Mobile Forensics - the File Format Handbook : Common File Formats and File Systems Used in Mobile Devices.

Bibliographic Details
Main Author: Hummert, Christian
Contributor: Pawlaszczyk, Dirk
Place / Publishing House: Cham : Springer International Publishing AG, 2022.
©2022.
Year of Publication: 2022
Edition: 1st ed.
Language: English
Online Access: https://ebookcentral.proquest.com/lib/oeawat/detail.action?docID=6976056
Physical Description: 1 online resource (276 pages)
Record ID: 5006976056
Control numbers: (MiAaPQ)5006976056; (Au-PeEL)EBL6976056; (OCoLC)1315756811
Author: Hummert, Christian.
Title: Mobile Forensics - the File Format Handbook : Common File Formats and File Systems Used in Mobile Devices.
Edition: 1st ed.
Published: Cham : Springer International Publishing AG, 2022. ©2022.
Physical Description: 1 online resource (276 pages)
Content type: text (rdacontent); Media type: computer (rdamedia); Carrier type: online resource (rdacarrier)
Contents:
Intro -- Preface -- Roadmap -- Scope of the Book -- Conventions Used in This Book -- Acknowledgements -- Contents -- Part I Mobile File System Formats -- Chapter 1 APFS -- 1.1 Introduction -- 1.2 APFS File system category -- 1.2.1 Finding the APFS container -- 1.2.2 Object header -- Object type, some examples -- Object type masks -- Object type flags -- Ephemeral Objects -- Physical Objects -- Virtual Objects -- 1.2.3 Superblocks -- 1.2.4 Checkpoint mapping -- 1.2.5 Volumes -- Finding the Volume -- Showing the Volume (APSB) -- Volume Object mapping -- 1.3 APFS Metadata Category -- 1.4 APFS File Name category -- 1.5 APFS Content Category -- 1.6 APFS Application Category -- 1.7 Comparing our results with a commercial tool -- Chapter 2 Ext4 -- 2.1 Introduction -- 2.2 Ext4 File system category -- 2.3 Superblock -- 2.3.1 Temporary data about the File system -- 2.3.2 Supported features -- Compatible features -- Incompatible features -- Read only compatible features -- 2.3.3 The group descriptor -- Universal Unique Identifier -- 2.4 Ext4 Metadata Category -- 2.4.1 The inode -- 2.4.2 User privileges and type of file -- 2.4.3 Temporary metadata describing inodes -- 2.4.4 Temporary metadata manipulations -- 2.4.5 Links count -- Blocks used by a file -- Inode flags -- Block map, Extent tree or inline data -- File version -- Operating System Descriptor 2 -- Project ID -- 2.5 Ext4 File Name category -- 2.6 Ext4 Content Category -- 2.6.1 Recovery of files -- Inode Carving using extent magic signature -- 2.6.2 Generic metadata time carving -- 2.6.3 Additional file content -- 2.7 Ext4 Application Category -- Chapter 3 The Flash-Friendly File System (F2FS) -- 3.1 Introduction -- 3.1.1 NAND (Not And) Flash Memory -- NAND flash memory -- NOR flash memory -- 3.1.2 Flash Translation Layer (FTL) -- 3.2 Flash Filesystems.
3.2.1 The Log-Structured File System (LSFS) or (LFS) -- 3.2.2 Flash-Friendly File System (F2FS): Enter F2FS -- 3.2.3 Wandering Tree Problem -- 3.3 On-Disk Layout of F2FS -- Sector -- Partitions -- 3.3.1 Creation of F2FS partitions with Mkfs.f2fs -- 3.3.2 F2FS on Disk -- Superblock -- Zone -- Section and Segment -- Check Point (CP) -- Segment Information Table (SIT) -- Node Address Table (NAT) -- Segment Summary Area (SSA) -- Updates to the SIT and NAT -- Shadow Copy -- Main Area -- 3.4 File Structure of F2FS -- 3.4.1 Node Structure -- 3.4.2 File Creation and Management -- Directory Structure -- 3.4.3 Fsck.f2fs Identifying Files -- 3.4.4 Metadata -- 3.4.5 Multi-Head Logging -- 3.4.6 Cleaning -- Adaptive Logging -- Roll-Back Recovery -- Important -- 3.5 Forensic Analysis -- 3.5.1 F2FS Sample Dataset -- 3.5.2 F2FS and Windows -- 3.5.3 Data-Extraction with XRY -- 3.5.4 Superblock Examination -- 3.5.5 Examine NAT, SIT & SSA with Linux -- Node Allocation Table (NAT) Data -- Show the Segment Info Table (SIT) Data -- Look inside the Segment Summary Area (SSA) Data -- Obtain a file by its node ID -- 3.5.6 Carving for artefacts with XAMN -- PNG File Signature Analysis -- 3.5.7 Node Allocation Table (NAT) Comparisons -- Additional Data Structure -- 3.6 F2FS Application fields -- 3.7 Conclusion -- Chapter 4 QNX6 -- 4.1 Introduction -- 4.2 QNX6 Filesystem Structure -- 4.2.1 Superblock -- 4.2.2 Bitmap -- 4.2.3 Inode -- 4.2.4 Directories -- 4.2.5 Long Filenames Inode -- 4.3 Example: Construction of a file -- 4.4 Deleted Files -- 4.5 Forensic Tools supporting QNX6 filesystems -- Part II Mobile File Formats -- Chapter 5 SQLite -- 5.1 Introduction -- 5.2 The SQLite File Structure -- 5.2.1 The Database Header -- 5.2.2 Storage Classes, Serial Types and Varint-Encoding -- 5.2.3 Decoding The SQLite_Master Table -- 5.2.4 Page Structure.
5.2.5 Recovering Data Records -- 5.3 Accessing The Freelist -- 5.4 More Artefacts -- 5.4.1 Temporary File Types -- 5.4.2 Rollback Journals -- 5.4.3 Write-Ahead Logs -- 5.5 Conclusions -- Chapter 6 Property Lists -- 6.1 Introduction -- 6.2 Binary plist Structure -- 6.3 Example -- 6.4 Forensic Tools Supporting plists -- 6.5 Conclusions -- Chapter 7 Java Serialization -- 7.1 Introduction -- 7.2 Object Serialization in Java -- 7.2.1 Serialization Techniques in Java -- 7.2.2 Serialization by Example -- 7.3 Java Object Serialization Protocol Revealed -- 7.4 Pitfalls and Security Issues -- 7.4.1 Hands on Serialized Objects -- 7.4.2 Beware of Gadget Chains -- 7.5 Conclusions -- Chapter 8 Realm -- 8.1 Organisation of this Chapter -- 8.2 Introduction -- 8.3 SQLite, It is Not! -- 8.3.1 Relational Databases -- 8.3.2 SQLite as a Relational Database -- 8.3.3 SQLite Schema -- 8.3.4 Temporary SQLite Files -- 8.3.5 SQLite File Format -- 8.4 How Realm Works -- 8.4.1 Realm Database Fundamentals -- 8.4.2 Common Concepts and Terminology -- Basic Object-Oriented Programming Concepts -- Top-level Objects -- Object Types -- Group -- Arrays -- 8.5 File Storage and Structures -- 8.5.1 Realm Files and Folders -- 8.5.2 The Realm File -- The Lock File -- The Management Directory -- Stateless Realm Instances -- 8.5.3 Creating Realm Test Instance -- Step 1: Launch the Task Application -- Step 2: Open a CMD Window -- Step 3: Create an Output Folder -- Step 4: Start ADB -- Step 5: Get ADB Root -- Step 6: Find the Application Data -- Step 7: Use the "pull" Command -- 8.5.4 The Realm Database File Structure -- 8.5.5 Realm File Header -- "Top Ref" Bytes 0x00 to 0x0F (d0-d15) -- "Mnemonic" Bytes 0x10 to 0x13 (d16-d19) -- "File Format" Bytes 0x14 to 0x15 (d20-d21) -- "Reserved" Byte 0x16 (d22) -- "Flags" Byte 0x17 (d23) -- 8.5.6 Realm File Arrays -- 8.5.7 Realm Array Header.
8.5.8 Checksum -- 8.5.9 Flags -- Bit Group 1: is_inner_bptree_node -- Bit Group 2: has_refs -- Bit Group 3: context_flag -- Bit Group 4: width_scheme -- Bit Group 5: width_ndx -- 8.5.10 Size -- 8.5.11 Realm Array Payload -- 8.5.12 Size Calculation Example -- 8.5.13 Array Example Header -- 8.5.14 Array Example Flags -- 8.5.15 Array Example Size -- 8.6 Conclusion -- Chapter 9 Protocol Buffers -- 9.1 Introduction -- 9.1.1 What is a Protocol Buffer? -- 9.1.2 Why are Protocol Buffers Used? -- 9.2 Using Protocol Buffers -- Messages -- Services -- The Proto File -- Define the Syntax -- Message Type -- Fields -- Scalar Values -- 9.2.1 The Schema Definition -- Field Type -- Field Names -- Enums -- Nesting -- Importing & Packages -- 9.2.2 Compiling Your Protocol Buffer -- Analysing the Python Protobuf-Code -- A 2nd Example: The FormobileChat message -- Formobilechat_pb2.py -- 9.2.3 Creation of a Protobuf with Python -- Writing the Object to a Binary File -- Remember Size = Speed -- The Raw Binary Data -- 9.2.4 Reversing Proto Buffer Messages -- Data Conversion -- Timestamp -- Pictures or other files represented by octal data -- 9.3 Practical Analysis of different Proto Buffers -- 9.3.1 Mobile Device Artifact Examples -- Example Waze Navigation App -- BASE64 Encoding -- Example: Apple Web Cache file -- Identifying Base64 Encoded Data -- 9.3.2 Yet another example: Apple Property List (PLIST) Files -- 9.3.3 Suggested Examination Process of a File -- 9.3.4 Tools -- 9.4 Conclusion -- References -- Index.
Note: Description based on publisher supplied metadata and other sources.
Note: Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
Genre: Electronic books.
Contributor: Pawlaszczyk, Dirk.
Print version: Hummert, Christian. Mobile Forensics - the File Format Handbook. Cham : Springer International Publishing AG, c2022. ISBN 9783030984663.
Corporate contributor: ProQuest (Firm)
URL: https://ebookcentral.proquest.com/lib/oeawat/detail.action?docID=6976056
ISBN: 9783030984670 (electronic); 9783030984663 (print)
Call number: QA76.9.A73 (Q - Science; QA - Mathematics)
Illustrated: Not Illustrated
work_keys_str_mv AT hummertchristian mobileforensicsthefileformathandbookcommonfileformatsandfilesystemsusedinmobiledevices
AT pawlaszczykdirk mobileforensicsthefileformathandbookcommonfileformatsandfilesystemsusedinmobiledevices
status_str n
ids_txt_mv (MiAaPQ)5006976056
(Au-PeEL)EBL6976056
(OCoLC)1315756811
carrierType_str_mv cr
is_hierarchy_title Mobile Forensics - the File Format Handbook : Common File Formats and File Systems Used in Mobile Devices.
author2_original_writing_str_mv noLinkedField
marc_error Info : Unimarc and ISO-8859-1 translations identical, choosing ISO-8859-1. --- [ 856 : z ]
_version_ 1792331062739730432
fullrecord <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>08699nam a22004213i 4500</leader><controlfield tag="001">5006976056</controlfield><controlfield tag="003">MiAaPQ</controlfield><controlfield tag="005">20240229073846.0</controlfield><controlfield tag="006">m o d | </controlfield><controlfield tag="007">cr cnu||||||||</controlfield><controlfield tag="008">240229s2022 xx o ||||0 eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9783030984670</subfield><subfield code="q">(electronic bk.)</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="z">9783030984663</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(MiAaPQ)5006976056</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(Au-PeEL)EBL6976056</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)1315756811</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">MiAaPQ</subfield><subfield code="b">eng</subfield><subfield code="e">rda</subfield><subfield code="e">pn</subfield><subfield code="c">MiAaPQ</subfield><subfield code="d">MiAaPQ</subfield></datafield><datafield tag="050" ind1=" " ind2="4"><subfield code="a">QA76.9.A73</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Hummert, Christian.</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Mobile Forensics - the File Format Handbook :</subfield><subfield code="b">Common File Formats and File Systems Used in Mobile Devices.</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">1st ed.</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Cham :</subfield><subfield code="b">Springer International Publishing AG,</subfield><subfield code="c">2022.</subfield></datafield><datafield tag="264" ind1=" " ind2="4"><subfield 
code="c">Ã2022.</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">1 online resource (276 pages)</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="a">text</subfield><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="a">computer</subfield><subfield code="b">c</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="a">online resource</subfield><subfield code="b">cr</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="505" ind1="0" ind2=" "><subfield code="a">Intro -- Preface -- Roadmap -- Scope of the Book -- Conventions Used in This Book -- Acknowledgements -- Contents -- Part I Mobile File System Formats -- Chapter 1 APFS -- 1.1 Introduction -- 1.2 APFS File system category -- 1.2.1 Finding the APFS container -- 1.2.2 Object header -- Object type, some examples -- Object type masks -- Object type flags -- Ephemeral Objects -- Physical Objects -- Virtual Objects -- 1.2.3 Superblocks -- 1.2.4 Checkpoint mapping -- 1.2.5 Volumes -- Finding the Volume -- Showing the Volume (APSB) -- Volume Object mapping -- 1.3 APFS Metadata Category -- 1.4 APFS File Name category -- 1.5 APFS Content Category -- 1.6 APFS Application Category -- 1.7 Comparing our results with a commercial tool -- Chapter 2 Ext4 -- 2.1 Introduction -- 2.2 Ext4 File system category -- 2.3 Superblock -- 2.3.1 Temporary data about the File system -- 2.3.2 Supported features -- Compatible features -- Incompatible features -- Read only compatible features -- 2.3.3 The group descriptor -- Universal Unique Identifier -- 2.4 Ext4 Metadata Category -- 2.4.1 The inode -- 2.4.2 User privileges and type of file -- 2.4.3 Temporary metadata describing inodes -- 2.4.4 Temporary metadata manipulations -- 2.4.5 Links count -- Blocks used by a file -- Inode flags -- Block map, Extent tree or 
inline data -- File version -- Operating System Descriptor 2 -- Project ID -- 2.5 Ext4 File Name category -- 2.6 Ext4 Content Category -- 2.6.1 Recovery of files -- Inode Carving using extent magic signature -- 2.6.2 Generic metadata time carving -- 2.6.3 Additional file content -- 2.7 Ext4 Application Category -- Chapter 3 The Flash-Friendly File System (F2FS) -- 3.1 Introduction -- 3.1.1 NAND (Not And) Flash Memory -- NAND flash memory -- NOR flash memory -- 3.1.2 Flash Translation Layer (FTL) -- 3.2 Flash Filesystems.</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">3.2.1 The Log-Structured File System (LSFS) or (LFS) -- 3.2.2 Flash-Friendly File System (F2FS): Enter F2FS -- 3.2.3 Wandering Tree Problem -- 3.3 On-Disk Layout of F2FS -- Sector -- Partitions -- 3.3.1 Creation of F2FS partitions with Mkfs.f2fs -- 3.3.2 F2FS on Disk -- Superblock -- Zone -- Section and Segment -- Check Point (CP) -- Segment Information Table (SIT) -- Node Address Table (NAT) -- Segment Summary Area (SSA) -- Updates to the SIT and NAT -- Shadow Copy -- Main Area -- 3.4 File Structure of F2FS -- 3.4.1 Node Structure -- 3.4.2 File Creation and Management -- Directory Structure -- 3.4.3 Fsck.f2fs Identifying Files -- 3.4.4 Metadata -- 3.4.5 Multi-Head Logging -- 3.4.6 Cleaning -- Adaptive Logging -- Roll-Back Recovery -- Important -- 3.5 Forensic Analysis -- 3.5.1 F2FS Sample Dataset -- 3.5.2 F2FS andWindows -- 3.5.3 Data-Extraction with XRY -- 3.5.4 Superblock Examination -- 3.5.5 Examine NAT, SIT &amp;amp -- SSA with Linux -- Node Allocation Table (NAT) Data -- Show the Segment Info Table (SIT) Data -- Look inside the Segment Summary Area (SSA) Data -- Obtain a file by it's node ID -- 3.5.6 Carving for artefacts with XAMN -- PNG File Signature Analysis -- 3.5.7 Node Allocation Table (NAT) Comparisons -- Additional Data Structure -- 3.6 F2FS Application fields -- 3.7 Conclusion -- Chapter 4 QNX6 -- 4.1 Introduction -- 4.2 QNX6 Filesystem Structure -- 
4.2.1 Superblock -- 4.2.2 Bitmap -- 4.2.3 Inode -- 4.2.4 Directories -- 4.2.5 Long Filenames Inode -- 4.3 Example: Construction of a file -- 4.4 Deleted Files -- 4.5 Forensic Tools supporting QNX6 filesystems -- Part II Mobile File Formats -- Chapter 5 SQLite -- 5.1 Introduction -- 5.2 The SQLite File Structure -- 5.2.1 The Database Header -- 5.2.2 Storage Classes, Serial Types and Varint-Encoding -- 5.2.3 Decoding The SQLite_Master Table -- 5.2.4 Page Structure.</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">5.2.5 Recovering Data Records -- 5.3 Accessing The Freelist -- 5.4 More Artefacts -- 5.4.1 Temporary File Types -- 5.4.2 Rollback Journals -- 5.4.3 Write-Ahead Logs -- 5.5 Conclusions -- Chapter 6 Property Lists -- 6.1 Introduction -- 6.2 Binary plist Structure -- 6.3 Example -- 6.4 Forensic Tools Supporting plists -- 6.5 Conclusions -- Chapter 7 Java Serialization -- 7.1 Introduction -- 7.2 Object Serialization in Java -- 7.2.1 Serialization Techniques in Java -- 7.2.2 Serialization by Example -- 7.3 Java Object Serialization Protocol Revealed -- 7.4 Pitfalls and Security Issues -- 7.4.1 Hands on Serialized Objects -- 7.4.2 Beware of Gadget Chains -- 7.5 Conclusions -- Chapter 8 Realm -- 8.1 Organisation of this Chapter -- 8.2 Introduction -- 8.3 SQLite, It is Not! 
-- 8.3.1 Relational Databases -- 8.3.2 SQLite as a Relational Database -- 8.3.3 SQLite Schema -- 8.3.4 Temporary SQLite Files -- 8.3.5 SQLite File Format -- 8.4 How Realm Works -- 8.4.1 Realm Database Fundamentals -- 8.4.2 Common Concepts and Terminology -- Basic Object-Oriented Programming Concepts -- Top-level Objects -- Object Types -- Group -- Arrays -- 8.5 File Storage and Structures -- 8.5.1 Realm Files and Folders -- 8.5.2 The Realm File -- The Lock File -- The Management Directory -- Stateless Realm Instances -- 8.5.3 Creating Realm Test Instance -- Step 1: Launch the Task Application -- Step 2: Open a CMD Window -- Step 3: Create an Output Folder -- Step 4: Start ADB -- Step 5: Get ADB Root -- Step 6: Find the Application Data -- Step 7: Use the "pull" Command -- 8.5.4 The Realm Database File Structure -- 8.5.5 Realm File Header -- "Top Ref" Bytes 0x00 to 0x0F (d0-d15) -- "Mnemonic" Bytes 0x10 to 0x13 (d16-d19) -- "File Format" Bytes 0x14 to 0x15 (d20-d21) -- "Reserved" Byte 0x16 (d22) -- "Flags" Byte 0x17 (d23) -- 8.5.6 Realm File Arrays -- 8.5.7 Realm Array Header.</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">8.5.8 Checksum -- 8.5.9 Flags -- Bit Group 1: is_inner_bptree_node -- Bit Group 2: has_refs -- Bit Group 3: context_flag -- Bit Group 4: width_scheme -- Bit Group 5: width_ndx -- 8.5.10 Size -- 8.5.11 Realm Array Payload -- 8.5.12 Size Calculation Example -- 8.5.13 Array Example Header -- 8.5.14 Array Example Flags -- 8.5.15 Array Example Size -- 8.6 Conclusion -- Chapter 9 Protocol Buffers -- 9.1 Introduction -- 9.1.1 What is a Protocol Buffer? -- 9.1.2 Why are Protocol Buffers Used? 
-- 9.2 Using Protocol Buffers -- Messages -- Services -- The Proto File -- Define the Syntax -- Message Type -- Fields -- Scalar Values -- 9.2.1 The Schema Definition -- Field Type -- Field Names -- Enums -- Nesting -- Importing &amp; Packages -- 9.2.2 Compiling Your Protocol Buffer -- Analysing the Python Protobuf-Code -- A 2nd Example The FormobileChat message -- Formobilechat_pb2.py -- 9.2.3 Creation of a Protobufs with Python -- Writing the Object to a Binary File -- Remember Size = Speed -- The Raw Binary Data -- 9.2.4 Reversing Proto Buffer Messages -- Data Conversion -- Timestamp -- Pictures or other files represented by octal data -- 9.3 Practical Analysis of different Proto Buffers -- 9.3.1 Mobile Device Artifact Examples -- Example Waze Navigation App -- BASE64 Encoding -- Example: Apple Web Cache file -- Identifying Base64 Encoded Data -- 9.3.2 Yet another example: Apply Property List (PLIST) Files -- 9.3.3 Suggested Examination Process of a File -- 9.3.4 Tools -- 9.4 Conclusion -- References -- Index.</subfield></datafield><datafield tag="588" ind1=" " ind2=" "><subfield code="a">Description based on publisher supplied metadata and other sources.</subfield></datafield><datafield tag="590" ind1=" " ind2=" "><subfield code="a">Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries. 
</subfield></datafield><datafield tag="655" ind1=" " ind2="4"><subfield code="a">Electronic books.</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Pawlaszczyk, Dirk.</subfield></datafield><datafield tag="776" ind1="0" ind2="8"><subfield code="i">Print version:</subfield><subfield code="a">Hummert, Christian</subfield><subfield code="t">Mobile Forensics - the File Format Handbook</subfield><subfield code="d">Cham : Springer International Publishing AG,c2022</subfield><subfield code="z">9783030984663</subfield></datafield><datafield tag="797" ind1="2" ind2=" "><subfield code="a">ProQuest (Firm)</subfield></datafield><datafield tag="856" ind1="4" ind2="0"><subfield code="u">https://ebookcentral.proquest.com/lib/oeawat/detail.action?docID=6976056</subfield><subfield code="z">Click to View</subfield></datafield></record></collection>