Tag Archive for: Wyboston

Smartphone App Forensics

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach delegates how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Delegates will gain experience of working with data recovered from iOS and Android devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Locate, view & recover evidence from Property List (plist) files used by iOS and associated applications
  • Recover & interpret web browsing artefacts from smartphone devices
  • Manually decode smartphone apps
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Foundation in Mobile Phone Forensics

Course information

This 4½ day, entry level course is targeted at those just starting out in mobile forensics, or existing mobile device examiners who have not had the benefit of formal training.

Course aims

Foundation in Mobile Phone Forensics is a 4½ day training course designed to teach prospective or existing mobile phone examiners how to examine mobile devices in accordance with the ACPO Principles of Digital Computer Based Evidence. Without appropriate training, there is a significant risk that evidence may be lost or altered during the examination process, or that the examiner is discredited in court. The course will provide delegates with exposure to, and hands-on experience with, market leading phone forensic tools.

What you will learn

By the end of the course, students will be able to:

  • Safely retrieve evidence from SIM cards, mobile phone handsets and memory cards using forensic software tools
  • Identify key potential evidence which is not recovered by software tools and capture it in an appropriate way
  • Implement or enhance local standard operating procedures for the examination of mobile devices within their organisation
  • Explain and justify their actions in court

Who should attend?

This entry level course is targeted at those just starting out in mobile phone forensics, or existing mobile phone examiners who have not had the benefit of formal training.

Python Scripting 1

3 days

Course aims

As digital  forensic  examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, so they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor.

Reviewing Mobile Forensic Data

2 days • Classroom

Background

Data recovered from mobile devices plays a vital role in an increasing number of investigations. However, case teams face significant challenges in being able to navigate huge volumes of data in order to find items of relevance to their investigation. In addition, different devices may have been extracted using different forensic tools – each of which is accompanied by its own “reader” application. Investigators need to make efficient use of multiple reader applications such that they can locate relevant data and subsequently generate reports that can be used in evidence.

Course aims

Reviewing Mobile Forensic Data is a two-day classroom course designed to teach delegates how to navigate mobile forensic data in MSAB XAMN, Cellebrite Reader and AXIOM Portable Cases. Data is routinely supplied by Digital Forensic Units and external Forensic Service Providers in all 3 formats; each of which brings its own challenges and opportunities. Reviewing Mobile Forensic Data aims to teach delegates how to confidently navigate data, and report against it, within all three tools.

Delegates will learn how to search and filter large extractions to identify and then “tag” relevant items such that they can be reviewed by colleagues. Delegates will also gain hands-on experience in producing reports of relevant data for evidential purposes.

Crucially, delegates will not only learn how to use the relevant software tools, they will gain experience in appropriate note-taking to ensure that an accurate record of any analysis is maintained for disclosure purposes.

What you will learn

By the end of the course, delegates will be able to:

  • Select an appropriate reader tool to open an extraction of a mobile device
  • Search and filter mobile forensic data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Tag (“bookmark”) relevant data using XAMN, Cellebrite Reader and AXIOM Portable Cases
  • Generate selective reports of relevant data
  • Keep appropriate notes of their actions

Who should attend?

This intermediate level course is targeted at anyone who needs to review and interpret data recovered from mobile devices. This will include case teams, investigators and analysts.

Delegates must have successfully completed our online on-demand training course ‘Understanding Mobile Forensic Data’ before attending ‘Reviewing Mobile Forensic Data’.

 

XAMN is a registered trademark of Micro Systemation AB. Cellebrite is a registered trademark of Cellebrite DI Ltd. AXIOM is a registered trademark of Magnet Forensics Investco Inc