Bachelor theses
Forensic analysis of mobile application data
Author
Šárka Nádvorníková
Year
2024
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Mgr. Dominik Novák
Department
Summary
This thesis contains research about methods of mobile forensics, specifically dealing with mobile phones running Android and iOS operating systems. It describes the architecture of said operating systems and the methods they offer for managing application data. It also presents some relevant topics such as file encryption, backup systems, and privilege escalation. Next, it provides an analysis of mobile phone storage, methods of accessing it, and locations where application data is stored. The result of this is a description of the standard file system structure that is accessible to every application for storing its data.
The next part of this thesis is dedicated to methods of mobile forensic analysis, specifically the methods of acquiring data from the devices, since this part is the most distinct from classic digital forensics. The methods are divided into groups according to the difficulty and the effect they have on the device. The stage of analyzing the data then consists of identifying relevant files and exploring their contents.
Previous findings are then demonstrated using the WhatsApp application. This application was chosen because its data is a rich source of information and is also well-described in many other papers. This part serves as a basis for the next chapter, which involves manual analysis of a different application.
For that, the chosen application is Vinted. Results of the analysis are a description of found data and a script that creates a PDF document with the most relevant information.
Time stamps analysis in chosen file systems
Author
Mykhailo Otamas
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Simona Fornůsek, Ph.D.
Department
Summary
The number of cybercrimes continues to rise each year, increasing the importance of
accurate detection of data manipulation and the reconstruction of timelines. This bachelor's thesis
focuses on the analysis of timestamps in the most widely used file systems, with the practical part
dedicated exclusively to NTFS.
The first half of the thesis provides an overview of current file systems,
describing the structure of their metadata, the behavior of their timestamps, and possible tampering methods,
along with detection techniques. This section presents one of the few available Czech summaries of relevant
information on the topic.
The second, practical part is devoted to testing the behavior of timestamps in NTFS.
The results partially differ from previous similar studies; however, they do not contradict
the existing rules for detecting timestamp manipulation.
The author experienced significant
personal growth in understanding file system metadata initially having only a basic knowledge of how metadata is stored in ext4.
The outcome of this work includes a set of recommendations for forensic analysts based
on the conducted tests, as well as a summary of findings that may serve as a foundation
for developing new rules for detecting timestamp tampering.
Use and detection of anti-forensics techniques
Author
Prokop Parůžek
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Simona Fornůsek, Ph.D.
Department
Summary
The thesis deals with an introduction to digital forensics analysis, but mainly
with techniques, whose main goal is its hindering, and how to defend aga-
inst them. The theoretical part contains an enumeration of some anti-forensics
techniques, their impact on forensics analysis, and some recommendations on
how to defend against them. The practical part continues with testing the
USBkill and BUSkill tools, which are designated to hinder the acquisition pro-
cess. And its impact on the analysis and systems that use them. The summary
of the results can be interpreted as that, if set up properly these techniques
are highly effective, but correct settings of RAM wiping are complicated and
even then it doesnt guarantee full protection.
Analysis of deleted data in mobile applications
Author
Elnar Yantay
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Mgr. Dominik Novák
Department
Summary
Mobile apps use a variety of storage to manage their data, and removing it doesn't necessarily mean permanently deleting it. This thesis focuses on data management methods in Android and iOS operating systems, with a particular focus on the SQLite database system. Not only methods of data storage and deletion are analyzed, but also technical aspects related to the possibility of recovering already deleted records from database structures. The practical part focuses on the forensic analysis of the Viber application, including verification of the possibility of recovering deleted data. The research results contribute to a deeper understanding of data security issues in mobile applications.
Analysis of encrypted data in digital forensics
Author
Matěj Martan
Year
2025
Type
Bachelor thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Josef Kokeš, Ph.D.
Department
Summary
This thesis deals with data encryption from the perspective of digital forensics. The first part is devoted to the mapping of the most used encryption algorithms occurring in common file types and their analysis from the security point of view. In the next part, the brute force attack and its problems are explained to the reader, along with other techniques for breaking encryption. Next, an analysis of password recovery tools is performed, focusing on capabilities, supported algorithms and performance. In the last section, an attack on several types of encrypted files with different password strengths and different types of attacks is demonstrated using the Hashcat tool. The results show how differences in the format and password strength used fundamentally affect the effectiveness of the attack.
Master theses
Analysis of encrypted files and volumes in digital forensics
Author
Matěj Borský
Year
2025
Type
Master thesis
Supervisor
Ing. Marián Svetlík
Reviewers
Ing. Josef Kokeš, Ph.D.
Department
Summary
This thesis focuses on the analysis of methods for working with encrypted files and volumes within the field of digital forensic analysis. It examines encrypted files and volumes commonly used across various applications and operating systems. The thesis describes different encryption methods and analyses their implementation in file formats such as ZIP, PDF, and OOXML, as well as in encrypted volumes using technologies like BitLocker, LUKS, and VeraCrypt. It also evaluates the use of these methods in both open-source and commercial forensic tools. Furthermore, the described methods are implemented in a module for the Autopsy tool, extending its capabilities to support the analysis of encrypted files and volumes. The module primarily focuses on metadata extraction and the subsequent generation of decryption keys. The thesis also outlines methods for verifying password correctness and the potential for decrypting encrypted content.