FOR585: Advanced Smartphone Forensics
I finally know what I have been missing! I did not know I was ignorant.
Mark G., Department of Justice
FOR585 provides forensics investigators with the mentality and set of tools required to forensically examine most types of devices.
Steve Bone, MOD
FOR585: Advanced Smartphone Forensics will help you understand:
- Where key evidence is located on a smartphone
- How the data got onto the smartphone
- How to recover deleted mobile device data that most forensic tools miss
- How to decode evidence stored in third-party applications
- How to detect, decompile, and analyze mobile malware and spyware
- How to handle locked or encrypted devices, applications, and containers
SMARTPHONES HAVE MINDS OF THEIR OWN.
DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE AS USER ACTIVITY.
IT'S TIME TO GET SMARTER!
A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!
Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills.
Every time the smartphone "thinks" or makes a suggestion, the data is saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examining and interpreting the data is your job, and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.
This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 17 hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data is stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.
FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, and encryption. This intensive six-day course offers the most unique and current instruction available, and it will arm you with mobile device forensic knowledge you can apply immediately to cases you're working on the day you leave the course.
Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their texts and apps can and will be used against them!
SMARTPHONE DATA CAN'T HIDE FOREVER - IT'S TIME TO OUTSMART THE MOBILE DEVICE!
FOR585 Course Topics
Malware and Spyware on Smartphones
- Determining if malware or spyware exist
- Handling the isolation of the malware
- Decompiling malware to conduct in-depth analysis
- Determining what has been compromised
Forensic Analysis of Smartphones and Their Components
- Windows Phone
- Nokia (Symbian)
- Chinese knock-offs
- SD and SIM cards
- Cloud-based backups and storage
Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures
- Recovering deleted information from smartphones
- Examining SQLite databases in-depth
- Finding traces of user activities on smartphones
- Recovering data from third-party applications
- Tracing user online activities on smartphones (e.g., messaging and social networking)
- Examining event logs
- Manual decoding to recover missing data and verify results
- Understanding the user-based and smartphone-based artifacts
In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools
- Using your tools in ways you didn't know was possible
- Leveraging custom scripts to parse deleted data
- Data carving
- Conducting physical and logical keyword searches
- Manually creating timeline generation and link analysis using information from smartphones
- Plotting geolocation information from smartphones and smartphone components
Handling Locked and Encrypted Devices
- Extracting evidence from locked smartphones
- Bypassing encryption (kernel and application level)
- Decrypting backups of smartphones
- Decrypting third-party application files
- Manually cracking lockdown files for smartphones
- Examining encrypted data from SD cards
Incident Response Considerations on Smartphones
- How your actions can alter the device
- Determining whether a memory capture can be conducted on the smartphone
- How to prevent remote access on the device
For multi-course live training events, there will be a set up time from 8:00-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.
|FOR585.1: Smartphone Overview and Malware Forensics|
Focus: Although smartphone forensic concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to interpret correctly the data acquired from the device. On this first course day, students will apply what they know to smartphone forensic handling, device capabilities, acquisition methods, and data encoding concepts of smartphone components. Students will also become familiar with the forensic tools required to complete comprehensive examinations of smartphone data structures. Malware affects a plethora of smartphone devices. This section will examine various types of malware, how it exists on smartphones, and how to identify and analyze it. Most commercial tools help you identify malware, but none of them will allow you to tear down the malware to the level we cover in class. Up to five labs will be conducted on this first day alone!
All examiners today have to address the existence of malware on smartphones. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it. It is important for examiners to understand malware and how to identify its existence on the smartphone.
Smartphones will be introduced and categorized to set our expectations for what we can recover using digital forensic methodologies. We review the properties of Flash memory in mobile devices and demonstrate the pros and cons from a forensic perspective. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. Students will learn how to process and decode data on mobile devices from a forensic perspective, then learn tactics to recover information that even forensic tools may not always be able to retrieve.
The SIFT Workstation has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.
CPE/CMU Credits: 6
The SIFT Workstation
Malware and Spyware Forensics
Introduction to Smartphones
Forensic Acquisition Concepts of Smartphones
Smartphone Forensic Tools Overview
|FOR585.2: Android Forensics|
Focus: Android devices are among the most widely used smartphones in the world, which means they will surely be part of an investigation that will come across your desk. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, unless you hone the appropriate skills for bypassing locked Androids and correctly interpreting the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics.
Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.
During hands-on exercises, you will use smartphone forensic tools to extract, decode, and analyze a wide variety of information from Android devices.
CPE/CMU Credits: 6
Android Forensics Overview
Handling Locked Android Devices
Android File System Structures
Android Evidentiary Locations
Traces of User Activity on Android Devices
|FOR585.3: iOS Forensics|
Focus: Apple iOS devices contain substantial amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed for bypassing locked iOS devices and correctly interpreting the data. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.
Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. Encryption, decryption, file parsing, and traces of user activities are covered in detail.
During hands-on exercises, students will use smartphone forensic tools to extract and analyze a wide variety of information from iOS devices. Students will also be required to decode data manually that were deleted or are typically unrecoverable using smartphone forensic tools.
CPE/CMU Credits: 6
iOS Forensic Overview and Acquisition
iOS File System Structures
iOS Evidentiary Locations
Handling Locked iOS Devices
Traces of User Activity on iOS Devices
|FOR585.4: Backup File and BlackBerry Forensics|
Focus: We realize that not everyone examines BlackBerry devices. However, this section highlights pieces of evidence that can be found on multiple smartphones. Most importantly, we cover encrypted data on SD cards and how those data need to be acquired and examined. BlackBerry smartphones are designed to protect user privacy, but techniques taught in this section will enable the investigator to go beyond what the tools decode and manually recover data residing in database files of BlackBerry device file systems. Backup smartphone images are commonly found on external media and the cloud, and may be the only forensic acquisition method for newer iOS devices that are locked. Learning how to access and parse data from encrypted backup files may be the only lead to smartphone data relating to your investigation.
Forensic examiners must understand the concept of interpreting and analyzing the information on smartphones, as well as the limitations of existing methods for extracting data from these devices. This course day covers how to handle encryption issues, BlackBerry Enterprise Server data, and locked devices. Manual decoding of BlackBerry data will provide access to a vast amount of data that forensic tools seem to miss.
Both BlackBerry and iOS backup files are commonly part of digital forensic investigations. This section provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images.
During hands-on exercises, students will use smartphone forensic tools to extract and analyze a wide variety of information from BlackBerry devices, SD cards with encrypted data, and iOS and BlackBerry backup files. Students will be required to manually decode data that were encrypted or deleted, or that are unrecoverable using smartphone forensic tools.
CPE/CMU Credits: 6
Backup File Forensics Overview
Common File Formats For Smartphone Backups (Cloud and Disk-based)
Creating and Parsing Backup Files
Evidentiary Locations on Backup Files (Focus on iOS and BlackBerry Backup Files)
Locked Backup Files
BlackBerry Forensic Overview
BlackBerry File System, Evidentiary Locations and Forensic Analysis
|FOR585.5: Third-Party Application and Other Smartphone Device Forensics|
Focus: This day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. Next, other smartphones not afforded a full day of instruction are discussed and labs for each are provided. Given the prevalence of other types of smartphones around the world, it is critical for examiners to develop a foundation of understanding about data storage on multiple devices. You must acquire skills for handling and parsing data from uncommon smartphone devices. This course day will prepare you to deal with "misfit" smartphone devices and provide you with advanced methods for decoding data stored in third-party applications across all smartphones. The day ends with the students challenging themselves using tools and methods learned throughout the week to recover user data from a wiped Windows Phone.
This course day will cover other smartphone devices such as Nokia (Symbian), Chinese knock-offs, and Windows phones. These devices retain information about user activities that can be relevant in a digital investigation, including e-mail, web browsing, user-created files, and registry entries. We will cover techniques for parsing common data structures on these smartphone devices and recovering deleted items.
During hands-on exercises, you will use smartphone forensic tools to extract and analyze a wide variety of information from Chinese knock-off and Nokia phones. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools. The third-party application hands-on exercise will be a compilation of everything you have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones. The Windows Phone lab requires knowledge learned on each day of the course to recover user data manually from a wiped device.
CPE/CMU Credits: 6
Third-Party Applications on Smartphones Overview
Third-Party Application Locations on Smartphones
Decoding Third-Party Application Data on Smartphones
Knock-off Phone Forensics
Nokia (Symbian) Forensics
Windows Phone/Mobile Forensics
|FOR585.6: Smartphone Forensic Capstone Exercise|
Focus: This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.
By requiring student groups to present their findings to the class, this capstone exercise will test your understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. An executive summary of findings is also expected.
Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation:
Identification and Scoping
In addition, students will be required to generate a forensic report.
CPE/CMU Credits: 6
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE INSTRUCTIONS!!
Before coming to class, carefully read and follow these instructions precisely.
Each student participating in this course needs a properly configured 64-bit system. For your core operating system, you may use any 64-bit version of Windows, Mac OSX, or Linux that also is able to install and run VMware virtualization products.
It is critical that your CPU and operating system support 64 bits so that our 64-bit guest virtual machine will run on your laptop.
Please download and install VMware Workstation 12.0, VMware Fusion 8.0, or VMware Player 12.0 on your system prior to beginning the class. (Note: This is required to prevent issues with USB 3.0 ports.) If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Mandatory Hardware Requirements
Mandatory Software Requirements
IN SUMMARY, BEFORE YOU BEGIN THIS COURSE YOU SHOULD:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
FOR585 is designed to be valuable for students regardless of whether they are new to or experienced with smartphone and mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensic investigator needs to process smartphones and other mobile devices. The course is a must for:
There is no prerequisite for this course, but a basic understanding of file system structures and forensic terminology will help the student grasp topics that are more advanced. Previous training in mobile device forensic acquisition methods is also useful, but not required.
|Other Courses People Have Taken|
|What You Will Receive|
|FOR585: Advanced Smartphone Forensics Will Prepare You And Your Team To:|
|Hands-On Training & Labs|
This course features 17 hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. The labs cover the following topics:
|Quotes from Former Students|
"This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!" - Scott McNamee, DoS/CACI
"As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination." - Charles Cox, FBI Computer Analysis and Response Team
"FOR585 is the best out there." - Andy Nind, British Army
"This course is worth it, even for a novice like myself." - S. Gentry, Adobe
"This course was very high-quality training that provided exactly what was advertised!...Great BlackBerry lab. I have never dug this deep in a BlackBerry before." - C. McCollom, Clark County Sheriff's Office
"This was an awesome class! Amazing amount of material and the capstone tied it all together." - D. Mayer, Broomsfield Police Department
"I finally know what I have been missing! I did not know where I was ignorant." - Mark G., Department of Justice
"If I could afford it I would take this course every year. I am sure I would learn new things as the course evolves to new technology." - Jim Stapleton, student
"I have been working with phones since 2009, and [instructor] Heather [Mahalik] very casually showed me how much I don't know. Excellent!" - Harbin Combee, MPDC