54.759 to be aware. 349 00:16:54.559 --> 00:16:59.240 This happens, okay, hiding data? What about scrambling it? Cryptography 350 00:16:59.480 --> 00:17:00.200 also huge phage. 351 00:17:00.679 --> 00:17:03.480 Symmetric crypto uses the same key to encrypt and decrypt 352 00:17:03.519 --> 00:17:07.480 think filer disc encryption. Asymmetric uses different public private keys 353 00:17:07.480 --> 00:17:12.920 for secure communication signatures essential to understand for Iosandroid security. 354 00:17:12.960 --> 00:17:14.079 How do they work? Basically? 355 00:17:14.200 --> 00:17:18.519 Symmetric often involves substitution, swapping the letters bits and transposition 356 00:17:18.839 --> 00:17:22.759 shuffling them, done in multiple complex rounds using algorithms like AES. 357 00:17:23.640 --> 00:17:27.599 Asymmetric like RSA, relies on complex math with prime numbers 358 00:17:27.640 --> 00:17:28.279 to create the key. 359 00:17:28.319 --> 00:17:30.400 Pairs and phones use specific types. 360 00:17:30.279 --> 00:17:32.759 Yep AES two fifty six bit is common for full 361 00:17:32.799 --> 00:17:36.079 disc encryption on both platforms. Older stuff like A fifty 362 00:17:36.119 --> 00:17:39.799 one was used in GSM. Umts has its own authentication methods. 363 00:17:39.920 --> 00:17:41.759 What about hashing different from encryption? 364 00:17:41.880 --> 00:17:44.480 Totally different. Hashing is a one way process takes input, 365 00:17:44.720 --> 00:17:47.839 creates a fixed size fingerprint or hash can't go backwards. 366 00:17:48.240 --> 00:17:51.599 Used for integrity checking, making sure data hasn't changed. MD five, 367 00:17:51.920 --> 00:17:54.839 SAHA one, SA two fifty six are common examples. 368 00:17:54.920 --> 00:17:56.559 Dot it and password tracking. 369 00:17:56.440 --> 00:17:59.680 Trying to guess or find passwords to decrypt data. Brute 370 00:17:59.680 --> 00:18:03.920 force dictionary attacks rainbow tables, but strong encryption makes it very, 371 00:18:04.039 --> 00:18:04.480 very hard. 372 00:18:04.720 --> 00:18:07.359 Seems like a constant cat and mouse game. Okay, we've 373 00:18:07.400 --> 00:18:10.200 covered tech and techniques, but none of it matters without 374 00:18:10.240 --> 00:18:12.720 the legal and ethical framework absolutely vital. 375 00:18:13.160 --> 00:18:16.559 Chapter eleven dives into this. Starts with rules of evidence 376 00:18:16.640 --> 00:18:20.079 like FRE nine oh one nine oh two on authenticating 377 00:18:20.119 --> 00:18:22.359 digital evidence so it's admissible. 378 00:18:21.839 --> 00:18:24.119 In court and keeping track of the avidance itself. 379 00:18:24.240 --> 00:18:29.759 Crucial Chaining custody needs meticulous tracking logs software like ASIS 380 00:18:29.839 --> 00:18:34.160 or Evidence Tracker, barcodes even RFID got to prove the 381 00:18:34.200 --> 00:18:35.200 evidence wasn't tampered with. 382 00:18:35.319 --> 00:18:38.480 And when examiners testify, they're experts, right. 383 00:18:38.400 --> 00:18:42.000 Yes, explot test money relies on specialized knowledge. Federal Rule 384 00:18:42.039 --> 00:18:45.319 seven oh two defines who qualifies, and the Daubert Standard 385 00:18:45.319 --> 00:18:49.000 seys criteria for scientific reliability, testing, peer review, error rates, 386 00:18:49.240 --> 00:18:52.160 general acceptance. Forensic techniques have to meet these standards. 387 00:18:52.240 --> 00:18:56.079 Can't just search any phone though warrants consent. 388 00:18:55.880 --> 00:18:59.480 Fourth Amendment territory generally need a warrant based on probable cause, 389 00:18:59.559 --> 00:19:02.920 especially the expectation of privacy we have with phones. Consent 390 00:19:03.000 --> 00:19:06.039 is an exception, but it must be voluntary informed and 391 00:19:06.079 --> 00:19:08.359 the search can't exceed the scope of the consent given 392 00:19:08.720 --> 00:19:12.799 who can consent matters to owners sometimes parents. 393 00:19:12.599 --> 00:19:15.559 And ethics foundational, I imagine, non negotiable. 394 00:19:15.920 --> 00:19:21.079 The chapter mentions AAFS guidelines be professional, don't misrepresent qualifications 395 00:19:21.160 --> 00:19:24.880 or findings site sources properly. Your duty is to the 396 00:19:24.920 --> 00:19:28.039 scientific truth, not just winning a case. You have to 397 00:19:28.039 --> 00:19:31.799 report weaknesses too briefly. Touches on kerminl versus civil cases, 398 00:19:31.839 --> 00:19:32.759 PI licenses. 399 00:19:33.039 --> 00:19:36.119 Scientific principles apply here too, definitely the. 400 00:19:36.079 --> 00:19:40.160 Scientific method peer review for validating techniques Lowcard's principle. Every 401 00:19:40.200 --> 00:19:42.559