SANS Digital Forensics and Incident Response Blog

SANS Mobile Device Forensics


The debut of the SANS SEC563 Mobile Device Forensics course in Baltimore this month was very well received. Attendees included information security professionals from private sector organizations, as well as forensic practitioners and government and law enforcement personnel. Reactions from attendees demonstrate the value and practical usefulness of this course.

- Robert Sutton, Security Alchemist in a corporate environment

"Any business that is currently using or looking to deploy mobile devices on a corporate network should have an understanding of the security implications associated with this technology. The SANS 563 course provides an in-depth hands-on examination of those risks, including methods available for acquisition and analysis of data in a forensically sound manner. This course provided me with a solid foundation which I can apply immediately in my workspace. A particularly valuable benefit of attending this course was the opportunity to network with experts in the field of forensics, particularly around mobile devices.

The course emphasized solid forensic practices in mobile phone investigation as well as reporting. Stepping through the logical and physical acquisition of memory with such a variety of devices is challenging to say the least; the class addresses the strengths and weaknesses for many of the mobile forensic tools being utilized in the field. The availability of open source vs. commercially available tools was a particularly useful and beneficial aspect of the class, and being able to use them in a lab environment with expert instruction was extremely helpful. The discussion regarding various mobile devices (including the most popular in the market) and how they are used and managed in the corporate environment provided valuable hands-on knowledge. Anyone looking to further their skills in Mobile Device Forensics would benefit from SANS 563."

The course covers a lot of ground, including CDMA and GSM cell phones, BlackBerry, Windows Mobile, and iPhone. A comprehensive methodology for processing mobile devices as sources of evidence is emphasized throughout the course, and the hands-on exercises utilize a mix of free and commercial tools, including Cellebrite, XRY and XACT.

In addition to covering the fundamentals, the course delves into the technologies, data structures, and physical memory on various mobile devices. By peeling back the layers of digital evidence on mobile devices, this course provides you with a deeper knowledge of the information you rely on when investigating cases involving mobile devices.

- Heather Mahalik, Senior Forensic Specialist, Basis Technology:

"The SANS SEC563 Mobile Device Forensics Course was one of the best non-vendor specific courses I have attended. Over the past 7 years, I have attended multiple courses that graze over forensic topics. This course, unlike the others, ensures that the students not only understand the topics, but actually get hands-on experience. The best feature of this course that I use in my everyday work environment is the Physical Acquisition/Analysis section. I have yet to find a cell phone specific training that has offered the amount of knowledge, information and hands-on exercises regarding Physical Acquisitions of cell phones as the SANS Mobile Device Forensics Course. I would recommend this course to examiners who are interested in really getting data off cell phones and not leaving the capabilities up to the tools."

The combination of teaching skills and knowledge, with hands-on exercises throughout the course, will enable you to resolve investigations. The capstone exercise at the end of this course is designed to tie everything together, hone your mobile device forensics skills, and help you apply them to an actual investigation. The depth and breadth of the course and the usefulness of the hands-on exercises are captured in the following testimonial from a government contractor.

"I attended the SANS 563 Mobile Device Forensics course debut, from 27 — 31 July, 2009. The course was very informative, and a great introduction to the art of forensic analysis on mobile phones. The course covered a large cross-section of the cell phone world, with topics running the gamut from GSM to CDMA; from Windows Mobile to the iPhone. There was a ton of hands-on time with actual devices and the tools used to examine them. One of the most beneficial aspects for me was the final "project," where the class split into teams and had to investigate a simulated case under severe time constraints. This provided significant insight into the proper workflow of a mobile forensic investigator and gave us firsthand knowledge of the things that are truly important in an investigation. The importance of record keeping and using the right tool for the job, which were emphasized throughout the course, became much more apparent in a hands-on scenario. Overall, I found the course extremely beneficial, and have already applied some of the lessons I learned to my work."

We have enhanced the course flow and materials based on feedback from debut participants, which will benefit those who take the course in San Diego from September 16-20, 2009.

Only a limited number of seats are still available, so register now.



Posted September 4, 2009 at 8:31 AM

nintendo ds r4

Hello all,
It was a really nice article about mobile. I really like this.
So I will definitely read the whole