Advanced Smartphone and Tablet Acquisition

Background

The prevalence of smartphone and tablet devices is a mixed blessing for digital forensic units. On the one hand, iPhone, iPad and Android devices can provide a wealth of information about the owner’s communication, associates and whereabouts; but at the same time the built-in security mechanisms provided by such devices often present a significant challenge.

Course aims

Many Android apps exclude themselves from the backup mechanisms used by commercial forensic tools and additionally, device manufacturers and 3rd party app developers provide easy to use app protection and data hiding features. It is increasingly important that mobile forensic examiners can assess the completeness of extractions and take necessary steps to recover missing, hidden or protected data.

Not only is data being more tightly secured within mobile devices, increasing amounts of data are being stored in the cloud, either by the device itself or by apps installed on it. Today’s forensic examiners need to be aware of the breadth and depth of data held within the cloud and how it can be recovered for evidential use.

Advanced Smartphone & Tablet Acquisition is a 4½ day course designed to teach attendees how to ensure maximum evidence recovery. Delegates will learn how to identify and recover evidence from encrypted PC backups of iOS devices and use the Google Android SDK to recover data from any Android device. Importantly, delegates will gain hands-on experience in recovering data for apps such as WhatsApp and Facebook Messenger which exclude themselves from the backup process as well as techniques for dealing with data hiding mechanisms including Samsung Secure Folder and Huawei PrivateSpace. In addition to device extraction techniques, delegates will gain practical experience in the potential benefits of, and obstacles to, recovering cloud-based data.

What you will learn

By the end of the course, students will be able to:

  • Use adb commands to connect to, and recover data from Android devices
  • Crack passwords for “secure” applications using custom wordlists
  • Use data from the iOS keychain to decrypt data from vault & secure messaging apps
  • Identify the use of data hiding techniques on Android devices which may prevent data extraction via forensic tools
  • Explain & justify your actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in mobile device forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).