AX150 Core Mobile Acquisition & Analysis Microlearning
Core Mobile Acquisition and Analysis (AX150 Microlearning) is a beginner level course, designed for participants who are unfamiliar with the principles of mobile forensics. The course focuses on iOS and Android devices from the point of collection to the point of analysis whilst exploring Magnet Axiom and Magnet tools such as Magnet Acquire, the Magnet Custom Artifact Generator (MCAG) and Magnet Axiom Dynamic App Finder.
Description
Microlearning is designed to be consumed in very short lessons by those who are on the go and cannot dedicate hours or days to learning. Single, self-contained lessons are the core of this learning modality.
Course modules
Course overview - Core Mobile Acquisition and Analysis (AX150) equips digital forensics professionals with the tools and training necessary to navigate the evolving technology landscape. This introduction will present an overview of the material covered in the course as well as the system requirements needed to get started.
Mobile forensics challenges & case scenario - This will be a step-by-step guide for installing Magnet Axiom. The current state of mobile forensics will be discussed, highlighting the challenges posed by encryption and the shift towards logical imaging over physical imaging due to file-based encryption in iOS and Android devices. The forensic significance of file storage types like SQLite databases and plist files will also be covered. Students will also be introduced to a course scenario involving a bank robbery investigation.
Device components and handling considerations (part one) - This topic equips students with an in-depth understanding of mobile device technology, covering internal and external components such as display screens, data ports, SIM and eSIM cards, and memory types like RAM and internal storage. Additionally, it addresses security, battery health, and the roles of the logic board, CPU, and GPU in data processing and security. The topic also notes the importance of specialized tools and techniques in forensic examinations.
Device components and handling considerations (part two) - This topic explores key components of mobile forensics, focusing on the integral roles of NAND storage and RAM within mobile devices. It delves into the technical aspects of non-volatile NAND storage, which retains data without power, and volatile RAM, which is essential for running applications and storing temporary data. Wireless technologies are also covered, along with the techniques for isolating a device so that its data is held in as close to a static state as possible.
Maintaining power & embedded devices - Maintaining power to mobile devices is crucial in modern forensic investigations to prevent data encryption barriers from obstructing information extraction. Keeping a device powered on allows advanced techniques to access data that is not available after a reboot. For iOS and Android devices using file-based encryption, remaining powered on provides access to more data layers, such as the After First Unlock (AFU) state. Using tools like Magnet Graykey enhances data acquisition from locked devices, offering comprehensive extraction options. Effective power maintenance, using equipment like Faraday containers with power supplies, is essential for a seamless forensic process.
iOS acquisitions: security challenges - This topic addresses the unique challenges of mobile device imaging and hashing compared to conventional hard drives, emphasizing the variability in processes across different devices, manufacturers, and operating systems. It highlights the difficulties in consistent hashing due to necessary modifications for forensic access, the role of iOS drivers, USB Restricted Mode, and Lockdown Mode. The topic also explores the impact of device states like Actively Unlocked, After First Unlock, and Before First Unlock on data accessibility, equipping examiners with essential insights for effective data extraction.
iOS backup and encryption techniques - This topic discusses the evolution of iTunes-style backups, focusing on the structural changes and the importance of examiner-initiated encryption to access comprehensive data sets, including HealthKit and keychain information. Key enhancements in encryption security introduced in iOS 10.2 are reviewed, alongside effective strategies for managing and bypassing encryption settings. The topic also introduces data extraction methods through Apple File Conduit and sysdiagnose logs, equipping examiners with critical techniques for thorough iOS device investigations.
Utilizing libimobile for iOS acquisition - This topic introduces libimobile, a critical toolkit for forensic experts to interact with iOS devices on non-Apple platforms like Linux and Windows. It details the process of using libimobile to pair devices, retrieve vital information, and execute backups without iTunes. Participants will learn to navigate libimobile's command-line tools alongside forensic software like Magnet Axiom and Magnet Acquire, demonstrating commands for pairing, information retrieval, and encrypted backups. The topic also covers the significance of the unique device identifier (UDID) and changes in its structure with newer iOS devices, equipping forensic professionals with the necessary skills to manage iOS device data securely and effectively.
Acquisition of iOS using libimobile & Magnet Axiom - This module explores the acquisition of sysdiagnose logs using the libimobile library, essential for forensic analysis of iOS devices. It demonstrates how to generate system logs even from locked devices, and how to acquire them afterwards. The course provides a step-by-step demonstration of how to pair devices, extract logs, and manage diagnostic data effectively, while adhering to organizational policies.
ADB backup & extraction for Android (part one) - This topic focuses on leveraging the Android Debug Bridge (ADB) for data backup and extraction with Axiom. It covers the execution of ADB commands to maximize data recovery. The topic also introduces the agent application technique to access active data where available. Practical demonstrations will guide students through acquiring and processing this Android data, learning how to navigate these tools effectively.
ADB backup & extraction for Android (part two) - This topic teaches students how to acquire Android backups with ADB. It details how to use agent APKs to extract data, and how to use other acquisition tools, including Magnet Acquire, effectively with Axiom Process in investigations.
Navigating iOS quick image structures - This topic explores the structure of iOS backups, focusing on SHA1 hash-named files and the utilization of domains to categorize and encrypt data. It emphasizes the need for examiners to understand these structures to assess and reconstruct data from backups. The topic includes how the file structure uses domain shortcuts to replace file paths and organize data, and how forensic tools interact with these backups. Practical exercises guide examiners in tracing file origins and verifying data integrity using domain paths and the Manifest.db, crucial for effective forensic analysis of iOS devices.
Working with Property List (PLIST) files - This topic covers the three primary plist files crucial in iOS backups: the Info.plist, Manifest.plist, and Status.plist. These files store essential device and backup data in two formats: human-readable XML and binary for machine efficiency. Participants will learn about the structure and function of these files and the significance of key-value pairs in tracking device information and backup settings. Practical exercises guide examiners through accessing and analyzing these plist files to extract valuable data like device identifiers, installed applications, and backup encryption states, ensuring comprehensive understanding and effective use of iOS backup data in forensic analyses.
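The file tracing and plist checks described in the two topics above, as an added example that is not course material or Magnet code. It assumes the documented iOS backup layout (hash-named files resolved through the Files table of Manifest.db, and the IsEncrypted key in Manifest.plist); the manifest rows and plist contents are constructed sample data.

```python
# Added example (not from the AX150 course or Magnet software): tracing a
# hash-named file in an iOS backup back to its domain and relative path.
# Assumes the documented layout: Manifest.db's Files table names each file by
# the SHA-1 of "<domain>-<relativePath>", and the file is stored under a
# subfolder named by the first two hex characters of that name.
import hashlib
import plistlib
import sqlite3

def backup_file_id(domain: str, relative_path: str) -> str:
    """Derive the hash-style file name an iOS backup uses for a file."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

def build_sample_manifest() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Manifest.db (Files table, simplified)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Files(fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER)")
    rows = [  # constructed sample entries using real domain naming conventions
        ("HomeDomain", "Library/SMS/sms.db"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
        ("AppDomain-com.example.chat", "Library/Preferences/com.example.chat.plist"),
    ]
    con.executemany("INSERT INTO Files VALUES (?, ?, ?, 1)",
                    [(backup_file_id(d, p), d, p) for d, p in rows])
    con.commit()
    return con

def trace_file(con: sqlite3.Connection, file_id: str):
    """Map a hash-named backup file to its domain, path and on-disk location."""
    row = con.execute("SELECT domain, relativePath FROM Files WHERE fileID = ?",
                      (file_id,)).fetchone()
    if row is None:
        return None
    domain, rel = row
    # Integrity check: the name must equal the hash of its own domain and path.
    if backup_file_id(domain, rel) != file_id:
        raise ValueError(f"fileID {file_id} does not match {domain}-{rel}")
    return {"domain": domain, "relativePath": rel,
            "backup_path": f"{file_id[:2]}/{file_id}"}

def backup_is_encrypted(manifest_plist: bytes) -> bool:
    """Read the IsEncrypted flag from Manifest.plist (XML or binary form)."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))

# Constructed binary Manifest.plist carrying the keys an examiner checks first.
SAMPLE_MANIFEST_PLIST = plistlib.dumps(
    {"IsEncrypted": True, "Version": "10.0",
     "Lockdown": {"UniqueDeviceID": "SAMPLE-UDID-PLACEHOLDER"}},
    fmt=plistlib.FMT_BINARY)
```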
Owner and account information - This topic details methods for extracting owner and account information from mobile devices. For iOS, it covers retrieving device details and Apple ID information from a plist and databases. Android device information is sourced from Quick Image's Live Data, capturing serial numbers, network details, and more. This topic equips examiners with essential skills for accessing vital personal and device data from mobile devices.
Contacts and call log data in iOS and Android - Contact and call log data captures comprehensive details such as names, numbers, and email addresses for contacts, as well as call duration, partner information, and call status for call logs on both systems. This topic guides forensic examiners in the differences between the operating systems and how to effectively extract this key data.
Native messaging services - This topic delves into the native messaging services of iOS and Android, highlighting their integration and security features. iMessages are encrypted end-to-end but stored decrypted on devices. Android follows a similar pattern with integrated messaging services. This topic also covers the structure of the iOS messaging database, including the tables and joins that organize and link message data, giving forensic examiners the tools to navigate and analyze message data efficiently within Axiom's SQLite viewer. Android messaging databases are also addressed.
iOS Media and deleted items - This topic covers the structure and forensic significance of the iOS Media directory, focusing on key areas like the DCIM, PhotoData, and PhotoCloudSharingData folders. It outlines how iOS manages Camera Roll storage and tracks file modifications, particularly how edits and thumbnails are preserved and maintained. Additionally, this topic will delve into the mechanisms behind the Recently Deleted folder, highlighting its importance for understanding user behavior around file deletion and concealment.
Hidden and deleted media in iOS and Android - This topic explains the recovery of hidden and recently deleted files in iOS, emphasizing their accessibility in the DCIM directory and protection with biometrics in iOS 16. It discusses the storage and recovery of message attachments in iOS backups using Axiom. For Android, it covers typical media storage locations and identifying Motion Photos. Additionally, it describes live data artifacts, focusing on the Camera History artifact to show usage patterns. Practical exercises guide users in examining media files within forensic cases, utilizing Axiom for artifact exploration and analysis.
Insights from web browsing data - This topic covers the importance of web-related information in mobile device investigations. Both iOS and Android devices come with default browsers like Safari and Google Chrome, which store significant user data. Safari, as the default iOS browser, manages browsing history, bookmarks, and search terms in various databases. This information can be crucial for investigators, offering insights even when users clear their browsing history. Similar methodologies apply to third-party browsers and applications, highlighting the role of web data in uncovering valuable investigative leads.
Analysis of installed applications - This topic explores the techniques used by forensic examiners to identify and analyze installed third-party applications on devices. Examiners gather information from key artifacts, which provide data on app versions, names, permissions, and usage history. By searching the file system and specific directories, they can locate relevant application data. These methods ensure a comprehensive understanding of how apps interact with the device, enabling effective digital investigations.
Data storage in Android applications - This topic covers the organization and analysis of data within Android applications. It explains how data is stored in directories based on package names and the typical subfolders like databases and shared preferences. The topic also details exercises for locating and analyzing specific application data on devices, including tasks such as filtering application usage, searching for app packages, and examining sysdiagnose logs. Additionally, it includes practical exercises for students to practice identifying and extracting relevant information from mobile devices, focusing on both Android and iOS systems.
Custom artifacts - This topic covers building and using custom artifacts in forensic analysis with AXIOM. Given the vast number of smartphone applications, forensic tools must enable examiners to create custom hunters and parsers for unsupported apps. This module explores methods for creating custom artifacts using Dynamic App Finder (DAF) and custom file type searches. It provides a guide for examiners of all skill levels on developing custom artifacts to locate crucial data stored in various file types, enhancing the ability to process and analyze mobile evidence effectively.
Dynamic App Finder process - This topic covers the process of using Axiom's Dynamic App Finder to locate and analyze custom artifacts within evidence items. It includes launching a new case, adding evidence, and enabling the Dynamic App Finder to find relevant artifacts. Detailed steps guide the examiner through customizing artifacts, mapping columns, previewing data, and saving the results. The process allows for the identification and reporting of critical information, such as evidential messages, which can be tagged, sorted, and filtered for further analysis.
Building custom artifacts - This topic covers the creation and use of custom artifacts using XML files and Python scripts, highlighting their respective advantages and limitations. XML-based artifacts are easier to create, suitable for straightforward data parsing and recognition tasks. Python scripts, however, are more powerful for complex operations like advanced data carving and network interactions. Artifacts are defined by specific data structures, which can be parsed or carved from evidence items. Key terms such as artifacts, fragments, and hits are essential for understanding the organization and retrieval of data within this context.
XML custom artifacts for SQLite - This topic covers the process of building an XML custom artifact to extract data from SQLite databases, outlining the necessary XML structure. Key attributes and their functions are explained, such as specifying database names, tables, and columns. Additionally, the topic discusses the use of regular expressions to identify databases, executing SQL queries to retrieve data, and the process of creating an XML custom artifact for extracting data from a specific SQLite database on an iOS device.
SQL statements overview - This topic covers essential SQL statements used for manipulating and querying databases. Key tips are given on how to temporarily rename data columns and conditional logic within queries to display data more meaningfully. Additionally, the topic covers linking tables to combine data from multiple sources, facilitating the reconstruction of comprehensive records from relational databases. These tools enable efficient data handling and improved query clarity.
Magnet Custom Artifact Generator - This topic covers the use of INNER JOINs in database queries and the process of creating custom artifacts in Magnet Axiom. An INNER JOIN returns only records with matching values in both tables, ensuring precise data extraction. Additionally, the Magnet Custom Artifact Generator (MCAG) simplifies creating custom artifacts for AXIOM, allowing integration of various data sources without needing XML or Python expertise. MCAG streamlines custom artifact creation and data management within Axiom.
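The query techniques described in the native messaging, SQL statements and INNER JOIN topics above, as an added example that is not course material or Magnet code. It runs against a constructed miniature of the iOS sms.db layout (message and handle tables only; the real database has many more columns) and assumes the modern iOS convention of storing message.date as nanoseconds since 2001-01-01.

```python
# Added example (not from the AX150 course or Magnet Axiom): column aliasing,
# CASE logic and INNER JOIN versus LEFT JOIN over a constructed sample of the
# iOS sms.db layout. Real databases have many more tables and columns.
import sqlite3

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (UTC)

def build_sample_sms_db() -> sqlite3.Connection:
    """Constructed in-memory message/handle tables with a few sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message(ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                             text TEXT, is_from_me INTEGER, date INTEGER);
        INSERT INTO handle VALUES (1, '+15550100', 'iMessage'),
                                  (2, 'alice@example.com', 'iMessage');
        -- constructed dates: nanoseconds since 2001-01-01, as in modern iOS
        INSERT INTO message VALUES
          (1, 1, 'meet at the bank at 9', 0, 694224000000000000),
          (2, 1, 'on my way', 1, 694224060000000000),
          (3, 7, 'orphan: no matching handle row', 0, 694224120000000000);
    """)
    return con

def conversation(con: sqlite3.Connection, join: str = "INNER"):
    """Return (msg_id, partner, direction, sent_utc, body) rows.

    INNER JOIN drops messages whose handle_id has no handle row; LEFT JOIN
    keeps them with partner = None, which is how an examiner spots gaps.
    """
    if join not in ("INNER", "LEFT"):
        raise ValueError("join must be INNER or LEFT")
    sql = f"""
        SELECT m.ROWID AS msg_id,
               h.id AS partner,
               CASE m.is_from_me WHEN 1 THEN 'Sent' ELSE 'Received' END AS direction,
               datetime(m.date / 1000000000 + ?, 'unixepoch') AS sent_utc,
               m.text AS body
        FROM message AS m
        {join} JOIN handle AS h ON h.ROWID = m.handle_id
        ORDER BY m.date
    """
    return con.execute(sql, (APPLE_EPOCH_OFFSET,)).fetchall()

if __name__ == "__main__":
    db = build_sample_sms_db()
    for row in conversation(db, "LEFT"):
        print(row)
```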