Posts

Foundation in Mobile Phone Forensics

4½ days

Course information

This 4½ day, entry level course is targeted at those just starting out in mobile forensics, or existing mobile device examiners who have not had the benefit of formal training.

Course aims

Foundation in Mobile Phone Forensics is a 4½ day training course designed to teach prospective or existing mobile phone examiners how to examine mobile devices in accordance with the ACPO Principles of Digital Computer Based Evidence. Without appropriate training, there is a significant risk that evidence may be lost or altered during the examination process, or that the examiner is discredited in court. The course will provide delegates with exposure to, and hands-on experience with, market leading phone forensic tools.

What you will learn

By the end of the course, students will be able to:

  • Safely retrieve evidence from SIM cards, mobile phone handsets and memory cards using forensic software tools
  • Identify key potential evidence which is not recovered by software tools and capture it in an appropriate way
  • Implement or enhance local standard operating procedures for the examination of mobile devices within their organisation
  • Explain and justify their actions in court

Who should attend?

This entry level course is targeted at those just starting out in mobile phone forensics, or existing mobile phone examiners who have not had the benefit of formal training.

Foundation in Securing Computer Evidence

4½ days

Background

Securing computer-based evidence is no longer simply a case of “pulling the plug” and imaging hard disk drives back in the office. The use of cloud storage, encryption and non-removable storage are commonplace and mean that a more considered and multi-pronged approach to acquiring data is required. Without a clear understanding of the way in which devices store digital data both locally and remotely, vital evidence can easily be missed, lost or altered during the acquisition process.

In addition to the technical complexities presented by current devices, the overwhelming volume of digital forensic submissions being made increases the need for triage-based approaches to assist in prioritising exhibits for analysis.

Course aims

Foundation in Securing Computer Evidence is a 4½ day hands-on course designed to teach delegates how to acquire data from a wide range of devices, whilst either powered on at a search scene or powered down back in the office. Delegates will learn how to image traditional spinning disk hard drives, SSDs and USB storage devices using established imaging tools but will also learn:

  • “Live forensic” techniques to acquire volatile RAM data, open encrypted containers and data held on cloud storage
  • “On-device imaging” techniques for dealing with storage devices which cannot or should not be removed from the host device (e.g. devices running Apple’s APFS file system, RAID configurations etc.)
  • Triage techniques for rapid identification of case-related material held on computer storage

What you will learn

By the end of the course, delegates will be able to:

  • Confidently secure evidence from a range of removable computer storage media in accordance with ACPO Principles of Computer Based Digital Evidence and ISO17025
  • Use a Linux boot disk to secure evidence from a computer whose storage media is difficult to remove or cryptographically bound to the host device
  • Perform on-scene capture of live data from device RAM, open encrypted local storage or cloud storage
  • Use forensic triage tools to identify relevant content in order to prioritise computer exhibits for evidential analysis
  • Explain and justify their actions in court

Who should attend?

This entry-level course is targeted at practitioners who are new to computer acquisition or existing staff who have not had the benefit of formal training. The course is designed to meet the needs of both lab-based staff as well as those required to secure evidence at a search scene.

Smartphone App Forensics

4½ days

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach students how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Students will gain experience of working with data recovered from iOS, Android, Windows Phone and BlackBerry devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Recover evidence from smartphone apps that are unsupported by commercial forensic tools
  • Recover deleted data from smartphone apps on Android, iOS and Windows Phone devices
  • Recover and interpret web browsing and mobile satnav artefacts from Android, iOS and Windows Phone devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Python Scripting 1

3 days

Course aims

As digital  forensic  examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, so they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor. As such, delegates should have previously attended the Control-F Demystifying Hex Data training course (or equivalent).

Flash Memory Chip Removal (“chip off”)

4½ days

Background

Password-protected, damaged and unsupported devices can pose significant challenges to digital forensic units tasked with evidence recovery. In some situations the only viable option for recovery of evidence is the removal and reading of flash memory chips located within the device (“chip-off”). With the majority of modern devices utilising eMMC flash memory chips, chip-off has established itself as a cost effective method for dealing with locked and unsupported Android & Windows Phone devices.

Course aims

Successful removal of flash memory chips requires appropriate equipment and skilled techniques to ensure that the chip is not damaged during removal and that a full read of the device can be obtained. Flash Memory Chip Removal is a 4½ day course designed to teach delegates how to identify flash memory chips within electronic devices, safely de-solder these chips and extract the data they contain.

Specifically, delegates will learn techniques to assist in re-soldering flash memory chips to the device circuit board after data has been extracted from the chip. This process is ideally suited to locked devices where the PIN or password can be recovered from the extracted data and then entered into the re-assembled device in order to perform a manual or logical extraction.

Delegates will work with Android and Nokia Lumia models for which physical extractions cannot be performed with commercial forensic tools or direct eMMC (ISP) as these devices are most likely to require chip-off in order to extract data. In addition, delegates will gain experience in removing and reading UFS chips from Samsung Galaxy S6 devices.

What you will learn

By the end of the course, students will be able to:

  • Safely remove flash memory chips from Printed Circuit Boards (PCBs) of mobile devices
  • Successfully clean and “re-ball” flash memory chips in preparation for data recovery
  • Recover the contents of flash memory chips using appropriate software and hardware
  • Explain & justify their actions in court.

Who should attend?

Although previous experience of working with raw hex data from digital devices would be advantageous, it is not essential. Due to the close-up nature of the work, it is essential that delegates have very good eyesight and a steady hand! Previous experience of soldering would be beneficial but is by no means essential.

eMMC Device Forensics

4 days

Background

A significant proportion of the locked and/or unsupported mobile devices received by forensic units will contain standards-based eMMC (embedded MultiMedia Card) flash memory chips whose interface is well understood. In many cases, physical extractions of eMMC flash memory chips can be performed by means of connecting to specific points on the printed circuit board of the device. This technique is referred to as ‘Direct eMMC’ or In-system Programming (ISP) and allows physical extractions to be performed on a wide range of both Android & Windows Phone handsets and tablet computers (regardless of an active lock). The techniques can also be used to perform physical extractions of TomTom units and an ever increasing range of devices which utilise eMMC chips.

Course aims

eMMC Device Forensics is a 4 day course designed to teach existing mobile device examiners how to perform physical extractions of eMMC-based devices which cannot be acquired using established commercial forensic tools & techniques. Students will learn how to identify devices which can be safely acquired using Direct eMMC and develop their skills in extracting data from devices of varying complexities.

A key component of the course will be teaching students how to locate the Direct eMMC points on the circuit board of undocumented devices, such that they can utilise the techniques learned on the widest range of evidential exhibits back in the workplace.

What you will learn

By the end of the course, students will be able to:

  • Bypass locks on Android & Windows Phone handsets and tablets containing eMMC chips
  • Perform physical extractions of unsupported Android & Windows Phone handsets, TomTom units & tablet computers using ‘Direct eMMC’
  • Locate Direct eMMC points on the printed circuit boards of undocumented devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in mobile device forensics. The course includes close work with small components and therefore requires good eyesight and a steady hand. Previous experience in handset disassembly and soldering would be beneficial but not essential.

Defeating Android Locks & Encryption

4½ days

Background

Since Android v6, improvements in device security have made it increasingly challenging for forensic examiners to secure physical extractions of Android devices. Stronger user locks and full disk encryption both present significant obstacles to the forensic examiner. At the same time, logical extractions are becoming less useful as apps such as WhatsApp and Facebook Messenger withdraw themselves from the Android backup technique utilised by forensic tools.

Gaining “root” (administrator level) access to an Android device submitted for a forensic examination has never been more important, yet the rooting tools needed were not designed for forensic use and carry the potential for rendering a device unusable (affectionately known as “bricking” the device).

Course aims

Defeating Android Locks & Encryption is a 4½ day course designed to teach existing mobile device examiners how to secure extractions of current Android devices regardless of a user lock or device encryption being active. Delegates will learn how to use TWRP and Odin software tools to safely “root” Android devices and crucially, “unbrick” devices where errors occurred during the rooting process (ensuring user data is preserved).

During the course, the techniques will be applied to a range of Samsung models including locked and encrypted Galaxy S6 and S7 devices. The emphasis of the course will be to develop capabilities which go beyond those of established commercial forensic tools & techniques. Delegates will also learn how to combine high performance hardware with efficient password cracking strategies to recover passwords in the shortest time possible.

What you will learn

By the end of the course, delegates will be able to:

  • Safely root Samsung Android devices to enable physical extractions
  • Bypass user locks on current Samsung Android devices
  • Use efficient password cracking strategies to crack complex PINs and passwords and decrypt encrypted partitions
  • Bypass full disk encryption on current Samsung Android devices
  • Explain & justify their actions in court

Who should attend?

This advanced level course is targeted at existing mobile examiners who have at least 12 months experience in mobile device forensics and have attended the Control-F Advanced Smartphone & Tablet Acquisition course or equivalent. Delegates will need to successfully complete a pre-course assessment to confirm their ability to use ‘hashcat’ and ADB commands.

Advanced Smartphone & Tablet Acquisition

4½ days

Background

The explosion in smartphone and tablet device ownership over recent years has been a mixed blessing for digital forensic units. On the one hand, iOS and Android devices can provide a wealth of information about the owner’s communication, associates and whereabouts; but at the same time the built-in security mechanisms provided by such devices often present a significant challenge.

Course aims

Recovering data from smartphone and tablet devices requires experience in a wide range of tools and techniques in order to deal with active PINs and passwords and to ensure that the extraction has recovered vital app data. As increasing numbers of Android apps exclude themselves from the backup mechanisms used by commercial forensic tools, so mobile forensic examiners need to be able to assess the completeness of extractions and take necessary steps to recover “missing” data.

Advanced Smartphone & Tablet Acquisition is a 4½ day course designed to teach students how to bypass locks on Android, iOS and Windows Phone devices and then ensure maximum evidence recovery. Students will learn how to identify and recover evidence from PC backups of iOS devices and use the Google Android SDK to create backups of any Android device. Students gain hands-on experience of safely jailbreaking iPhone and iPad devices such that full filesystem extractions (including email) can be performed.

What you will learn

By the end of the course, students will be able to:

  • Bypass security mechanisms on iOS & Android devices
  • Use ADB commands to connect to and recover data from Android devices
  • Recover evidence from PC backups of iOS & Android devices
  • Crack Android patterns, PINs and passwords from physical extractions of locked devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).