Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately, the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).