Mobile Device Forensics 101
Beginner • Three-Day Instructor-Led Course
For more information contact: [email protected]
This three-day course provides the knowledge and skills necessary for entry-level mobile device examiners to gain a basic understanding of how cellular devices store data, how cellular networks function, how to collect and preserve evidence, methods for radio frequency interruption, troubleshooting connections, verifying results, and the forensic process.
Prerequisites:
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of computer forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
During this three-day, hands-on class, participants will review the following:
• History of Mobile Forensics and device examinations
• Cellular Networks
• Legal Considerations (US classes only)
• Subscriber Identity Modules
• GSM, CDMA, and iDEN Handsets
• Call Detail Records
• Troubleshooting your connections
• Commercial Software Acquisitions
• Verifying your findings
• Your Forensic Process
The class includes multiple hands-on labs that allow students to apply what they have learned in the workshop.
Module 1: Introduction
Topics:
• Software used in this course
o Oxygen Forensic Suite
o Cellebrite
o MPE+
o Utilities
• Course Overview
Module 2: Overview of Mobile Forensics
Objectives:
• Provide a brief history of mobile phone examinations
• List the types of data you should look for on mobile devices
• List the different software applications used in this course for mobile device examination
• Describe methods of extracting data manually (if no software applications are available)
Module 3: Cellular Networks
Objectives:
• Explain how mobile phones communicate on cellular networks
• Explain how cell sites are configured
• Provide a brief history of mobile network technology (2G, 3G, and 4G)
• Identify the parts of a cellular network
Module 4: Legal Issues
Objectives:
• Provide an overview of case laws that deal with legal issues regarding device and electronic data seizure
• Identify what paperwork is needed to:
o Conduct physical exams of seized devices
o Obtain historical records from the cell phone provider
o Retrieve live location information
Module 5: Subscriber Identity Module Cards
Objectives:
• Locate the following types of data contained on a Subscriber Identity Module (SIM) card:
o International Mobile Subscriber Identity (IMSI)
o Integrated Circuit Card Identifier (ICC-ID)
o User’s stored phone numbers (ADN)
o Dialed numbers (LND)
o SMS text messages (SMS)
o Deleted SMS messages
o Area where the user last powered down the phone (LOCI)
Module 6: Using SIMCon – SIM Card Recovery
Objectives:
• Use SIMCon (SIM Content Controller) to analyze and recover data from SIM cards
• Recover deleted text messages that are stored on the card
• Enter a PIN code if the card is PIN protected
• Unlock the card using a PUK code if the card is PIN protected and you do not know the PIN
• Read both SIM and USIM cards
• Print a report of the files that are of evidentiary value
• Export items to files that can be imported in popular spreadsheet programs
Module 7: Handsets
Objectives:
• Recognize the following types of mobile handsets and identify where you can find data on them:
o GSM
o iDEN
o TDMA
o CDMA
Module 8: Processing Guidelines
Objectives:
• Follow forensically sound processes to examine and extract data from mobile devices
• Validate the software you are using to examine the device
• Follow proper processes to examine the mobile phone
o Isolate the device from the network
o Locate lock codes, phonebook, ESN, and so on
o Locate key files
o Validate the examination process
• Create a Forensic SIM
o Mobile Phone Examiner Plus
Module 9: Troubleshooting
Objectives:
• Troubleshoot the following common problems:
o Communication
o Software
o Cables and connections
o Data that cannot be extracted
o Products that work while others don’t
Module 10: Software/Hardware
Objectives:
• Examine mobile phones using the following software:
o Oxygen Forensic Suite
o Mobile Phone Examiner Plus
o Cellebrite (Overview Only)
Module 11: Manual Examinations
Objectives:
• Explore the following manual methods of examining mobile devices when software is not available or when software does not work:
o Fernico ZRT
o Project-a-Phone
o Making screenshots
Module 12: Case Presentation
Objectives:
• Present the case after you have examined the devices and extracted data
Mobile Phone Examiner Plus
Beginner • Three-Day Instructor-Led Course
For more information contact: [email protected]
This course trains participants to use MPE+ effectively to process evidence from mobile devices, which can include GPS devices and removable storage. This course covers the following topics: the MPE+ interface, collections from handsets and SIM cards, extraction of physical data from various device types such as iOS and Android, parsing data, searching, bookmarking, visualization, incorporation of MPE+ Tablet and Investigator, and export and reporting.
Prerequisites:
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Attend the AccessData MDF 101 course or equivalent experience with MPE+ and FTK
• Have previous investigative experience in mobile forensic case work
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1: Introduction
Topics:
• Student Introductions
• Helpful information
• Upgrades and Support
• MPE+ Certifications
• Course Outline
Module 2: MPE+ Interface
Objectives:
• Discuss different licensing options
• Discuss and learn the MPE+ Interface
• Import and export data
o Import multiple formats
o Break down the AD1 forensic container
Lab:
• Participants import an AD1 image into MPE+, then recover specific information and artifacts. Participants then export the parsed information to a separate AD1 image file.
Module 3: MPE+ Data Acquisition
Objectives:
• Discuss processing guidelines
• Extract data from a SIM and USIM (UICC)
• Extract data from a mobile device
• Extract data from a smart device
o iOS
o Android
Lab:
• Participants conduct an extraction of a SIM card and a mobile phone with MPE+, then navigate the exported data to collect specific artifacts. Participants also use MPE+ to create a forensic SIM card and parse data from an iTunes backup file.
Module 4: MPE+ Advanced Features
Objectives:
• Utilize the following features in MPE+
o Image mounting
o SQL Builder
o SQLite dataset viewer
o Native file export
o pythonScripter
o Data parsers
o Filtering data
o SQLite processing features
o Visualization
o Alerts
Lab:
• Participants have hands-on opportunity to work with advanced features in MPE+. During the labs in this course, participants perform the following:
o Mount an image
o Carve data from unallocated space in a mobile device’s file system
o Parse Android, iOS, and BlackBerry IPD images
o Read iOS and Android SQLite database files
o Use FreeFile parser to recover deleted text from free pages in SQLite database files
o Create filters to narrow data results
o Export native files and folders
o Create timeline and social visualization charts, then format the data in a cluster chart
Module 5: MPE+ Reporting
Objectives:
• Discuss the various report formats
• Discuss adding bookmarked items to a report
• Explain exporting vs. report preview
• Learn to generate a final report
• Use MPE+ Investigator
Module 6: MPE+ Velocitor
Objectives:
• Discuss the challenges of Chinese handsets
• Discuss binary extractions
• Discuss the hardware utilized for extraction
• Explain .BIN and .AD1 Velocitor files
Lab:
• Participants extract a physical image from a phone with a Chinese chipset using MPE+ Velocitor. Students conduct a forensic analysis of the .AD1 image and create a report of their findings.
iOS Forensic Analysis
Intermediate • Instructor-Led Course
For more information contact: [email protected]
This course provides the knowledge and skills necessary for mobile device examiners to gain an understanding of how iOS devices store data. We will uncover the ways to capture the data from these devices and perform a forensic analysis on the data with automated tools as well as manually, so that examiners may verify the findings of the tools they are using.
This course uses a multi-tool approach to iOS forensics. We use both free and paid applications and teach the skills needed to find and process the data with the aid of specialized software tools. There is no single tool that will process every cellular device in its entirety. You will be trained to know where information lies on the iOS device and other locations where data may be located.
During this course, participants will review the following:
• History of iOS
• Plists and SQLite
• iTunes including backups and iCloud
• Jailbroken devices
• SMS breakdown
• iMessage
• Call Log Breakdown
• Commercial Software Acquisitions
• Verifying your findings
Prerequisites:
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Attendance at the MDF 101 Course or equivalent
• Perform basic operations on a personal computer
• Have a basic knowledge of mobile device forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1:
Objectives:
• Discuss the history of iOS
• Review Apple’s iDevices and their generations along with their capabilities
• Discuss “jailbroken” iOS devices and their significance in mobile device forensics
• Cydia and other third-party stores
• Discuss iTunes and its importance in forensic examinations
• Discuss the different types of iTunes backups
• Challenges of encrypted backups
• Introduction to SQLite and Plists, including different types of Plists and the challenges associated with them
• Parse iTunes backup files with free and commercial tools
• Breaking down and carving for Plists in hex
Module 2:
Objectives:
• Discuss the iOS file system and partition configuration
• Methods and challenges when extracting files from an iOS device
• Discuss Device Firmware Update (DFU) mode
• Demonstrate the use of MPE+ in extracting evidence from an iOS device
• Navigate to and locate key evidence locations within the iOS file system
• Discuss SQLite Schema and the importance of Tables to forensic examiners
• Demonstrate “flag” and other items of interest within the SQLite table structure
Module 3:
Objectives:
• Discuss the importance of validating automated forensic software
• Dive into the hexadecimal data contained within a SQLite database, which includes SMS, Call History, Contacts, etc.
• Locate the offsets of important data in order to conduct a proper validation
• Recognize and locate “deleted” data contained within a SQLite database
BlackBerry Forensic Analysis
Intermediate • Instructor-Led Course
For more information contact: [email protected]
This course covers the particulars of the hardware, which includes the stored data available for analysis and the BlackBerry backup file. This course also discusses the best options to capture the data from BlackBerry devices. You as the examiner will be armed with the ability to perform forensic analysis both using automated tools and manual methods (result verification).
This course uses a multiple-tool approach to mobile phone forensics. It uses both free and commercial applications and teaches the skills needed to find and process data with the aid of specialized software tools. There is no single tool that will entirely process every cellular device. Syntricate trains you to know where information is located on cell phones and how to extract that information, both with and without tools, so you can obtain the maximum amount of data from mobile devices.
Prerequisites:
This course is intended for forensic professionals and law enforcement personnel who must conduct mobile device examinations utilizing multiple tools and a tested forensic process. To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Attend the AccessData MDF 101 course or equivalent
• Be familiar with BlackBerry devices
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1: Introduction
Topics:
• Student Introductions
• Software used in this course
o BlackBerry Desktop Software
o ABCAmber BlackBerry Converter / BlackBerry Backup Explorer
o BlackBerry Simulator
o MPE+
o FTK
o Rubus
• Course Outline
Module 2: BlackBerry History
Objectives:
• Describe the progression of the keyboard styles, model numbers, and style names
• Locate model information including user manuals
• Identify network formats
Module 3: BlackBerry Hardware
Objectives:
• Describe the information contained on the device label
• Explain information found on the external memory card
• Explain why network isolation is important and the result of installing the handset battery
Module 4: Data Contents
Objectives:
• Understand and prevent content wipe
• Describe the complications of a locked handset
• Identify which carrier is associated with the handset
• Understand the many databases contained on the BlackBerry
• Understand the BBM process, including backup and logging
Module 5: Desktop Software
Objectives:
• Set up and configure a simulator
• Locate the current version of the software based on country of origin and operating system
• Properly install the software so as to avoid data contamination
• Create a backup file and document the process
Module 6: Backup Files
Objectives:
• Identify the unique phrasing of the file header for a keyword search on a computer
• Identify the content differences between a Windows and a Mac backup file
• Resolve the issue of an encrypted backup file
Module 7: Tools
Objectives:
• Identify the unique phrasing of the file header for a keyword search on a computer
• Identify the content differences between a Windows and a Mac backup file
• Resolve the issue of an encrypted backup file
Lab:
• Export BlackBerry backup files
• Use MPE+ to process a BlackBerry
• Process files into FTK
Module 8: Practical
Objectives:
• This final practical tests participants’ comprehension of the entire course
Android Analysis
Intermediate • Instructor-Led Course
For more information contact: [email protected]
This course covers the internals of Android devices, the way the OS is designed, and the way that the devices store data. We will uncover the way to capture these devices’ data. In the end, you as the examiner will be armed with the ability to perform forensic analysis both using automated tools and manually (to double-check the results of the tools).
This course uses a multiple-tool approach to mobile phone forensics. We use both free and paid applications and teach the skills needed to find and process data with the aid of specialized software tools. There is no single tool that will process every cellular device in its entirety. Syntricate trains you to know where information lies on cell phones and how to extract that information—both with and without tools—so you can obtain the maximum amount of data from mobile devices.
Prerequisites:
This course is intended for forensic professionals and law enforcement personnel who must conduct mobile device examinations utilizing multiple tools and a tested forensic process. To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Attend the MDF 101 Course or equivalent
• Have previous investigative experience in mobile forensic case work
• Be familiar with Android devices
• Be familiar with working in hex
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1: Class Overview
Objectives:
• Student Introductions
• Software used in this course
o Android SDK and Eclipse
o MPE+
o FTK
o SQLite DB Viewer
o Command line
• Course outline
Module 2: Android Overview
Objectives:
• Review basic principles of the Android device and the Android operating system
• Describe how Android uses NAND to store data
• Describe the Dalvik VM in Android
• Outline the usage and installation of the Android SDK and emulator
• Discuss SD cards and Emulated SD cards
Module 3: Forensic Process
Objectives:
• Recommend ways to collect an Android device
• Challenges of network isolation with Android
• Gathering information about specific Android devices
• Validation and Reporting
Module 4: Android SDK and Eclipse
Objectives:
• SDK and Eclipse installation and overview
• Discuss the Android Debug Bridge
• Android Virtual Devices and forensics
• Discuss the purpose of USB debugging
Module 5: Android File Systems
Objectives:
• Outline the various file systems used by Android
• Discuss the forensic challenges of YAFFS
• Discuss the “other” file systems used by Android
• Discuss how examiners can utilize Android temporary memory
Module 6: Android Partitions
Objectives:
• Discuss what partitions an examiner can expect to find on an Android device
• Discuss where Android typically stores files of interest and in what partition they may be located
• Discuss files of interest that may be located on a SD card
• Discuss what it means to be “root”
Module 7: Android Logical Acquisition
Objectives:
• Discuss the tools to extract data from an Android device
• Troubleshoot connectivity issues the examiner may encounter
• Learn the different “modes” when connecting an Android device
• Discuss ADB conflicts
Module 8: Android Physical Acquisition
Objectives:
• Discuss the tools and techniques used to extract physically from an Android device
• Discuss NAND vs DD physical extractions
• The recovery partition and what it means
• Challenges of custom ROMs
Module 9: Location of SQLite files of interest
Objectives:
• Discuss where key SQLite files live in the file system
• Discuss and locate column “flag” meanings
• Discuss tables
Lab:
• Using various tools, parse SQLite database files
• Locate and understand their “links” to other tables
Module 10: SQLite hex breakdown
Objectives:
• Compare and discuss parsed SQLite data with that found in hex
• Discuss deleted data
Lab:
• Manually parse SQLite database files
• Locate and examine deleted data in hex
SIM Forensic Analysis
Intermediate • Instructor-Led Course
For more information contact: [email protected]
This course provides the knowledge and skills necessary to extract and analyze the data found on SIM cards. “SIM” cards are used in mobile phones, tablet computers (iPad and Android), and laptop computers. Students will be exposed to SIM, USIM, R-UIM, CSIM, and UICC technologies as they apply to mobile devices, learn the SIM file system structure, learn artifact locations for “key” functions of the SIM, and describe the naming convention of files stored on a SIM. Students will also learn how the automated forensic suites create a “Forensic SIM” by finding the needed files in hex, reading them, and then writing them to a SIM.
Prerequisites:
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of mobile device forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1: Introduction
Objectives:
• Student Introductions
• Workshop objectives
• Modules overview
• Install required applications
Module 2: SIM Overview
Objectives:
• SIM Specifications
o PIN
o PUK
o CPU
o Flash
• USIM
• R-UIM
• CSIM
• UICC
Module 3: File System
Objectives:
• Master File, Dedicated Files, and Elementary Files
• Artifact Locations
o SMS
o Call History
o Location Information
o Card Identity
o Subscriber Identity
o Phone Book
o Forbidden Networks
Module 4: Forensic SIM
Objectives:
• MPE+
• AD Mobile SIM Xplorer
o Manual Creation of Forensic SIM
• APDU Commands
Module 5: File Carving
Objectives:
• SIM file naming convention
• Locating “hidden” files on a SIM
• Manual interpretation
o SMS
o Call History
Android Malware
Advanced • One-Day Instructor-Led Course
For more information contact: [email protected]
This one-day course provides the knowledge and skills necessary to analyze malware within the Android operating system. It will help students understand the Android operating system, its vulnerabilities, Android malware types, distribution points, APK files and their modification, static vs. dynamic analysis, and methods to uncover malware on a mobile device.
During this course, participants will review the following:
• Android Operating System
o Dalvik VM
o APK files
o Permissions
o File Locations
• Android Malware
o Types and distribution
• Android Analysis
o Static
o Dynamic
Prerequisites:
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of mobile device forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
Topics:
• Android OS types/versions
• Vulnerabilities and Permissions
• Root/Non-Root
• Malware Types
• Malware Distribution Points
• APK Overview
• Locating the Malware on the device
• APK file dissection
• Static Analysis using Apkinspector
• Dynamic Analysis using Wireshark
• Determining what the Malware is doing
• Comparison of Malware and normal APKs