Provided by SANS
Specialism: Certification
Certification: GASF Certification
Qualification level: GASF Certification
Location: Live/Online
Study type: Distance learning
Duration: see provider website
Price: see provider website

About the course

FOR585: Advanced Smartphone Forensics will help you understand:

  1. Where key evidence is located on a smartphone
  2. How the data got onto the smartphone
  3. How to recover deleted mobile device data that forensic tools miss
  4. How to decode evidence stored in third-party applications
  5. How to detect, decompile, and analyze mobile malware and spyware
  6. Advanced acquisition terminology and free techniques to gain access to data on smartphones
  7. How to handle locked or encrypted devices, applications, and containers

SMARTPHONES HAVE MINDS OF THEIR OWN.

DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY.

IT'S TIME TO GET SMARTER!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, acquisition shortfalls, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!

SMARTPHONE DATA CAN'T HIDE FOREVER - IT'S TIME TO OUTSMART THE MOBILE DEVICE!

Course Syllabus

FOR585.1: Malware Forensics, Smartphone Overview, and SQLite Introduction

Overview

Focus: Although smartphone forensic concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. On this first course day, students will apply what they know to smartphone forensic handling, device capabilities, acquisition methods, and SQLite database examination and query development. Students will also become familiar with the forensic tools required to complete comprehensive examinations of smartphone data structures. Malware affects a plethora of smartphone devices. This section will examine various types of malware, how it exists on smartphones, and how to identify and analyze it. Most commercial smartphone tools help you identify malware, but none of them will allow you to tear down the malware to the level we cover in class. Up to five labs will be conducted on this first day alone!

All examiners today have to address the existence of malware on smartphones. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it. It is important for examiners to understand malware and how to identify its existence on the smartphone.

Smartphones will be introduced and defined to set our expectations for what we can recover using digital forensic methodologies. We review the properties of Flash memory in mobile devices and demonstrate the pros and cons from a forensic perspective. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. Students will learn how to process and decode data on mobile devices from a forensic perspective, then learn tactics to recover information that even forensic tools may not always be able to retrieve.

The SIFT Workstation has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.

Exercises

  • SIFT Workstation: Laboratory setup
  • Hands-on demonstrations and familiarization with smartphone forensic tools
  • Two malware labs: Malware analysis, and unpacking and analyzing .apk malware files
  • JTAG/ISP password cracking lab: Load and crack an Android password from a JTAG image
  • Introduction to SQLite database forensics and drafting simple SQL queries

CPE/CMU Credits: 6

Topics

The SIFT Workstation

Malware and Spyware Forensics

  • Different Types of Common Malware
  • Common Locations on Smartphones
  • How to Determine a Compromise
  • How to Recover from a Compromise
    • What Was Affected?
    • How to Isolate?
  • How to Analyze Using Reverse-Engineering Methodologies
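As an added illustration of the first, static pass an examiner makes on a suspect .apk before decompiling it (example code written for this page, not SANS course material): an APK is an ordinary zip, so its dex files, native libraries, v1 signature files and any binary payloads hidden under assets/ can be inventoried and hashed with the standard library alone. The sample APK is constructed inside the block; the dex, binary-XML and ELF magic values are the real ones, while the file names and contents are invented. Decoding permissions and components still requires the binary AndroidManifest.xml to be unpacked with a tool such as apktool, which this block deliberately does not attempt.

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"               # followed by a 3-digit version, e.g. 035, 039
AXML_MAGIC = b"\x03\x00\x08\x00"   # Android binary XML header, 0x00080003 little-endian
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"
SIG_EXTS = (".RSA", ".DSA", ".EC")  # v1 (JAR) signature block files under META-INF/


def build_sample_apk() -> bytes:
    """Construct a fake APK (constructed sample, not a real app) that shows
    several triage signals: two dex files, a native lib, a v1 signature and
    a nested zip parked under assets/, a common dropper pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 60)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("classes2.dex", b"dex\n039\x00" + b"\x00" * 100)
        z.writestr("lib/arm64-v8a/libhelper.so", ELF_MAGIC + b"\x00" * 40)
        z.writestr("assets/update.bin", ZIP_MAGIC + b"\x00" * 40)
        z.writestr("assets/strings.txt", b"hello")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 20)
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory the zip-level facts of an APK without decoding the manifest."""
    report = {
        "dex": [],                 # (name, dex version, sha256)
        "manifest_binary": False,  # True when the manifest is compiled AXML
        "native_libs": [],         # (abi, path, has ELF header)
        "v1_signed": False,        # META-INF/*.RSA|DSA|EC present
        "embedded_payloads": [],   # (path, kind) for zip/dex/ELF under assets/
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            data = z.read(name)
            if name == "AndroidManifest.xml":
                report["manifest_binary"] = data.startswith(AXML_MAGIC)
            elif name.endswith(".dex") and "/" not in name:
                if data.startswith(DEX_MAGIC):
                    version = data[4:7].decode("ascii", "replace")
                else:
                    version = "invalid"
                report["dex"].append((name, version, hashlib.sha256(data).hexdigest()))
            elif name.startswith("lib/") and name.endswith(".so"):
                abi = name.split("/")[1]
                report["native_libs"].append((abi, name, data.startswith(ELF_MAGIC)))
            elif name.startswith("META-INF/") and name.upper().endswith(SIG_EXTS):
                report["v1_signed"] = True
            elif name.startswith("assets/"):
                for magic, kind in ((ZIP_MAGIC, "zip/apk"), (DEX_MAGIC, "dex"), (ELF_MAGIC, "elf")):
                    if data.startswith(magic):
                        report["embedded_payloads"].append((name, kind))
    return report


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The dex hashes are what you pivot on against a malware corpus or a known-good copy of the same app; a second dex, an embedded archive under assets/, or a native library for an ABI the app has no business shipping are the signals that decide whether the sample is worth the decompile time.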

Introduction to Smartphones

  • Smartphone Components and Identifiers
  • Assessing Capabilities of Evidential Devices
  • Common File Systems
  • Forensic Impact of Flash Memory
  • Data Storage Broken Down and Defined

Smartphone Handling

  • Preserving Smartphone Evidence
  • Preventing Data Destruction

Forensic Acquisition Concepts of Smartphones

  • Logical Acquisition
  • File System Acquisition
  • Physical Acquisition
  • Advanced Acquisition Methods
  • Advanced Acquisition Techniques

Smartphone Forensic Tool Overview

  • Physical and Logical Keyword Searching
  • Data Carving
  • Exporting and Bookmarking Data
  • Malware Scanning
  • SQLite Examination

Smartphone Components

  • SIM Card Overview and Examination
  • SD Card Handling and Examination

Introduction to SQLite

  • How SQLite Databases Function
  • How Data Are Stored in These Files
  • How to Examine SQLite Databases
  • How to Create Simple Queries to Parse Information of Interest

Bonus Materials

  • Malware/Spyware Cheat Sheet
  • APK Decompiling Cheat Sheet
  • Acquisition of Smartphones Using Tools Provided in SIFT VM
  • Acquisition of SIM Cards
  • Relevant White Papers and Guides
  • Bonus Lab: SIM Card Data Decoding

FOR585.2: Android Forensics

Overview

Focus: Android devices are among the most widely used smartphones in the world, which means they will surely be part of an investigation that will come across your desk. Unfortunately, gaining access to these devices isn't as easy as it used to be. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, without honing the appropriate skills for bypassing locked Androids and correctly interpreting the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics.

Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.

During hands-on exercises, you will use smartphone forensic tools to extract, decode, and analyze a wide variety of information from Android devices. You will use your SQLite examination skills, taught in the first course section, to draft queries to parse information that the commercial tools cannot support.

Exercises

  • Manually crack a lock code on an Android device
  • Manually decode and extract information from Android file systems and logical acquisitions
  • Introduction to manually parsing third-party applications and deep-dive decoding and recovery of user activities on Android devices
  • Manually decode and interpret data recovered from a physical dump of an Android device

CPE/CMU Credits: 6

Topics

Android Forensic Overview

  • Android Architecture and Components
  • NAND Flash Memory in Android Devices
  • Android File System Overview
  • Full Disk Encryption vs. File-Based Encryption

Handling Locked Android Devices

  • Security Options on Android
  • Methods for Bypassing Locked Android Devices
  • Demonstration of Bypassing Android Security and Encryption
  • Practical Tips for Accessing Locked Android Devices
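An added example, not part of the SANS material, of the kind of offline lock-code attack that becomes possible once a raw image of a legacy Android 4.x device is in hand (JTAG/ISP or a physical dump). It assumes the pre-Lollipop /data/system/password.key layout as the author of this example recalls it: uppercase hex SHA-1 followed by uppercase hex MD5 of the PIN concatenated with lockscreen.password_salt from settings.db, the salt rendered the way Java's Long.toHexString renders a signed 64-bit value. The salt and the key file below are constructed, with the key generated by the same hashing function so the run is self-contained.

```python
import hashlib
import itertools

# Assumed legacy (Android 4.x, pre-Lollipop) password.key format:
#   upper(hex(SHA1(pin + salt_hex))) + upper(hex(MD5(pin + salt_hex)))
# salt_hex = lockscreen.password_salt (signed 64-bit, from settings.db) as
# Java's Long.toHexString: unsigned two's complement, lowercase, no leading zeros.
MASK64 = 0xFFFFFFFFFFFFFFFF


def salt_to_hex(salt: int) -> str:
    """Render the signed 64-bit salt the way Long.toHexString would."""
    return format(salt & MASK64, "x")


def legacy_hash(pin: str, salt: int) -> str:
    """Compute the 72-character password.key contents for a PIN and salt."""
    data = (pin + salt_to_hex(salt)).encode("utf-8")
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    return sha1 + md5


def crack_pin(password_key: str, salt: int, length: int = 4):
    """Brute-force an all-digit PIN of the given length against password.key.

    Returns the PIN, or None if no candidate matches. The SHA-1 half is tested
    for every candidate; the MD5 half is confirmed only on a hit, which also
    catches a truncated or mis-copied key file.
    """
    key = password_key.strip().upper()
    if len(key) != 72:
        raise ValueError("expected 40 hex SHA-1 chars followed by 32 hex MD5 chars")
    sha1_part, md5_part = key[:40], key[40:]
    suffix = salt_to_hex(salt).encode("utf-8")
    for digits in itertools.product("0123456789", repeat=length):
        pin = "".join(digits)
        data = pin.encode("utf-8") + suffix
        if hashlib.sha1(data).hexdigest().upper() == sha1_part:
            if hashlib.md5(data).hexdigest().upper() == md5_part:
                return pin
    return None


# Constructed sample (not from a real device): a negative salt, so the
# two's-complement rendering is exercised, and the password.key a device would
# have written for PIN 2580. The key is generated here with legacy_hash.
SAMPLE_SALT = -5733812744296308235
SAMPLE_PASSWORD_KEY = legacy_hash("2580", SAMPLE_SALT)

if __name__ == "__main__":
    print("salt hex:", salt_to_hex(SAMPLE_SALT))
    print("recovered PIN:", crack_pin(SAMPLE_PASSWORD_KEY, SAMPLE_SALT))
```

Two caveats for casework: the salt has to come from settings.db in the same image, not from a default, and this attack only exists where the legacy key file is present. Android 5 moved lock-screen verification to Gatekeeper and Android 6 bound it to hardware, so on a current device the image alone gives you nothing to crack offline, which is why the acquisition problem comes before the decoding problem.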

Android File System Structures

  • Defining Data Structure Layout
    • Physical
    • File System
    • Logical/backup
  • Data Storage Formats
  • Parsing and Carving Data
  • Physical and Logical Keyword Searches

Android Evidentiary Locations

  • Primary Evidentiary Locations
  • Unique File Recovery
  • Parsing SQLite Database Files
  • Manual Decoding of Android Data

Traces of User Activity on Android Devices

  • How Android Applications Store Data
  • Deep Dive into Data Structures on Android Smartphones
    • SMS/MMS
    • Calls, Contacts, and Calendar
    • E-mail and Web Browsing
    • Location Information
    • Third-Party Applications
  • Salvaging Deleted SQLite Records
  • Salvaging Deleted Data from Raw Images on Android Devices

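The two SQLite skills the syllabus names, simple query development (section 1) and salvaging deleted SQLite records (this section), side by side as an added example written for this page rather than taken from the course: a constructed database loosely modelled on the Android sms table, a query that joins in contacts and converts the millisecond epoch to UTC for a timeline, and a raw byte scan that finds a deleted message body the SQL layer no longer returns. The schema, numbers and message texts are constructed; the only assumption about SQLite behaviour is that secure_delete is off, which the block sets explicitly because some distribution builds default it on.

```python
import os
import sqlite3
import tempfile

# Constructed sample data (not from any real device), loosely modelled on the
# Android sms table: address, date in milliseconds since the epoch,
# type 1 = received / 2 = sent, body.
SAMPLE_ROWS = [
    ("+15551230001", 1700000000000, 1, "meet at the pier at 9"),
    ("+15551230002", 1700003600000, 2, "on my way"),
    ("+15551230001", 1700007200000, 2, "delete this after reading"),
    ("+15551230003", 1700010800000, 1, "call me"),
]
SAMPLE_CONTACTS = [("+15551230001", "Alice"), ("+15551230002", "Bob")]
DELETED_BODY = "delete this after reading"


def build_sample_db(path: str) -> None:
    """Create the sample database, then delete one message the way an app would."""
    conn = sqlite3.connect(path)
    # Leave freed bytes in place so the deletion is recoverable; builds compiled
    # with SQLITE_SECURE_DELETE would otherwise zero the cell on delete.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.execute("CREATE TABLE contacts (number TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
                     SAMPLE_ROWS)
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    conn.commit()
    conn.close()


# The kind of query the section-1 SQLite labs build up to: resolve the
# counterpart, label direction, and decode the ms epoch (integer division
# drops the milliseconds) into a sortable UTC timestamp.
QUERY = """
SELECT s._id,
       COALESCE(c.name, s.address)                        AS party,
       CASE s.type WHEN 1 THEN 'received'
                   WHEN 2 THEN 'sent' ELSE 'other' END    AS direction,
       datetime(s.date / 1000, 'unixepoch')               AS utc_time,
       s.body
FROM sms AS s
LEFT JOIN contacts AS c ON c.number = s.address
ORDER BY s.date
"""


def query_messages(path: str):
    """What the SQL layer still reports: live rows only."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(QUERY).fetchall()
    finally:
        conn.close()


def count_raw_occurrences(path: str, needle: bytes) -> int:
    """Scan the raw file bytes; a deleted cell lingers in the page's freeblock."""
    with open(path, "rb") as f:
        return f.read().count(needle)


def run_demo():
    """Build the sample, query it, then scan the file. Returns (rows, raw_hits)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        rows = query_messages(path)
        hits = count_raw_occurrences(path, DELETED_BODY.encode("utf-8"))
    finally:
        os.remove(path)
    return rows, hits


if __name__ == "__main__":
    rows, hits = run_demo()
    for row in rows:
        print(row)
    print(f"raw occurrences of the deleted body: {hits}")
```

The raw hit is a lead, not a record. A freeblock has its first four bytes (next-freeblock pointer and size) overwritten, and the rollback journal, a WAL file or unallocated pages can hold further copies, so a salvaged string still has to be tied back to a cell structure, and to a timestamp and counterpart, before it appears in a report as a message.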
Bonus Materials

  • Android Cheat Sheet
  • Android Acquisition Methods
  • Relevant White Papers and Guides
  • Hands-on Lab to pull data from an Android device

FOR585.3: Android Backups and iOS Device Forensics

Overview

Focus: Android backups can be created for forensic analysis or by a user. Smartphone examiners need to understand the file structures and how to parse these data. Additionally, Android and Google cloud data store tons of valuable information. You will find Google artifacts from iOS users as well. Apple iOS devices contain substantial amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed for bypassing locked iOS devices and correctly interpreting the data. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component of a forensic investigation.

We start this section by examining Android backups and cloud data associated with Android and Google. Methods for extracting and examining cloud data are covered and demonstrated. The section then flows into iOS devices. Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. Encryption, decryption, file parsing, and traces of user activities are covered in detail.

During hands-on exercises, students will use smartphone forensic tools and methods to extract and analyze a wide variety of information from Android backups and iOS devices. Students will also be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools.

Exercises

  • Examine and decode data from an Android backup
  • Manually decode and extract information from iOS file system and logical acquisitions
  • Introduction to manually parsing third-party applications and deep-dive decoding and recovery of user activities on iOS devices
  • Place the user behind the artifact based upon location information and other traces found on file system dumps from iOS devices

CPE/CMU Credits: 6

Topics

Android Backup Files

  • Overview of Backup File Forensics
  • File Structures of Android Backups
  • Locked Android Backups
  • Data of Interest
  • Android and Google Cloud Data Extraction and Analysis

iOS Forensic Overview and Acquisition

  • iOS Architecture and Components
  • NAND Flash Memory in iOS Devices
  • iOS File Systems
  • iOS Versions
  • iOS Encryption

iOS File System Structures

  • Defining Data Structure Layout
    • Physical
    • File System
    • Logical
  • Data Storage Formats
  • Parsing and Carving Data
  • Physical and Logical Keyword Searches

iOS Evidentiary Locations

  • Primary Evidentiary Locations
  • Unique File Recovery
  • Parsing SQLite Database Files
  • Manual Decoding of iOS Data

Handling Locked iOS Devices

  • Security Options on iOS
  • Current Acquisition Issues
  • Demonstration of Bypassing iOS Security
  • Practical Tips for Accessing Locked iOS Devices

Traces of User Activity on iOS Devices

  • How iOS Applications Store Data
  • Apple Watch Forensics
  • Deep Dive into Data Structures on iOS Devices
    • SMS/MMS
    • Calls, Contacts, and Calendar
    • E-mail and Web Browsing
    • Location Information
    • Third-Party Applications
  • Salvaging Deleted SQLite Records
  • Salvaging Deleted Data from Raw Images

Bonus Materials

  • Android Cheat Sheet
  • iOS Cheat Sheet
  • Hands-on Lab to Pull Data from an iOS device
  • Manually Decode and Interpret Data from iOS Physical Data Dumps
  • Manually Examine an Older File System Dump from an iOS Device
  • iOS Acquisition Methods
  • Relevant White Papers and Guides

FOR585.4: iOS Backups, Windows, and BlackBerry 10 Forensics

Overview

Focus: iOS backups are extremely common and are found in the cloud and on hard drives. Not only do users create backups; we often find that our best data can be derived from creating an iOS backup for forensic investigation. We realize that not everyone examines BlackBerry and Windows Phone devices, which is why we are focusing primarily on BlackBerry 10, Windows Phone 8 and 10, and application usage at the end of the section. Both the Windows Phone and BlackBerry 10 sections highlight pieces of evidence that can be found on multiple smartphones. BlackBerry smartphones are designed to protect user privacy, but techniques taught on this course day will enable the investigator to go beyond what the tools decode and manually recover data residing in database files of BlackBerry device file systems. The day ends with the students challenging themselves using tools and methods learned throughout the week to recover user data from a wiped Windows Phone device before embarking on a BlackBerry 10 lab that covers tying SIM cards and application usage to a device.

iOS backup files are commonly part of digital forensic investigations. This course day provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images.

Forensic examiners must understand the concept of interpreting and analyzing the information on a variety of smartphones, as well as the limitations of existing methods for extracting data from these devices. This course day covers how to handle encryption issues, Windows Phone artifacts, BlackBerry Enterprise Server data, and locked devices. Manual decoding of Windows Phone and BlackBerry 10 data will provide access to a vast amount of data that forensic tools seem to miss.

During hands-on exercises, students will use smartphone forensic tools and other methods to extract and analyze a wide range of information from iOS backups, Windows Phone devices, and BlackBerry 10 devices. Students will be required to manually decode data that were wiped, encrypted, or deleted, or that are unrecoverable using smartphone forensic tools.

Exercises

  • Advanced backup file forensic exercise involving an iOS backup file that requires manual decoding and carving to recover data missed by smartphone forensic tools
  • Advanced backup file forensic exercise involving an iOS 10+ backup file that requires manual decoding and carving to recover data missed by smartphone forensic tools
  • Recover any traces of user activity from a wiped Windows Phone device
  • Manually decode and extract information from a BlackBerry 10 image

CPE/CMU Credits: 6

Topics

iOS Backup File Forensics

  • Why This Is Relevant
  • Creating and Parsing Backup Files
  • iCloud vs. iTunes Data
  • Verifying Backup File Data
  • Decrypting Locked iOS Backup Files
  • Accessing iCloud backups and Cloud sync data

Windows Phone/Mobile Forensics

  • Windows Phone
  • Evidentiary Locations
  • Manual Recovery and Parsing

BlackBerry 10 Forensics

  • BlackBerry 10 Architecture
  • Parsing Device Specific Files
  • Unique File Recovery

Bonus Materials

  • iOS Cheat Sheet
  • BlackBerry 10 Cheat Sheet
  • Windows Phone Cheat Sheet
  • BlackBerry Acquisition Methods
  • Backup File Acquisition Methods
  • Relevant White Papers and Guides
  • Bonus Lab: BlackBerry Backup File Examination
  • Bonus Lab: BlackBerry Device Forensics (Legacy OS 7 Device)

FOR585.5: Third-Party Application and Knock-Off Forensics

Overview

Focus: This day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. The rest of the day focuses heavily on secure chat applications, recovering deleted application data and attachments, mobile browser artifacts, and knock-off phone forensics. The skills learned in this section will provide you with advanced methods for decoding data stored in third-party applications across all smartphones. We will show you what the commercial tools miss and teach you how to recover these artifacts yourself.

During hands-on exercises, students will use smartphone forensic tools to extract and analyze third-party application files of interest and then have to manually dig and recover data that are missed. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools and custom SQLite queries that they write themselves. The hands-on exercises will be a compilation of everything you have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones. The knock-off forensics lab will be a mini-lab to test your knowledge on handling devices that may appear on your desk for examination. At the culmination of this section, you will have proven to yourself that you have the skill set to recover artifacts that the forensic tools cannot recover.

Exercises

  • Advanced third-party application exercise requiring students to use skills learned during the first four days of the course to manually decode communications stored in third-party application files across multiple smartphones
  • Recover attachments using an exercise that requires students to write more complex SQL queries to recover attachments from the smartphone
  • Recover deleted data from Chat applications using an exercise challenging students to develop techniques to locate and recover deleted content
  • Browser analysis exercise requiring students to manually examine third-party browser activity that the commercial tools may not parse
  • Knock-off phone exercise requiring manual decoding of a knock-off handset physically acquired using the Cellebrite CHINEX

CPE/CMU Credits: 6

Topics

Third-Party Applications Overview

  • Common Applications Across Smartphones

Third-Party Application Artifacts

  • How to Locate
  • Data Format
  • Manual Recovery
  • Decoding Methods

Messaging Applications and Recovering Attachments

  • How to Locate
  • Data Format
  • Manual Recovery
  • Decoding Methods
  • SQL Query Development
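How the query-plus-recovery work in the attachments exercise looks in code, as an added example not drawn from the course workbook: a constructed messaging database with an attachments table whose BLOB column holds images, one of them prefixed with a few bytes of app-specific framing that hides it from a parser checking only offset 0. The block joins attachments back to their messages, scans each BLOB for JPEG and PNG signatures at any offset, carves to the trailer, writes the files out and hashes them for the report. Table and column names are invented; the signatures and trailers are the real ones.

```python
import hashlib
import os
import sqlite3
import tempfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed sample blobs (not real attachments). The PNG carries a minimal
# IHDR and IEND so the trailer logic has something to find; the JPEG is SOI,
# an APP0 stub and EOI. WRAPPED_PNG adds four bytes of invented framing.
SAMPLE_PNG = (PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + JPEG_EOI
WRAPPED_PNG = b"\x08\x02\x12\x1e" + SAMPLE_PNG
NOT_AN_IMAGE = b"thumbnail pending"


def carve_blob(blob: bytes):
    """Return (kind, start, end) for every image found anywhere in the blob.

    A JPEG runs from SOI to the last EOI marker in the blob; a PNG runs to the
    end of its IEND chunk. A missing trailer yields a carve to end of blob.
    """
    found, pos = [], 0
    while pos < len(blob):
        candidates = [(i, k) for i, k in ((blob.find(PNG_SIG, pos), "png"),
                                          (blob.find(JPEG_SOI, pos), "jpeg")) if i != -1]
        if not candidates:
            break
        start, kind = min(candidates)
        if kind == "png":
            iend = blob.find(b"IEND", start)
            end = iend + 8 if iend != -1 else len(blob)   # 'IEND' + 4-byte CRC
        else:
            eoi = blob.rfind(JPEG_EOI)
            end = eoi + 2 if eoi > start else len(blob)
        found.append((kind, start, end))
        pos = end
    return found


def build_sample_db(path: str) -> None:
    """Constructed messaging store with an attachments table keyed to messages."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE attachments (_id INTEGER PRIMARY KEY, "
                 "message_id INTEGER, mime TEXT, data BLOB)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)",
                     [(1, "see attached"), (2, "photo"), (3, "later")])
    conn.executemany("INSERT INTO attachments VALUES (?, ?, ?, ?)",
                     [(10, 1, "image/png", WRAPPED_PNG),
                      (11, 2, "image/jpeg", SAMPLE_JPEG),
                      (12, 3, "application/octet-stream", NOT_AN_IMAGE)])
    conn.commit()
    conn.close()


def export_attachments(db_path: str, out_dir: str):
    """Join attachments to messages, carve each BLOB, write files, hash them."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute(
        "SELECT a._id, a.mime, m.body, a.data "
        "FROM attachments AS a JOIN messages AS m ON m._id = a.message_id "
        "ORDER BY a._id").fetchall()
    conn.close()
    manifest = []   # (file name, declared mime, message body, offset, sha256)
    for att_id, mime, body, data in rows:
        for n, (kind, start, end) in enumerate(carve_blob(data)):
            payload = data[start:end]
            ext = "jpg" if kind == "jpeg" else kind
            name = f"att{att_id}_{n}.{ext}"
            with open(os.path.join(out_dir, name), "wb") as f:
                f.write(payload)
            manifest.append((name, mime, body, start, hashlib.sha256(payload).hexdigest()))
    return manifest


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "msgstore.db")
        build_sample_db(db)
        return export_attachments(db, tmp)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The offset in the manifest is worth keeping: a non-zero value is exactly the case where a tool that trusts the declared MIME type and reads from byte 0 reports the attachment as corrupt or skips it, and the hash is what lets the carved file be matched against the copy on the sender's device.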

Secure Chat Applications

  • How to Locate
  • Data Format
  • Manual Recovery
  • Decoding Methods

Mobile Browsers

  • Third-Party Browser Overview
  • How to Locate
  • Data Format
  • Manual Recovery

Knock-off Phone Forensics

  • Knock-off Phone Overview
  • Forensic Analysis
  • Evidentiary Locations
  • Manual Decoding of Knock-off File System Data

Bonus Materials

  • Mobile Device Repair
  • Bonus Lab: Nokia (Symbian) Forensics

FOR585.6: Smartphone Forensic Capstone Exercise

Overview

Focus: This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.

By requiring student groups to present their findings to the class, this capstone exercise will test your understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. Students will also be expected to prepare an executive summary of their findings.

Exercises

Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation.

Identification and Scoping

  • Who is responsible for the crime?
  • What devices are involved?
  • Which individuals are involved?

Forensic Examination

  • What were the key communications between individuals?
  • What methods were used to secure the communication?
  • Were any of the mobile devices compromised by malware?
  • Were cloud data involved?
  • Did the users attempt to conceal or delete artifacts or data?

Forensic Reconstruction

  • What is the motive?

In addition, students will be required to generate a forensic report, and only the top team will win the forensic challenge.

Bonus Materials

  • A take-home case involving a different scenario with three new smartphones
  • Questions for take-home case
  • Answers for take-home case

CPE/CMU Credits: 6

Who Should Attend

FOR585 is designed for students who are both new to and experienced with smartphone and mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensic investigator needs to process smartphones and other mobile devices. The course is a must for:

  • Experienced digital forensic examiners who want to extend their knowledge and experience to forensic analysis of mobile devices, especially smartphones
  • Media exploitation analysts who need to master Tactical Exploitation or Document and Media Exploitation operations on smartphones and mobile devices by learning how individuals used their smartphones, who they communicated with, and what files they accessed
  • Information security professionals who respond to data breach incidents and intrusions
  • Incident response teams tasked with identifying the role that smartphones played in a breach
  • Law enforcement officers, federal agents, and detectives who want to master smartphone forensics and expand their investigative skills beyond traditional host-based digital forensics
  • Accident reconstruction investigators who need to determine how a phone was accessed or used during specific periods of time
  • IT auditors who want to learn how smartphones can expose sensitive information
  • Graduates of SANS SEC575, SEC563, FOR500 (formerly FOR408), FOR508, FOR572, FOR526, FOR610, or FOR518 who want to take their skills to the next level.

Prerequisites

There is no prerequisite for this course, but a basic understanding of digital forensic file structures and terminology will help the student grasp topics that are more advanced. Previous training in mobile device forensic acquisition is also useful, but not required. We do not teach basic acquisition methods in class, but we do provide instructions in the course material.

What You Will Receive

Smartphone Analysis Windows SIFT Workstation

  • A SIFT Windows virtual machine (Smartphone Version) is used with all hands-on exercises to teach students how to examine and investigate information on smartphones. The SIFT virtual machine design for this course contains free and open-source tools, easily matching any modern forensic tool suite.

Smartphone Analysis Tool Licenses

  • Oxygen Detective License
  • UFED4PC License
  • Physical Analyzer License
  • BlackLight License
  • Magnet AXIOM License
  • Andriller License
  • Forensic Toolkit for SQLite License
  • Elcomsoft Cloud eXplorer License
  • Elcomsoft Phone Password Breaker License
  • Elcomsoft Phone Viewer License
  • Open-Source Tools
  • Bonus Acquisition Tools upon Request

64 GB Course USB

  • 64 GB USB 3.0 loaded with the Windows SIFT workstation (Smartphone Version), bonus labs, bonus course material, utilities, cheatsheets, IPA/APK files, and other documentation

SANS Advanced Smartphone Forensic Exercise Workbook

  • The course exercise book is 349 pages and contains detailed step-by-step instructions and examples to help you become a master smartphone examiner

FOR585: Advanced Smartphone Forensics Will Prepare You And Your Team To:

  • Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
  • Reconstruct events surrounding a crime using information from smartphones, including manual timeline development and link analysis (e.g., who communicated with whom, where, and when) without relying on a tool
  • Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
  • Interpret file systems on smartphones and locate information that is not generally accessible to users
  • Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
  • Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
  • Tie a user to a smartphone at a specific date/time and at various locations
  • Recover hidden or obfuscated communication from applications on smartphones
  • Decrypt or decode application data that are not parsed by your forensic tools
  • Detect smartphones compromised by malware and spyware using forensic methods
  • Decompile and analyze mobile malware using open-source tools
  • Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes
  • Understand how data is stored on smartphone components (SD cards) and how encrypted data can be examined by leveraging the smartphone
  • Extract and use information from smartphones and their components, including Android, iOS, BlackBerry 10, Windows Phone, Chinese knock-offs, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, Nokia [Symbian], iOS File System, iOS Physical, and SIM card decoding)
  • Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
  • Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
  • Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
  • Manually extract BLOBs from SQLite databases trying to hide data
  • Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations
  • Challenge yourself by completing the 6 bonus labs and the take-home case designed to model real-world smartphone investigations
