New training for investigators

For too long, investigators have been the neglected link in a chain which stretches from device seizure all the way to the courtroom. Investigators are passed huge volumes of data to review in multiple tools and expected to understand and locate data which could be critical to the investigation; all without the benefit of structured training.

Until now.

Control-F is launching two courses in the 4th quarter of 2023 to support investigators, analysts and anyone who needs to work with data extracted from mobile devices:

  1. Understanding Mobile Forensic Data (UMFD) is an on-demand (self-paced) online course designed to teach delegates how data is recovered from mobile devices, the origins and reliability of such data and its relevance within an investigation.
  2. Reviewing Mobile Forensic Data (RMFD) is a two-day classroom course designed to teach delegates how to navigate mobile forensic data in Cellebrite Reader, MSAB XAMN and Axiom Portable Cases.


Get in touch to find out more and to check availability.

Successfully acquire Macs, Chromebooks and Surface Pros

Illustration of an Apple M1 chip

We’re delighted to be announcing the launch of our new Acquiring Challenging Computer Devices training course.

This 2 day, intermediate-level course picks up where our entry-level Foundation in Securing Computer Evidence course leaves off in providing simple explanations (and hands-on experience) of acquiring data from Macs, Chromebooks and Surface Pro devices.

The combination of “soldered on” storage and security chips (like the T2 and M1 chips in recent Apple Mac computers) mean that traditional imaging approaches for these types of devices simply don’t work.

You can read more about the course contents, target audience, locations and pricing on the course page here.

Our first courses run during the week commencing 31 October, so get in touch if you’d like to check availability.

Just how much of the web activity on a mobile device are you seeing?

Recovering web activity from a mobile device will be important in many investigations. Which sites has the user visited? Which pages on those sites did they access? What searches did they run?

Although pre-installed browsers like Safari and Chrome are well supported by commercial forensic tools, there is a very real chance that web activity in other apps could easily be missed during a forensic examination. A user might be accessing the web via a wide range of apps, and in some cases not even realising that they are doing so:

  • A user may have installed a 3rd party web browser and chosen to use it instead of, or alongside, Safari or Chrome
  • Apps like Outlook, Twitter and Instagram default to launching their own “in app browser” when users click on links within the app (e.g. within a direct message, tweet or post)
  • Many apps which aren’t web browsers in the traditional sense, access data on the web  (and record their activity) – for example a parking app, a cinema app etc.

Our experience indicates that all three of these scenarios may mean that there is web activity on the device which might be extracted, but has not been decoded by commercial forensic tools.

However, we have good news!

Many Android apps utilise the open-source Chromium framework when they access the web – which means that lots of different apps are generating very similar (and decodable) artefacts.

In order to be allowed on the iOS App Store, all apps which browse the web must be based on the WebKit framework – again this means that different apps will produce similar artefacts.

We have released “shomium“, an open-source tool for locating, decoding and reporting web activity on mobile devices. It quickly identifies Chromium-based apps within full file system extractions of Android devices, and likewise alerts the user to Webkit-based apps within extractions of iOS devices.

Screenshot of shomium tool displaying decoded web artefacts

Users can browse contents of the application’s web cache, decoded cookies and “local storage” and then generate HTML reports to pass to case officers and investigation teams.

You can download shomium from our GitHub repository now. We hope that it helps raise awareness of web activity which might otherwise “fly under the radar”. We welcome your feedback!

Attributing media files using our new open source tool “mift”

For many years Control-F has produced and shared many Python scripts, making them available to delegates attending our training courses.  These scripts cover a multitude of functions, such as assisting with repetitive forensic tasks, or helping to report artefacts which might be missed by commercial forensic tools. We are proud to now be going one-step further in announcing our new, free, open-source tool, “mift”.


mift” is an open-source software tool designed to assist digital forensic examiners in understanding the context of media files on iOS and Android devices. mift can help explain:

  • How a media file within the DCIM/100APPLE folder on an iOS device came to be there (taken by the device camera, created via an app, sent vs. received etc.)
  • Whether an image file has been shared via the cloud – and if it has, which device it was shared from
  • Which primary image a recovered thumbnail image relates to
  • Which website a user was visiting when a screenshot was taken
  • And more!

Although the image in the screenshot below is located alongside camera photos in the folder DCIM/100APPLE, the “Application_Package” and “Original_Filename” metadata confirm that the image was created by the camera within the messaging app Telegram.

Screenshot of an image being viewed in mift and associated metadata being displayed to the user

mift can highlight valuable data which may not be fully decoded and presented by commercial forensic tools. It has already been used by customers to support evidential investigations, and the feedback has been extremely positive. You can get a flavour of its capabilities from an introductory guide available here.

mift is an open-source tool – which means that it is not only free, it’s inner workings are open to scrutiny and review. It’s just one of a series of tools we’re making available via our GitHub repository.


Take a look and get in touch. We’d love to hear your feedback!

New “Intermediate Mobile Device Repair” training opens in May 2022

Course logo for Intermediate Mobile Device Repair

We’ve been delighted with the response from our customers to our entry-level Mobile Device Repair training which launched in July 2020. We were extremely busy during 2021 teaching delegates how to replace screens, repair data ports, power devices with dead batteries and much more.

Delegates have been asking us for “next level” training to help diagnose and repair more complex faults and we’re delighted to be able to announce new training address exactly that.

Intermediate Mobile Device Repair is a brand new 4½ day training course designed to teach delegates how to identify and repair common board-level faults which may prevent a device from powering on, or to “boot-loop” (repeated display of the Apple logo).

You can find more information about the course at

Our first course runs 23-27 May 2022 in Leeds.

Get in touch to check availability or to find out more about the course content.

Evolution of our chip-off training

Protective shield being removed using hot air

We’re excited to announce the next chapter in our delivery of chip-off training, a field that we’ve been supporting our customers in for over 8 years.

Although recovery of unencrypted data via chip-off is still viable for some devices, it is much less of an opportunity than it once was. However, the ability to be able to de-solder and replace chips on mobile device circuit boards is still highly relevant for digital forensic units and forensic service providers.

We have gone right back to the drawing board and the end result is that a new Rework for Mobile Device Repair course will replace “Flash Memory Chip Removal”. The duration, cost and location of the training remains the same – but the emphasis shifts dramatically to repairing devices rather than data extraction via a chip reader.

You can find more information about the course at

Our first course runs 21-25 February and is already nearly full.

Get in touch to check availability or to find out more about the course content.


Vendor-neutral online training for kiosk operators

Mobile Forensics for Kiosk Operators course iconWe’re delighted to announce the release of a new online training programme targeted at operators of mobile forensic kiosks. Mobile Forensics for Kiosk Operators is a vendor-neutral online “on-demand” training course which means that it can be attended by delegates from any Internet-connected PC and at a time and pace of their choice.

Mobile Forensics for Kiosk Operators is designed to complement rather than replace product training from a kiosk vendor. Using easy to follow and visually engaging materials, the course steps delegates through fundamentals of mobile forensics: network isolation, locations of data on the device, logical vs. physical extractions, CSP data requests and much more. The course comprises approximately 1½ days worth of content and includes tests on the content of each module (certificates are automatically generated for successful candidates).

Screenshot of interactive SIM card exercise

An example interactive activity from the course

We realise that one size does not always fit all and for that reason we are offering the option of tailoring (by Control-F) an additional lesson in order to appropriately reflect organisation-specific policies and procedures.

You can find out more about the course at or get in touch to enquire about free trial access to the course for evaluation purposes.

Kevin Mansell’s monster fundraising bike ride

Photo of Kevin at the finish lineControl-F Managing Director is taking a day off today after riding 250km (155 miles) in the Dulux London Revolution cycle event at the weekend. Kevin was raising money for The Wave Project – a charity who help children build their self confidence and self esteem through surf therapy at 33 locations across the UK.

Over the past 10 years, surf therapy has become an established form of therapeutic support for both mental and physical health. It is recognised by the NHS in the UK as an effective form of therapy for children and young people at risk of mental ill-health and is also used by the Police and Blue Light services as therapy for serving officers and professionals.

You can read more about why Kevin chose to support The Wave Project at

Classroom training re-opens Monday 12th April

In light of recent government announcements, we are delighted to announce that we will be restarting classroom training from Monday 12th April 2021.

Just as with our restart last year, we have taken the necessary steps to ensure that our classroom environment is “Covid Secure” and delegates should be assured that appropriate social distancing and hygiene measures are in place.

Our course schedule has never been more “dynamic” so please do check the latest schedule here. We are constantly responding to customer demand and adding new course dates to try and reduce waiting times. Please get in touch to check the latest availability.

We are recruiting

Control-F is now looking for a Technical Specialist to join our small but growing team. We need someone to take responsibility for research and development, ensuring that both training and service offerings are leading edge.

Find out more about the role here.