Mobile Forensics

Introduction


Last updated 8 months ago

Members of civil society often suspect, with more or less justification, that they are being surveilled. Perhaps they have experienced anomalies with their computers or mobile devices, or they have reason to believe that some of their communications have been intercepted.

Technologists and first responders working in civil society are often asked to help inspect human rights defenders' devices. The purpose of this guide is to introduce a methodology that can be useful for the quick assessment of potential infections.

While the methodology introduced here is by no means sufficient to provide a definitive and conclusive assessment of whether a suspected device is clean, it can at least help identify the more obvious infections. Ultimately, it is up to your intuition and understanding of the context to determine the best recommendations to give. Hopefully this guide will help you get started doing Quick Forensics, and will provide you with the tools and techniques to start practicing and developing your skills.

Note:

  • This guide is a fork from the original guide by Security Without Borders.

  • This fork aims to keep the existing content up to date while adding the latest information.

  • This fork is currently under development. You can contribute to this text here.

Why do Quick Forensics?

Learning to perform quick forensics helps determine whether additional resources might be required or not.

Being able to extract relevant data means that in-depth investigators will not need access to the device (at least, not immediately). More people able to triage means better scalability of incident response in civil society. Researchers working on targeted threats against civil society are few, and mostly focused on publications.

The objectives

When performing quick forensics and responding to a potential compromise, we have the following broad objectives:

  1. Try to determine whether the device is indeed potentially infected.

  2. Extract sufficient data for subsequent verification, which may also be useful for further investigation (for example, to determine what type of malware infected the device).

  3. Determine what to do with the device and how to further assist its owner.