Surviving Digital Forensics: iOS App Forensics - chat

Learn how to deconstruct iOS apps for forensic evidence.
4.9 (8 ratings)
377 students enrolled
$50
  • Lectures 24
  • Contents Video: 2 hours
    Other: 7 mins
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion

About This Course

Published 6/2014 English

Course Description

Welcome to the Surviving Digital Forensics training series. If you deal with iPhone evidence then this class is for you. We are going to focus on learning how to deconstruct iOS third party applications. This matters because automated tools often miss this type of evidence or do not parse it properly. We first spend some time learning how the evidence is organized and which tools (free or low cost, of course!) to use. Once we are familiar with that, we will learn how to break out chat from third party apps and manually connect the dots: convert machine times and translate database values so it all makes sense and can be used as evidence. This is not that difficult to do; the whole class is about two hours, so you will be up and deconstructing in no time. Speaking of time, we will also have a special focus on bulk converting those pesky machine time values using nothing but Excel, so the next time you pull 100+ chat messages from a third party app database you can quickly translate them into UTC or your local time zone.

As with past SDF classes, the curriculum is split between a brief presentation that goes over the important points and familiarizes you with the process, and hands-on work where we learn by doing. Videos walk you through the process step by step. All the source files for testing are provided.

What are the requirements?

  • Mac or PC (Mac with PC virtual machine preferred)
  • MS Excel (optional for machine time conversion)

What am I going to get from this course?

  • Learn how third party apps store their data
  • Learn where evidence files will most likely be within the app's directories
  • Learn what tools to use to examine app data
  • Learn how to identify and interpret chat databases
  • Learn how to bulk convert epoch times into UTC or your local time
  • Learn how to bulk decode chat and call flags, such as sent, received, opened, unopened, etc.

What is the target audience?

  • Computer Forensic Analysts
  • IT Professionals
  • Students

Curriculum

Section 1: Welcome & Introduction
20:08

Before we get hands on, let's take a few moments to learn about the objects we will be working with. Once you understand how third party apps store the information we are looking for, you can apply the technique to almost any app.

Disclaimer!
1 page
Quiz #1
4 questions
Section 2: Getting setup to deconstruct!
03:40

We are going to use only low cost/no cost tools in the practical exercises. The following shows you how I set up my Windows and Mac systems for iOS app forensics.

Section 3: Textfree App Deconstruction
09:56

Let's look at the chat app we are going to be working with, Textfree. This module shows you what it looks like from a user's point of view and points out some interesting facts about it. No two chat apps are the same; however, if you can forensically deconstruct this one, you have the skills to do the same to most other chat/messaging apps.

Textfree Quiz
1 question
09:41

In this module we are going to take a closer look at the Plists associated with the app.
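Added example, not part of the course or of Textfree: a small Python reader for an app's preferences plist. It uses only the standard library's plistlib, builds a constructed sample plist (the key names are hypothetical) and flattens it into path/value pairs, descending into a nested binary plist and an NSKeyedArchiver-style archive so values a plist viewer would show only as an opaque <data> blob are brought out. Plist dates are stored in UTC, so the reader labels them as such.

```python
"""Added example (not course material): read an app's preferences plist and
flatten it, including values hidden inside nested binary plists and
NSKeyedArchiver blobs. Key names below are a constructed sample, not Textfree's.
"""
import datetime
import plistlib

UTC = datetime.timezone.utc


def build_sample_plist() -> bytes:
    """Construct a binary plist shaped like <app>/Library/Preferences/<bundle>.plist."""
    session = plistlib.dumps(                 # an NSKeyedArchiver-style archive, as
        {"$archiver": "NSKeyedArchiver",      # apps often store inside preferences
         "$version": 100000,
         "$top": {"root": plistlib.UID(1)},
         "$objects": ["$null",
                      {"token": plistlib.UID(2), "expires": 1400600000},
                      "abc123"]},
        fmt=plistlib.FMT_BINARY)
    doc = {
        "account_phone": "+15555550123",
        "last_login": datetime.datetime(2014, 5, 20, 14, 3, 7),  # plist dates are UTC
        "push_enabled": True,
        "recent_contacts": ["+15555550199", "+15555550142"],
        "session": session,                    # stored as <data>, opaque in a viewer
    }
    return plistlib.dumps(doc, fmt=plistlib.FMT_BINARY)


def unarchive(archive: dict):
    """Follow NSKeyedArchiver UID references from $top.root into plain values.
    Simplification: $class bookkeeping keys are dropped."""
    objects = archive["$objects"]

    def resolve(node):
        if isinstance(node, plistlib.UID):
            return resolve(objects[node.data])
        if isinstance(node, dict):
            return {k: resolve(v) for k, v in node.items() if not k.startswith("$")}
        if isinstance(node, list):
            return [resolve(v) for v in node]
        return node

    return resolve(archive["$top"]["root"])


def flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf, descending into nested
    plists and keyed archives so nothing stays hidden in a blob."""
    if isinstance(obj, bytes) and obj.startswith(b"bplist00"):
        obj = plistlib.loads(obj)
    if isinstance(obj, dict) and obj.get("$archiver") == "NSKeyedArchiver":
        obj = unarchive(obj)
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    elif isinstance(obj, datetime.datetime):
        yield prefix.rstrip("."), obj.replace(tzinfo=UTC).isoformat()
    else:
        yield prefix.rstrip("."), obj


def examine(blob: bytes) -> dict:
    """Parse a plist file's bytes into a flat {path: value} map for review."""
    return dict(flatten(plistlib.loads(blob)))


if __name__ == "__main__":
    for path, value in examine(build_sample_plist()).items():
        print(f"{path}: {value!r}")
```

Point it at a real file with examine(open(path, "rb").read()); XML and binary plists are handled the same way by plistlib. The UID handling needs Python 3.8 or later.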

Plist Practical
1 page
Plist Quiz
2 questions
08:58

Textfree, like some other third party apps, allows users to make calls within the app, and all of that call information is stored inside the app's own files. Let's take a closer look.

Sqlite Database Practical
1 page
What type of database is call history stored in?
1 question
03:25

iOS apps usually store dates and times as machine time. This is something your automated forensic tools normally decipher for you. Let's take a closer look at how to do it manually. I often see this as the difference between making the case and not making the case, and if your tool fails, this becomes a skill to have.

11:37

Now let's look at how these apps store messages and how to interpret the databases to turn the data into information.

Texting Evidence Practical
1 page
Texting Quiz
3 questions
01:33

Let's go through the deciphering process again but this time we will look at a different type of machine time common in iOS apps.

03:16

It is important to remember to explore other databases to make associations with the table evidence. In this module we will see how this is true with the Textfree app.
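Added example covering the three steps above (reading machine time, the second machine-time format, and making associations across tables); it is not code from the course and the schema is a constructed stand-in for a Textfree-style app, with hypothetical table and column names. The page does not name the second time format; the example assumes it is Apple's Cocoa/NSDate time (seconds since 2001-01-01), which is common in iOS app databases alongside Unix seconds and milliseconds. It surveys every table, guesses from magnitude which numeric columns hold machine time, converts them to UTC, and joins messages to the contacts table with a LEFT JOIN so a message whose contact row is missing is still reported.

```python
"""Added example (not course material): taking a chat app's SQLite database
apart with Python's standard library. The schema is a constructed stand-in for
a Textfree-style app; table and column names are hypothetical.
"""
import datetime
import sqlite3

UTC = datetime.timezone.utc
COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=UTC)     # Apple NSDate origin
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=UTC)    # WebKit/Chrome origin


def build_sample_db() -> sqlite3.Connection:
    """Constructed evidence: messages stamped in Cocoa seconds, calls in Unix ms."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, number TEXT, display_name TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, contact_id INTEGER,
                              body TEXT, created_at REAL);
        CREATE TABLE calls(id INTEGER PRIMARY KEY, number TEXT,
                           duration INTEGER, started_at INTEGER);
        INSERT INTO contacts VALUES (7, '+15555550199', 'Alice');
        INSERT INTO messages VALUES (1, 7, 'you around?', 422000000.0),
                                    (2, 7, 'yes', 422000061.0),
                                    (3, 9, 'who is this?', 422001000.0);
        INSERT INTO calls VALUES (1, '+15555550199', 95, 1400100000000);
    """)
    return conn


def classify_timestamp(v) -> str:
    """Guess a machine-time format from magnitude alone. Assumes evidence dated
    roughly 2004-2030, which keeps the ranges disjoint; confirm against a row
    whose real time you know (e.g. the app install date) before relying on it."""
    if v >= 1e15:
        return "webkit_us"   # microseconds since 1601-01-01 (browser/WebKit stores)
    if v >= 1e11:
        return "unix_ms"     # milliseconds since 1970-01-01
    if v >= 1e9:
        return "unix_s"      # seconds since 1970-01-01
    if v >= 1e8:
        return "cocoa_s"     # seconds since 2001-01-01 (NSDate / Core Data)
    return "unknown"         # small ints are ids, counters, durations


def to_utc(v, kind=None) -> datetime.datetime:
    """Convert one machine-time value to an aware UTC datetime."""
    kind = kind or classify_timestamp(v)
    if kind == "cocoa_s":
        return COCOA_EPOCH + datetime.timedelta(seconds=v)
    if kind == "unix_s":
        return datetime.datetime.fromtimestamp(v, tz=UTC)
    if kind == "unix_ms":
        return datetime.datetime.fromtimestamp(v / 1000, tz=UTC)
    if kind == "webkit_us":
        return WEBKIT_EPOCH + datetime.timedelta(microseconds=v)
    raise ValueError(f"cannot convert {v!r} as {kind}")


def q(ident: str) -> str:
    """Quote an identifier read from sqlite_master; never splice it in raw."""
    return '"' + ident.replace('"', '""') + '"'


def survey(conn) -> dict:
    """List every table's columns and flag the numeric columns whose values
    look like machine time: the 'where is the evidence' pass before reading rows."""
    out = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q(table)})")]
        guesses = {}
        for col in cols:
            row = conn.execute(
                f"SELECT {q(col)} FROM {q(table)} WHERE {q(col)} IS NOT NULL LIMIT 1"
            ).fetchone()
            if row and isinstance(row[0], (int, float)):
                kind = classify_timestamp(row[0])
                if kind != "unknown":
                    guesses[col] = kind
        out[table] = {"columns": cols, "time_columns": guesses}
    return out


def messages_with_contacts(conn) -> list:
    """Tie each message to a name by joining on contact_id. LEFT JOIN keeps
    messages whose contact row is missing instead of silently dropping them."""
    rows = conn.execute("""
        SELECT m.id, m.body, m.created_at, c.number, c.display_name
        FROM messages m LEFT JOIN contacts c ON c.id = m.contact_id
        ORDER BY m.created_at
    """)
    return [{"id": i, "body": body, "utc": to_utc(ts, "cocoa_s").isoformat(),
             "number": number, "name": name or "(no contact row)"}
            for i, body, ts, number, name in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(survey(db))
    for r in messages_with_contacts(db):
        print(r)
```

For a real case, replace ":memory:" with the path to a copy of the app's database and work from the survey() output: a column it flags as unix_ms in one table and cocoa_s in another is exactly the situation the two machine-time modules above describe, and the join is the cross-table association the last module calls for.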

Section 4: Bulk decoding machine time using MS Excel
02:01

Exporting tables out of a database is fairly straightforward, but there are a few things to keep in mind in order to make life easier later. This module walks you through the process. Don't forget to download the attached document; it goes over all the steps we do in this section.

08:49

This section shows you the formula for bulk converting epoch time.

05:46

This section shows you the formula for bulk converting epoch time.

Time Conversion Practical
1 page
07:51

This section shows you the formula to bulk convert database flags.

Flag Conversion Practical
1 page
02:09

Let's take a closer look at that call log database and figure out a way to convert the machine time using MS Excel.

03:39

Let's take a closer look at that call log database and figure out a way to convert the machine time using MS Excel.

Epoch Quiz
2 questions
09:29

The flag conversion in this database is more complicated to write out, but typical of what you are tasked to do in manual app forensics. Let me walk you through the formula and then you can try it on your own.
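Added example for this section's bulk-conversion workflow (machine time and flags over an exported table); it is not the course's Excel material and SAMPLE_CSV is a constructed export with hypothetical column names and assumed flag meanings. It does in Python what the Excel formulas do: add a UTC and a local-time column beside each machine-time column and a label beside each flag column, handling a simple lookup flag (direction) and a packed bitmask flag (flags) where several meanings share one number. Two caveats a report should survive: an empty or zero timestamp means "never" rather than 1970, and a flag value you have no meaning for is written out as UNDECODED instead of being silently dropped.

```python
"""Added example (not from the course): the Section 4 bulk-conversion workflow
in Python instead of Excel. SAMPLE_CSV is a constructed table export; the
column names and the flag meanings are assumptions, not Textfree's real schema.
"""
import csv
import datetime
import io

UTC = datetime.timezone.utc
# epoch origin and divisor for each machine-time format; the examiner decides
# which one applies to a column (Section 3), the converter just applies it
EPOCHS = {
    "unix_s":  (datetime.datetime(1970, 1, 1, tzinfo=UTC), 1),
    "unix_ms": (datetime.datetime(1970, 1, 1, tzinfo=UTC), 1000),
    "cocoa_s": (datetime.datetime(2001, 1, 1, tzinfo=UTC), 1),   # Apple NSDate origin
}

# Constructed export, as produced by a SQLite viewer's "export table to CSV".
SAMPLE_CSV = """id,number,body,direction,flags,created_at
1,+15555550199,you around?,0,6,1400100000
2,+15555550199,yes,1,3,1400100061
3,+15555550142,call me,0,0,1400103600
4,+15555550142,(draft),5,12,
"""

# Flag meanings are worked out by correlating rows with what the app UI shows;
# these values are assumed for the sample.
DIRECTION = {0: "received", 1: "sent"}
FLAG_BITS = {1: "sent", 2: "delivered", 4: "read"}

# A fixed offset keeps the sample self-contained; for casework use
# zoneinfo.ZoneInfo("America/New_York") so DST is handled per row.
LOCAL_TZ = datetime.timezone(datetime.timedelta(hours=-4), "UTC-4")


def decode_lookup(table):
    """Map a single-valued flag to its label; unknown values stay visible."""
    def decode(v):
        return table.get(v, f"UNDECODED({v})")
    return decode


def decode_bits(bit_names):
    """Decode a packed bitmask into 'a|b|c'; bits we have no name for are
    reported rather than silently dropped."""
    known = sum(bit_names)
    def decode(v):
        names = [name for bit, name in bit_names.items() if v & bit]
        if v & ~known:
            names.append(f"UNDECODED(0x{v & ~known:x})")
        return "|".join(names) or "none"
    return decode


def convert_export(text, time_columns, flag_columns, local_tz):
    """Add <col>_utc / <col>_local next to each machine-time column and
    <col>_label next to each flag column, keeping the raw values for the report."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        new = dict(row)
        for col, kind in time_columns.items():
            origin, divisor = EPOCHS[kind]
            raw = row[col]
            if raw in ("", "0"):              # NULL or zero means "never", not 1970/2001
                new[col + "_utc"] = new[col + "_local"] = ""
                continue
            dt = origin + datetime.timedelta(seconds=float(raw) / divisor)
            new[col + "_utc"] = dt.isoformat()
            new[col + "_local"] = dt.astimezone(local_tz).isoformat()
        for col, decode in flag_columns.items():
            new[col + "_label"] = decode(int(row[col]))
        out.append(new)
    return out


def write_csv(rows) -> str:
    """Serialise the converted rows back to CSV for the report or a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def run_sample():
    return convert_export(
        SAMPLE_CSV,
        time_columns={"created_at": "unix_s"},
        flag_columns={"direction": decode_lookup(DIRECTION),
                      "flags": decode_bits(FLAG_BITS)},
        local_tz=LOCAL_TZ,
    )


if __name__ == "__main__":
    print(write_csv(run_sample()))
```

The same arithmetic in Excel, for a Unix-seconds value in A2, is =A2/86400+DATE(1970,1,1) with the cell formatted as date/time (use DATE(2001,1,1) for Cocoa time and divide by 86400000 for milliseconds); add the offset as a fraction of a day, e.g. -4/24, for local time, and a lookup such as =IF(D2=1,"sent","received") for a simple flag. Whatever the tool, keep the raw machine-time and flag columns beside the converted ones so the conversion can be re-checked.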

Last Practical
1 page
Section 5: Conclusion
01:23

Thanks for joining me in another edition of the Surviving Digital Forensics series!

Check out other classes of the SDF series at http://sumuri.com/training/surviving-digital-forensics/

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at http://sumuri.com/about/news/

Check out our Youtube channel https://www.youtube.com/user/SumuriNews


Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
