Since Android v6, improvements in device security have made it increasingly challenging for forensic examiners to secure physical extractions of Android devices. Stronger user locks and full disk encryption both present significant obstacles to the forensic examiner. At the same time, logical extractions are becoming less useful as apps such as WhatsApp and Facebook Messenger withdraw themselves from the Android backup technique utilised by forensic tools.
Gaining “root” (administrator level) access to an Android device submitted for a forensic examination has never been more important, yet the rooting tools needed were not designed for forensic use and carry the potential for rendering a device unusable (affectionately known as “bricking” the device).
Defeating Android Locks & Encryption is a 4½ day course designed to teach existing mobile device examiners how to secure extractions of current Android devices regardless of a user lock or device encryption being active. Delegates will learn how to use TWRP and Odin software tools to safely “root” Android devices and crucially, “unbrick” devices where errors occurred during the rooting process (ensuring user data is preserved).
During the course, the techniques will be applied to a range of Samsung models including locked and encrypted Galaxy S6 and S7 devices. The emphasis of the course will be to develop capabilities which go beyond those of established commercial forensic tools & techniques. Delegates will also learn how to combine high performance hardware with efficient password cracking strategies to recover passwords in the shortest time possible.
What you will learn
By the end of the course, delegates will be able to:
- Safely root Samsung Android devices to enable physical extractions
- Bypass user locks on current Samsung Android devices
- Use efficient password cracking strategies to crack complex PINs and passwords and decrypt encrypted partitions
- Bypass full disk encryption on current Samsung Android devices
- Explain & justify their actions in court
Who should attend?
This advanced level course is targeted at existing mobile examiners who have at least 12 months experience in mobile device forensics and have attended the Control-F Advanced Smartphone & Tablet Acquisition course or equivalent. Delegates will need to successfully complete a pre-course assessment to confirm their ability to use ‘hashcat’ and ADB commands.