Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.

Chapter 24 — Further Reading

Foundations (🔬 / deeper)

  • Apple Platform Security Guide (Apple, current edition). The authoritative primary source for the Secure Enclave and UID, Data Protection classes, the keychain, Effaceable Storage, and the AFU/BFU mechanics that govern every iOS acquisition decision in this chapter. Read the "Encryption and Data Protection" sections; everything in the iOS half traces back here.
  • Android Open Source Project — "Encryption" and "Security" documentation (source.android.com). The counterpart for File-Based Encryption (fscrypt), metadata encryption, Credential- vs Device-Encrypted storage, and the TEE/StrongBox model — precise on which behavior arrived in which Android release.
  • Tamma, Mahalik, Bommisetty & Skulkin, Practical Mobile Forensics (Packt, latest edition). The standard practitioner text: iOS and Android acquisition, the backup formats, artifact parsing, and tool workflows, at the level this chapter introduces.

Approachable explanations (everyone)

  • EFF — Surveillance Self-Defense, phone-security guides (ssd.eff.org). Plain-language framing of why device encryption protects users — the same mechanism that walls you out is the one protecting them. Useful vocabulary for explaining the wall to non-technical stakeholders.
  • SANS DFIR "Smartphone Forensics" poster and blog (Heather Mahalik and team). A one-page map of where mobile artifacts live and which tools reach them; pin it above the bench.
  • iLEAPP / ALEAPP (Alexis Brignoni, github.com/abrignoni). Open-source iOS and Android parsers that turn an extraction into an HTML/CSV report — knowledgeC/usage, significant locations, RCS (bugle_db), Wi-Fi, Health, and hundreds more. Read the source to cite your methodology and to validate commercial output. 🔍 🛡️
  • APOLLO — Apple Pattern of Life Lazy Output'er (Sarah Edwards, mac4n6). Correlates knowledgeC.db, routined, and Biome streams into a pattern-of-life timeline; the deep dive on iOS device-activity artifacts. 🔍
  • libimobiledevice (libimobiledevice.org). Open-source idevicebackup2/ideviceinfo for the encrypted-backup workflow in the chapter's tool demo. 💾 🔍
  • Cellebrite UFED/Physical Analyzer · Magnet AXIOM · MSAB XRY/XAMN · Oxygen Detective. The commercial field standard for extraction, decoding, and deleted-record recovery; their training blogs track the moving target of model/OS support. 🔍 🛡️
  • WiGLE (wigle.net). The public wardriving database for resolving a Wi-Fi BSSID to a physical location — the move that turns a Wi-Fi join into independent geolocation. 🔍 📜
  • Riley v. California (2014) and Carpenter v. United States (2018). Read the opinions, not summaries; they define the warrant landscape for phone data and cell-site location. 📜

Reference (this book)

  • Appendix D — Forensic Artifact Locations: the iOS/Android database paths (sms.db, bugle_db, knowledgeC.db, Photos.sqlite, Health) collected for quick lookup.
  • Appendix C — Tool Reference: Cellebrite, AXIOM, XRY, iLEAPP/ALEAPP, libimobiledevice.
  • Appendix E — Legal Frameworks Reference: Riley, Carpenter, compelled decryption, and warrant-scope doctrine.
  • Appendix F — Chain of Custody and Report Templates: the mobile-specific "what the acquisition changed" disclosure.
  • Chapter 11 — Mobile Device Recovery: the recovery sibling — same hardware, different authority and posture.
  • Chapter 29 — Encrypted Device Forensics: the full encryption treatment this chapter previews.

Do, don't just read

  • Parse a real test image. Download one of Josh Hickman's public Android/iOS test images (thebinaryhick.blog) and run iLEAPP/ALEAPP end to end — then open the same database in a SQLite browser and confirm the parser's output by hand. One afternoon teaches more than a chapter of reading.
  • Beat the 31-year bug. Convert a knowledgeC.db seconds value and an sms.db nanoseconds value with the Cocoa epoch (978307200), prove they resolve to the same instant, and validate against a known event before you ever trust a tool's timestamp column.
  • Recover a "deleted" message. Make your own SQLite database, insert and DELETE a row, then inspect the freelist and -wal to recover it — and write the two sentences explaining where it came from and why that proves deletion.
  • Geolocate a BSSID. Look up a known access point's BSSID on WiGLE and see how precisely a single Wi-Fi join can place a device.

Next: Chapter 25 — The Legal Framework: the warrants, consent, compelled-decryption, and scope questions you met all through this chapter, given the full treatment — because the most technically perfect extraction is worthless if the authority behind it does not hold.