Tag Archive for: Training pass

Reviewing Mobile Forensic Data

2 days • Classroom

Background

Data recovered from mobile devices plays a vital role in an increasing number of investigations. However, case teams face significant challenges in being able to navigate huge volumes of data in order to find items of relevance to their investigation. In addition, different devices may have been extracted using different forensic tools – each of which is accompanied by its own “reader” application. Investigators need to make efficient use of multiple reader applications such that they can locate relevant data and subsequently generate reports that can be used in evidence.

Course aims

Reviewing Mobile Forensic Data is a 2-day classroom course designed to teach delegates how to navigate mobile forensic data in MSAB XAMN, Cellebrite Reader and AXIOM Portable Cases. Data is routinely supplied by Digital Forensic Units and external Forensic Service Providers in all 3 formats; each of which brings its own challenges and opportunities. Reviewing Mobile Forensic Data aims to teach delegates how to confidently navigate data, and report against it, within all three tools.

Delegates will learn how to search and filter large extractions to identify and then tag relevant items such that they can be reviewed by colleagues. Delegates will also gain hands-on experience in producing reports of relevant data for evidential purposes.

Crucially, delegates will not only learn how to use the relevant software tools, they will gain experience in appropriate note-taking to ensure that an accurate record of any analysis is maintained for disclosure purposes.

What you will learn

By the end of the course, delegates will be able to:

  • Select an appropriate reader tool to open an extraction of a mobile device
  • Search and filter mobile forensic data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Tag (or “bookmark”) relevant data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Generate selective reports of relevant data
  • Keep appropriate notes of their actions

Who should attend?

This entry-level course is targeted at anyone who needs to review and interpret data recovered from mobile devices. This will include case teams, investigators and analysts.

Delegates are automatically enrolled on our online on-demand training package ‘Understanding Mobile Forensic Data’ (the course cost for Reviewing Mobile Forensic Data includes this component, so there is no additional charge) .

 

XAMN is a registered trademark of Micro Systemation AB. Cellebrite is a registered trademark of Cellebrite DI Ltd. AXIOM is a registered trademark of Magnet Forensics Investco Inc

Acquiring Challenging & Encrypted Devices

4½ days

Background

Increasingly robust security on desktop and laptop computers presents challenges for Digital Forensic Units. TPMs on Windows and Chromebook devices protect encryption keys, with similar mechanisms used on Apple Mac devices. Restrictions on the use of bootable media further complicate imaging when storage cannot be removed.

This has driven a shift towards live acquisition of decrypted data. While valuable, live acquisition offers limited options and increased risk. Without the necessary knowledge and skills, opportunities may be missed; worse still, device security mechanisms may be triggered, rendering data inaccessible.

Course aims

Acquiring Challenging & Encrypted Devices is a 4½-day course that teaches delegates how to secure decrypted data from Macs, Chromebooks, Windows PCs, and Microsoft Surface devices.

Underpinning the course is the process of accurately identifying the device and confirming its security configuration. Based on this, delegates can choose the most suitable acquisition method.

Delegates will learn to image devices to external media where possible and apply best-practice video capture techniques in situations where a live examination of the device is the only option.

Given the prevalence of BitLocker encryption, the course includes hands-on experience in exploiting software vulnerabilities to recover Volume Master Keys and hashed user credentials. Delegates will use these techniques to decrypt protected data and crack user passwords without disassembling the device, thereby preventing the activation of BitLocker Recovery Mode.

What you will learn

By the end of the course, delegates
will be able to:

  • Use video capture techniques to record manual examinations of Macs, Chromebooks and Surface devices
  • Use bootable media to acquire ‘Secure boot’ enabled devices and extract Windows account password hashes
  • Crack passwords for Windows accounts, ZIP files and PDF documents using free tools
  • Use free tools to decrypt BitLocker-encrypted volumes on TPM-protected devices
  • Explain and justify their actions in court

Who should attend?

This intermediate-level course is targeted at personnel responsible for securing digital evidence from computer devices, either in a
lab environment or at the scene. Delegates should have at least 6 months’ experience in computer acquisition and have previously attended the Control-F course ‘Foundation in Securing Computer Evidence’ (or equivalent).

 

Rework for Mobile Device Repair

Background

Mobile devices can be damaged either through normal use, deliberate snapping or failure of specific chips which are vital to the device powering up successfully. Consequently, digital forensic units are routinely faced with mobile devices which cannot be powered on to a stable state such that data can be extracted using commercial forensic tools. Where possible and practical, such devices need to be repaired by removing and replacing the damaged or faulty chips on the device’s printed circuit board (PCB). These techniques are referred to as “rework” within the electronics industry.

Course aims

Successful removal and replacement of chips from a mobile device PCB requires appropriate equipment and skilled techniques to ensure that the circuit board and surrounding components are not damaged in the process. This may include desoldering using specialist hot air tools, preparation of replacement chips using stencilling techniques and re-soldering of the replacement chip (again with skilled use of hot air).

Rework for Mobile Device Repair is a 4½ day course designed to teach delegates how to safely de-solder faulty chips from an iPhone PCB and resolder working replacements. The intention being to return a device to a bootable state where data can be extracted using commercial forensic tools.

Delegates will also learn how to repair damage to pads on the underside of any chip caused by accidental or intentional physical damage. Delegates will be working primarily on iPhone models (including those with “stacked” PCBs), however the techniques taught on the course can be used on any PCB with surface mounted chips.

The course also includes hands-on experience in chip-off techniques for data extraction from feature (“burner”) phones as well as eMMC flash memory chips from unencrypted legacy Android devices, satnavs and vehicle systems.

What you will learn

By the end of the course, students will be able to:

  • Safely remove and replace iPhone chips to repair faults which prevent data extraction
  • Successfully clean and “re-ball” chips in preparation for repair
  • Repair broken pads on printed circuit boards (PCBs) caused by physical damage to a mobile device
  • Recover the contents of flash memory chips
  • Explain and justify their actions in court

Who should attend?

Delegates must have previous soldering experience. Ideally this will have been achieved by attending our Mobile Device Repair course (or other Control-F courses involving hand soldering).

Rework for Mobile Device Repair sits alongside our Intermediate Mobile Device Repair course which focuses on the diagnosis of board-level faults that may necessitate chip removal. Digital forensic units will gain maximum benefit where staff have attended Intermediate Mobile Device Repair and Rework for Mobile Device Repair.

Mobile Device Repair

Background

Being able to safely repair damaged mobile device exhibits in-house has become increasingly important for digital forensic units. Charging problems, cracked screens, faulty buttons or damaged data ports are common issues which may prevent successful data extraction. Digital forensic units need to be able to get devices working quickly and safely in order to prevent the inevitable delays, costs and continuity complications associated with taking a device outside the organisation to be fixed.

Faced with a “dead” device, a mobile examiner needs to be able to quickly identify the fault (or faults), confirm whether the repair(s) can and should be conducted in-house and establish the risks associated in undertaking
such work. Although YouTube is awash with “how to”  videos for device repair, undertaking such work without properly understanding the risks could easily mean that a vital evidential exhibit is further damaged by the attempted repair. Not only that, such videos assume that the actual fault with the device has been reliably identified.
Digital forensic units need staff who can quickly and accurately identify faults and then select the most pragmatic means of repair.

Course aims

Mobile Device Repair is a 4½ day course designed to teach mobile device examiners how to identify and repair common faults with mobile devices which might prevent data extraction. Students will learn a systematic and efficient approach to fault finding designed to quickly identify common obstacles to data extraction. The emphasis of the training is on performing the simplest and most cost effective repair possible in order to acquire data from the device. Students will gain experience in disassembling, repairing and re-assembling Android, iPhone, Windows Phone and feature phone devices. Importantly, the course will include instruction in the soldering techniques required to replace data ports which are integrated into the main circuit board of the device.

What you will learn

By the end of the course, delegates will be able to:

  • Identify and resolve charging and battery issues with mobile devices
  • Replace glued and non-glued screens on mobile devices
  • Replace modular and soldered components on mobile devices
  • Transplant circuit boards from damaged evidential exhibits into “donor” devices to facilitate data extraction
  • Explain and justify their actions in court

Who should attend?

This course is targeted at new or existing mobile device examiners. The course includes close work with small components and therefore requires good eyesight and a steady hand. Previous experience in handset disassembly and soldering would be beneficial but not essential.

Intermediate Mobile Device Repair

Background

Android and iOS devices typically need to be in a bootable state in order for data to be extracted using commercial forensic tools. Digital forensic units routinely encounter devices which are sufficiently damaged that extraction cannot take place – the device either fails to start at all or repeatedly displays the Apple logo (a “boot loop”). Although the replacement of broken screens and batteries within digital forensic units has become widespread, a subset of damaged devices require more complex fault-finding and repair techniques.

Course aims

The printed circuit board (PCB) within a mobile device is home to many tiny electronic components which work together to ensure that the device can boot and function normally. The failure of a single component on the PCB (for example, due to excess power) may lead to the device not powering at all, or “boot looping”.

Intermediate Mobile Device Repair is a 4½ day course designed to teach delegates how to identify and repair common board-level faults. Delegates will learn how to recognise components on a PCB and determine whether they have failed. They will then learn micro-soldering techniques to remove or replace faulty components in order to return a device to a bootable condition such that data can be extracted.

Delegates will gain vital hands-on experience of interpreting circuit board schematics and utilising them to locate short circuits which can then be repaired.

Delegates will primarily be working on iPhones during the course, however the techniques taught can also be used to troubleshoot and repair Android devices.

What you will learn

By the end of the course, students will be able to:

  • Identify specific components on a printed circuit board (PCB) and explain their function
  • Successfully diagnose PCB-level faults which prevent data extraction
  • Replace faulty PCB components including screen, touch and data port connectors
  • Diagnose and resolve short circuits on a PCB
  • Explain & justify their actions in court

Who should attend?

Delegates must have previous experience of mobile device repair and soldering. Ideally this will have been achieved by attending our Mobile Device Repair course.

Intermediate Mobile Device Repair sits alongside our Rework for Mobile Device Repair course. The fault-finding skills required to identify faulty chips is taught on Intermediate Mobile Device Repair – the replacement of those chips using hot air techniques is taught on Rework for Mobile Device Repair. Digital forensic units will gain maximum benefit where staff have attended Intermediate Mobile Device Repair and Rework for Mobile Device Repair.

Foundation in Securing Computer Evidence

Background

Securing computer-based evidence is no longer simply a case of “pulling the plug” and imaging hard disk drives back in the office. The use of cloud storage, encryption and non-removable storage are commonplace and mean that a more considered and multi-pronged approach to acquiring data is required. Without a clear understanding of the way in which devices store digital data both locally and remotely, vital evidence can easily be missed, lost or altered during the acquisition process.

In addition to the technical complexities presented by current devices, the overwhelming volume of digital forensic submissions being made increases the need for triage-based approaches to assist in prioritising exhibits for analysis.

Course aims

Foundation in Securing Computer Evidence is a 4½ day hands-on course designed to teach delegates how to acquire data from a wide range of devices, whilst either powered on at a search scene or powered down back in the office. Delegates will learn how to image traditional spinning disk hard drives, SSDs and USB storage devices using established imaging tools but will also learn:

  • “Live forensic” techniques to acquire volatile RAM data, open encrypted containers and data held on cloud storage
  • “On-device imaging” techniques for dealing with storage devices which cannot or should not be removed from the host device (e.g. devices running Apple’s APFS file system, RAID configurations etc.)
  • Triage techniques for rapid identification of case-related material held on computer storage

What you will learn

By the end of the course, delegates will be able to:

  • Confidently secure evidence from a range of removable computer storage media in accordance with ACPO Principles of Computer Based Digital Evidence and ISO17025
  • Use a Linux boot disk to secure evidence from a computer whose storage media is difficult to remove or cryptographically bound to the host device
  • Perform on-scene capture of live data from device RAM, open encrypted local storage or cloud storage
  • Use forensic triage tools to identify relevant content in order to prioritise computer exhibits for evidential analysis
  • Explain and justify their actions in court

Who should attend?

This entry-level course is targeted at practitioners who are new to computer acquisition or existing staff who have not had the benefit of formal training. The course is designed to meet the needs of both lab-based staff as well as those required to secure evidence at a search scene.

Smartphone App Forensics

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Python Scripting 1

3 days

Course aims

As digital  forensic  examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, so they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor.

Foundation in Mobile Phone Forensics

Course information

This 4½ day, entry level course is targeted at those just starting out in mobile forensics, or existing mobile device examiners who have not had the benefit of formal training.

Course aims

Foundation in Mobile Phone Forensics is a 4½ day training course designed to teach prospective or existing mobile phone examiners how to examine mobile devices in accordance with the ACPO Principles of Digital Computer Based Evidence. Without appropriate training, there is a significant risk that evidence may be lost or altered during the examination process, or that the examiner is discredited in court. The course will provide delegates with exposure to, and hands-on experience with, market leading phone forensic tools.

What you will learn

By the end of the course, students will be able to:

  • Safely retrieve evidence from SIM cards, mobile phone handsets and memory cards using forensic software tools
  • Identify key potential evidence which is not recovered by software tools and capture it in an appropriate way
  • Implement or enhance local standard operating procedures for the examination of mobile devices within their organisation
  • Explain and justify their actions in court

Who should attend?

This entry level course is targeted at those just starting out in mobile phone forensics, or existing mobile phone examiners who have not had the benefit of formal training.