Ing. Marián Svetlík

Theses

Bachelor theses

Forensic analysis of mobile application data

Author
Šárka Nádvorníková
Year
2024
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Mgr. Dominik Novák
Summary
This thesis contains research about methods of mobile forensics, specifically dealing with mobile phones running Android and iOS operating systems. It describes the architecture of said operating systems and the methods they offer for managing application data. It also presents some relevant topics such as file encryption, backup systems, and privilege escalation. Next, it provides an analysis of mobile phone storage, methods of accessing it, and locations where application data is stored. The result of this is a description of the standard file system structure that is accessible to every application for storing its data. The next part of this thesis is dedicated to methods of mobile forensic analysis, specifically the methods of acquiring data from the devices, since this part is the most distinct from classic digital forensics. The methods are divided into groups according to the difficulty and the effect they have on the device. The stage of analyzing the data then consists of identifying relevant files and exploring their contents. Previous findings are then demonstrated using the WhatsApp application. This application was chosen because its data is a rich source of information and is also well-described in many other papers. This part serves as a basis for the next chapter, which involves manual analysis of a different application. For that, the chosen application is Vinted. Results of the analysis are a description of found data and a script that creates a PDF document with the most relevant information.

Time stamps analysis in chosen file systems

Author
Mykhailo Otamas
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Simona Fornůsek, Ph.D.
Summary
The number of cybercrimes continues to rise each year, increasing the importance of accurate detection of data manipulation and the reconstruction of timelines. This bachelor's thesis focuses on the analysis of timestamps in the most widely used file systems, with the practical part dedicated exclusively to NTFS. The first half of the thesis provides an overview of current file systems, describing the structure of their metadata, the behavior of their timestamps, and possible tampering methods, along with detection techniques. This section presents one of the few available Czech summaries of relevant information on the topic. The second, practical part is devoted to testing the behavior of timestamps in NTFS. The results partially differ from previous similar studies; however, they do not contradict the existing rules for detecting timestamp manipulation. The author experienced significant personal growth in understanding file system metadata, initially having only a basic knowledge of how metadata is stored in ext4. The outcome of this work includes a set of recommendations for forensic analysts based on the conducted tests, as well as a summary of findings that may serve as a foundation for developing new rules for detecting timestamp tampering.

Use and detection of anti-forensics techniques

Author
Prokop Parůžek
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Simona Fornůsek, Ph.D.
Summary
The thesis deals with an introduction to digital forensic analysis, but mainly with techniques whose main goal is to hinder it, and with how to defend against them. The theoretical part contains an enumeration of some anti-forensics techniques, their impact on forensic analysis, and some recommendations on how to defend against them. The practical part continues with testing the USBkill and BUSkill tools, which are designed to hinder the acquisition process, and their impact on the analysis and on the systems that use them. The results can be summarized as follows: if set up properly, these techniques are highly effective, but correctly configuring RAM wiping is complicated, and even then it doesn't guarantee full protection.

Analysis of deleted data in mobile applications

Author
Elnar Yantay
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Mgr. Dominik Novák
Summary
Mobile apps use a variety of storage to manage their data, and removing it doesn't necessarily mean permanently deleting it. This thesis focuses on data management methods in Android and iOS operating systems, with a particular focus on the SQLite database system. Not only methods of data storage and deletion are analyzed, but also technical aspects related to the possibility of recovering already deleted records from database structures. The practical part focuses on the forensic analysis of the Viber application, including verification of the possibility of recovering deleted data. The research results contribute to a deeper understanding of data security issues in mobile applications.

Analysis of encrypted data in digital forensics

Author
Matěj Martan
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Josef Kokeš, Ph.D.
Summary
This thesis deals with data encryption from the perspective of digital forensics. The first part is devoted to the mapping of the most used encryption algorithms occurring in common file types and their analysis from the security point of view. In the next part, the brute force attack and its problems are explained to the reader, along with other techniques for breaking encryption. Next, an analysis of password recovery tools is performed, focusing on capabilities, supported algorithms and performance. In the last section, an attack on several types of encrypted files with different password strengths and different types of attacks is demonstrated using the Hashcat tool. The results show how differences in the format and password strength used fundamentally affect the effectiveness of the attack.

Master theses

Analysis of encrypted files and volumes in digital forensics

Author
Matěj Borský
Year
2025
Type
Master thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Josef Kokeš, Ph.D.
Summary
This thesis focuses on the analysis of methods for working with encrypted files and volumes within the field of digital forensic analysis. It examines encrypted files and volumes commonly used across various applications and operating systems. The thesis describes different encryption methods and analyses their implementation in file formats such as ZIP, PDF, and OOXML, as well as in encrypted volumes using technologies like BitLocker, LUKS, and VeraCrypt. It also evaluates the use of these methods in both open-source and commercial forensic tools. Furthermore, the described methods are implemented in a module for the Autopsy tool, extending its capabilities to support the analysis of encrypted files and volumes. The module primarily focuses on metadata extraction and the subsequent generation of decryption keys. The thesis also outlines methods for verifying password correctness and the potential for decrypting encrypted content.