Learning Android Forensics
Book information
| Field | Value |
| --- | --- |
| Author | Oleg Skulkin |
| Publisher | Packt Publishing |
| ISBN | 9781789137491 |
| Publication date | 2018-12-28 |
| Word count | 332,000 |
| Category | Imported books, foreign-language originals, computers, networking |
Book description
A comprehensive guide to Android forensics, from setting up the workstation to analyzing key artifacts.

Key Features
- Get up and running with modern mobile forensic strategies and techniques
- Analyze the most popular Android applications using free and open source forensic tools
- Learn malware detection and analysis techniques to investigate mobile cybersecurity incidents

Book Description
Many forensic examiners rely on commercial, push-button tools to retrieve and analyze data, even though there is no tool that does either of these jobs perfectly. Learning Android Forensics will introduce you to the most up-to-date Android platform and its architecture, and provide a high-level overview of what Android forensics entails. You will understand how data is stored on Android devices and how to set up a digital forensic examination environment.

As you make your way through the chapters, you will work through various physical and logical techniques to extract data from devices in order to obtain forensic evidence. You will also learn how to recover deleted data and forensically analyze application data with the help of various open source and commercial tools. In the concluding chapters, you will explore malware analysis so that you'll be able to investigate cybersecurity incidents involving Android malware.

By the end of this book, you will have a complete understanding of the Android forensic process, you will have explored open source and commercial forensic tools, and will have basic skills of Android malware identification and analysis.

What you will learn
- Understand Android OS and architecture
- Set up a forensics environment for Android analysis
- Perform logical and physical data extractions
- Learn to recover deleted data
- Explore how to analyze application data
- Identify malware on Android devices
- Analyze Android malware

Who this book is for
If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.
Table of contents
Title Page
Copyright and Credits
Learning Android Forensics Second Edition
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation preparation
Seizure and isolation
The acquisition phase
Examination and analysis
Reporting
Challenges in mobile forensics
Android architecture
The Linux kernel
Hardware abstraction level
Android Runtime
Native C/C++ Libraries
Java API Framework
The application layer
Android security
Security at OS level through the Linux kernel
Permission model
Sample permission model in Android
Application sandboxing
SELinux in Android
Application signing
Secure inter-process communication
Binder communication model
Android hardware components
Core components
Central Processing Unit (CPU)
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The bootloader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
Setting up the Android Forensic Environment
Android forensic setup
Android SDK
Installing the Android SDK
Android Virtual Device
Connecting and accessing Android devices from the workstation
Identifying the correct device cable
Installing device drivers
Accessing the device
Android Debug Bridge
Using ADB to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the ADB server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
Identifying partition layout
Android file hierarchy
Overview of directories
The acct directory
The cache directory
The config directory
The data directory
The dev directory
The mnt directory
The proc directory
The sbin directory
The storage directory
The system directory
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Root access
Manual ADB data extraction
USB Debugging
Using adb shell to determine if a device is rooted
adb pull
Recovery Mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Helium backup extractions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Voice
Trusted Location
Trusted Device
On-body Detection
General bypass information
Removing Android lock screens
Removing PIN/password with ADB
Removing PIN/Password with ADB and SQL
Android SIM card extractions
Acquiring SIM card data
SIM Security
SIM cloning
Summary
Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Extracting data physically with Magnet ACQUIRE
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Summary
Recovering Deleted Data from an Android Device
Data recovery overview
How can deleted files be recovered?
Recovering deleted data from SD cards
Recovering deleted records from SQLite databases
Recovering deleted data from internal memory
Recovering deleted data using file carving
Summary
Forensic Analysis of Android Applications
Application analysis overview
Why do app analysis?
Layout of this chapter
Determining which apps are installed
Understanding Unix epoch time
Wi-Fi analysis
Contacts/Call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the Webkit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db
Summary
Android Forensic Tools Overview
Autopsy
Creating a case in Autopsy
Analyzing data in Autopsy
Belkasoft Evidence Center
Creating a case in Belkasoft Evidence Center
Analyzing data in Belkasoft Evidence Center
Magnet AXIOM
Creating a case in Magnet AXIOM
Analyzing data in Magnet AXIOM
Summary
Identifying Android Malware
An introduction to Android malware
Android malware overview
Banking malware
Spyware
Adware
Ransomware
Cryptomining malware
Android malware identification
Android malware identification using antivirus scanners
Android malware identification using VirusTotal
Android malware identification using YARA rules
Summary
Android Malware Analysis
Dynamic analysis of malicious Android applications
Dynamic analysis using an online sandbox
Static analysis of malicious Android applications
Unpacking Android applications
Manifest file decoding and analysis
Android application decompilation
Viewing and analyzing decompiled code
Summary
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think
