Advanced Smartphone Forensics Course

INTRODUCTION

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. Advanced Smartphone Forensic Analysis will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data is saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data was put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This advanced smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 31 hands-on labs, a forensic challenge, and a bonus take-home case that allows students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

This course is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition short-falls, extraction techniques (jailbreaks and roots), malware and encryption. This intensive 10-days course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!

COURSE OBJECTIVES

At the end of course participants should be able to:

• Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
• Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
• Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
• Interpret file systems on smartphones and locate information that is not generally accessible to users
• Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
• Incorporate manual decoding techniques to recover unparsed data stored on smartphones
• Tie a user to a smartphone on a specific date/time and at various locations
• Recover hidden or obfuscated communication from applications on smartphones
• Decrypt or decode application data that are not parsed by your forensic tools
• Detect smartphones compromised by malware and spyware using forensic methods
• Decompile and analyze mobile malware using open-source tools
• Handle encryption on smartphones and crack iOS backup files that were encrypted with iTunes
• Extract and use information from smartphones and their components from Android, iOS, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, locked Android, older Android iOS versions, older iOS devices, Nokia [Symbian], and SIM card decoding)
• Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
• Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
• Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
• Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

DURATION

10 Days

WHO SHOULD ATTEND

The course targets:

• Police and other law enforcement personnel
• Information security professionals
• Defense and Security personnel
• Incident response teams
• Accident reconstruction investigators
• e-Business Security professionals
• Experienced digital forensic examiners
• Legal professionals
• Banking, Insurance, and other professionals
• Government agencies
• IT managers
• Digital Forensics Service Providers

COURSE CONTENT

• Malware and Spyware on Smartphones
• Mobile devices in incident-response cases
• Determining if malware or spyware exist
• Handling the isolation of the malware
• Decompiling malware to conduct in-depth analysis
• Determining what has been compromised
• Forensic Analysis of Smartphones and Their Components
• Android
• iOS
• SD cards
• Cloud-based backups and storage
• Cloud-synced data - Google and more
• Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures
• Recovering deleted information from smartphones
• Examining SQLite databases in-depth
• Finding traces of user activities on smartphones
• Recovering data from third-party applications
• Tracing user online activities on smartphones (e.g., messaging and social networking)
• Examining application files of interest
• Manually decoding to recover missing data and verify results
• Developing SQL queries to parse databases of interest
• Understanding the user-based and smartphone-based artifacts
• Leveraging system and application usage logs to place the device in a location and state when applications were use
• Identifying devices that have intentionally been modified - deletion, wiping and hiding applications
• In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools
• Using your tools in ways you didn't know were possible
• Leveraging custom scripts to parse deleted data
• Leveraging scripts to conduct forensic analysis
• Carving data
• Developing custom SQL queries
• Conducting physical and logical keyword searches
• Manually creating timeline generation and link analysis using information from smartphones
• Tool validation based on trusted datasets
• Using geolocation information from smartphones and smartphone components to place a suspect at a location when an artifact was created
• Handling Locked and Encrypted Devices
• Extracting evidence from locked smartphones
• Bypassing encryption (kernel and application level)
• Cracking passcodes
• Decrypting backups of smartphones
• Decrypting third-party application files
• Examining encrypted data from SD cards
• Incident Response Considerations for Smartphones
• How your actions can alter the device
• How to handle Hot and Cold devices
• How to prevent remote access on the device
• How to tie a user or activity to a device at a specific time
• How mobile device management can hurt as much as help you

THE END