Acquiring Challenging Computer Devices

2 days

Background

The forensic acquisition of computer devices has been made more challenging through the shift from removable hard disk and solid-state drives to “soldered on” flash memory storage. The inability to remove (and image) the storage is further compounded in some devices by the presence of encryption and dedicated security chips, both of which can hamper acquisition via bootable media.

This situation presents multiple challenges to those tasked with forensically acquiring computers. If active encryption is not identified and addressed at seizure, it may be impossible to subsequently decrypt data held on the device. Without the necessary knowledge and specialist tools, “secure boot” features within Windows, Mac and Chromebook devices may prevent any data from being recovered from the device. Even worse, failing to follow correct procedures when acquiring a Chromebook can lead to irretrievable loss of data from the device.

Course aims

Acquiring Challenging Computer Devices is a 2 day course designed to teach delegates how to acquire Microsoft Surface Pro, Apple Mac and Chromebook devices. Fundamental to successful acquisition is not only the accurate identification of the device type, but in the case of Apple Mac devices, determining which specific security platform the device utilises (notably T2 and M1 chips). Once the security platform has been confirmed, appropriate steps can be taken to enable data acquisition.

Delegates will learn how to identify the presence of active BitLocker encryption on Surface Pro devices, perform live acquisitions of powered-on devices and take appropriate action to capture BitLocker recovery keys (which may be essential to subsequent analysis). During what is a highly practical course, delegates will create and use bootable media to recover data from both Chromebook and Surface Pro devices. 

What you will learn

By the end of the course, delegates will be able to:

  • Recognise if BitLocker is enabled on a Microsoft Surface Pro and use bootable media to acquire it
  • Capture decrypted logical backups of Chromebook devices
  • Distinguish between T2 and M1 series Apple computers and perform forensic acquisitions of both
  • Explain & justify their actions in court

Who should attend?

This intermediate level course is targeted at personnel responsible for forensically acquiring computer devices within a lab environment as well as those tasked with securing digital evidence “at scene”. Delegates should have at least 6 months experience in computer acquisition and have previously attended the Control-F Foundation in Securing Computer Evidence (or equivalent).

IT Technician

Salary range £20,000 to £24,000 (depending on experience)

Are you the unofficial tech support for friends and family? The one people call on to set up their new laptop or to work out why they can’t connect to the internet? Constantly being asked for your opinion on the merits of iPhone over Android?

In other words, are you interested in tech and wishing you could find a job where you can indulge your passion and become an integral part of the team?

Then read on. We have the IT Technician job for you!

About you

  • A-level or equivalent in IT-related subject?
  • Clear and confident communicator?
  • Able to manage multiple ongoing work activities and meet deadlines?
  • Take pride in your work and work environment?

About the role

This full-time Monday to Friday role supports the internal and classroom IT of our busy digital forensics training company. This is an office-based role at our Wyboston Lakes headquarters on the Cambridgeshire/Bedfordshire border with a requirement for occasional travel to a company location in Leeds.

Reporting to the Digital Learning Manager, you’ll be taking responsibility for overseeing the classroom and office IT infrastructure, encompassing the following (this is not an exhaustive list and other responsibilities may be added as you grow into your role):

  • Supporting users of our online digital learning portal
  • Preparation and commissioning of new IT hardware and associated software
  • Managing updates to the PC “build” for the training classroom
  • Restoring classroom PCs after a training course has run and loading necessary files for the next course
  • Assisting the Digital Learning Manager in the deployment and maintenance of virtual labs and virtual classroom environments
  • Overseeing and testing IT backup systems
  • Testing training devices (mobile phones, tablets etc.) with new versions of PC software tools to identify any potential issues or incompatibilities
  • Preparing USB drives and related devices for use during training courses
  • Working with our IT service providers to support our internal IT requirements
  • Assisting in the administration and support of our Learning Management System – this can be taught
  • Licence management including updating licence keys
  • Maintaining the Company’s asset management system
  • Working with colleagues on R&D testing – creating scenario content, testing apps etc

This is a perfect role for you if you’re setting out in your IT career, you’re interested in tech and you have (or can develop!) an interest in digital forensics. It’s one of those roles where you can learn a lot and you’ll be surrounded by colleagues who want to support you and help you to develop.

About us

The Company offers digital forensics training to mobile phone and computer examiners, mainly in UK police forces but also to private companies and overseas law enforcement organisations. We’re getting really busy with more demand than ever for our courses and you know what that means – lots of IT support needed!

Benefits

  • Competitive salary
  • Performance-based annual salary review
  • Defined contribution pension scheme
  • 22 days annual leave + 8 public holidays, increasing by 1 day per year of service (up to max. of 25 days annual leave + 8 public holidays)
  • Flexitime
  • Health cash plan
  • Paid time off for volunteering

Interested?

Get in touch with your CV – we’re waiting to hear from you! Please note that we are planning to recruit during September and October with the expectation of a November start date.

Reviewing Mobile Forensic Data

2 days • Classroom

Background

Data recovered from mobile devices plays a vital role in an increasing number of investigations. However, case teams face significant challenges in being able to navigate huge volumes of data in order to find items of relevance to their investigation. In addition, different devices may have been extracted using different forensic tools – each of which is accompanied by its own “reader” application. Investigators need to make efficient use of multiple reader applications such that they can locate relevant data and subsequently generate reports that can be used in evidence.

Course aims

Reviewing Mobile Forensic Data is a two-day classroom course designed to teach delegates how to navigate mobile forensic data in MSAB XAMN, Cellebrite Reader and AXIOM Portable Cases. Data is routinely supplied by Digital Forensic Units and external Forensic Service Providers in all 3 formats; each of which brings its own challenges and opportunities. Reviewing Mobile Forensic Data aims to teach delegates how to confidently navigate data, and report against it, within all three tools.

Delegates will learn how to search and filter large extractions to identify and then “tag” relevant items such that they can be reviewed by colleagues. Delegates will also gain hands-on experience in producing reports of relevant data for evidential purposes.

Crucially, delegates will not only learn how to use the relevant software tools, they will gain experience in appropriate note-taking to ensure that an accurate record of any analysis is maintained for disclosure purposes.

What you will learn

By the end of the course, delegates will be able to:

  • Select an appropriate reader tool to open an extraction of a mobile device
  • Search and filter mobile forensic data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Tag (“bookmark”) relevant data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Generate selective reports of relevant data
  • Keep appropriate notes of their actions

Who should attend?

This intermediate level course is targeted at anyone who needs to review and interpret data recovered from mobile devices. This will include case teams, investigators and analysts.

Delegates must have successfully completed our online on-demand training course ‘Understanding Mobile Forensic Data’ before attending ‘Reviewing Mobile Forensic Data’.

XAMN is a registered trademark of Micro Systemation AB. Cellebrite is a registered trademark of Cellebrite DI Ltd. AXIOM is a registered trademark of Magnet Forensics Investco Inc.

Understanding Mobile Forensic Data

1½ days • Online on-demand

Background

Data recovered from mobile devices plays a vital role in an increasing number of investigations. Our mobile devices contain an imprint of how we live our lives: who we know, where we go, what we think and what we do. Being able to explore and analyse the data behind that imprint gives investigators a unique insight into the whereabouts, actions and opinions of both victims and defendants.

Yet mobile forensics is far from simple. The types and volume of data which can be recovered depend upon a host of factors. Not only that, the data which can be recovered has origins in multiple sources – some reliable, some less so. Mobile forensic data can seem bewildering or overwhelming, meaning that there is a real risk that valuable data may be overlooked.

Course aims

Understanding Mobile Forensic Data is an on-demand (self-paced) online course designed to teach delegates how data is recovered from mobile devices, the origins and reliability of such data and its relevance within an investigation.

Delegates will learn about the differences between logical, physical and full filesystem extractions as well as why some of those techniques may not be available in some situations. Through the use of engaging and interactive visual content, delegates will learn where location data and time and date information present in mobile devices originate from. Crucially, the course will highlight data which once recovered from a mobile device should be corroborated or enriched with data from other sources (for example, a Communications Service Provider).

What you will learn

By the end of the course, delegates will be able to:

  • Explain what a digital forensic artefact is and provide three examples
  • Explain how logical and ‘full filesystem’ extractions of the same device might differ
  • Give two examples of mobile forensic data which require corroboration via a Communications Service Provider
  • Evaluate competing strategies for progressing an investigation using digital forensic data

Who should attend?

This entry-level course is targeted at anyone who needs to understand the origins, scope and relevance of data recovered from mobile devices. This will include frontline police officers, investigators, analysts, case officers, senior police officers, lawyers, judges and more. 

Successful completion of this course is a pre-requisite for attendance of our classroom training course ‘Reviewing Mobile Forensic Data’.

Course access and duration

This online course can be accessed from a desktop or laptop PC with an appropriate internet connection and comprises approximately 1½ days content. Our on-demand delivery allows for flexibility both in where and when delegates complete the course, with learner progress being saved between sessions.

Rework for Mobile Device Repair

Background

Mobile devices can be damaged either through normal use, deliberate snapping or failure of specific chips which are vital to the device powering up successfully. Consequently, digital forensic units are routinely faced with mobile devices which cannot be powered on to a stable state such that data can be extracted using commercial forensic tools. Where possible and practical, such devices need to be repaired by removing and replacing the damaged or faulty chips on the device’s printed circuit board (PCB). These techniques are referred to as “rework” within the electronics industry.

Course aims

Successful removal and replacement of chips from a mobile device PCB requires appropriate equipment and skilled techniques to ensure that the circuit board and surrounding components are not damaged in the process. This may include desoldering using specialist hot air tools, preparation of replacement chips using stencilling techniques and re-soldering of the replacement chip (again with skilled use of hot air).

Rework for Mobile Device Repair is a 4½ day course designed to teach delegates how to safely de-solder faulty chips from an iPhone PCB and resolder working replacements. The intention is to return a device to a bootable state where data can be extracted using commercial forensic tools.

Delegates will also learn how to repair damage to pads on the underside of any chip caused by accidental or intentional physical damage. Delegates will be working primarily on iPhone models (including those with “stacked” PCBs), however the techniques taught on the course can be used on any PCB with surface mounted chips.

The course also includes hands-on experience in chip-off techniques for data extraction from feature (“burner”) phones as well as eMMC flash memory chips from unencrypted legacy Android devices, satnavs and vehicle systems.

What you will learn

By the end of the course, students will be able to:

  • Safely remove and replace iPhone chips to repair faults which prevent data extraction
  • Successfully clean and “re-ball” chips in preparation for repair
  • Repair broken pads on printed circuit boards (PCBs) caused by physical damage to a mobile device
  • Recover the contents of flash memory chips
  • Explain and justify their actions in court

Who should attend?

Delegates must have previous soldering experience. Ideally this will have been achieved by attending our Mobile Device Repair course (or other Control-F courses involving hand soldering).

Rework for Mobile Device Repair sits alongside our Intermediate Mobile Device Repair course which focuses on the diagnosis of board-level faults that may necessitate chip removal. Digital forensic units will gain maximum benefit where staff have attended Intermediate Mobile Device Repair and Rework for Mobile Device Repair.

Mobile Forensics for Kiosk Operators

Online on-demand

Background

Mobile forensic kiosks are widely deployed within law enforcement organisations. They can assist with reducing submissions to specialist digital forensic units, thereby cutting wait times for mobile forensic extractions to be performed and reducing submission backlogs. Kiosks provide pre-configured, easy to follow workflows to guide less experienced personnel through the steps involved in extracting data from mobile devices.

Kiosk deployments have the potential to deliver valuable time and cost savings but bring with them associated risks. They rely on complex volatile digital evidence being handled by staff with relatively little experience and formal training. Training abstractions and commitments for large numbers of staff and frontline deployments can be challenging. This often means that training programmes for kiosk operators tend to focus their limited time on the operation of the equipment and less on understanding the devices, extraction processes and resulting data. Inadequate training could lead to a kiosk operator allowing data to be remotely wiped from an exhibit, failing to extract vital data or missing an opportunity to escalate a complex device to specialist digital forensic colleagues.

Course aims

Mobile Forensics for Kiosk Operators is an on-demand (self-paced) online training course designed to help delegates understand where different data are stored and the extraction processes used in their recovery. Our on-demand delivery allows for flexibility both in where and when delegates complete the course, with learner progress being saved between sessions.

Delegates will learn how to ensure data is preserved in accordance with the ACPO Principles of Computer Based Evidence.

Mobile Forensics for Kiosk Operators is “kiosk neutral” in that it is not specific to any particular kiosk supplier. The course content is suitable for law enforcement organisations in the UK and around the world. An optional additional lesson can be tailored (by Control-F) to introduce delegates to organisation-specific policies and procedures.

What you will learn

By the end of the course, delegates will be able to:

  • Isolate a mobile device to prevent it from being remotely wiped or receiving incoming data
  • Explain the differences between logical and physical extractions and identify situations when a physical extraction may be appropriate
  • Distinguish types of data that might reside on a mobile phone handset versus its SIM card or memory card
  • Provide guidance to colleagues on how to corroborate and enrich extracted data by means of Communications Service Provider requests

Who should attend

This entry-level course is targeted at new or existing operators of mobile forensic kiosks. Mobile Forensics for Kiosk Operators is not a replacement for “product training” supplied by the kiosk vendor – rather it is designed to complement such training and could be taken either before or after product training has been completed.

Technical requirements

This online course can be accessed from a desktop or laptop PC with an appropriate Internet connection.

Evaluation

Law enforcement organisations can apply for a test account which can be used to evaluate the course content.

Data Demystifier 1

4½ days • Online instructor-led

Background

Digital forensic software tools extract data from devices and present that data on screen for analysis, typically by means of a simple point-and-click interface. Such tools provide great benefits in simplifying both the acquisition and analysis phases of a mobile device examination, thereby allowing more devices to be processed in less time. However, this simplification has its drawbacks, most notably that forensic examiners are less likely to encounter, and therefore understand, the raw data stored on the device. This lack of understanding fundamentally limits an examiner’s ability to present evidence with confidence.

Course aims

Data Demystifier 1 is a 4½ day online instructor-led course designed to give existing digital forensic examiners a true understanding of the data recovered and decoded by forensic software tools.

Delegates will learn the fundamental encodings used for time and date information, text data (ASCII and Unicode) as well as the vital role played by file signatures in digital forensics.

Students will gain extensive experience in working with raw data within a hex editor: understanding offsets, Endian-ness, using regular expressions to search large device extractions, manually carving data of interest and then making sense of that data.

Developing an in-depth understanding of how electronic devices actually store data enables digital forensic examiners to not only corroborate the evidence presented by commercial forensic tools but also to recover and present evidence which such tools may have missed.

What you will learn

By the end of the course, students will be able to:

  • Confidently navigate raw data within a hex viewer and manually carve data of interest
  • Construct regular expressions to search for deleted media files within a physical extraction
  • Identify and interpret data encoded using Little Endian and Big Endian byte ordering
  • Attempt manual repair of unplayable MP4/3GP/MOV video files
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing digital forensic examiners who have at least 6 months of experience. Ideally, delegates would have previously attended either of the Control-F Foundation in Mobile Phone Forensics or Foundation in Securing Computer Evidence courses (or equivalent).

Technical requirements

Delegates will require a computer with a minimum 10MB Internet connection, a webcam and speakers (or headset). Delegates are strongly recommended to ensure they have access to dual monitors.

App Investigator 1

4½ days • Online instructor-led

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately, the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

App Investigator 1 is an instructor-led online course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Locate, view and recover evidence from SQLite databases used by smartphone applications
  • Maximise evidence recovery from SQLite databases through appropriate handling and analysis of associated Write Ahead Logging (WAL) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Technical requirements

Delegates will remotely log in to a Control-F PC to undertake the training and as such will require a computer with a minimum 10MB Internet connection. Prior to the course a technical trial will be conducted with prospective delegates to ensure that the remote login capability is compatible with their IT infrastructure.

Delegates will also require a webcam and speakers (or headset). Delegates are strongly recommended to ensure they have access to dual monitors (one screen for remote access and a second to view the training materials).

Mobile Device Repair

Background

Being able to safely repair damaged mobile device exhibits in-house has become increasingly important for digital forensic units. Charging problems, cracked screens, faulty buttons or damaged data ports are common issues which may prevent successful data extraction. Digital forensic units need to be able to get devices working quickly and safely in order to prevent the inevitable delays, costs and continuity complications associated with taking a device outside the organisation to be fixed.

Faced with a “dead” device, a mobile examiner needs to be able to quickly identify the fault (or faults), confirm whether the repair(s) can and should be conducted in-house and establish the risks associated in undertaking such work. Although YouTube is awash with “how to” videos for device repair, undertaking such work without properly understanding the risks could easily mean that a vital evidential exhibit is further damaged by the attempted repair. Not only that, such videos assume that the actual fault with the device has been reliably identified. Digital forensic units need staff who can quickly and accurately identify faults and then select the most pragmatic means of repair.

Course aims

Mobile Device Repair is a 4½ day course designed to teach mobile device examiners how to identify and repair common faults with mobile devices which might prevent data extraction. Students will learn a systematic and efficient approach to fault finding designed to quickly identify common obstacles to data extraction. The emphasis of the training is on performing the simplest and most cost effective repair possible in order to acquire data from the device. Students will gain experience in disassembling, repairing and re-assembling Android, iPhone, Windows Phone and feature phone devices. Importantly, the course will include instruction in the soldering techniques required to replace data ports which are integrated into the main circuit board of the device.

What you will learn

By the end of the course, delegates will be able to:

  • Identify and resolve charging and battery issues with mobile devices
  • Replace glued and non-glued screens on mobile devices
  • Replace modular and soldered components on mobile devices
  • Transplant circuit boards from damaged evidential exhibits into “donor” devices to facilitate data extraction
  • Explain and justify their actions in court

Who should attend?

This course is targeted at new or existing mobile device examiners. The course includes close work with small components and therefore requires good eyesight and a steady hand. Previous experience in handset disassembly and soldering would be beneficial but not essential.