Posts

Mobile Forensics for Kiosk Operators

Online on-demand

Background

Mobile forensic kiosks are widely deployed within law enforcement organisations. They can assist with reducing submissions to specialist digital forensic units, thereby cutting wait times for mobile forensic extractions to be performed and reducing submission backlogs. Kiosks provide pre-configured, easy to follow workflows to guide less experienced personnel through the steps involved in extracting data from mobile devices.

Kiosks deployments have the potential to deliver valuable time and cost savings but bring with them associated risks. They rely on complex volatile digital evidence being handled by staff with relatively little experience and formal training. Training abstractions and commitments for large numbers of staff and frontline deployments can be challenging. This often means that training programmes for kiosk operators tend to focus their limited time on the operation of the equipment and less on understanding the devices, extraction processes and resulting data. Inadequate training could lead to a kiosk operator allowing data to be remotely wiped from an exhibit, failing to extract vital data or missing an opportunity to escalate a complex device to specialist digital forensic colleagues.

Course aims

Mobile Forensics for Kiosk Operators is an on-demand (self-paced) online training course designed to help delegates understand where different data are stored and the extraction processes used in their recovery. Our on-demand delivery allows for flexibility both in where and when delegates complete the course, with learner progress being saved between sessions.

Delegates will learn how to ensure data is preserved in accordance with the ACPO Principles of Computer Based Evidence

Mobile Forensics for Kiosk Operators is “kiosk neutral” in that it is not specific to any particular kiosk supplier. The course content is suitable for law enforcement organisations in the UK and around the world. An optional additional lesson can be tailored (by Control-F) to introduce delegates to organisation-specific policies and procedures.

What you will learn

By the end of the course, delegates will be able to:

  • Isolate a mobile device to prevent it from being remotely wiped or receiving incoming data
  • Explain the differences between logical and physical extractions and identify situations when a physical extraction may be appropriate
  • Distinguish types of data that might reside on a mobile phone handset versus its SIM card or memory card
  • Provide guidance to colleagues on how to corroborate and enrich extracted data by means of Communications Service Provider requests

Who should attend

This entry-level course is targeted at new or existing operators of mobile forensic kiosks. Mobile Forensics for Kiosk Operators is not a replacement for “product training” supplied by the kiosk vendor – rather it is designed to complement such training and could be taken either before or after product training has been completed.

Technical requirements

This online course can be accessed from a desktop or laptop PC with an appropriate Internet connection.

Evaluation

Law enforcement organisations can apply for a test account which can be used to evaluate the course content.

Data Demystifier 1

4½ days • Online instructor-led

Background

Digital forensic software tools extract data from devices and present that data on screen for analysis, typically by means of a simple point-and-click interface. Such tools provide great benefits in simplifying both the acquisition and analysis phases of a mobile device examination, thereby allowing more devices to be processed in less time. However, this simplification has its drawbacks, most notably that forensic examiners are less likely to encounter, and therefore understand, the raw data stored on the device. This lack of understanding fundamentally limits an examiner’s ability to present evidence with confidence.

Course aims

Data Demystifier 1 is a 4½ day online instructor-led course designed to give existing digital forensic examiners a true understanding of the data recovered and decoded by forensic software tools.

Delegates will learn the fundamental encodings used for time and date information, text data (ASCII and Unicode) as well as the vital role played by file signatures in digital forensics.

Students will gain extensive experience in working with raw data within a hex editor: understanding offsets, Endian-ness, using regular expressions to search large device extractions, manually carving data of interest and then making sense of that data.

Developing an in-depth understanding of how electronic devices actually store data enables digital forensic examiners to not only corroborate the evidence presented by commercial forensic tools but also to recover and present evidence which such tools may have missed.

What you will learn

By the end of the course, students will be able to:

  • Confidently navigate raw data within a hex viewer and manually carve data of interest
  • Construct regular expressions to search for deleted media files within a physical extraction
  • Identify and interpret data encoded using Little Endian and Big Endian byte ordering
  • Attempt manual repair of unplayable MP4/3GP/MOV video files
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing digital forensic examiners who have at least 6 months of experience. Ideally, delegates would have previously attended either of the Control-F Foundation in Mobile Phone Forensics or Foundation in Securing Computer Evidence courses (or equivalent).

Technical requirements

Delegates will require a computer with a minimum 10MB Internet connection, a webcam and speakers (or headset). Delegates are strongly recommended to ensure they have access to dual monitors.

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately, the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Smartphone App Forensics

4½ days • Classroom

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Python Scripting 1

3 days • Classroom

Course aims

As digital forensic examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, so they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor. As such, delegates should have previously attended the Control-F Demystifying Hex Data training course (or equivalent).

Python Scripting 1

3 days • Classroom

Course aims

As digital  forensic  examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, so they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor. As such, delegates should have previously attended the Control-F Demystifying Hex Data training course (or equivalent).

Mobile Device Repair

4½ days • Classroom

Background

Being able to safely repair damaged mobile device exhibits in-house has become increasingly important for digital forensic units. Charging problems, cracked screens, faulty buttons or damaged data ports are common issues which may prevent successful data extraction. Digital forensic units need to be able to get devices working quickly and safely in order to prevent the inevitable delays, costs and continuity complications associated with taking a device outside the organisation to be fixed.

Faced with a “dead” device, a mobile examiner needs to be able to quickly identify the fault (or faults), confirm whether the repair(s) can and should be conducted in-house and establish the risks associated in undertaking
such work. Although YouTube is awash with “how to”  videos for device repair, undertaking such work without properly understanding the risks could easily mean that a vital evidential exhibit is further damaged by the attempted repair. Not only that, such videos assume that the actual fault with the device has been reliably identified.
Digital forensic units need staff who can quickly and accurately identify faults and then select the most pragmatic means of repair.

Course aims

Mobile Device Repair is a 4½ day course designed to teach mobile device examiners how to identify and repair common faults with mobile devices which might prevent data extraction. Students will learn a systematic and efficient approach to fault finding designed to quickly identify common obstacles to data extraction. The emphasis of the training is on performing the simplest and most cost effective repair possible in order to acquire data from the device. Students will gain experience in disassembling, repairing and re-assembling Android, iPhone, Windows Phone and feature phone devices. Importantly, the course will include instruction in the soldering techniques required to replace data ports which are integrated into the main circuit board of the device.

What you will learn

By the end of the course, delegates will be able to:

  • Identify and resolve charging and battery issues with mobile devices
  • Replace glued and non-glued screens on mobile devices
  • Replace modular and soldered components on mobile devices
  • Transplant circuit boards from damaged evidential exhibits into “donor” devices to facilitate data extraction
  • Explain and justify their actions in court

Who should attend?

This course is targeted at new or existing mobile device examiners. The course includes close work with small components and therefore requires good eyesight and a steady hand. Previous experience in handset disassembly and soldering would be beneficial but not essential.