Smartphone App Forensics

4½ days

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach students how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Students will gain experience of working with data recovered from iOS, Android, Windows Phone and BlackBerry devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Recover evidence from smartphone apps that are unsupported by commercial forensic tools
  • Recover deleted data from smartphone apps on Android, iOS and Windows Phone devices
  • Recover and interpret web browsing and mobile satnav artefacts from Android, iOS and Windows Phone devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).