A course teaching the forensic analysis of social media applications in iOS using open source tools and methods (meaning no commercial tools are required to complete this course).
The focus of the course is on the analysis of an iPhone backup with the goal of extracting forensic artefacts related to social media applications (Facebook, Facebook Messenger, WhatsApp and Instagram). It will also include Python scripting to process and manipulate plist files, as well as using SQL queries to extract interesting data in a correct context from the applications’ databases.
This course will teach you how to obtain a backup of an iPhone, how to find interesting locations within that backup, and how to automate these processes using Python & SQL.
You don’t need an iPhone to take this course. All tasks can be performed on Mac, Windows, or a Linux distro of your choice.
Why this course?
Mobile forensics is an important focus of digital forensic investigations. The quickly changing nature of mobile software requires the knowledge to be updated often.
Why take it now?
According to Apple, 2020 is the year where iPhone usage hit a significant milestone; 13 years after the release of the first iPhone, there are currently a billion active iPhones in the world.
The popularity of Apple products does not seem to fade. This means that effective and reliable extraction of forensic artefacts from iPhones is a must in every investigator’s toolbox.
Who is this course for?
Anyone wanting to dive into mobile forensics.
What skills will you gain?
- How to produce an iPhone image using iTunes (if you don’t have access to an iPhone, a backup file will be provided for you)
- How to extract and contextualise the data of interest using SQL and Python
- You will be able to extract forensic artefacts from popular social media applications such as
- Facebook Messenger
- You will be comfortable using Python to process and manipulate plist files
- At the end of the course you’ll be pointed to further work materials and resources to make sure you are able to continue with your own research.
What will you learn about?
- Overview of iPhone forensics
- You will understand the structure of an iPhone backup
- how to identify important files and data of interest in the backup
- where to look for social media artefacts in the backup
What tools will you use?
- For macOS:
DB Browser for Sqlite
- Python 3
- Text editor of choice (e.g. Atom)
COURSE IS SELF-PACED, AVAILABLE ON DEMAND
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
Main iOS version used: 14.2 (course developed late 2020/early 2021)
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What should you know before you join?
- An interest in digital forensics
- Basic familiarity with Python scripting
- (preferable) previous exposure to SQL
What will you need?
- Text editor, e.g. Atom
- SQL database viewer – e.g. DB Browser for Sqlite
- You don’t need an iPhone to take this course
If you wish to create your own iPhone backup, you will need a laptop with updated iTunes installed. However, this is not a prerequisite – you can participate in the course even if you don’t have access to an iPhone. An iPhone image will be provided.
Module 1: General introduction to mobile forensics
General introduction to mobile forensics, the practical part including creating your own image of an iPhone device and looking at the general files to identify content of interest.
An image will also be provided in case someone does not have an iPhone but still wants to participate.
- Basic principles of digital forensics (briefly)
- iPhone backup structure including main universal files of interest
- Creating images of iPhone devices
- Checklist of the setup, if all the needed tools are installed, before moving on to practical exercises
- Manipulating plists using Python
- Extracting basic artifacts from the image
Module 1 exercises:
- Create your own iPhone image [extra – an image will be provided in case you do not have access to an iPhone]
- Extract some non confidential information and fill in an open-ended quiz to prove the homework was done
- Create a script to process a plist file
Module 2: Instagram, Facebook & Facebook Messenger, WhatsApp (2 parts)
Extracting forensic artefacts from the Instagram/Facebook/Facebook Messenger/WhatsApp mobile app.
Each of the social media applications will have its own module which will include:
- Identifying files of interest connected to the particular social media application
- Learning to analyse & correlate backup data using SQL and Python
- Extract application-specific artefacts including, but not limited to:
- WhatsApp: text messages, calls, group chat memberships
- Facebook: Messenger messages, reactions, calls, activity within the Facebook application
- Instagram: direct messages, profile and account information
- Automating extraction of any attachments like text files, PDFs, images from said files
These modules will feature exercises in SQL queries and Python scripting, and to keep the course accessible I will probably create some basic introduction/revision materials for this at the very beginning of the module.
Module 2 exercises:
The students will be provided with a backup of an iPhone in order to complete homework exercises, and another one for the final exam.
The students will also be encouraged to make their own backups and experiment with them, but for the sake of privacy and ease of grading of the exercises, all homework and the exam will be based on common images.
Module 3: Common sources of artefacts such as notifications databases
There are a couple of databases and files that can potentially store forensic artefacts pertaining to all the above applications, such as the notifications database. As the last part of the course, we will take a look at these locations in the backup to make sure we get all the information that can help in our forensic investigation.
The biggest objective of this module is to practice contextualization of your findings and keep creative and ‘open minded’ when looking for artefacts.
Module 3 exercises:
As before – practical questions based on forensic work to be conducted.
A final exam will be practical. It will consist of an instructor-provided iPhone backup and a number of questions to answer by performing.a forensic analysis of the backup.
Your instructor: Kinga Kięczkowska
I work as a security engineer for a large cybersecurity vendor and live in Edinburgh, Scotland. After hours I experiment with digital forensics and blog about it at kieczkowska.com.
I studied Cybersecurity & Digital Forensics and completed my dissertation on the forensic potential of centralised thumbnail caches in macOS.
I also run the Women in Cyber Security Scotland (WiCS) meetup.
If you have any questions, please contact us at [email protected].