Category Archives: iOS

How the Grinch stole Apple Maps artifacts… or did he just hide them?

Happy Holidays everyone! Tis the time to be relaxing with family or just sitting in your office writing a blog. 🙂 This post is brought to you thanks to a FOR585 Advanced Smartphone Forensic alumni who could not locate an artifact he learned about in class. This artifact is tied to Apple Maps on iOS devices. The file of interest is the GeoHistory.mapsdata, which was introduced with iOS 8 and has been tracking the Apple Maps data since.  This file replaced the legacy history.mapsdata file. This file was required for examination in his case. When he couldn’t find it, he reached out and sent me on a frenzy of testing. Since his question arrived in my inbox, I have been obsessed with figuring out what the “Grinch” did with it.

What I tested (thank you to my brave family and friends for letting me dump your phones for this research):

*Note: Some of the devices below are syncing with iCloud and some are not. I wanted to be thorough and make sure that the Grinch didn’t take the file to the cloud…

  • iPhone 6s with a fresh install of 10.0.2
  • iPhone 7 updated from previous iOS versions running 10.0.2
  • iPhone 6s updated from previous iOS versions running 10.0.2
  • iPhone 7 updated from previous iOS versions running 10.2
  • iPhone 6s with a fresh install of 9.3 – jailbroken
  • iPhone 6s+ with a fresh install of 10.1.1
  • iPhone 6 updated from previous iOS versions running 10.1.1
  • iPhone 6s+ updated from previous iOS versions running 10.2
  • iPhone 7 updated from previous iOS versions running 10.1.1

For each of these devices, I opened Apple Maps and searched for items I could easily identify:

  • Radio City Music Hall, NYC
  • Malvern Buttery

Additionally, I sent my mother in law to the grocery store and had her literally use Apple Maps on her iPhone 6 running 10.1.1 to ensure the data would “stick.”

Once all data was populated, I conducted both iTunes backups, Cellebrite Physical Analyzer File System dumps (Methods 1 and 2 for non-jailbroken devices, Method 3 for jailbroken devices, and Method 1 for devices running 10.2) and BlackLight for acquisition of the data. I tried parsing the data dumps in BlackLight, Oxygen Detective, Magnet IEF, Cellebrite Physical Analyzer and manual examination to ensure I wasn’t overlooking something. I pulled my own cloud data with Elcomsoft and searched for the file in those backups with some luck – wait for that at the end.

When I manually examined the file system of the backups, I started to see major inconsistencies. The GeoHistory.mapsdata file was sometimes present and sometimes not. The history.mapsdata file was there no matter what.  Based upon my experience with iOS device forensics, it seems that when Apple no longer uses a file, the file persists and is no longer updated. When Apple wants to protect a file, they encrypt it and/or make it inaccessible without a full physical image, which is currently not possible on new devices without a jailbreak.

Below is a list of the phones from above showing which devices presented access to the GeoHistory.mapsdata file. (Note: Additional testing was done by Sarah Edwards and Lee Crognale on their devices to confirm my findings – thanks a ton ladies.)

  • iPhone 6s with a fresh install of 10.0.2 – GeoHistory.mapsdata was present and contained Apple Maps data
  • iPhone 7 updated from previous iOS versions running 10.0.2 – NO GeoHistory.mapsdata
  • iPhone 6s updated from previous iOS versions running 10.0.2 – GeoHistory.mapsdata was present and contained Apple Maps data
  • iPhone 7 updated from previous iOS versions running 10.2 – NO GeoHistory.mapsdata 
  • iPhone 6s with a fresh install of 9.3 – jailbroken – GeoHistory.mapsdata was present and contained Apple Maps data
  • iPhone 6s+ with a fresh install of 10.1.1 – NO GeoHistory.mapsdata
  • iPhone 6 updated from previous iOS versions running 10.1.1 – NO GeoHistory.mapsdata
  • iPhone 6s+ updated from previous iOS versions running 10.2 – NO GeoHistory.mapsdata
  • iPhone 7 updated from previous iOS versions running 10.1.1 – NO GeoHistory.mapsdata

Here are some examples of what I was expecting to see:

Example 1: An iPhone that has been updated to iOS 10+.  We know it has been updated because we see the historical History.mapsdata file as well as the GeoHistory.mapsdata.

Example 2: Examining the Hex of the GeoHistory.mapsdata. Below we can see my search for Malvern Buttery.

Example 3: What the data may look like – NOT GOOD! While the file, History.mapsdata, contains legacy searches in Apple Maps, it does not contain any data since iOS 8.

Continuous searching for locations that I populated in Apple Maps lead to two files that seemed to store the most recent search conducted and manual location entry in Apple Maps, but lacked additional artifacts.  The first is /mobile/Applications/group.com.apple.Maps/Library/Preferences/group.com.apple.Maps.plist.  In the example below, I used Apple Maps to search for a location in Sedona, AZ. Keep in mind that this was the most recent Apple Maps search on the device at that point in time ( I was running iOS 10.1.1). Nothing I searched for after that was found in this file.

The second location was mobile/Applications/com.apple.Maps/Library/Preferences/com.apple.Maps.plist. This was the only location where I could find my search for Radio City Music Hall. There was nothing of interest other than the fact that the location was listed with a bunch of yelp reviews.

My current location was not captured, which normally occurs in the .mapsdata files. I think this plist is tracking the last search within Apple Maps where the goup.com.apple.Maps.plist seemed to save the last manual entry in Apple Maps. Again, this is an assumption which requires further testing and research.

From the device side, it seems that the Grinch has stolen the GeoHistory.mapsdata from the following devices/versions:

  • The iPhone 7 running any version starting with 10.0.2 – EVEN devices that have been updated from previous iOS versions.
  • Any iPhone running iOS 10.1.1
  • WARNING: iOS 10.2 presents us with major hurdles and potentially missing artifacts that span beyond the GeoHistory.mapsdata.  Get ready to learn ways around this… check out how it looks in Physical Analyzer below.

From the iCloud perspective. I used Elcomsoft Phone Breaker to extract my iCloud data. I had three snapshots in the cloud from two different iOS versions. (Keep in mind you need legal authority, consent or some form of permission to access cloud data.) What I found is even more confusing.

  • iPhone 7 backup from iOS 10.2 – GeoHistory.mapsdata was present but not updated with current Apple Maps data
  • iPhone 7 backup from iOS 10.1.1 – No GeoHistory.mapsdata

Not sure why the file is not present with 10.1.1 or where the Grinch put it, but I promise to keep searching.  I plan to focus research on iOS 10.2, cloud data and additional location artifacts for the FOR585 course update and will blog on findings. I may even do a SANS webcast after the baby and I get settled in (yes, I am due to have a baby in 24 days.)

In the meantime, please test on your own devices and let me know if you find where the Grinch placed this file, if that is even possible. Also, make sure you always validate your findings and your tools. I know I taught my student the right way because he was manually digging to find the truth. That’s what mobile forensics is all about even when the results are not what we expect and the artifacts we need are stolen by the mean Grinch!

I’m really hoping that 2017 brings us a new artifact that is storing this data or we find a way to access this missing file. Happy Holidays!

A glimpse of iOS 10 from a smartphone forensic perspective

I immediately installed and started using iOS 10.0.1 when the full release was available. For this testing, I used my non-jailbroken iPhone 6S and iTunes 12.4.2.4 with the addition of free and commerical tools. My intention is to share my initial thoughts on what is different in iOS 10 and what to expect when you see a device running this version. For more in depth details, analysis tips and tricks on iOS, refer to for585.com/course.

I expected major artifact location changes in iOS 10.  I based this assumption on the fact that iOS 7 to iOS 8 was drastic in artifact changes. Nothing really changed when we upgraded to iOS 9, so I assumed… I’m happy to report that upon my initial research, I haven’t found drastic changes for most files of interest. I plan to keep digging here, just to be sure. As capabilities increase, we know that log files and usage artifacts are left on the device. These need to be researched further.

One major change I have noticed is with the structure of the iOS device backup. Below is an example of the new file structure.

backup_structure

A few things of interest:

  1. The Manifest.mbdb is now a SQLite database file – Manifest.db
  2. Instead of seeing all of files or “strings of letters” representing backup file contents, you now have folders containing these files, as shown above in the boxed area.

Once I had my backup, I starting digging through the files and panicked!  Everything of interest appeared to be encrypted. This includes simple things like contacts, call logs, SMS and locations pulled from Apple maps.  I frantically sent a Tweet seeing if this is what others were seeing and heard nothing. My tools all flopped. After the panic subsided, I decided to launch iTunes and take a look at my settings. Here is what I saw… The pesky box to Encrypt iPhone backup was checked even though I have been backing up to iCloud for as long as I can remember. Good think I remembered the password.

itunes_issue

I was confused by this for several reasons. One, most of the commercial tools prompt you to enter a backup password and decode the data when this setting is enabled. Also, encrypting a backup and knowing the password provides us additional access to data – not blocks us from it!  What could be going wrong? Could it be examiner error? Next, I did what most examiners would do and attempted to force my tools to parse this image. I launched UFED Physical Analyzer, IEF and BlackLight and entered the password (don’t worry, my passwords are much stronger than this, but I used a “dummy” one for this example.)

ufed-pw_prompt

To my surprise, all of the databases of interest were still encrypted even after I asked the tool to decrypt my data with the correct passcode. To my dismay, nothing of interest was parsed, other than the Info.plist and Manifest.plist files. Even the Manifest.db was encrypted. Below you can see that the file system was parsed and accessible, but the databases and files of interest were encrypted, so this isn’t very helpful.

encrypted_backup

(Once opened, the History.db looked like this)

encrypted_safari

So now what? If you know the user’s backup password or can crack it, the password can be removed in iTunes. I tried this and then backed my phone up again.

First, I launched iTunes and unchecked the box for Encrypt iPhone Backup. I correctly entered my password.

itunes1

The encryption was removed.

itunes2

When I loaded this unencrypted version of my iOS backup file into forensic tools, some crashed, but I did have success in others.  The first think I noticed was that the Manifest.db was no longer encrypted.

manifest

This gave me hope. I started examining the files that were previously encrypted within the iOS backup and found that they too, were accessible. Below, the CallHistory.storedata shows my call logs. When I initially created my backup, this file, like the Safari History.db, was encrypted!

callhistory

I have reported these issues and concerns to the vendors and they are working on the issue. Here are some things they provided me in the meantime.

  1. Do not update to the latest version of iTunes if you are creating backups as forensic images. It causes issues.
  2. Do not select to “Encrypt” the backup in Physical Analyzer when obtaining an Advanced Logical Extraction. That too will render your data encrypted.
  3. Hope that the user never used iTunes encryption!

If you come across an encrypted iOS backup file, try to crack it. Personally, I rely on Elcomsoft tools to handle this.  If you crack the password, you will manually have to remove the iTunes restriction and back the data up again until the tools adapt to handle iOS 10 backup file encryption.

In the meantime, practice on your own device and sign up for FOR585 Advanced Smartphone Forensics, where we cover topics like bypassing encryption and cover the cool artifacts of iOS. Happy iOS hunting!

for585.com/course

GASF

Can’t Crack into that iOS device?

Good afternoon everyone! One of the most common questions I get is in regards to accessing locked iOS devices. My first response is always, “it depends.” Anyone who conducts smartphone forensics on a regular basis knows that nothing is consistent and that there always seems to be a way around a hurdle, but that is not always true when dealing with iOS.

For newer 64-bit iOS devices, if they are locked and you don’t have access to the passcode, the pairing/lockdown file and the device is not jailbroken, you are going to have a hard time successfully getting into the device.  I recommend trying all tools available to you, just to make sure you have tried everything! Elcomsoft provides physical support for jailbroken 64-bit devices, and it may work for you, so try it if you have access to the tool. Or ask for a demo! You never know when it may be your lucky day.

Before researching your options, you have to know the version on the device, if you don’t know the version, you can obtain in on a Mac by using libimobiledevice from http://www.libimobiledevice.org/ and running ideviceinfo.  This method will work on locked iOS devices, enabling the examiner to identify the iOS version they are facing on the device.  Simply follow these steps:

  1. Launch Terminal

2.  Type the  command below to create the libimobiledevice-macosx directory on the user’s desktop and place the libimobiledevice command-line tools into it.

$ git clone https://github.com/benvium/libimobiledevice-macosx.git~/Desktop/libimobiledevice-macosx/

3.  Navigate to the libimobiledevice-macosx directory, as follows:

$ cd ~/Desktop/libimobiledevice-macosx/

4.  Create and edit the .bash_profile file using the nano command, as follows:

$ nano ~/.bash_profile

5.  Add the following two lines to the .bash_profile file, as follows:

export DYLD_LIBRARY_PATH=~/Desktop/libimobiledevice-
macosx/:$DYLD_LIBRARY_PATH

PATH=${PATH}:~/Desktop/libimobiledevice-macosx/

6.  Press Ctrl + X, y and hit Enter

7.  Return to the terminal and run the following command:

$ source ~/.bash_profile

Your device information will be displayed. 🙂

On a Windows platform (version 7 or later), simply plug the iOS device into a PC that does not have iTunes installed and follow these steps:

  1. Plug the iOS device into the PC

2.  Go to My Computer

3.  Right click on the iOS device

4.  Select Properties

apple

 

 

 

 

 

 

 

 

 

Today, Dylan Dorow, kindly shared some useful cheat-sheets on what’s currently possible for locked iOS devices.  They are attached below and are available for download in my Reading Room. These are extremely useful when trying to decide what is possible for accessing a locked iOS device.

iDevice_Make_Model_and_iOS_version iOS_Device_Bypass_WorkFlow

Good luck cracking those devices! And make sure you stay current on what the tools are capable of supporting because it changes quickly!

What are your forensic tools really good at?

Happy Saturday everyone! Several of my SANS FOR585 students have asked me to document my opinions on what tools I like and how I find them to be helpful. Again, I am not including every single tool out there or highlighting all of their capabilities, so if one is missing that you find useful, please post in the comments. This is simply a quick blog to highlight what has helped me in the past 6+ months.

I am not going to dive too deep into acquisition. There are so many tools and methods available that most people can figure out a way to get the data. I recommend you always get a physical dump and logical or backup to help you parse the data. Pick your poison on obtaining the data (Cellebrite, MSAB, Lantern, Blacklight, ViaExtract, flasher boxes…. it goes on and on). Each tool has their pros and cons and it’s a bad idea to only have one tool in your toolbox. Smartphones are beasts and security is getting stronger. Make sure you test your tools and test them often. Don’t let one hurdle knock you down. Try to trick your tool into working for you if needed.

I think the easiest way to write this blog is to include highlights and then touch on them. What is your tool really good for based upon my experience:

Commercial Solutions (Not in any particular order):

  • IEF Mobile – Great for Internet evidence and parsing 3rd party application data. One of the best iOS app parsers out there.
  • Physical Analyzer – Probably the best analytical platform out there specific to smartphone tools. It doesn’t parse everything, but it gives us a platform for analysis where we can make it find the evidence with some manual carving and hex searches.  Best physical search feature for locating data in raw hex.
  • MSAB XRY/XACT – One of the only tools that provides access to the raw files during a logical acquisition. Guess what, to recover data that the tools don’t parse you need the raw files. This tool give you access to them!
  • Lantern – Great Facebook app support. Seems to parse more data than the others on specific iOS devices.
  • Blacklight – Great tool that can run on a Mac! Great support for iOS devices. Haven’t you heard that you should examine a Mac with a Mac? A wise examiner once told me that and it still resonates with me.
  • Mobilyze – Best triage tool for iOS and Android.
  • MPE+ – The SQLite builder is a great feature when manually examining databases from 3rd party apps.
  • Oxygen – The best tool for BlackBerry. Acquires the event log and provides a secure way to create a BB backup file. Also counts out all those nasty little databases for you. I also like how Oxygen parses 3rd Party Apps.

Open Source and Other Solutions (Not in any particular order):

  • Andriller – This is one of my new favorites. This tool can crack passcodes and provides parsers for iOS, Android and Windows 3rd Party Application files. Free for LE and well worth it for everyone else. The fee is small the results are huge! https://andriller.com/
  • Now Secure CE (used to be ViaExtract CE) – Andrew Hoog was kind to release this awesome tool. It provides acquisition support for free! Parsers are pretty kick-ass too. Check it out. https://www.nowsecure.com/forensics/community/
  • Sanderson Forensics tools – Great SQLite support! The SQLite Forensic Toolkit is so useful in recovering deleted data and for converting those pesky timestamps. http://www.sandersonforensics.com/forum/content.php
  • Parsers developed by the community. Mari DeGrazia (http://az4n6.blogspot.com/)and Adrian Leong (http://cheeky4n6monkey.blogspot.com/) are rockstars and often give back by developing scripts to help us sift through application and smartphone data. Check out their blogs to see what has been helping us sift through the massive amounts of data.
  • Autopsy – The Android Analyzer module supports parsing commonly missed items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. http://sleuthkit.org/autopsy/

I am sure I have forgotten to give credit to some where it’s due, so I am requesting that you help me out. What tools really help you and how? Is there one that is strong with Base64 decoding? What about the double Base64? Don’t know what that means??? Take FOR585 and Cindy Murphy and I will teach you.  If you need more references on how to use the tools and the open source/free solutions, read the following books:

Practical Mobile Forensics

Learning Android Forensics

Learning iOS Forensics

Good luck and keep digging in that Hex! The data is there and it’s your job to find it.

Has the smartphone finally outsmarted us?

I originally posted this on the SANS blog, but figured I would share below as well. Special thanks to Cindy Murphy, Adrian Leong, Maggie Gaffney, Shafik Punja, JoAnne Gibb, Brian McGarry and the Cellebrite developers who worked tirelessly on the WP8 device discussed in this blog!

Has the smartphone finally outsmarted us?

I can honestly say that the most common question I am asked by examiners, investigators, students and even my neighbors is, “which phone is the most secure?” Obviously, the concern behind the question varies. Some want to secure their own device, and others, like myself, want to prove everyone in DFIR wrong by cracking into the toughest and most secure devices.

Smartphone security has gotten drastically stronger in 2014. This year, we are expecting even more challenges when examining smartphones. When thinking about the forensic aspects of smartphone security and encryption, we have to consider two things:

  1. How are we going to get access to the data?
  2. Even if we get a dump of the device, can we decrypt and examine the data?
  3. What happens if I can access the data, but the application data is encrypted?

Let’s look at a few devices to consider our options. First, Windows Phone 8 (WP8) brought us new issues that commercial forensic kits could not fully support. The good news is that these devices only comprise approximately 2.5% of the smartphone market. The bad news – criminals still use them! My co-author for FOR585, Cindy Murphy, worked with others in DFIR to get over this hurdle when it really mattered. A criminal investigation forced Cindy into action when she realized the critical part of the crime was a Nokia 520 running WP8. Cindy essentially formed a “team” to divide and conquer on this WP8 device. They successfully obtained a JTAG image of the device and manually parsed the data. FYI, if you haven’t looked at a smartphone dump in awhile, it’s no longer just a few files you need to sift through like legacy mobile device images. You are now looking at a small hard drive of evidence needing to be manually parsed. This task alone could take a lot of patience and a really long time.

What makes WP8 devices so secure compared to the others? WP8 devices brought change that we, smartphone examiners, haven’t faced in the past. This is the first OS introduced into the smartphone community that utilized BitLocker technology to support data encryption on the device with AES 128, which utilizes a Trust Platform Module (TPM) to protect the encryption key once the data is secure. These two factors have caused heartache for us smartphone examiners who have one of these devices appear in our evidence lineup. Fortunately, Cindy and her “team” were able to obtain a physical image, bypass the encryption and parse the relevant evidence to support her criminal investigation. Their work can be found here: http://dfir.to/Win8Phone-Forensics If you haven’t read this paper, you should!

Cindy and her “team” worked directly with Cellebrite developers to provide a recent release supporting the Nokia 520 and similar WP8 devices, thus making your life easier.   In FOR585 we stress the importance on understanding how the data is stored and parsed by your tool. One tool cannot uncover and decode all data on a smartphone. It’s your job to learn the file system structures, data formats, encoding schemas and all of the other fun bit of smartphone forensics. Additionally, in Cindy’s case, one single tool did not parse or interpret all of the data from this device. The smartphone forensic tools could not handle the data dump. You will find this is true for some smartphones, so you need to understand all concepts of smartphone data. Your toolbox must contain both smartphone forensic tools as well as standard DFIR tools (yes, the same ones your learned about in FOR408 and FOR572).

Here are some cheat sheet locations where evidence on the WP8 resides (for more details on how to manually parse the data, please refer to the referenced paper, above):

SMS and Contacts:

Users\WPCOMMSERVICES\APPDATA\Local\Unistore\store.vol

MMS:

SharedData\Comms\Unistore\Data

Call Logs:

Users\WPCOMMSERVICES\APPDATA\Local\UserData\phone

Internet History and Cookies:

Users\DefApps\APPDATA\INTERNETEXPLORER\INetCahe\.

Multimedia Files:

Users\Public\Pictures\CamerRoll\.

Application data and other traces of user activity were located on this device and required manual examination, custom Python scripts and intensive reconfiguration of raw data. Keep in mind that all 3rd party applications are different, store data with different obfuscation levels and require manual parsing (aka, don’t trust your tool – be smarter than it and validate your findings).

Now let’s consider the other devices that are trying to outsmart us. BlackBerry has always been secure. Pre-paid phones have locked data ports and knock-off devices are counterfeit, so support is inconsistent. iOS devices containing the A5-A8 chips are difficult if they are locked. There are methods for bypassing the lock, such as using the host computer Lockdown files as well as attempting to crack the PIN with the IP-BOX. If the user doesn’t back up their iOS device with a computer and uses a complex passcode… let’s just say you may not be getting access to that device, unless of course it’s jailbroken and not 64-bit. So may considerations, right?

Then there is Android Lollipop, which introduced the first default full disk encryption for this OS. How this will change our methods is TBD. I suggest you sign up for a FOR585 class to see how these devices can be accessed when you seem to have been outsmarted.

When considering which SANS course to take next, consider this – smartphone operating systems contain file systems similar to those discussed in FOR408 and FOR518, but need to be handled in a unique way. What about network traffic on smartphones? Here’s something to consider that you may have learned in FOR572 that should lead you to take FOR585 next.

“This class is critical for any forensicator in 2015,” said Phil Hagen, SANS Certified Instructor and course lead for FOR572, Advanced Network Forensics and Analysis.  “One thing we focus on from the network side is to hunt for adversaries in an environment and identify which endpoints require detailed examination.  When those are workstations or servers, the analysis path is very well-established.  However, if that endpoint is a modern mobile device, a forensicator must have the skills necessary to perform a comprehensive examination.  With ’smart’ mobile devices, the techniques are often vastly different than those required for traditional computing devices.”

References:

[1] http://dfir.to/Win8Phone-Forensics

[2] Practical Mobile Forensics

Heather Mahalik serves as a PM and leads the forensic effort for Oceans Edge, Inc. She has spent over twelve years conducing computer crime investigations ranging counter-intelligence to high profile criminal investigations. She is a Certified Instructor, course lead and co-author of FOR585 Advanced Smartphone Forensics and co-author of FOR518 Mac Forensic Analysis at the SANS Institute. Heather is co-author of Practical Mobile Forensics, by Packt Publishing. Find her on Twitter @HeatherMahalik and on her personal website/blog smarterforensics.com.

Want your own copy of Practical Mobile Forensics for $5?

Hey everyone,

It’s the Holidays, so why not treat yourself to a copy of Practical Mobile Forensics? You can get the eBook for $5 until January 6th directly from Packt!  This book was designed to help both new and experienced examiners capture and analyze data from mobile devices.  Our goal was to use Open Source solutions as much as possible.  Check out the book and happy forensicating!

The link to purchase the book for $5 is

Happy Holidays!

Heather

Win A Free Copy of Packt’s Practical Mobile Forensics

I am pleased to announce that Packt Publishing is organizing a giveaway especially for you.   All you need to do is just comment below the post for a chance to win a free e-copy of Practical Mobile Forensics.  Two lucky winners will be selected.

book

Overview of Practical Mobile Forensics

  • Clear and concise explanations for forensic examinations of mobile devices
  • Master the art of extracting data, recovering deleted data, bypassing screen locks, and much more
  • The first and only guide covering practical mobile forensics on multiple platforms

How to Enter?

Simply post your expectations from this book as a comment or Tweet. You could be one of the 2 lucky participants to win the copy.

DeadLine: The contest will close on 09/25/04. Winners will be contacted by email, so be sure to use your real email address when you comment or contact me directly with it – hmahalik@smarterforensics.com.

Practical Mobile Forensics is RELEASED!

Happy Tuesday everyone. I am happy to say that Practical Mobile Forensics is officially released. http://www.packtpub.com/practical-mobile-forensics/book

This book was written by three of us hoping to guide those new to mobile forensics and those looking to branch into mobile device forensics. We provide practical methods for acquiring and analyzing data from smartphones and place an emphasis on open source tools, where possible.

Speaking of open source, the latest version of Autopsy is available and can be downloaded here: http://sourceforge.net/projects/autopsy/files/autopsy/3.1.0%20Beta%201/. This is a beta version, so your feedback is greatly appreciated.  Let me know what you think of the Android module. What is missing? Where should we focus our efforts?