Making sense of Android storage areas

Android devices provide storage via a removable microSD card, an eMMC chip soldered to the circuit board or, in many cases, both. Life would be easy if all Android device extractions showed the same folder path for those two storage areas but sadly that’s not the case. Variations in those folder paths between different Android devices and different Android versions mean that working out exactly where a recovered file is physically located within an Android device is harder than it should be.
Which is why we’ve created www.controlf.net/sd within our Free Stuff area on the site. It lists the different folder paths that we’ve seen across different Android devices and versions for the removable microSD card and also for the built-in eMMC storage. The hope is that the page will help examiners to make sense of the folder paths being reported in device extractions and be able to report them with more confidence.

2nd eMMC Device Forensics course sold out!

Our first two eMMC Device Forensics courses are sold out so we’ve added another course into the schedule, running 28 November – 1 December in Leeds (UK).

Our new 4-day “eMMC Device Forensics” course will teach delegates how to utilise ‘Direct eMMC’ (also known as In-system Programming or ISP) to perform physical extractions of Android & Windows Phone handsets & tablets which may not be possible with commercial forensic tools. Not only that, the techniques can be applied to many TomTom satnav units as well as a range of other devices which use eMMC flash memory chips internally. Direct eMMC is similar to JTAG in that it is a non-destructive method for performing a physical extraction via connections on the printed circuit board of the device. Direct eMMC may be possible on devices where JTAG is not supported (or may not be possible due to damage to the device), meaning that fewer devices fall into the “too difficult” pile.

Get in touch to check availability on the November course.

New eMMC Device Forensics course

Mobile forensics has always involved having a “Plan B” (and more besides) for the all too frequent occasions when standard acquisition techniques don’t work. Locked devices and models which aren’t supported for a physical extraction within forensic tools often need just such a backup plan. We’re delighted to be launching a new course for exactly those devices in 2016.

Our new 4-day “eMMC Device Forensics” course will teach delegates how to utilise ‘Direct eMMC’ (also known as In-system Programming or ISP) to perform physical extractions of Android & Windows Phone handsets & tablets which may not be possible with commercial forensic tools. Not only that, the techniques can be applied to many TomTom satnav units as well as a range of other devices which use eMMC flash memory chips internally. Direct eMMC is similar to JTAG in that it is a non-destructive method for performing a physical extraction via connections on the printed circuit board of the device. Direct eMMC may be possible on devices where JTAG is not supported (or may not be possible due to damage to the device), meaning that fewer devices fall into the “too difficult” pile.

Our first course runs 11-14 July 2016 in Leeds. For more information on the course including costs, visit the course page here and get in touch to check availability.

Python scripts save you time

Simple Python scripts can automate what would otherwise be time-consuming manual tasks in digital forensics; for example, recovering evidence from unsupported binary file formats and exporting that information to a CSV file. Python is a powerful programming language which is ideally suited to digital forensics. Our 3-day Python Scripting 1 course is the quickest and easiest route to writing simple digital forensics scripts which will save you time.

Our next course runs 4-6 May 2015 at Wyboston Lakes (Bedfordshire, UK). Contact us now for availability.

SQLite everywhere!

Smartphone devices use SQLite databases to store calls, contacts and SMS but more importantly, 3rd party app data too. Understanding how to find, recover and report evidence from SQLite databases is essential for today’s mobile forensic examiners.

Our 4½ day Smartphone App Forensics course teaches delegates how to get the most from SQLite databases recovered from iOS, Android, BlackBerry and Windows Phone 8 devices. Students will get hands-on experience of generating reports for unsupported apps and recovering deleted app data which commercial forensic tools may miss.

Our next course runs at Wyboston Lakes (UK) on 4-8 January 2016. Contact us now to check availability.

Advanced Smartphone & Tablet Acquisition course success

Our new Advanced Smartphone & Tablet Acquisition course launched in February and we’ve had great feedback from delegates:

“Excellent course, extremely enjoyable”

“Very useful, very informative. Excellent trainers”

Based on delegate feedback we have extended the course to 4½ days to give attendees more time to put into practice what they have learned.

Students learn how to bypass security mechanisms on Android, iOS and BlackBerry devices as well as exploit device backups to recover key evidence. We have limited places available on the next course running 16-20 November at Wyboston Lakes (UK).

Recover live & deleted data from Windows Phone devices

Windows Phone devices like the Nokia Lumia range are increasingly popular and can be tricky to acquire via a USB data cable. The good news however is that full physical extractions of many Windows Phone devices can be obtained via the JTAG interface (using connections on the circuit board of the device).

Delegates on our JTAG Dumping for Android & Windows Phone course learn how to safely disassemble handsets and dump the contents of their flash memory using RIFF Box. Delegates then gain hands on experience in the recovery of evidence from those dumps.

JTAG dumping is also an ideal solution for dealing with locked Android handsets where USB Debugging is disabled. Delegates leave the course able to perform physical extractions of such devices and (crucially) recover pattern, PIN and passwords from those dumps such that the devices can be accessed manually and data cable extractions performed.

Dates, locations and pricing can be found on the course page here.

Contact us to check availability.

Announcing new smartphone forensics courses for 2015

We wanted to fill you in on some exciting changes to our portfolio of training courses….

Since launching our Android & BlackBerry Forensics course in 2012, we have been teaching delegates not only how to bypass protection mechanisms on both Android & BlackBerry devices but also to make sense of the data they subsequently acquire from them. In the intervening years, adoption of smartphone devices in general has continued unabated and we’ve seen Windows Phone’s market share overtake that of BlackBerry.

The security mechanisms of iOS, Android, Windows Phone and BlackBerry devices mean that all four platforms can pose challenges to forensic examiners in terms of acquisition (each requiring different solutions!). At the same time, the analysis of data recovered from smartphones has never been more important. Forensic examiners need to know how to recover data from apps which are unsupported by commercial forensic tools; they also need to master techniques to recover deleted data from the SQLite databases used by smartphone apps.

Control-F is changing its smartphone forensics training to better reflect market trends and the needs of our customer base. In January 2015 our existing Android & BlackBerry Forensics course will be replaced by two new 4-day training courses:
* Advanced Smartphone & Tablet Acquisition
* Smartphone App Forensics

As the names suggest, one course will focus on acquisition of smartphone devices (specifically device locks, backups and associated encryption), the other will focus purely on the analysis of data from pre-installed and 3rd party applications.

Advanced Smartphone & Tablet Acquisition will cover iOS, Android & BlackBerry devices (acquisition of Windows Phone devices is covered by our JTAG Dumping for Android & Windows Phone course).

On our Smartphone App Forensics course, delegates will get to work with data recovered from all four leading smartphone platforms (iOS, Android, Windows Phone and BlackBerry).

Click the course titles above to find out more about the courses as well as locations, dates and pricing. Or contact us by phone or email.

We look forward to seeing you on the courses in 2015!

Save money and time with a Control-F Training Pass

If you’re a law enforcement customer, you might like to know that we now offer a Training Pass. Our Training Pass not only gets you more training for your money, it simplifies the purchasing process by giving you more time and flexibility in deciding which staff member to send on which course. A Control-F Training Pass can be used to book any staff member, on any of our seven courses during the 2 year lifetime of the pass.

Find out more on our Training Pass page here.

SnapChat & Windows Phone Forensics

Control-F is scheduled to deliver another of the popular F3 training days on 1st October 2014. The morning session will focus on SnapChat forensics on iOS and Android devices and the afternoon will be spent looking at recovering evidence and interpreting artefacts from Windows Phone 8 devices. The workshop will be held in Dunchurch, Warwickshire.

F3 (First Forensic Forum) is a non-profit organisation that provides a way for private sector and law enforcement practitioners working in forensic computing to meet and share experience and knowledge. Information on booking will be sent to members by the F3 secretary in due course.