New training for investigators

For too long, investigators have been the neglected link in a chain which stretches from device seizure all the way to the courtroom. Investigators are passed huge volumes of data to review in multiple tools and expected to understand and locate data which could be critical to the investigation; all without the benefit of structured training.

Until now.

Control-F is launching two courses in the 4th quarter of 2023 to support investigators, analysts and anyone who needs to work with data extracted from mobile devices:

  1. Understanding Mobile Forensic Data (UMFD) is an on-demand (self-paced) online course designed to teach delegates how data is recovered from mobile devices, the origins and reliability of such data and its relevance within an investigation.
  2. Reviewing Mobile Forensic Data (RMFD) is a two-day classroom course designed to teach delegates how to navigate mobile forensic data in Cellebrite Reader, MSAB XAMN and Axiom Portable Cases.

 

Get in touch to find out more and to check availability.

Successfully acquire Macs, Chromebooks and Surface Pros

Illustration of an Apple M1 chip

We’re delighted to be announcing the launch of our new Acquiring Challenging Computer Devices training course.

This 2-day, intermediate-level course picks up where our entry-level Foundation in Securing Computer Evidence course leaves off in providing simple explanations (and hands-on experience) of acquiring data from Macs, Chromebooks and Surface Pro devices.

The combination of “soldered on” storage and security chips (like the T2 and M1 chips in recent Apple Mac computers) means that traditional imaging approaches for these types of devices simply don’t work.

You can read more about the course contents, target audience, locations and pricing on the course page here.

Our first courses run during the week commencing 31 October, so get in touch if you’d like to check availability.

Just how much of the web activity on a mobile device are you seeing?

Recovering web activity from a mobile device will be important in many investigations. Which sites has the user visited? Which pages on those sites did they access? What searches did they run?

Although pre-installed browsers like Safari and Chrome are well supported by commercial forensic tools, there is a very real chance that web activity in other apps could easily be missed during a forensic examination. A user might be accessing the web via a wide range of apps, and in some cases not even realising that they are doing so:

  • A user may have installed a 3rd party web browser and chosen to use it instead of, or alongside, Safari or Chrome
  • Apps like Outlook, Twitter and Instagram default to launching their own “in app browser” when users click on links within the app (e.g. within a direct message, tweet or post)
  • Many apps which aren’t web browsers in the traditional sense access data on the web (and record their activity) – for example a parking app, a cinema app etc.

Our experience indicates that all three of these scenarios may mean that there is web activity on the device which might be extracted, but has not been decoded by commercial forensic tools.

However, we have good news!

Many Android apps utilise the open-source Chromium framework when they access the web – which means that lots of different apps are generating very similar (and decodable) artefacts.

In order to be allowed on the iOS App Store, all apps which browse the web must be based on the WebKit framework – again this means that different apps will produce similar artefacts.

We have released “shomium”, an open-source tool for locating, decoding and reporting web activity on mobile devices. It quickly identifies Chromium-based apps within full file system extractions of Android devices, and likewise alerts the user to WebKit-based apps within extractions of iOS devices.

Screenshot of shomium tool displaying decoded web artefacts

Users can browse contents of the application’s web cache, decoded cookies and “local storage” and then generate HTML reports to pass to case officers and investigation teams.
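The idea of locating Chromium-based apps by their shared artefacts can be sketched as follows. This is an added example, not shomium's code: the `data/data/<package>` layout, the `Cookies` SQLite file and the `Local Storage/leveldb` folder are assumptions based on typical Chromium profiles, and the package names are constructed.

```python
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database

def _is_sqlite(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def find_chromium_apps(extraction_root):
    """Map package name -> sorted list of Chromium-style artefacts found."""
    apps_dir = os.path.join(extraction_root, "data", "data")  # assumed layout
    hits = {}
    if not os.path.isdir(apps_dir):
        return hits
    for package in sorted(os.listdir(apps_dir)):
        found = set()
        for dirpath, dirnames, filenames in os.walk(os.path.join(apps_dir, package)):
            # A file merely named "Cookies" is not enough: check the header.
            if "Cookies" in filenames and _is_sqlite(os.path.join(dirpath, "Cookies")):
                found.add("cookies")
            if os.path.basename(dirpath) == "Local Storage" and "leveldb" in dirnames:
                found.add("local_storage")
        if found:
            hits[package] = sorted(found)
    return hits

def build_sample_extraction(root):
    """Constructed tree: one WebView-style app and one app with no web artefacts."""
    profile = os.path.join(root, "data", "data", "com.example.parking",
                           "app_webview", "Default")
    os.makedirs(os.path.join(profile, "Local Storage", "leveldb"))
    with open(os.path.join(profile, "Cookies"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)
    plain = os.path.join(root, "data", "data", "com.example.notes", "files")
    os.makedirs(plain)
    with open(os.path.join(plain, "Cookies"), "wb") as fh:
        fh.write(b"not a database")  # same name, wrong content: must be ignored
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_chromium_apps(build_sample_extraction(tmp))

if __name__ == "__main__":
    print(demo())
```

A hit only says where to look; the cookie database and LevelDB store still have to be decoded and validated before anything is reported.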

You can download shomium from our GitHub repository now. We hope that it helps raise awareness of web activity which might otherwise “fly under the radar”. We welcome your feedback!

Attributing media files using our new open source tool “mift”

For many years Control-F has produced and shared many Python scripts, making them available to delegates attending our training courses. These scripts cover a multitude of functions, such as assisting with repetitive forensic tasks, or helping to report artefacts which might be missed by commercial forensic tools. We are proud to now be going one step further in announcing our new, free, open-source tool, “mift”.

“mift” is an open-source software tool designed to assist digital forensic examiners in understanding the context of media files on iOS and Android devices. mift can help explain:

  • How a media file within the DCIM/100APPLE folder on an iOS device came to be there (taken by the device camera, created via an app, sent vs. received etc.)
  • Whether an image file has been shared via the cloud – and if it has, which device it was shared from
  • Which primary image a recovered thumbnail image relates to
  • Which website a user was visiting when a screenshot was taken
  • And more!

Although the image in the screenshot below is located alongside camera photos in the folder DCIM/100APPLE, the “Application_Package” and “Original_Filename” metadata confirm that the image was created by the camera within the messaging app Telegram.

Screenshot of an image being viewed in mift and associated metadata being displayed to the user

mift can highlight valuable data which may not be fully decoded and presented by commercial forensic tools. It has already been used by customers to support evidential investigations, and the feedback has been extremely positive. You can get a flavour of its capabilities from an introductory guide available here.

mift is an open-source tool – which means that it is not only free, its inner workings are open to scrutiny and review. It’s just one of a series of tools we’re making available via our GitHub repository.

 

Take a look and get in touch. We’d love to hear your feedback!

New “Intermediate Mobile Device Repair” training opens in May 2022

Course logo for Intermediate Mobile Device Repair

We’ve been delighted with the response from our customers to our entry-level Mobile Device Repair training which launched in July 2020. We were extremely busy during 2021 teaching delegates how to replace screens, repair data ports, power devices with dead batteries and much more.

Delegates have been asking us for “next level” training to help diagnose and repair more complex faults and we’re delighted to be able to announce new training to address exactly that.

Intermediate Mobile Device Repair is a brand new 4½ day training course designed to teach delegates how to identify and repair common board-level faults which may prevent a device from powering on, or cause it to “boot-loop” (repeated display of the Apple logo).

You can find more information about the course at www.controlf.net/imdr/

Our first course runs 23-27 May 2022 in Leeds.

Get in touch to check availability or to find out more about the course content.

Evolution of our chip-off training

Protective shield being removed using hot air

We’re excited to announce the next chapter in our delivery of chip-off training, a field that we’ve been supporting our customers in for over 8 years.

Although recovery of unencrypted data via chip-off is still viable for some devices, it is much less of an opportunity than it once was. However, the ability to de-solder and replace chips on mobile device circuit boards is still highly relevant for digital forensic units and forensic service providers.

We have gone right back to the drawing board and the end result is that a new Rework for Mobile Device Repair course will replace “Flash Memory Chip Removal”. The duration, cost and location of the training remain the same – but the emphasis shifts dramatically to repairing devices rather than data extraction via a chip reader.

You can find more information about the course at www.controlf.net/rmdr/

Our first course runs 21-25 February and is already nearly full.

Get in touch to check availability or to find out more about the course content.

 

Vendor-neutral online training for kiosk operators

Mobile Forensics for Kiosk Operators course icon

We’re delighted to announce the release of a new online training programme targeted at operators of mobile forensic kiosks. Mobile Forensics for Kiosk Operators is a vendor-neutral online “on-demand” training course which means that it can be attended by delegates from any Internet-connected PC and at a time and pace of their choice.

Mobile Forensics for Kiosk Operators is designed to complement rather than replace product training from a kiosk vendor. Using easy to follow and visually engaging materials, the course steps delegates through fundamentals of mobile forensics: network isolation, locations of data on the device, logical vs. physical extractions, CSP data requests and much more. The course comprises approximately 1½ days’ worth of content and includes tests on the content of each module (certificates are automatically generated for successful candidates).

Screenshot of interactive SIM card exercise

An example interactive activity from the course

We realise that one size does not always fit all and for that reason we are offering the option of tailoring (by Control-F) an additional lesson in order to appropriately reflect organisation-specific policies and procedures.

You can find out more about the course at www.controlf.net/mfko or get in touch to enquire about free trial access to the course for evaluation purposes.

Kevin Mansell’s monster fundraising bike ride

Photo of Kevin at the finish line

Control-F’s Managing Director is taking a day off today after riding 250km (155 miles) in the Dulux London Revolution cycle event at the weekend. Kevin was raising money for The Wave Project – a charity that helps children build their self-confidence and self-esteem through surf therapy at 33 locations across the UK.

Over the past 10 years, surf therapy has become an established form of therapeutic support for both mental and physical health. It is recognised by the NHS in the UK as an effective form of therapy for children and young people at risk of mental ill-health and is also used by the Police and Blue Light services as therapy for serving officers and professionals.

You can read more about why Kevin chose to support The Wave Project at www.justgiving.com/fundraising/kevin-mansell1

Classroom training re-opens Monday 12th April

In light of recent government announcements, we are delighted to announce that we will be restarting classroom training from Monday 12th April 2021.

Just as with our restart last year, we have taken the necessary steps to ensure that our classroom environment is “Covid Secure” and delegates should be assured that appropriate social distancing and hygiene measures are in place.

Our course schedule has never been more “dynamic” so please do check the latest schedule here. We are constantly responding to customer demand and adding new course dates to try and reduce waiting times. Please get in touch to check the latest availability.

We are recruiting

Control-F is now looking for a Technical Specialist to join our small but growing team. We need someone to take responsibility for research and development, ensuring that both training and service offerings are leading edge.

Find out more about the role here.