New training for investigators

For too long, investigators have been the neglected link in a chain which stretches from device seizure all the way to the courtroom. Investigators are passed huge volumes of data to review in multiple tools and expected to understand and locate data which could be critical to the investigation; all without the benefit of structured training.

Until now.

Control-F is launching two courses in the 4th quarter of 2023 to support investigators, analysts and anyone who needs to work with data extracted from mobile devices:

  1. Understanding Mobile Forensic Data (UMFD) is an on-demand (self-paced) online course designed to teach delegates how data is recovered from mobile devices, the origins and reliability of such data and its relevance within an investigation.
  2. Reviewing Mobile Forensic Data (RMFD) is a two-day classroom course designed to teach delegates how to navigate mobile forensic data in Cellebrite Reader, MSAB XAMN and Axiom Portable Cases.


Get in touch to find out more and to check availability.

Digital Learning Developer/eLearning Course Developer (remote-based)

This is a contract position for four months starting in May 2023. We are looking for an experienced Digital Learning Developer who will be responsible for working closely with our Digital Learning Manager to deliver the build of a future online course for Control-F.

About You

You’ll be an experienced Digital Learning Developer with demonstrable experience and a good level of competency in using Articulate 360, in particular Articulate Storyline.

In addition, you’ll need demonstrable experience of Vyond as well as an understanding of various e-learning course formats, SCORM, xAPI and cmi5.

If you have design experience and are able to contribute to the design and development of content, that would be extremely useful but not essential.

You’ll be creative and able to work with a forward-thinking mindset. It’s not enough that something you build works for right now – we want to make sure it’s future-proofed (insofar as is possible).

We’re looking for someone self-motivated, with good project management skills and the ability to work to agreed timescales. Ideally, you’ll have experience of working remotely although depending on location, there is the possibility of you spending some time in our offices and/or meeting up with the Digital Learning Manager to discuss progress against agreed objectives.

Overall, you’ll have a high degree of comfort working in a collaborative and rapidly changing environment.

What’s involved

You’ll take a combination of storyboard designs and textual specifications for course materials and transfer them into Articulate Storyline to develop the interactive course content.

You’ll also use animation software tools like Vyond to generate media-related content for use throughout the course. We see this as being a significant part of the project, where an understanding of blending both Vyond and Storyline content would be advantageous.

You’ll be given brand guidelines and direction on art style and we’d like you to be able to add some graphic design elements to the material, with some opportunities and freedom for creative suggestions and solutions.

It’s important to know that while we have our own inhouse style that we’ll expect you to work to, you’ll need to be comfortable working within guidelines that are currently evolving and being updated to meet our latest vision.

The challenges

If you’re not used to working with a client remotely, we realise that could present a challenge initially and we’ll do what we can to make sure that the working relationship goes smoothly.

We’ve already highlighted that our inhouse style is undergoing a review and update, so that will be part of the challenge for you when you work with us.

About Us

Control-F is a digital forensics company offering scheduled and on-site training courses to digital forensic examiners, primarily in law enforcement. We are a small business with a big reputation and our team are driven and motivated to achieve and maintain our high standards.

The future

There is a possibility of a digital learning role on an employed basis and we would be delighted to discuss this future role with you if it was of interest.

Vacancy for another Course Manager

We’re recruiting for another Course Manager – this time, based at our offices at Wyboston Lakes.


If you’re passionate about digital forensics and want to educate and inspire others, maybe you’re the person we’re looking for….

Course Manager vacancy

If you’re passionate about digital forensics and want to educate and inspire others, maybe you’re the person we’re looking for….

Successfully acquire Macs, Chromebooks and Surface Pros

Illustration of an Apple M1 chip

We’re delighted to be announcing the launch of our new Acquiring Challenging Computer Devices training course.

This 2 day, intermediate-level course picks up where our entry-level Foundation in Securing Computer Evidence course leaves off in providing simple explanations (and hands-on experience) of acquiring data from Macs, Chromebooks and Surface Pro devices.

The combination of “soldered on” storage and security chips (like the T2 and M1 chips in recent Apple Mac computers) mean that traditional imaging approaches for these types of devices simply don’t work.

You can read more about the course contents, target audience, locations and pricing on the course page here.

Our first courses run during the week commencing 31 October, so get in touch if you’d like to check availability.

Course Manager (office-based)

Control-F is now looking for an office-based Course Manager to join our small but growing team.  We need someone to take responsibility for creating, delivering and maintaining training course content, ensuring that both materials and delivery remain current, engaging and accurate.

The role

You’ll be project managing course development activities across the company’s training portfolio, encompassing the following the design and delivery of new training courses; authoring, updating and maintaining existing training course materials and delivering training course content to customers at various locations, including our classroom at Wyboston Lakes.


About you

You’ll have previous hands-on experience as a digital forensics practitioner using MSAB XRY and Cellebrite UFED and will have recognised training courses under your belt (you might have a digital forensics degree, but this isn’t essential). You’ll also have excellent written English and be a clear and confident verbal communicator. Not only that, you’ll be comfortable managing multiple ongoing work activities to ensure that deadlines are met.

If you have experience of the following, they would be a huge advantage:

  • Oxygen Detective
  • FTK Imager and other computer acquisition tools
  • SQL and SQLite databases
  • Delivering digital forensics training
  • Creating and editing professional PowerPoint, Word, Publisher and Google documents
  • Programming experience in Python, C/C++ or Java
  • Reverse engineering

As a person, you’ll be comfortable in the classroom spotlight and good at building rapport with others. You’ll be working within a small team of people who pay attention to the detail and have a “can do” customer-focused attitude.

About us

We’re a digital forensics company offering scheduled and on-site training courses to digital forensic examiners, primarily in law enforcement. We’re based just 30 minutes drive from Cambridge, the heart of “Silicon Fen”.

What we’re offering

In return, our Course Manager will have a competitive salary, performance-based annual review, defined contribution pension scheme, 22 days a year annual leave (plus 8 Bank Holidays), the ability to work flexitime, a health cash plan and paid time off for volunteering.


We are a small business with a big reputation in our field and we’d love to welcome you to join us.  You can download the job description read more about the courses we’re currently offering or contact us for more details and an ‘off the record’ chat about the role.

Just how much of the web activity on a mobile device are you seeing?

Recovering web activity from a mobile device will be important in many investigations. Which sites has the user visited? Which pages on those sites did they access? What searches did they run?

Although pre-installed browsers like Safari and Chrome are well supported by commercial forensic tools, there is a very real chance that web activity in other apps could easily be missed during a forensic examination. A user might be accessing the web via a wide range of apps, and in some cases not even realising that they are doing so:

  • A user may have installed a 3rd party web browser and chosen to use it instead of, or alongside, Safari or Chrome
  • Apps like Outlook, Twitter and Instagram default to launching their own “in app browser” when users click on links within the app (e.g. within a direct message, tweet or post)
  • Many apps which aren’t web browsers in the traditional sense, access data on the web  (and record their activity) – for example a parking app, a cinema app etc.

Our experience indicates that all three of these scenarios may mean that there is web activity on the device which might be extracted, but has not been decoded by commercial forensic tools.

However, we have good news!

Many Android apps utilise the open-source Chromium framework when they access the web – which means that lots of different apps are generating very similar (and decodable) artefacts.

In order to be allowed on the iOS App Store, all apps which browse the web must be based on the WebKit framework – again this means that different apps will produce similar artefacts.

We have released “shomium“, an open-source tool for locating, decoding and reporting web activity on mobile devices. It quickly identifies Chromium-based apps within full file system extractions of Android devices, and likewise alerts the user to Webkit-based apps within extractions of iOS devices.

Screenshot of shomium tool displaying decoded web artefacts

Users can browse contents of the application’s web cache, decoded cookies and “local storage” and then generate HTML reports to pass to case officers and investigation teams.

You can download shomium from our GitHub repository now. We hope that it helps raise awareness of web activity which might otherwise “fly under the radar”. We welcome your feedback!

Attributing media files using our new open source tool “mift”

For many years Control-F has produced and shared many Python scripts, making them available to delegates attending our training courses.  These scripts cover a multitude of functions, such as assisting with repetitive forensic tasks, or helping to report artefacts which might be missed by commercial forensic tools. We are proud to now be going one-step further in announcing our new, free, open-source tool, “mift”.


mift” is an open-source software tool designed to assist digital forensic examiners in understanding the context of media files on iOS and Android devices. mift can help explain:

  • How a media file within the DCIM/100APPLE folder on an iOS device came to be there (taken by the device camera, created via an app, sent vs. received etc.)
  • Whether an image file has been shared via the cloud – and if it has, which device it was shared from
  • Which primary image a recovered thumbnail image relates to
  • Which website a user was visiting when a screenshot was taken
  • And more!

Although the image in the screenshot below is located alongside camera photos in the folder DCIM/100APPLE, the “Application_Package” and “Original_Filename” metadata confirm that the image was created by the camera within the messaging app Telegram.

Screenshot of an image being viewed in mift and associated metadata being displayed to the user

mift can highlight valuable data which may not be fully decoded and presented by commercial forensic tools. It has already been used by customers to support evidential investigations, and the feedback has been extremely positive. You can get a flavour of its capabilities from an introductory guide available here.

mift is an open-source tool – which means that it is not only free, it’s inner workings are open to scrutiny and review. It’s just one of a series of tools we’re making available via our GitHub repository.


Take a look and get in touch. We’d love to hear your feedback!

New “Intermediate Mobile Device Repair” training opens in May 2022

Course logo for Intermediate Mobile Device Repair

We’ve been delighted with the response from our customers to our entry-level Mobile Device Repair training which launched in July 2020. We were extremely busy during 2021 teaching delegates how to replace screens, repair data ports, power devices with dead batteries and much more.

Delegates have been asking us for “next level” training to help diagnose and repair more complex faults and we’re delighted to be able to announce new training address exactly that.

Intermediate Mobile Device Repair is a brand new 4½ day training course designed to teach delegates how to identify and repair common board-level faults which may prevent a device from powering on, or to “boot-loop” (repeated display of the Apple logo).

You can find more information about the course at

Our first course runs 23-27 May 2022 in Leeds.

Get in touch to check availability or to find out more about the course content.

Evolution of our chip-off training

Protective shield being removed using hot air

We’re excited to announce the next chapter in our delivery of chip-off training, a field that we’ve been supporting our customers in for over 8 years.

Although recovery of unencrypted data via chip-off is still viable for some devices, it is much less of an opportunity than it once was. However, the ability to be able to de-solder and replace chips on mobile device circuit boards is still highly relevant for digital forensic units and forensic service providers.

We have gone right back to the drawing board and the end result is that a new Rework for Mobile Device Repair course will replace “Flash Memory Chip Removal”. The duration, cost and location of the training remains the same – but the emphasis shifts dramatically to repairing devices rather than data extraction via a chip reader.

You can find more information about the course at

Our first course runs 21-25 February and is already nearly full.

Get in touch to check availability or to find out more about the course content.