-
A first look at iOS 18 forensics
This has been a tough year for me: my mom passed away in June, and I’m still slowly recovering from the hard blow. It’s time to start again doing what I love: researching and sharing! It’s early September and like every year, that moment is approaching when everyone who deals with mobile forensics starts to…
-
A first look at Android 14 forensics
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the major artifacts you can find on this version of the Android OS. For testing and review, I set up…
-
Analysis of Android settings during a forensic investigation
During the forensic examination of a smartphone, we sometimes need to understand some basic settings of the device. Some simple examples are: What is the name of the device? Is the “Set time automatically” option on or off? Is the “Set time zone automatically” option on or off? Is mobile data switched on or off?…
-
Has the user ever used the XYZ application? aka traces of application execution on mobile devices
A common question during a forensic investigation of a digital device is: “Has the user ever used the XYZ application?”. As always when answering this question, it is important to create and follow a solid process. In this blog post, I want to share a possible process that everyone should customize based on their needs…
-
iOS Forensics: tool validation based on a known dataset – Preamble
Hello world, it’s been a while since my last series of blog posts! But now I am ready to share with you the results of my recent research. I face many different challenges in my daily work as a digital forensics analyst, who deals mainly with mobile devices. All modern smartphones are encrypted (usually with…
-
iOS Forensics References: a curated list
Following up on my previous blog post, I decided to create a curated list of iOS Forensics References, organized by folder with specific references (links to blog posts, research papers, articles, and so on) for each interesting file. The list is available as a GitHub repository to make it easier to keep it updated. If you…
-
Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
Back in May 2019, along with my colleagues Heather Mahalik and Adrian Leong, we wrote the paper “Using Apple “Bug Reporting” for forensic purposes” and some scripts to parse data stored in Sysdiagnose logs. The paper is still available for download and, for the most part, is still accurate. But time goes on, and new…
-
Android Forensics References: a curated list
During the forensic analysis of a mobile device, we often have the need to understand the content of a specific file or folder. This is particularly true when a file or a folder is not parsed by our set of tools. Our approach is, typically, to start googling the file or folder name to check…
-
Oh no! I have a wiped iPhone, now what?
One of the most common questions I got asked during presentations and conferences is: “During a search and seizure we found a wiped iPhone, what can we do next?” First and foremost: you cannot recover data stored on the device before wiping occurred. The encryption keys you need to decrypt the data are gone forever. Full stop…
-
Is Telegram really an encrypted messaging app?
This blog is reserved for more serious things, and ordinarily I wouldn’t spend time on questions like the above. But much as I’d like to spend my time writing about exciting topics, sometimes the world requires a bit of what Brad Delong calls “Intellectual Garbage Pickup,” namely: correcting wrong, or mostly-wrong ideas that spread unchecked…