Mobile Forensics - The File Format Handbook: Common File Formats and File Systems Used in Mobile Devices
Place / Publishing House: Cham: Springer International Publishing AG, 2022, ©2022
Year of Publication: 2022
Edition: 1st ed.
Language: English
Physical Description: 1 online resource (276 pages)
Table of Contents:
- Intro
- Preface
- Roadmap
- Scope of the Book
- Conventions Used in This Book
- Acknowledgements
- Contents
- Part I Mobile File System Formats
- Chapter 1 APFS
- 1.1 Introduction
- 1.2 APFS File system category
- 1.2.1 Finding the APFS container
- 1.2.2 Object header
- Object type, some examples
- Object type masks
- Object type flags
- Ephemeral Objects
- Physical Objects
- Virtual Objects
- 1.2.3 Superblocks
- 1.2.4 Checkpoint mapping
- 1.2.5 Volumes
- Finding the Volume
- Showing the Volume (APSB)
- Volume Object mapping
- 1.3 APFS Metadata Category
- 1.4 APFS File Name category
- 1.5 APFS Content Category
- 1.6 APFS Application Category
- 1.7 Comparing our results with a commercial tool
- Chapter 2 Ext4
- 2.1 Introduction
- 2.2 Ext4 File system category
- 2.3 Superblock
- 2.3.1 Temporary data about the File system
- 2.3.2 Supported features
- Compatible features
- Incompatible features
- Read only compatible features
- 2.3.3 The group descriptor
- Universal Unique Identifier
- 2.4 Ext4 Metadata Category
- 2.4.1 The inode
- 2.4.2 User privileges and type of file
- 2.4.3 Temporary metadata describing inodes
- 2.4.4 Temporary metadata manipulations
- 2.4.5 Links count
- Blocks used by a file
- Inode flags
- Block map, Extent tree or inline data
- File version
- Operating System Descriptor 2
- Project ID
- 2.5 Ext4 File Name category
- 2.6 Ext4 Content Category
- 2.6.1 Recovery of files
- Inode Carving using extent magic signature
- 2.6.2 Generic metadata time carving
- 2.6.3 Additional file content
- 2.7 Ext4 Application Category
- Chapter 3 The Flash-Friendly File System (F2FS)
- 3.1 Introduction
- 3.1.1 NAND (Not And) Flash Memory
- NAND flash memory
- NOR flash memory
- 3.1.2 Flash Translation Layer (FTL)
- 3.2 Flash Filesystems
- 3.2.1 The Log-Structured File System (LSFS) or (LFS)
- 3.2.2 Flash-Friendly File System (F2FS): Enter F2FS
- 3.2.3 Wandering Tree Problem
- 3.3 On-Disk Layout of F2FS
- Sector
- Partitions
- 3.3.1 Creation of F2FS partitions with Mkfs.f2fs
- 3.3.2 F2FS on Disk
- Superblock
- Zone
- Section and Segment
- Check Point (CP)
- Segment Information Table (SIT)
- Node Address Table (NAT)
- Segment Summary Area (SSA)
- Updates to the SIT and NAT
- Shadow Copy
- Main Area
- 3.4 File Structure of F2FS
- 3.4.1 Node Structure
- 3.4.2 File Creation and Management
- Directory Structure
- 3.4.3 Fsck.f2fs Identifying Files
- 3.4.4 Metadata
- 3.4.5 Multi-Head Logging
- 3.4.6 Cleaning
- Adaptive Logging
- Roll-Back Recovery
- Important
- 3.5 Forensic Analysis
- 3.5.1 F2FS Sample Dataset
- 3.5.2 F2FS and Windows
- 3.5.3 Data-Extraction with XRY
- 3.5.4 Superblock Examination
- 3.5.5 Examine NAT, SIT & SSA with Linux
- Node Allocation Table (NAT) Data
- Show the Segment Info Table (SIT) Data
- Look inside the Segment Summary Area (SSA) Data
- Obtain a file by its node ID
- 3.5.6 Carving for artefacts with XAMN
- PNG File Signature Analysis
- 3.5.7 Node Allocation Table (NAT) Comparisons
- Additional Data Structure
- 3.6 F2FS Application fields
- 3.7 Conclusion
- Chapter 4 QNX6
- 4.1 Introduction
- 4.2 QNX6 Filesystem Structure
- 4.2.1 Superblock
- 4.2.2 Bitmap
- 4.2.3 Inode
- 4.2.4 Directories
- 4.2.5 Long Filenames Inode
- 4.3 Example: Construction of a file
- 4.4 Deleted Files
- 4.5 Forensic Tools supporting QNX6 filesystems
- Part II Mobile File Formats
- Chapter 5 SQLite
- 5.1 Introduction
- 5.2 The SQLite File Structure
- 5.2.1 The Database Header
- 5.2.2 Storage Classes, Serial Types and Varint-Encoding
- 5.2.3 Decoding The SQLite_Master Table
- 5.2.4 Page Structure
- 5.2.5 Recovering Data Records
- 5.3 Accessing The Freelist
- 5.4 More Artefacts
- 5.4.1 Temporary File Types
- 5.4.2 Rollback Journals
- 5.4.3 Write-Ahead Logs
- 5.5 Conclusions
- Chapter 6 Property Lists
- 6.1 Introduction
- 6.2 Binary plist Structure
- 6.3 Example
- 6.4 Forensic Tools Supporting plists
- 6.5 Conclusions
- Chapter 7 Java Serialization
- 7.1 Introduction
- 7.2 Object Serialization in Java
- 7.2.1 Serialization Techniques in Java
- 7.2.2 Serialization by Example
- 7.3 Java Object Serialization Protocol Revealed
- 7.4 Pitfalls and Security Issues
- 7.4.1 Hands on Serialized Objects
- 7.4.2 Beware of Gadget Chains
- 7.5 Conclusions
- Chapter 8 Realm
- 8.1 Organisation of this Chapter
- 8.2 Introduction
- 8.3 SQLite, It is Not!
- 8.3.1 Relational Databases
- 8.3.2 SQLite as a Relational Database
- 8.3.3 SQLite Schema
- 8.3.4 Temporary SQLite Files
- 8.3.5 SQLite File Format
- 8.4 How Realm Works
- 8.4.1 Realm Database Fundamentals
- 8.4.2 Common Concepts and Terminology
- Basic Object-Oriented Programming Concepts
- Top-level Objects
- Object Types
- Group
- Arrays
- 8.5 File Storage and Structures
- 8.5.1 Realm Files and Folders
- 8.5.2 The Realm File
- The Lock File
- The Management Directory
- Stateless Realm Instances
- 8.5.3 Creating Realm Test Instance
- Step 1: Launch the Task Application
- Step 2: Open a CMD Window
- Step 3: Create an Output Folder
- Step 4: Start ADB
- Step 5: Get ADB Root
- Step 6: Find the Application Data
- Step 7: Use the "pull" Command
- 8.5.4 The Realm Database File Structure
- 8.5.5 Realm File Header
- "Top Ref" Bytes 0x00 to 0x0F (d0-d15)
- "Mnemonic" Bytes 0x10 to 0x13 (d16-d19)
- "File Format" Bytes 0x14 to 0x15 (d20-d21)
- "Reserved" Byte 0x16 (d22)
- "Flags" Byte 0x17 (d23)
- 8.5.6 Realm File Arrays
- 8.5.7 Realm Array Header
- 8.5.8 Checksum
- 8.5.9 Flags
- Bit Group 1: is_inner_bptree_node
- Bit Group 2: has_refs
- Bit Group 3: context_flag
- Bit Group 4: width_scheme
- Bit Group 5: width_ndx
- 8.5.10 Size
- 8.5.11 Realm Array Payload
- 8.5.12 Size Calculation Example
- 8.5.13 Array Example Header
- 8.5.14 Array Example Flags
- 8.5.15 Array Example Size
- 8.6 Conclusion
- Chapter 9 Protocol Buffers
- 9.1 Introduction
- 9.1.1 What is a Protocol Buffer?
- 9.1.2 Why are Protocol Buffers Used?
- 9.2 Using Protocol Buffers
- Messages
- Services
- The Proto File
- Define the Syntax
- Message Type
- Fields
- Scalar Values
- 9.2.1 The Schema Definition
- Field Type
- Field Names
- Enums
- Nesting
- Importing & Packages
- 9.2.2 Compiling Your Protocol Buffer
- Analysing the Python Protobuf-Code
- A 2nd Example: The FormobileChat Message
- Formobilechat_pb2.py
- 9.2.3 Creation of a Protobuf with Python
- Writing the Object to a Binary File
- Remember Size = Speed
- The Raw Binary Data
- 9.2.4 Reversing Proto Buffer Messages
- Data Conversion
- Timestamp
- Pictures or other files represented by octal data
- 9.3 Practical Analysis of different Proto Buffers
- 9.3.1 Mobile Device Artifact Examples
- Example Waze Navigation App
- BASE64 Encoding
- Example: Apple Web Cache file
- Identifying Base64 Encoded Data
- 9.3.2 Yet another example: Apple Property List (PLIST) Files
- 9.3.3 Suggested Examination Process of a File
- 9.3.4 Tools
- 9.4 Conclusion
- References
- Index