Acquiring Challenging Computer Devices

2 days

Background

The forensic acquisition of computer devices has been made more challenging through the shift from removable hard disk and solid-state drives to “soldered on” flash memory storage. The inability to remove (and image) the storage is further compounded in some devices by the presence of encryption and dedicated security chips, both of which can hamper acquisition via bootable media.

This situation presents multiple challenges to those tasked with forensically acquiring computers. If active encryption is not identified and addressed at seizure, it may be impossible to subsequently decrypt data held on the device. Without the necessary knowledge and specialist tools, “secure boot” features within Windows, Mac and Chromebook devices may prevent any data from being recovered from the device. Even worse, failing to follow correct procedures when acquiring a Chromebook can lead to irretrievable loss of data from the device.

Course aims

Acquiring Challenging Computer Devices is a 2-day course designed to teach delegates how to acquire Microsoft Surface Pro, Apple Mac and Chromebook devices. Fundamental to successful acquisition is not only the accurate identification of the device type but, in the case of Apple Mac devices, determining which specific security platform the device utilises (notably T2 and M1 chips). Once the security platform has been confirmed, appropriate steps can be taken to enable data acquisition.

Delegates will learn how to identify the presence of active BitLocker encryption on Surface Pro devices, perform live acquisitions of powered-on devices and take appropriate action to capture BitLocker recovery keys (which may be essential to subsequent analysis). During what is a highly practical course, delegates will create and use bootable media to recover data from both Chromebook and Surface Pro devices. 

What you will learn

By the end of the course, delegates will be able to:

  • Recognise if BitLocker is enabled on a Microsoft Surface Pro and use bootable media to acquire it
  • Capture decrypted logical backups of Chromebook devices
  • Distinguish between T2 and M1 series Apple computers and perform forensic acquisitions of both
  • Explain and justify their actions in court

Who should attend?

This intermediate-level course is targeted at personnel responsible for forensically acquiring computer devices within a lab environment, as well as those tasked with securing digital evidence “at scene”. Delegates should have at least 6 months’ experience in computer acquisition and have previously attended the Control-F Foundation in Securing Computer Evidence (or equivalent).

Foundation in Mobile Phone Forensics

4½ days

Course information

This 4½-day, entry-level course is targeted at those just starting out in mobile forensics, or existing mobile device examiners who have not had the benefit of formal training.

Course aims

Foundation in Mobile Phone Forensics is a 4½-day training course designed to teach prospective or existing mobile phone examiners how to examine mobile devices in accordance with the ACPO Principles of Digital Computer Based Evidence. Without appropriate training, there is a significant risk that evidence may be lost or altered during the examination process, or that the examiner is discredited in court. The course will provide delegates with exposure to, and hands-on experience with, market-leading phone forensic tools.

What you will learn

By the end of the course, students will be able to:

  • Safely retrieve evidence from SIM cards, mobile phone handsets and memory cards using forensic software tools
  • Identify key potential evidence which is not recovered by software tools and capture it in an appropriate way
  • Implement or enhance local standard operating procedures for the examination of mobile devices within their organisation
  • Explain and justify their actions in court

Who should attend?

This entry-level course is targeted at those just starting out in mobile phone forensics, or existing mobile phone examiners who have not had the benefit of formal training.

Foundation in Securing Computer Evidence

4½ days

Background

Securing computer-based evidence is no longer simply a case of “pulling the plug” and imaging hard disk drives back in the office. The use of cloud storage, encryption and non-removable storage are commonplace and mean that a more considered and multi-pronged approach to acquiring data is required. Without a clear understanding of the way in which devices store digital data both locally and remotely, vital evidence can easily be missed, lost or altered during the acquisition process.

In addition to the technical complexities presented by current devices, the overwhelming volume of digital forensic submissions being made increases the need for triage-based approaches to assist in prioritising exhibits for analysis.

Course aims

Foundation in Securing Computer Evidence is a 4½-day hands-on course designed to teach delegates how to acquire data from a wide range of devices, whether powered on at a search scene or powered down back in the office. Delegates will learn how to image traditional spinning-disk hard drives, SSDs and USB storage devices using established imaging tools, but will also learn:

  • “Live forensic” techniques to acquire volatile RAM data, open encrypted containers and data held on cloud storage
  • “On-device imaging” techniques for dealing with storage devices which cannot or should not be removed from the host device (e.g. devices running Apple’s APFS file system, RAID configurations etc.)
  • Triage techniques for rapid identification of case-related material held on computer storage

What you will learn

By the end of the course, delegates will be able to:

  • Confidently secure evidence from a range of removable computer storage media in accordance with ACPO Principles of Computer Based Digital Evidence and ISO 17025
  • Use a Linux boot disk to secure evidence from a computer whose storage media is difficult to remove or cryptographically bound to the host device
  • Perform on-scene capture of live data from device RAM, open encrypted local storage or cloud storage
  • Use forensic triage tools to identify relevant content in order to prioritise computer exhibits for evidential analysis
  • Explain and justify their actions in court

Who should attend?

This entry-level course is targeted at practitioners who are new to computer acquisition or existing staff who have not had the benefit of formal training. The course is designed to meet the needs of both lab-based staff as well as those required to secure evidence at a search scene.

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately, the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½-day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view and recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover and interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months’ experience in phone forensics. Ideally, delegates will have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Rework for Mobile Device Repair

4½ days

Background

Mobile devices can be damaged either through normal use, deliberate snapping or failure of specific chips which are vital to the device powering up successfully. Consequently, digital forensic units are routinely faced with mobile devices which cannot be powered on to a stable state such that data can be extracted using commercial forensic tools. Where possible and practical, such devices need to be repaired by removing and replacing the damaged or faulty chips on the device’s printed circuit board (PCB). These techniques are referred to as “rework” within the electronics industry.

Course aims

Successful removal and replacement of chips from a mobile device PCB requires appropriate equipment and skilled techniques to ensure that the circuit board and surrounding components are not damaged in the process. This may include desoldering using specialist hot air tools, preparation of replacement chips using stencilling techniques and re-soldering of the replacement chip (again with skilled use of hot air).

Rework for Mobile Device Repair is a 4½-day course designed to teach delegates how to safely de-solder faulty chips from an iPhone PCB and re-solder working replacements. The intention is to return a device to a bootable state where data can be extracted using commercial forensic tools.

Delegates will also learn how to repair damage to pads on the underside of any chip caused by accidental or intentional physical damage. Delegates will be working primarily on iPhone models (including those with “stacked” PCBs); however, the techniques taught on the course can be used on any PCB with surface-mounted chips.

The course also includes hands-on experience in chip-off techniques for data extraction from feature (“burner”) phones as well as eMMC flash memory chips from unencrypted legacy Android devices, satnavs and vehicle systems.

What you will learn

By the end of the course, students will be able to:

  • Safely remove and replace iPhone chips to repair faults which prevent data extraction
  • Successfully clean and “re-ball” chips in preparation for repair
  • Repair broken pads on printed circuit boards (PCBs) caused by physical damage to a mobile device
  • Recover the contents of flash memory chips
  • Explain and justify their actions in court

Who should attend?

Delegates must have previous soldering experience. Ideally this will have been achieved by attending our Mobile Device Repair course (or other Control-F courses involving hand soldering).

Rework for Mobile Device Repair sits alongside our Intermediate Mobile Device Repair course which focuses on the diagnosis of board-level faults that may necessitate chip removal. Digital forensic units will gain maximum benefit where staff have attended Intermediate Mobile Device Repair and Rework for Mobile Device Repair.