Advanced Smartphone & Tablet Acquisition

4½ days

Background

The explosion in smartphone and tablet device ownership over recent years has been a mixed blessing for digital forensic units. On the one hand, iOS and Android devices can provide a wealth of information about the owner’s communication, associates and whereabouts; but at the same time the built-in security mechanisms provided by such devices often present a significant challenge.

Course aims

Recovering data from smartphone and tablet devices requires experience in a wide range of tools and techniques in order to deal with active PINs and passwords and to ensure that the extraction has recovered vital app data. As increasing numbers of Android apps exclude themselves from the backup mechanisms used by commercial forensic tools, so mobile forensic examiners need to be able to assess the completeness of extractions and take necessary steps to recover “missing” data.

Advanced Smartphone & Tablet Acquisition is a 4½ day course designed to teach students how to bypass locks on Android, iOS and Windows Phone devices and then ensure maximum evidence recovery. Students will learn how to identify and recover evidence from PC backups of iOS devices and use the Google Android SDK to create backups of any Android device. Students gain hands-on experience of safely jailbreaking iPhone and iPad devices such that full filesystem extractions (including email) can be performed.

What you will learn

By the end of the course, students will be able to:

  • Bypass security mechanisms on iOS & Android devices
  • Use ADB commands to connect to and recover data from Android devices
  • Recover evidence from PC backups of iOS & Android devices
  • Crack Android patterns, PINs and passwords from physical extractions of locked devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months' experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Smartphone App Forensics

4½ days

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach students how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Students will gain experience of working with data recovered from iOS, Android, Windows Phone and BlackBerry devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Recover evidence from smartphone apps that are unsupported by commercial forensic tools
  • Recover deleted data from smartphone apps on Android, iOS and Windows Phone devices
  • Recover and interpret web browsing and mobile satnav artefacts from Android, iOS and Windows Phone devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months' experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Foundation in Securing Computer Evidence

4½ days

Background

Securing computer-based evidence is no longer simply a case of “pulling the plug” and imaging hard disk drives back in the office. Cloud storage, encryption and non-removable storage are commonplace and mean that a more considered and multi-pronged approach to acquiring data is required. Without a clear understanding of the way in which devices store digital data both locally and remotely, vital evidence can easily be missed, lost or altered during the acquisition process.

In addition to the technical complexities presented by current devices, the overwhelming volume of digital forensic submissions being made increases the need for triage-based approaches to assist in prioritising exhibits for analysis.

Course aims

Foundation in Securing Computer Evidence is a 4½ day hands-on course designed to teach delegates how to acquire data from a wide range of devices, whilst either powered on at a search scene or powered down back in the office. Delegates will learn how to image traditional spinning disk hard drives, SSDs and USB storage devices using established imaging tools but will also learn:

  • “Live forensic” techniques to acquire volatile RAM data, open encrypted containers and data held on cloud storage
  • “On-device imaging” techniques for dealing with storage devices which cannot or should not be removed from the host device (e.g. devices running Apple’s APFS file system, RAID configurations etc.)
  • Triage techniques for rapid identification of case-related material held on computer storage

What you will learn

By the end of the course, delegates will be able to:

  • Confidently secure evidence from a range of removable computer storage media in accordance with ACPO Principles of Computer Based Digital Evidence and ISO17025
  • Use a Linux boot disk to secure evidence from a computer whose storage media is difficult to remove or cryptographically bound to the host device
  • Perform on-scene capture of live data from device RAM, open encrypted local storage or cloud storage
  • Use forensic triage tools to identify relevant content in order to prioritise computer exhibits for evidential analysis
  • Explain and justify their actions in court

Who should attend?

This entry-level course is targeted at practitioners who are new to computer acquisition or existing staff who have not had the benefit of formal training. The course is designed to meet the needs of both lab-based staff and those required to secure evidence at a search scene.
