
Practical Mobile Forensics: A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms, Third Edition

By Mahalik, Satish Bommisetty
Paperback, Jan 2018, 402 pages, 3rd Edition

Introduction to Mobile Forensics

There is no doubt that mobile devices have become part of our lives and revolutionized the way we do most of our activities. As a result, a mobile device is now a huge repository that holds sensitive and personal information about its owner. This has, in turn, led to the rise of mobile device forensics, a branch of digital forensics that deals with retrieving data from a mobile device. This book will help you understand forensic techniques on three main platforms—Android, iOS, and Windows. We will go through various methods that can be followed to collect evidence from different mobile devices.

In this chapter, we will cover the following topics:

  • Introduction to mobile forensics
  • Challenges in mobile forensics
  • Mobile phone evidence extraction process
  • Mobile forensic approaches
  • Good forensic practices

Why do we need mobile forensics?

According to Statista reports, the number of mobile phone users in the world is expected to pass 5 billion by 2019. The world is witnessing technology and user migration from desktops to mobile phones. Most of the growth in the mobile market can be attributed to the continued demand for smartphones. The following graph, sourced from https://www.statista.com/, shows the actual and estimated growth of smartphones from the year 2009 to the year 2019:

Growth of smartphones from 2009 to 2019 in million units

According to an Ericsson report, global mobile data traffic will reach 71 exabytes per month by 2022, from 8.8 exabytes in 2017, a compound annual growth rate of 42 percent. Smartphones of today, such as the Apple iPhone and the Samsung Galaxy series, are compact forms of computers with high performance, huge storage, and enhanced functionality. Mobile phones are the most personal electronic device that a user accesses. They are used to perform simple communication tasks, such as calling and texting, while still providing support for internet browsing, email, taking photos and videos, creating and storing documents, identifying locations with GPS services, and managing business tasks. As new features and applications are incorporated into mobile phones, the amount of information stored on the devices is continuously growing. Mobile phones become portable data carriers, and they keep track of all your movements. With the increasing prevalence of mobile phones in people's daily lives and in crime, data acquired from phones becomes an invaluable source of evidence for investigations relating to criminal, civil, and even high-profile cases. It is rare to conduct a digital forensic investigation that does not include a phone. Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010. The details of the case can be found at: https://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/.

The science behind recovering digital evidence from mobile phones is called mobile forensics. Digital evidence is defined as information and data that is stored on, received, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case.

Mobile forensics

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device. Over the years, digital forensics has grown, along with the rapid growth of computers and various other digital devices. There are various branches of digital forensics based on the type of digital device involved, such as computer forensics, network forensics, mobile forensics, and so on.

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. The main principle for a sound forensic examination of digital evidence is that the original evidence must not be modified. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, and thus a standard write protection will not work during forensic acquisition. Other forensic acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to extracting data for forensic examinations. In cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented. Following proper methodology and guidelines is crucial in examining mobile devices as it yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.

The mobile forensics process is broken down into three main categories—seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place the device in a Faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate the phone from the network. A Faraday bag can be found at: http://www.amazon.com/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0.

If the phone is found switched on, switching it off has a lot of concerns attached to it. If the phone is locked by a PIN or password, or encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So, if the phone is in a running state, a criminal can securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a Faraday bag. If possible, prior to placing the mobile device in the Faraday bag, disconnect it from the network to protect the evidence by enabling the flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This will also preserve the battery, which will drain while in a Faraday bag, and protect against leaks in the Faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.

Mobile device forensic acquisition can be performed using multiple methods, which are defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the maximum data from the mobile device.

Mobile phones are dynamic systems that present a lot of challenges to the examiner in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, each mobile is designed with a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.

Challenges in mobile forensics

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.

Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons:

  • Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models, which differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape is changing each passing day, it is critical for the examiner to adapt to all the challenges and remain updated on mobile device forensic techniques across various devices.
  • Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices widely use more operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS, and many others. Even within these operating systems, there are several versions, which makes the task of the forensic investigator even more difficult.
  • Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. The examiner might need to break through these encryption mechanisms to extract data from the devices. The FBI versus Apple encryption dispute was a watershed moment in this regard, where the security implementation of Apple prevented the FBI from breaking into the iPhone seized from an attacker in the San Bernardino case.
  • Preventing data modification: One of the fundamental rules in forensics is to make sure that data on the device is not modified. In other words, any attempt to extract data from the device should not alter the data present on that device. But this is not practically possible with mobiles because just switching on a device can change the data on that device. Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles, the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
  • Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
  • Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not always work on all the versions.
  • Lack of resources: As mentioned earlier, with the growing number of mobile phones, the tools required by a forensic examiner would also increase. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
  • Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on the phone might alter the data stored by that application on the device.
  • Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.
  • Device alteration: The possible ways to alter devices may range from moving application data or renaming files, to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.
  • Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
  • Lack of availability of tools: There is a wide range of mobile devices. A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.
  • Malicious programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious programs may attempt to spread over other devices over either a wired interface or a wireless one.
  • Legal issues: Mobile devices might be involved in crimes, which can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.

The mobile phone evidence extraction process

Evidence extraction and forensic examination of each mobile device may differ. However, following a consistent examination process will assist the forensic examiner to ensure that the evidence extracted from each phone is well-documented and that the results are repeatable and defendable. There is no well-established standard process for mobile forensics.

However, the following figure provides an overview of process considerations for the extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well-documented:

Mobile phone evidence extraction process
A great resource for handling and processing mobile devices can be found at: http://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf.

As shown in the preceding figure, forensics on a mobile device includes several phases, from the evidence intake phase to the archiving phase. The following sections provide an overview of various considerations across all the phases.

The evidence intake phase

The evidence intake phase is the starting phase and entails request forms and paperwork to document ownership information and the type of incident the mobile device was involved in, and it outlines the type of data or information the requester is seeking. Developing specific objectives for each examination is the critical part of this phase. It serves to clarify the examiner's goals. Also, while seizing the device, care should be taken not to modify any data present on the device. At the same time, any opportunity that might help the investigation should not be missed. For example, at the time of seizing the device, if the device is unlocked, then try to disable the passcode.

The identification phase

The forensic examiner should identify the following details for every examination of a mobile device:

  • The legal authority
  • The goals of the examination
  • The make, model, and identifying information for the device
  • Removable and external data storage
  • Other sources of potential evidence

We will discuss each of them in the following sections.

The legal authority

It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device, as well as any limitations placed on the media prior to the examination of the device. For example, if the mobile device is being searched pursuant to a warrant, the examiner should be mindful of confining the search to the limitations of the warrant.

The goals of the examination

The examiner will identify how in-depth the examination needs to be based upon the data requested. The goal of the examination makes a significant difference in selecting the tools and techniques to examine the phone and increases the efficiency of the examination process.

The make, model, and identifying information for the device

As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone. For all phones, the manufacturer, model number, carrier, and the current phone number associated with the cellular phone should be identified and documented.

Removable and external data storage

Many mobile phones provide an option to extend the memory with removable storage devices, such as the Trans Flash Micro SD memory expansion card. In cases when such a card is found in a mobile phone that is submitted for examination, the card should be removed and processed using traditional digital forensic techniques. It is wise to also acquire the card while in the mobile device to ensure that data stored on both the handset memory and card are linked for easier analysis. This will be discussed in detail in upcoming chapters.

Other sources of potential evidence

Mobile phones act as good sources of fingerprint and other biological evidence. Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues, unless the collection method will damage the device. Examiners should wear gloves when handling the evidence.

The preparation phase

Once the mobile phone model is identified, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination. This is generally done based on the device model, underlying operating system, its version, and so on. Also, choosing tools for examination of a mobile device will be determined by factors such as the goal of the examination, resources available, the type of cellular phone to be examined, and the presence of any external storage capabilities.

The isolation phase

Mobile phones are, by design, intended to communicate via cellular phone networks, Bluetooth, infrared, and wireless (Wi-Fi) network capabilities. When the phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone. Complete destruction of data is also possible through remote access or remote wiping commands. For this reason, isolation of the device from communication sources is important prior to the acquisition and examination of the device. Network isolation can be done by placing the phone in radio frequency shielding cloth and then putting the phone in airplane or flight mode. The airplane mode disables a device's communication channels, such as cellular radio, Wi-Fi, and Bluetooth. However, if the device is screen-locked, then this is not possible. Also, since Wi-Fi is now available in airplanes, some devices now have Wi-Fi access enabled in airplane mode. An alternate solution is isolation of the phone through the use of Faraday bags, which block radio signals to or from the phone. Faraday bags contain materials that block external static electrical fields (including radio waves). Thus, Faraday bags shield seized mobile devices from external interference to prevent wiping and tracking. To work more conveniently with the seized devices, Faraday tents and rooms also exist.

The processing phase

Once the phone has been isolated from communication networks, the actual processing of the mobile phone begins. The phone should be acquired using a tested method that is repeatable and is as forensically sound as possible. Physical acquisition is the preferred method as it extracts the raw memory data and the device is commonly powered off during the acquisition process. On most devices, the smallest number of changes occur to the device during physical acquisition. If physical acquisition is not possible or fails, an attempt should be made to acquire the filesystem of the mobile device. A logical acquisition should always be obtained as it may contain only the parsed data and provide pointers to examine the raw memory image. These acquisition methods are discussed in detail in later chapters.

The verification phase

After processing the phone, the examiner needs to verify the accuracy of the data extracted from the phone to ensure that data has not been modified. The verification of the extracted data can be accomplished in several ways.

Comparing extracted data to the handset data

Check whether the data extracted from the device matches the data displayed by the device. The data extracted can be compared to the device itself or a logical report, whichever is preferred. Remember, handling the original device may make changes to the only evidence—the device itself.

Using multiple tools and comparing the results

To ensure accuracy, use multiple tools to extract the data and compare results.

Using hash values

All image files should be hashed after acquisition to ensure that data remains unchanged. If filesystem extraction is supported, the examiner extracts the filesystem and then computes hashes for the extracted files. Later, any individually extracted file hash is calculated and checked against the original value to verify the integrity of it. Any discrepancy in a hash value must be explainable (for example, the device was powered on and then acquired again, thus the hash values are different).
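
The hash verification described above, as an added example (not code from the book): it records a hash for every file in an extraction folder right after acquisition, then re-checks the folder later and reports which files were modified, went missing, or were added. The file names, the case folder, the manifest layout, and the choice of SHA-256 are assumptions; the text does not name an algorithm.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB blocks so multi-gigabyte images never sit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file, streamed block by block."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Hash every regular file under root; keys are paths relative to root."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link cannot pull in data from outside the evidence folder.
        if path.is_file() and not path.is_symlink():
            entries[path.relative_to(root).as_posix()] = hash_file(path, algorithm)
    return {"algorithm": algorithm, "files": entries}


def verify_manifest(root, manifest):
    """Re-hash root and compare it with the manifest recorded at acquisition."""
    current = build_manifest(root, manifest["algorithm"])["files"]
    recorded = manifest["files"]
    return {
        "modified": sorted(p for p in recorded
                           if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Constructed sample extraction: hash it, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "case-0001"  # hypothetical case folder
        (root / "filesystem").mkdir(parents=True)
        # Constructed stand-ins for a raw image and two extracted files.
        (root / "physical_image.bin").write_bytes(os.urandom(4096))
        (root / "filesystem" / "sms.db").write_bytes(b"constructed sms records")
        (root / "filesystem" / "contacts.db").write_bytes(b"constructed contacts")

        # Recorded right after acquisition. The JSON round trip stands for storing
        # the manifest with the examiner's notes, outside the hashed folder.
        manifest = json.loads(json.dumps(build_manifest(root)))
        clean = verify_manifest(root, manifest)

        # Simulate later changes to the working copy.
        (root / "filesystem" / "sms.db").write_bytes(b"constructed sms records!")
        (root / "filesystem" / "contacts.db").unlink()
        (root / "filesystem" / "new.tmp").write_bytes(b"")
        changed = verify_manifest(root, manifest)
    return clean, changed


if __name__ == "__main__":
    clean_report, changed_report = demo()
    print("after acquisition:", clean_report)
    print("after changes:    ", changed_report)
```

Every entry in the second report is a discrepancy that has to be explained in the examination notes.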

The documenting and reporting phase

The forensic examiner is required to document throughout the examination process in the form of contemporaneous notes relating to what was done during the acquisition and examination. Once the examiner completes the investigation, the results must go through some form of peer review to ensure that the data is checked and the investigation is complete. The examiner's notes and documentation may include information such as the following:

  • The examination start date and time
  • The physical condition of the phone
  • Photos of the phone and individual components
  • Phone status when received—turned on or off
  • Phone make and model
  • Tools used for the acquisition
  • Tools used for the examination
  • Data found during the examination
  • Notes from peer review

The presentation phase

Throughout the investigation, it is important to make sure that the information extracted and documented from a mobile device can be clearly presented to any other examiner or to a court. Creating a forensic report of data extracted from the mobile device during acquisition and analysis is important. This may include data in both paper and electronic formats. Your findings must be documented and presented in a manner that the evidence speaks for itself when in court. The findings should be clear, concise, and repeatable. Timeline and link analysis, features offered by many commercial mobile forensic tools, will aid in reporting and explaining findings across multiple mobile devices. These tools allow the examiner to tie together the methods behind the communication of multiple devices.

The archiving phase

Preserving the data extracted from the mobile phone is an important part of the overall process. It is also important that the data is retained in a usable format for the ongoing court process, for future reference, should the current evidence file become corrupt, and for record-keeping requirements. Court cases may continue for many years before the final judgment is arrived at, and most jurisdictions require that data be retained for long periods of time for the purposes of appeals. As the field and methods advance, new methods for pulling data out of a raw, physical image may surface, and then the examiner can revisit the data by pulling a copy from the archives.

Practical mobile forensic approaches

Similar to any forensic investigation, there are several approaches that can be used for the acquisition and examination/analysis of data from mobile phones. The type of mobile device, the operating system, and the security setting generally dictate the procedure to be followed in a forensic process. Every investigation is distinct with its own circumstances, so it is not possible to design a single definitive procedural approach for all cases. The following details outline the general approaches followed in extracting data from mobile devices.

Overview of mobile operating systems 

One of the major factors in the data acquisition and examination/analysis of a mobile phone is the operating system. From low-end mobile phones to smartphones, mobile operating systems have come a long way with a lot of features. Mobile operating systems directly affect how the examiner can access the mobile device. For example, Android OS gives terminal-level access whereas iOS does not give such an option. A comprehensive understanding of the mobile platform helps the forensic examiner make sound forensic decisions and conduct a conclusive investigation. While there is a large range of smart mobile devices, with the demise of BlackBerry, currently two main operating systems dominate the market, namely Google Android and Apple iOS (followed by Windows Phone at a distant third). More information can be found at: https://www.idc.com/promo/smartphone-market-share/os. This book covers forensic analysis of these three mobile platforms. We will provide a brief overview of the leading mobile operating systems.

Android

Android is a Linux-based operating system, and it's a Google open source platform for mobile phones. Android is the world's most widely used smartphone operating system. Sources show that Apple's iOS stands second (https://www.idc.com/promo/smartphone-market-share/os). Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android's open nature has further encouraged developers to build a large number of applications and upload them onto Google Play. Later, end users can download the application from Android Market, which makes Android a powerful operating system. It is estimated that Google Play Store has 3.3 million apps at the time of writing this book. More details on Android are covered in Chapter 7, Understanding Android.

iOS

iOS, formerly known as the iPhone operating system, is a mobile operating system developed and distributed solely by Apple Inc. iOS is evolving into a universal operating system for all Apple mobile devices, such as iPad, iPod touch, and iPhone. iOS is derived from OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system. iOS manages the device hardware and provides the technologies required to implement native applications. iOS also ships with various system applications, such as Mail and Safari, which provide standard system services to the user. iOS native applications are distributed through the App Store, which is closely monitored by Apple. More details about iOS are covered in Chapter 2, Understanding the Internals of iOS Devices.

Windows Phone

Windows Phone is a proprietary mobile operating system developed by Microsoft for smartphones and pocket PCs. It is the successor to Windows Mobile and primarily aimed at the consumer market rather than the enterprise market. The Windows Phone OS is similar to the Windows desktop OS, but it is optimized for devices with a small amount of storage. Windows Phone basics and forensic techniques are discussed in Chapter 12, Windows Phone Forensics.

Mobile forensic tool leveling system

Mobile phone forensic acquisition and analysis involves manual effort and the use of automated tools. There are a variety of tools that are available for performing mobile forensics. All the tools have their pros and cons, and it is fundamental that you understand that no single tool is sufficient for all purposes. So, understanding various types of mobile forensic tools is important for forensic examiners.

When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, a mobile device forensic tool classification system developed by Sam Brothers (shown in the following figure) comes in handy for examiners:

Cellular phone tool leveling pyramid (Sam Brothers, 2009)

The objective of the mobile device forensic tool classification system is to enable an examiner to categorize forensic tools based on the examination methodology of the tool. Starting at the bottom of the classification and working upward, the methods and the tools generally become more technical, complex, and forensically sound, and require longer analysis times. There are pros and cons of performing an analysis at each layer. The forensic examiner should be aware of these issues and should only proceed with the level of extraction that is required. Evidence can be destroyed completely if the given method or tool is not properly utilized. This risk increases as you move up in the pyramid. Thus, proper training is required to obtain the highest success rate in data extraction from mobile devices.

Each existing mobile forensic tool can be classified under one or more of the five levels. The following sections contain a detailed description of each level.

Manual extraction

The manual extraction method involves simply scrolling through the data on the device and viewing the data on the phone directly through the use of the device's keypad or touchscreen. The information discovered is then photographically documented. The extraction process is fast and easy to use, and it will work on almost every phone. This method is prone to human error, such as missing certain data due to unfamiliarity with the interface. At this level, it is not possible to recover deleted information and grab all the data. There are some tools, such as Project-A-Phone, that have been developed to aid an examiner to easily document a manual extraction. However, this might also result in the modification of data. For example, viewing an unread SMS can mark it as read.

Logical extraction

Logical extraction involves connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, a RJ-45 cable, infrared, or Bluetooth. Once connected, the computer initiates a command and sends it to the device, which is then interpreted by the device processor. Next, the requested data is received from the device's memory and sent back to the forensic workstation. Later, the examiner can review the data. Most of the forensic tools currently available work at this level of the classification system. The extraction process is fast, easy to use, and requires little training for the examiners. On the flip side, the process may write data to the mobile and might change the integrity of the evidence. In addition, deleted data is not generally accessible with this procedure.

Hex dump

A hex dump, also referred to as a physical extraction, is achieved by connecting the device to the forensic workstation and pushing unsigned code or a bootloader into the phone and instructing the phone to dump memory from the phone to the computer. Since the resulting raw image is in binary format, technical expertise is required to analyze it. The process is inexpensive, provides more data to the examiner, and allows the recovery of deleted files from the device's unallocated space on most devices.

Chip-off

Chip-off refers to the acquisition of data directly from the device's memory chip. At this level, the chip is physically removed from the device and a chip reader or a second phone is used to extract data stored on it. This method is more technically challenging, as a wide variety of chip types are used in mobiles. The process is expensive and requires hardware-level knowledge as it involves the desoldering and heating of the memory chip. Training is required to successfully perform a chip-off extraction. Improper procedures may damage the memory chip and render all data unsalvageable. When possible, it is recommended that the other levels of extraction are attempted prior to chip-off, since this method is destructive in nature. Also, the information that comes out of memory is in a raw format and has to be parsed, decoded, and interpreted. The chip-off method is preferred in situations where it is important to preserve the state of memory exactly as it exists on the device. It is also the only option when a device is damaged but the memory chip is intact.

The chips on the device are often read using the Joint Test Action Group (JTAG) method. The JTAG method involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on memory chips. The JTAG method is generally used with devices that are operational but inaccessible using standard tools. Both of these techniques also work even when the device is screen-locked.

Micro read

The micro read process involves manually viewing and interpreting data seen on the memory chip. The examiner uses an electron microscope and analyzes the physical gates on the chip and then translates the gate status to 0s and 1s to determine the resulting ASCII characters. The whole process is time-consuming and costly, and it requires extensive knowledge and training on memory and the filesystem. Due to the extreme technicalities involved in micro read, it would only be attempted for high-profile cases equivalent to a national security crisis after the extraction techniques at all other levels have been exhausted. The process is rarely performed and is not well-documented at this time. Also, there are currently no commercial tools available to perform a micro read.

Data acquisition methods

Data acquisition is the process of imaging or otherwise extracting information from a digital device and its peripheral equipment and media. Acquiring data from a mobile phone is not as simple as a standard hard drive forensic acquisition. The following points break down the three types of forensic acquisition methods for mobile phones—physical, logical, and manual. These methods may have some overlap with a couple of levels discussed in the mobile forensics tool leveling system. The amount and type of data that can be collected will vary depending on the type of acquisition method being used. While we cover these methods in detail in the upcoming chapters, the following is a brief description of them.

Physical acquisition

Physical acquisition of a mobile device is nothing but a bit-by-bit copy of the physical storage. Physical extraction acquires information from the device by direct access to the flash memory. Flash memory is a non-volatile memory and is primarily used in memory cards and USB flash drives as solid-state storage. The process creates a bit-for-bit copy of an entire filesystem, similar to the approach taken in computer forensic investigations. A physical acquisition is able to acquire all of the data present on a device, including the deleted data and access to unallocated space on most devices.

Logical acquisition

Logical acquisition is about extracting the logical storage objects, such as files and directories, that reside on the filesystem. Logical acquisition of mobile phones is performed using the device manufacturer application programming interface to synchronize the phone's contents with a computer. Many of the forensic tools perform a logical acquisition. It is much easier for a forensic tool to organize and present the data extracted through logical acquisition. However, the forensic analyst must understand how the acquisition occurs and whether the mobile is modified in any way during the process. Depending on the phone and forensic tools used, all or some of the data is acquired. A logical acquisition is easy to perform and only recovers the files on a mobile phone and does not recover data contained in unallocated space.

Manual acquisition

With mobile phones, physical acquisition is usually the best option, and logical acquisition is the second-best option. Manual extraction should be the last option when performing the forensic acquisition of a mobile phone. Both logical and manual acquisition can be used to validate findings in the physical data. During manual acquisition, the examiner utilizes the user interface to investigate the contents of the phone's memory. The device is used normally through keypad or touchscreen and menu navigation, and the examiner takes pictures of each screen's contents. Manual extraction introduces a greater degree of risk in the form of human error, and there is a chance of deleting the evidence. Manual acquisition is easy to perform and only acquires the data that appears on a mobile phone.

Potential evidence stored on mobile phones

The range of information that can be obtained from mobile phones is detailed in this section. Data on a mobile phone can be found in a number of locations: SIM card, external storage card, and phone memory. In addition, the service provider also stores communication-related information. The book primarily focuses on data acquired from the phone memory. Mobile device data extraction tools recover data from the phone's memory. Even though data recovered during a forensic acquisition depends on the mobile model, in general, the following data is common across all models and useful as evidence. Note that most of the following artifacts contain date- and timestamps:

  • Address book: This contains contact names, phone numbers, email addresses, and so on
  • Call history: This contains dialed, received, missed calls, and call duration
  • SMS: This contains sent and received text messages
  • MMS: This contains media files such as sent and received photos and videos
  • E-mail: This contains sent, drafted, and received email messages
  • Web browser history: This contains the history of websites that were visited
  • Photos: This contains pictures that were captured using the mobile phone camera, those downloaded from the internet, and the ones transferred from other devices
  • Videos: This contains videos that are captured using the mobile camera, those downloaded from the internet, and the ones transferred from other devices
  • Music: This contains music files downloaded from the internet and those transferred from other devices
  • Documents: This contains documents created using the device's applications, those downloaded from the internet, and the ones transferred from other devices
  • Calendar: This contains calendar entries and appointments
  • Network communication: This contains GPS locations
  • Maps: This contains places the user visited, looked-up directions, and searched and downloaded maps
  • Social networking data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn, Google+, and WhatsApp
  • Deleted data: This contains information deleted from the phone

Examination and analysis

This is the ultimate step in the investigation, which aims to uncover data that is present on the device. Examination is done by applying well-tested and scientific methods to conclusively establish the results. The analysis phase is focused on separating relevant data from the rest and probing data which is of value to the underlying case. The examination process starts with a copy of the evidence acquired using some of the techniques described above, which will be covered in detail in the next chapters. Examination and analysis using third-party tools is generally performed by importing the device's memory dump into a mobile forensics tool which will automatically retrieve the results. Understanding the case is also crucial to perform a targeted analysis of the data. For example, a case about child pornography may require focusing on all of the images present on the device rather than looking at other artifacts.

It is important that the examiner has fair knowledge of how the forensic tools which are used for examination work. Proficient use of the features and options available in the tool will drastically speed up the examination process. Sometimes, due to programming flaws in the software, the tool may not be able to recognize or convert bits into a format comprehensible by the examiner. Hence, it is crucial that the examiner has the necessary skills to identify such situations and use alternate tools or software to construct the results. In some cases, the individual may purposefully tamper with the device information or may delete/hide some of the crucial data. Forensic analysts should understand the limitations of the tool and sometimes compensate for them to achieve the best possible results. To analyze the extracted data, the US Department of Justice has published the following suggestions (referenced directly from: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf) in the publication Forensic Examination of Digital Evidence - A Guide for Law Enforcement:

  • Ownership and possession: Identify the individuals who created, modified, or accessed a file, and the ownership and possession of questioned data by placing the subject with the device at a particular time and date, locating files of interest in non-default locations, recovering passwords that indicate possession, and identifying contents of files that are specific to a user.
  • Application and file analysis: Identify information relevant to the investigation by examining file content, correlating files to installed applications, identifying relationships between files (for example, email files to email attachments), determining the significance of unknown file types, examining system configuration settings, and examining file metadata (for example, documents containing authorship identification).
  • Timeframe analysis: Determine when events occurred on the system to associate usage with an individual by reviewing any logs present and the date-/timestamps in the filesystem, such as the last modified time. Besides call logs, the date/time and content of messages and email can prove useful. Such data can also be corroborated with billing and subscriber records kept by the service provider.
  • Data hiding analysis: Detect and recover hidden data that may indicate knowledge, ownership, or intent by correlating file headers to file extensions to show intentional obfuscation; gaining access to password-protected, encrypted, and compressed files; and gaining access to steganographic information detected in images.
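The header-to-extension correlation named under data hiding analysis can be sketched in Python as follows. This is an added example, not code from the book or from the DOJ guide; the signature table is a small illustrative subset, and the function names and sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# (magic bytes, type label, extensions normally used for that type).
# Illustrative subset only, not a complete signature database.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container",
     {".zip", ".docx", ".xlsx", ".pptx", ".apk", ".jar", ".ipa"}),
    (b"SQLite format 3\x00", "SQLite database",
     {".db", ".sqlite", ".sqlite3", ".sqlitedb"}),
]
KNOWN_EXTS = set().union(*(exts for _, _, exts in SIGNATURES))
HEADER_LEN = max(len(magic) for magic, _, _ in SIGNATURES)


def identify_header(path):
    """Return (label, extensions) for the first matching signature, else (None, set())."""
    with open(path, "rb") as fh:  # read-only: evidence is never opened for writing
        head = fh.read(HEADER_LEN)
    for magic, label, exts in SIGNATURES:
        if head.startswith(magic):
            return label, exts
    return None, set()


def classify(path):
    """Compare what the header says a file is with what its extension claims."""
    ext = os.path.splitext(path)[1].lower()
    label, exts = identify_header(path)
    if label is None:
        # An extension that should carry a signature but does not may mean
        # encrypted, corrupt or disguised content; unknown extensions are
        # reported as unidentified rather than suspicious.
        status = "mismatch" if ext in KNOWN_EXTS else "unidentified"
    else:
        status = "match" if ext in exts else "mismatch"
    return {"file": os.path.basename(path), "extension": ext,
            "header": label, "status": status}


def scan(root):
    """Classify every file under root (run this on a working copy, not the master)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            results.append(classify(os.path.join(dirpath, name)))
    return results


def demo():
    """Build constructed sample files in a temp directory and scan them."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header
        "backup.db": b"SQLite format 3\x00" + b"\x00" * 16,    # genuine SQLite header
        "notes.txt": b"SQLite format 3\x00" + b"\x00" * 16,    # database renamed to .txt
        "report.pdf": b"PK\x03\x04" + b"\x00" * 16,            # ZIP archive renamed to .pdf
        "photo.png": b"\x5a" * 32,                             # .png without a PNG header
        "readme.txt": b"plain text, no known signature\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {r["file"]: r for r in scan(root)}


if __name__ == "__main__":
    for name, result in sorted(demo().items()):
        print(f'{result["status"]:<13}{name:<14}{result["header"]}')
```

A mismatch is a lead for the examiner to follow up, not proof of intent: applications routinely store ZIP or SQLite data under their own extensions.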

Rules of evidence

Courtrooms rely more and more on the information inside a mobile phone as vital evidence. For evidence to prevail in court, a good understanding of the rules of evidence is required. Mobile forensics is a relatively new discipline, and the laws dictating the validity of evidence are not widely known and differ from country to country. However, there are five general rules of evidence that apply to digital forensics and need to be followed in order for evidence to be useful. Ignoring these rules makes evidence inadmissible, and your case could be thrown out. These five rules are: admissible, authentic, complete, reliable, and believable:

  • Admissible: This is the most basic rule and a measure of evidence validity and importance. The evidence must be preserved and gathered in such a way that it can be used in court or elsewhere. Many errors can be made that could cause a judge to rule a piece of evidence as inadmissible. For example, evidence that is gathered using illegal methods is commonly ruled inadmissible.
  • Authentic: The evidence must be tied to the incident in a relevant way to prove something. The forensic examiner must be accountable for the origin of the evidence.
  • Complete: When evidence is presented, it must be clear and complete, and should reflect the whole story. It is not enough to collect evidence that just shows one perspective of the incident. Presenting incomplete evidence is more dangerous than not providing any evidence at all, as it could lead to a different judgment.
  • Reliable: Evidence collected from the device must be reliable. This depends on the tools and methodology used. The techniques used and evidence collected must not cast doubt on the authenticity of the evidence. If the examiner used some techniques that cannot be reproduced, the evidence is not considered unless they were directed to do so. This would include possible destructive methods such as chip-off extraction.
  • Believable: A forensic examiner must be able to explain, with clarity and conciseness, what processes they used and the way the integrity of the evidence was preserved. The evidence presented by the examiner must be clear, easy to understand, and believable by the jury.

Good forensic practices

Good forensic practices apply to the collection and preservation of evidence. Following good forensic practices ensures that evidence will be accepted in a court as being authentic and accurate. Modification of evidence, either intentionally or accidentally, can affect the case. So, understanding the best practices is critical for forensic examiners.

Securing the evidence

With advanced smartphone features such as Find My iPhone and remote wipes, securing a mobile phone in a way that it cannot be remotely wiped is of great importance. Also, when the phone is powered on and has service, it constantly receives new data. To secure the evidence, use the right equipment and techniques to isolate the phone from all networks. With isolation, the phone is prevented from receiving any new data that would cause active data to be deleted. Depending on the case, sometimes traditional forensic measures, such as fingerprints or DNA testing, may also need to be applied to establish a connection between a mobile device and its owner. If the device is not handled in a secure manner, physical evidence may be unintentionally tampered with and may be rendered useless. It is also important to collect any peripherals, associated media, cables, power adapters, and other accessories that are present at the scene. At the scene of investigation, if the device is found to be connected to a personal computer, pulling it directly would stop the data transfer. Instead, it is recommended to capture the memory of the personal computer before pulling the device, as this contains significant details in many cases.

Preserving the evidence

As evidence is collected, it must be preserved in a state that is acceptable in court. Working directly on the original copies of evidence might alter it. So, as soon as you recover a raw disk image or files, create a read-only master copy and duplicate it. In order for evidence to be admissible, there must be a method to verify that the evidence presented is exactly the same as the original collected. This can be accomplished by creating a forensic hash value of the image. A forensic hash is used to ensure the integrity of an acquisition by calculating a cryptographically strong and non-reversible value of the image/data. After duplicating the raw disk image or files, compute and verify the hash values for the original and the copy to ensure that the integrity of the evidence is maintained. Any changes in hash values should be documented and explainable. All further processing or examination should be performed on copies of the evidence. Any use of the device might alter the information stored on the handset. So, only perform the tasks that are absolutely necessary.
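The preservation steps above (read-only master copy, duplicate, hash verification of original and copy) can be shown in Python. This is an added example, not code from the book; SHA-256 is chosen here as the forensic hash, and the function names, file names, case directory and sample image are assumptions constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never sits in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve(acquired, case_dir):
    """Create a read-only master copy and a working copy, then verify all hashes.

    Returns (master_path, working_path, record); the record is what would go
    into the case notes.
    """
    os.makedirs(case_dir, exist_ok=True)
    master = os.path.join(case_dir, "master.img")
    working = os.path.join(case_dir, "working.img")

    acquired_hash = sha256_file(acquired)          # hash before anything is copied
    shutil.copyfile(acquired, master)
    os.chmod(master, stat.S_IRUSR | stat.S_IRGRP)  # master becomes read-only
    shutil.copyfile(master, working)               # contents only, so the copy stays writable

    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "acquired_sha256": acquired_hash,
        "master_sha256": sha256_file(master),
        "working_sha256": sha256_file(working),
    }
    record["verified"] = (
        record["acquired_sha256"]
        == record["master_sha256"]
        == record["working_sha256"]
    )
    return master, working, record


def demo():
    """Run the procedure on a constructed image, then change one byte of the working copy."""
    with tempfile.TemporaryDirectory() as tmp:
        acquired = os.path.join(tmp, "acquired.img")
        with open(acquired, "wb") as fh:
            fh.write(b"constructed sample image data " * 4096)

        master, working, record = preserve(acquired, os.path.join(tmp, "case-0001"))

        # Simulate an accidental modification during examination.
        with open(working, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")

        result = {
            "record": record,
            "working_still_matches": sha256_file(working) == record["acquired_sha256"],
            "master_still_matches": sha256_file(master) == record["acquired_sha256"],
        }
        # Restore write permission so the temporary directory can be removed everywhere.
        os.chmod(master, stat.S_IRUSR | stat.S_IWUSR)
        return result


if __name__ == "__main__":
    outcome = demo()
    print("verified after copy:", outcome["record"]["verified"])
    print("working copy matches after change:", outcome["working_still_matches"])
    print("master matches after change:", outcome["master_still_matches"])
```

The single changed byte in the working copy produces a different digest while the master still verifies, which is the change that would have to be documented and explained.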

Documenting the evidence and changes

Whenever possible, a record of all visible data should be created. It is recommended to photograph the mobile device along with any of the other media found, such as cables, peripherals, and so on. This will be helpful in case questions arise later on about the environment. Do not touch or lay hands on the mobile device when photographing it. Ensure that you document all the methods and tools that are used to collect and extract the evidence. Detail your notes so that another examiner can reproduce them. Your work must be reproducible; if not, a judge may rule it inadmissible. It's important to document the entire recovery process, including all the changes made during the acquisition and examination. For example, if the forensic tool used for the data extraction sliced up the disk image to store it, this must be documented. All changes to the mobile device, including power cycling and syncing, should be documented in your case notes.

Reporting

Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached as part of the examination. Reporting should include details about all the important actions performed by the examiner, results of the acquisition, and any inferences drawn from the results. Most of the forensic tools come with built-in reporting features which will autogenerate the reports while providing scope for customization at the same time. In general, the report may contain the following details:

  • Details of the reporting agency
  • Case identifier
  • Forensic investigator
  • Identity of the submitter
  • Date of evidence receipt
  • Details of the device seized for examination including serial number, make, and model
  • Details of the equipment and tools used in the examination
  • Description of steps taken during examination
  • Chain of custody documentation
  • Details of findings or issues identified
  • Evidence recovered during the examination, ranging from chat messages, browser history, and call logs to deleted messages, and so on
  • Any images captured during the examination
  • Examination and analysis information
  • Report conclusion

Summary

Mobile devices store a wide range of information, such as SMS, call logs, browser history, chat messages, location details, and so on. Mobile device forensics includes many approaches and concepts that fall outside the boundaries of traditional digital forensics. Extreme care should be taken while handling the device, right from the evidence intake phase to the archiving phase. Examiners responsible for mobile devices must understand the different acquisition methods and the complexities of handling the data during analysis. Extracting data from a mobile device is half the battle. The operating system, security features, and type of smartphone will determine the amount of access you have to the data. It is important to follow sound forensic practices and make sure that the evidence is unaltered during the investigation.

The next chapter will provide an insight into iOS forensics. You will learn about the filesystem layout, security features, and the way files are stored on an iOS device.


Key benefits

  • Get hands-on experience in performing simple to complex mobile forensics techniques.
  • Retrieve and analyze data stored not only on mobile devices but also through the cloud and other connected mediums.
  • A practical guide to leveraging the power of mobile forensics on popular mobile platforms with lots of tips, tricks, and caveats.

Description

Covering up-to-date mobile platforms, this book focuses on teaching you the most recent techniques for investigating mobile devices. We delve into mobile forensics techniques in iOS 9-11, Android 7-8 devices, and Windows 10. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from the cloud, and document and prepare reports of your investigations. By the end of this book, you will have mastered the current operating systems and the relevant techniques to recover data from mobile devices by leveraging open source solutions.

Who is this book for?

If you are a forensics professional and are eager to widen your forensics skill set to mobile forensics, then this book is for you. Some understanding of digital forensics practices would do wonders.

What you will learn

  • Discover the new techniques in practical mobile forensics
  • Understand the architecture and security mechanisms present in iOS and Android platforms
  • Identify sensitive files on the iOS and Android platforms
  • Set up a forensic environment
  • Extract data from the iOS and Android platforms
  • Recover data on the iOS and Android platforms
  • Understand the forensics of Windows devices
  • Explore various third-party application techniques and data recovery techniques

Product Details

Publication date: Jan 23, 2018
Length: 402 pages
Edition: 3rd
Language: English
ISBN-13: 9781788839198
Vendor: Apple


Table of Contents

14 Chapters
Introduction to Mobile Forensics
Understanding the Internals of iOS Devices
Data Acquisition from iOS Devices
Data Acquisition from iOS Backups
iOS Data Analysis and Recovery
iOS Forensic Tools
Understanding Android
Android Forensic Setup and Pre-Data Extraction Techniques
Android Data Extraction Techniques
Android Data Analysis and Recovery
Android App Analysis, Malware, and Reverse Engineering
Windows Phone Forensics
Parsing Third-Party Application Files
Other Books You May Enjoy

Customer reviews

Rating distribution: 4.8 (8 Ratings)
5 star 75%
4 star 25%
3 star 0%
2 star 0%
1 star 0%

Carlos A. Aug 02, 2018
5 stars
excellent
Amazon Verified review

Paul Sanderson Jun 11, 2018
5 stars
Great book, comprehensively and well written by authors who clearly know their mobile forensics. Recommended!
Amazon Verified review

ReelOG Jan 13, 2020
5 stars
Book was in great condition. Great buy!!!
Amazon Verified review

vasquez grant Jun 07, 2018
5 stars
Excellent book! After reading this book I have a very good mobile forensic foundation and I would definitely recommend this book for serious forensicators.
Amazon Verified review

Sergey Nikitin Apr 06, 2018
5 stars
An excellent book for beginner forensic experts. This publication is very well updated, considers modern techniques and techniques for conducting research and obtaining data. It is important that we consider fresh and current versions of mobile operating systems and forensic software for their analysis. Available illustrations, and how to. I hope in the next edition there will be a detailed section about the analysis of malicious software for mobile operating systems. The book is well characterized by the word "practical guide".
Amazon Verified review
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact [email protected] with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at [email protected] using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or has a material defect). Otherwise, Packt Publishing will not accept returns.

What is your returns and refunds policy?

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact the Customer Relations Team at [email protected] with the order number and issue details as explained below:

  1. If you ordered an item (eBook, Video or Print Book) incorrectly or accidentally, please contact the Customer Relations Team at [email protected] within one hour of placing the order and we will replace the item or refund you the item cost.
  2. If your eBook or Video file is faulty, or a fault occurs while the eBook or Video is being made available to you (i.e. during download), you should contact the Customer Relations Team within 14 days of purchase at [email protected], who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items (damaged, defective or incorrect).
  4. Once the Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged or with a material defect, contact our Customer Relations Team at [email protected] within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner on a print-on-demand basis.

What tax is charged?

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use?

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal

What is the delivery time and cost of print books?

Shipping Details

USA:

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K. time will start printing from the next business day, so the estimated delivery times start from the next day as well. Orders received after 5 PM U.K. time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-Bissau
  9. Iran
  10. Lebanon
  11. Libyan Arab Jamahiriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela