
Open Access 2022 | Open Access | Book


Mobile Forensics – The File Format Handbook

Common File Formats and File Systems Used in Mobile Devices

edited by: Dr. Christian Hummert, Prof. Dr. Dirk Pawlaszczyk

Publisher: Springer International Publishing

About this book

This open access book summarizes knowledge about several file systems and file formats commonly used in mobile devices. In addition to the fundamental description of the formats, there are hints about the forensic value of possible artefacts, along with an outline of tools that can decode the relevant data.

The book is organized into two distinct parts:

Part I describes several different file systems that are commonly used in mobile devices.

· APFS is the file system that is used in all modern Apple devices including iPhones, iPads, and even Apple Computers, like the MacBook series.

· Ext4 is very common in Android devices and is the successor of the Ext2 and Ext3 file systems that were commonly used on Linux-based computers.

· The Flash-Friendly File System (F2FS) is a Linux file system designed explicitly for NAND flash memory, which is common in removable storage devices and mobile devices; it was developed by Samsung Electronics in 2012.

· The QNX6 file system is present in Smartphones delivered by Blackberry (e.g. devices that are using Blackberry 10) and modern vehicle infotainment systems that use QNX as their operating system.

Part II describes five different file formats that are commonly used on mobile devices.

· SQLite is nearly omnipresent in mobile devices with an overwhelming majority of all mobile applications storing their data in such databases.

· The second most common file format in the mobile world is the Property List, which is predominantly found on Apple devices.

· Java Serialization is a popular technique for storing object states in the Java programming language. Mobile application (app) developers very often resort to this technique to make their application state persistent.

· The Realm database format has emerged over recent years as a possible successor to the now ageing SQLite format and has begun to appear as part of some modern applications on mobile devices.

· Protocol Buffers provide a format for taking compiled data and serializing it by turning it into bytes represented in decimal values, which is a technique commonly used in mobile devices.

The aim of this book is to act as a knowledge base and reference guide for digital forensic practitioners who need knowledge about a specific file system or file format. It is also hoped to provide useful insight and knowledge for students or other aspiring professionals who want to work within the field of digital forensics. The book is written with the assumption that the reader will have some existing knowledge and understanding about computers, mobile devices, file systems and file formats.

Table of contents

Frontmatter

Mobile File System Formats

Frontmatter

Open Access

Chapter 1. APFS
Abstract
The Apple File System (APFS) has been the standard FS for Apple devices since 2017. At that time, no digital forensic tools supported it, leaving tool-dependent digital or mobile forensic investigators without the ability to investigate this file system properly. APFS was first enabled on iOS, the operating system of the iPhone, and later that same year on macOS, where it replaced the HFS+ FS. This chapter documents the important metadata structures of APFS based on state-of-the-art research, focusing on the investigative meaning of those structures.
Rune Nordvik

Open Access

Chapter 2. Ext4
Abstract
The Ext4 file system is often used by Android cell phones and by Linux distributions. As a mobile forensic expert, it is necessary to understand the structures of this file system to recover data, verify tool results, and detect anti-forensic techniques that may be present in the file system. In this chapter, we take a deep dive into topics important for an investigation. Many digital forensic tools do not recover much from the Ext4 file system [52], and therefore we show some of the most useful Ext4 recovery techniques proposed by current research.
The Ext4 file system is often used by Android operating systems and also by Linux desktop distributions [14], and it is open source. Ext4 replaces Ext2 and Ext3 but is mostly backwards compatible with them. Carrier described Ext2 and Ext3 in his book on file system forensic analysis [10], which includes information also relevant for Ext4. Fairbanks describes the Ext4 file system at a low level and from a digital forensics perspective. This chapter describes file system information important for mobile forensic investigators and other digital forensic experts.
Rune Nordvik

Open Access

Chapter 3. The Flash-Friendly File System (F2FS)
Abstract
The Flash-Friendly File System (F2FS) is used not only on removable media but also on mobile devices and elsewhere. In this chapter, we look under the hood to better understand the structure of this file system and how to recognize it. From a forensic perspective, we look for deleted files to see whether we can retrieve them.
Chris Currier

Open Access

Chapter 4. QNX6
Abstract
The QNX6 filesystem is present in smartphones delivered by Blackberry (e.g. devices that are using Blackberry 10) and in modern vehicle infotainment systems that use QNX as their operating system. In 2015, QNX as an OS was used in over 50 million vehicles [6] and can hence be considered one of the most important operating systems in the automotive world. Today's digital forensics tools don't recover a lot from this filesystem, have difficulties with different block sizes, or don't support the filesystem at all. So it's crucial for the forensic examiner to understand the principles of this filesystem. This chapter gives an overview of how the filesystem stores files and metadata, to give the examiner the chance to get the most information out of the evidence.
Conrad Meyer

Mobile File Formats

Frontmatter

Open Access

Chapter 5. SQLite
Abstract
SQLite is, without doubt, the most widely used database system worldwide at the moment. The single-file database system is used, among other things, in operating systems for cell phones such as Android, iOS or Symbian OS. On a typical smartphone, we usually find several hundred SQLite databases used by a wide variety of apps. Due to its widespread use, the database format is of particular importance in mobile forensics. It is not uncommon for a suspect to try to cover his tracks by deleting database content. Recovering deleted records from a database presents a special challenge. In this chapter, the on-disk database format of the SQLite database system is highlighted. Therefore, we take a closer look at the database header as well as the record structure on a binary level. We first examine the structure of the data. Recovery options for erased records are discussed as well. Special attention is paid to the slack areas within the database: unallocated space, the freelist, and free blocks. In this context, we discuss basic techniques for carving and acquisition of deleted data artefacts. Besides the main database format and recovery options, temporary file types such as write-ahead logs and rollback journals are analyzed as well.
Dirk Pawlaszczyk

Open Access

Chapter 6. Property Lists
Abstract
Property List files (*.plist) are a widely used data storage format in Apple software. Most system properties are stored in plists, and many apps store their configuration in plist files as well. The data held within Property Lists is regularly of high evidential value for forensic analysts, so understanding the format is essential for the forensic investigation of Apple mobile devices and computers. Not all of today's digital forensics tools recover plists properly; especially for carved or damaged plists, the support is insufficient. So the forensic examiner must understand the principles of this file format. This chapter gives an overview of the plist structure to give the examiner the knowledge to get the most information possible out of the evidence.
Christian Hummert, Georgina Louise Humphries

Open Access

Chapter 7. Java Serialization
Abstract
Java Serialization is a popular technique for storing object states in the Java programming language. In the field of mobile forensics, we come across such artefacts. App developers very often resort to this technique to make their application state persistent. Serialization is also used when transferring data over a network between two Java applications using Remote Method Invocation (RMI). In the past, there have been recurring security issues associated with this technology. Despite its importance for forensic casework, one can hardly find any literature on this topic. In this chapter, we give an insight into the binary format. For this purpose, special features of the format are presented using an example. In addition to the actual protocol structure, basic steps for acquiring such data and analyzing it are discussed. Practical hints for searching for serialized objects are given. Finally, the security issues are addressed.
Dirk Pawlaszczyk

Open Access

Chapter 8. Realm
Abstract
In this chapter, we explore some of the fundamentals of the Realm database (sometimes referred to as RealmDB or simply Realm). It is widely known within the digital forensics discipline that SQLite is the most commonly found database format within mobile device applications and even some desktop applications. Realm is a relatively new database format built as a potential replacement for SQLite as technology and applications continue to develop and evolve. At the time of writing, it is clear that the database is not as commonly found as some might have expected, but that is not to say the format will not eventually find its way into many modern apps over the coming years. To that end, we decided to research the database to provide some details of interest relating to the fundamentals behind the new format. We hope this chapter will help digital forensic examiners and investigators learn and grasp some of the basic concepts of Realm, and that any new knowledge and understanding might support and assist future research into the topic.
Phil Cobley, Ginger Geneste

Open Access

Chapter 9. Protocol Buffers
Abstract
Protocol Buffers (Protobufs) are discussed in this chapter, from creating one to analyzing the data. This serialization format, originally developed by Google, is used in various apps. We discuss creating a protocol buffer and adding data through Python step by step. This provides a better understanding of how and why protocol buffers are formed and used. We also clarify how to recognize and decode them during a forensic examination.
Chris Currier
Backmatter
Metadata
Title
Mobile Forensics – The File Format Handbook
edited by
Dr. Christian Hummert
Prof. Dr. Dirk Pawlaszczyk
Copyright year
2022
Electronic ISBN
978-3-030-98467-0
Print ISBN
978-3-030-98466-3
DOI
https://doi.org/10.1007/978-3-030-98467-0