Hummert, Christian.

Mobile Forensics - the File Format Handbook : Common File Formats and File Systems Used in Mobile Devices. - 1st ed. - 1 online resource (276 pages)

Intro -- Preface -- Roadmap -- Scope of the Book -- Conventions Used in This Book -- Acknowledgements -- Contents
Part I Mobile File System Formats
Chapter 1 APFS -- 1.1 Introduction -- 1.2 APFS File system category -- 1.2.1 Finding the APFS container -- 1.2.2 Object header -- Object type, some examples -- Object type masks -- Object type flags -- Ephemeral Objects -- Physical Objects -- Virtual Objects -- 1.2.3 Superblocks -- 1.2.4 Checkpoint mapping -- 1.2.5 Volumes -- Finding the Volume -- Showing the Volume (APSB) -- Volume Object mapping -- 1.3 APFS Metadata Category -- 1.4 APFS File Name category -- 1.5 APFS Content Category -- 1.6 APFS Application Category -- 1.7 Comparing our results with a commercial tool
Chapter 2 Ext4 -- 2.1 Introduction -- 2.2 Ext4 File system category -- 2.3 Superblock -- 2.3.1 Temporary data about the File system -- 2.3.2 Supported features -- Compatible features -- Incompatible features -- Read only compatible features -- 2.3.3 The group descriptor -- Universal Unique Identifier -- 2.4 Ext4 Metadata Category -- 2.4.1 The inode -- 2.4.2 User privileges and type of file -- 2.4.3 Temporary metadata describing inodes -- 2.4.4 Temporary metadata manipulations -- 2.4.5 Links count -- Blocks used by a file -- Inode flags -- Block map, Extent tree or inline data -- File version -- Operating System Descriptor 2 -- Project ID -- 2.5 Ext4 File Name category -- 2.6 Ext4 Content Category -- 2.6.1 Recovery of files -- Inode Carving using extent magic signature -- 2.6.2 Generic metadata time carving -- 2.6.3 Additional file content -- 2.7 Ext4 Application Category
Chapter 3 The Flash-Friendly File System (F2FS) -- 3.1 Introduction -- 3.1.1 NAND (Not And) Flash Memory -- NAND flash memory -- NOR flash memory -- 3.1.2 Flash Translation Layer (FTL) -- 3.2 Flash Filesystems -- 3.2.1 The Log-Structured File System (LSFS) or (LFS) -- 3.2.2 Flash-Friendly File System (F2FS): Enter F2FS -- 3.2.3 Wandering Tree Problem -- 3.3 On-Disk Layout of F2FS -- Sector -- Partitions -- 3.3.1 Creation of F2FS partitions with Mkfs.f2fs -- 3.3.2 F2FS on Disk -- Superblock -- Zone -- Section and Segment -- Check Point (CP) -- Segment Information Table (SIT) -- Node Address Table (NAT) -- Segment Summary Area (SSA) -- Updates to the SIT and NAT -- Shadow Copy -- Main Area -- 3.4 File Structure of F2FS -- 3.4.1 Node Structure -- 3.4.2 File Creation and Management -- Directory Structure -- 3.4.3 Fsck.f2fs Identifying Files -- 3.4.4 Metadata -- 3.4.5 Multi-Head Logging -- 3.4.6 Cleaning -- Adaptive Logging -- Roll-Back Recovery -- Important -- 3.5 Forensic Analysis -- 3.5.1 F2FS Sample Dataset -- 3.5.2 F2FS and Windows -- 3.5.3 Data-Extraction with XRY -- 3.5.4 Superblock Examination -- 3.5.5 Examine NAT, SIT & SSA with Linux -- Node Allocation Table (NAT) Data -- Show the Segment Info Table (SIT) Data -- Look inside the Segment Summary Area (SSA) Data -- Obtain a file by its node ID -- 3.5.6 Carving for artefacts with XAMN -- PNG File Signature Analysis -- 3.5.7 Node Allocation Table (NAT) Comparisons -- Additional Data Structure -- 3.6 F2FS Application fields -- 3.7 Conclusion
Chapter 4 QNX6 -- 4.1 Introduction -- 4.2 QNX6 Filesystem Structure -- 4.2.1 Superblock -- 4.2.2 Bitmap -- 4.2.3 Inode -- 4.2.4 Directories -- 4.2.5 Long Filenames Inode -- 4.3 Example: Construction of a file -- 4.4 Deleted Files -- 4.5 Forensic Tools supporting QNX6 filesystems
Part II Mobile File Formats
Chapter 5 SQLite -- 5.1 Introduction -- 5.2 The SQLite File Structure -- 5.2.1 The Database Header -- 5.2.2 Storage Classes, Serial Types and Varint-Encoding -- 5.2.3 Decoding The SQLite_Master Table -- 5.2.4 Page Structure -- 5.2.5 Recovering Data Records -- 5.3 Accessing The Freelist -- 5.4 More Artefacts -- 5.4.1 Temporary File Types -- 5.4.2 Rollback Journals -- 5.4.3 Write-Ahead Logs -- 5.5 Conclusions
Chapter 6 Property Lists -- 6.1 Introduction -- 6.2 Binary plist Structure -- 6.3 Example -- 6.4 Forensic Tools Supporting plists -- 6.5 Conclusions
Chapter 7 Java Serialization -- 7.1 Introduction -- 7.2 Object Serialization in Java -- 7.2.1 Serialization Techniques in Java -- 7.2.2 Serialization by Example -- 7.3 Java Object Serialization Protocol Revealed -- 7.4 Pitfalls and Security Issues -- 7.4.1 Hands on Serialized Objects -- 7.4.2 Beware of Gadget Chains -- 7.5 Conclusions
Chapter 8 Realm -- 8.1 Organisation of this Chapter -- 8.2 Introduction -- 8.3 SQLite, It is Not! -- 8.3.1 Relational Databases -- 8.3.2 SQLite as a Relational Database -- 8.3.3 SQLite Schema -- 8.3.4 Temporary SQLite Files -- 8.3.5 SQLite File Format -- 8.4 How Realm Works -- 8.4.1 Realm Database Fundamentals -- 8.4.2 Common Concepts and Terminology -- Basic Object-Oriented Programming Concepts -- Top-level Objects -- Object Types -- Group -- Arrays -- 8.5 File Storage and Structures -- 8.5.1 Realm Files and Folders -- 8.5.2 The Realm File -- The Lock File -- The Management Directory -- Stateless Realm Instances -- 8.5.3 Creating Realm Test Instance -- Step 1: Launch the Task Application -- Step 2: Open a CMD Window -- Step 3: Create an Output Folder -- Step 4: Start ADB -- Step 5: Get ADB Root -- Step 6: Find the Application Data -- Step 7: Use the "pull" Command -- 8.5.4 The Realm Database File Structure -- 8.5.5 Realm File Header -- "Top Ref" Bytes 0x00 to 0x0F (d0-d15) -- "Mnemonic" Bytes 0x10 to 0x13 (d16-d19) -- "File Format" Bytes 0x14 to 0x15 (d20-d21) -- "Reserved" Byte 0x16 (d22) -- "Flags" Byte 0x17 (d23) -- 8.5.6 Realm File Arrays -- 8.5.7 Realm Array Header -- 8.5.8 Checksum -- 8.5.9 Flags -- Bit Group 1: is_inner_bptree_node -- Bit Group 2: has_refs -- Bit Group 3: context_flag -- Bit Group 4: width_scheme -- Bit Group 5: width_ndx -- 8.5.10 Size -- 8.5.11 Realm Array Payload -- 8.5.12 Size Calculation Example -- 8.5.13 Array Example Header -- 8.5.14 Array Example Flags -- 8.5.15 Array Example Size -- 8.6 Conclusion
Chapter 9 Protocol Buffers -- 9.1 Introduction -- 9.1.1 What is a Protocol Buffer? -- 9.1.2 Why are Protocol Buffers Used? -- 9.2 Using Protocol Buffers -- Messages -- Services -- The Proto File -- Define the Syntax -- Message Type -- Fields -- Scalar Values -- 9.2.1 The Schema Definition -- Field Type -- Field Names -- Enums -- Nesting -- Importing & Packages -- 9.2.2 Compiling Your Protocol Buffer -- Analysing the Python Protobuf-Code -- A 2nd Example: The FormobileChat message -- Formobilechat_pb2.py -- 9.2.3 Creation of a Protobuf with Python -- Writing the Object to a Binary File -- Remember Size = Speed -- The Raw Binary Data -- 9.2.4 Reversing Proto Buffer Messages -- Data Conversion -- Timestamp -- Pictures or other files represented by octal data -- 9.3 Practical Analysis of different Proto Buffers -- 9.3.1 Mobile Device Artifact Examples -- Example Waze Navigation App -- BASE64 Encoding -- Example: Apple Web Cache file -- Identifying Base64 Encoded Data -- 9.3.2 Yet another example: Apple Property List (PLIST) Files -- 9.3.3 Suggested Examination Process of a File -- 9.3.4 Tools -- 9.4 Conclusion
References -- Index.

9783030984670

Electronic books.

QA76.9.A73