Who is Using Cyberthreat Intel & How? Take Survey - Enter to Win iPad

DFIRCON East 2014

Fort Lauderdale, FL | Mon, Nov 3 - Sat, Nov 8, 2014

FOR585: Advanced Smartphone Forensics

It is rare to conduct a digital forensics investigation that does not include a smartphone or mobile device. Such a device may be the only source of digital evidence tracing an individual's movements and motives, and may provide access to the who, what, when, where, why and how behind a case. FOR585: Advanced Smartphone Forensics teaches real-life, hands-on skills that enable digital forensics examiners, law enforcement officers and information security professionals to handle investigations involving even the most complex smartphones available today.

The course focuses on smartphones as sources of evidence, providing the necessary skills to handle mobile devices in a forensically sound manner, understand the different technologies, discover malware and analyze the results for use in digital investigations by diving deeper into the file systems of each smartphone. Students will be able to obtain actionable intelligence and recover and analyze data that commercial tools often miss for use in internal investigations, criminal and civil litigation and security breach cases.

The hands-on exercises in this course cover the best tools currently available to conduct smartphone and mobile device forensics, and provide detailed instructions on how to manually decode data that tools sometimes overlook. The course will prepare you to recover and reconstruct events relating to illegal or unauthorized activities, determine if a smartphone has been compromised with malware or spyware, and provide your organization the capability to use evidence from smartphones.

This intensive six-day course will take your mobile device forensics knowledge and abilities to the next level. Smartphone technologies are new and the data formats are unfamiliar to most forensics professionals. It is time for the good guys to get smarter and for the bad guys to know that their texts and apps can and will be used against them!

You Will Learn:

  • Smartphone Capabilities: Determine the who, what, when, where, why and how of a case! Who used a smartphone? What did the user do on a smartphone? Where was the smartphone located at key times? What online activities did the user conduct using a smartphone, and when?
  • How to Recover Deleted Data: Use manual decoding techniques to recover deleted data stored on smartphones and mobile devices.
  • How to Detect Data Stored in Third-Party Applications: Who did the user communicate with using a smartphone and why are these activities sometimes hidden?
  • How to Detect Malware: How to detect smartphones compromised by malware using forensics methods

Course Topics Include:

Forensic Analysis of Smartphones and Their Components

Devices

  • Android
  • iOS devices
  • BlackBerry devices
  • Windows phone/mobile
  • Nokia (Symbian) devices
  • Chinese knock-off devices
  • SIM Cards
  • SD Cards

Deep-Dive Forensics Examination of Smartphone File Systems and Data Structures

  • Recovering deleted information from smartphones
  • Examining SQLite databases in-depth
  • Finding traces of user activities on smartphones
  • Recovering data from third-party applications
  • Tracing user online activities on smartphones (e.g., messaging and social networking)
  • Examining event logs
  • Manual decoding to recover missing data or to verify results

Identification of Malware and Spyware on Smartphones

  • Determining if malware or spyware exist
  • Handling the isolation of the malware
  • Determining what has been compromised

In-depth Usage and Capabilities of the Best Smartphone Forensics Tools

  • Data carving
  • Conducting physical and logical keyword searches
  • Conducting timeline generation and link analysis using information from smartphones
  • Reporting

Plotting geolocation information from smartphones and GPS devices

Handling Locked Devices

  • Extracting evidence from locked smartphones
  • Decrypting backups of smartphones
  • Accessing locked SIM cards

Incident Response Considerations on Smartphones

Course Syllabus
Course Contents InstructorsSchedule
  FOR585.1: Smartphone Overview and Malware Forensics Cindy Murphy Mon Nov 3rd, 2014
9:00 AM - 5:00 PM
Overview

Focus: Although smartphone forensics concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. On the first course day students will apply what they already know to smartphone forensics handling, device capabilities, acquisition methods and data encoding concepts of smartphone components. Students will also become familiar with the forensics tools required to complete comprehensive examinations of smartphone data structures. Malware affects a plethora of smartphone devices. This section will examine various types of malware, how it exists on smartphones and how to identify it.

The existence of malware on smartphones is a reality that all examiners today must address. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it? It is important for examiners to understand malware and how to identify its existence on the smartphone.

Smartphones will be introduced and defined to set our expectations for what we can recover using digital forensics methodologies. We review the properties of Flash memory in mobile devices and demonstrate the pros and cons from a forensics perspective. We provide approaches for dealing with common challenges such as encryption, passwords and damaged devices. Students will learn how to process and decode data on mobile devices from a forensics perspective, then learn tactics to recover information that even forensics tools may not always be able to retrieve.

The SIFT Workstation has been specifically loaded with a set of smartphone forensics tools that will be your primary toolkit and working environment for the week.

Exercises
  • SIFT Workstation - Laboratory setup.
  • Hands-on demonstrations and familiarization with Smartphone forensics tools.
  • Two malware labs: Malware analysis, and unpacking and analyzing .apk malware files
  • Introduction to data decoding - Manually decoding data records.

CPE/CMU Credits: 6

Topics

The SIFT Workstation

Malware and Spyware Forensics

  • Different Types of Common Malware
  • Common Locations on Smartphones
  • How to Determine a Compromise
  • How to Recover from a Compromise
    • What Was Affected?
    • How to Isolate

Introduction to Smartphones

  • Smartphone Components and Identifiers
  • Assessing Capabilities of Evidential Devices
  • Common File Systems
  • Forensics Impact of Flash Memory
  • Data Storage Broken Down and Defined

Smartphone Handling

  • Preserving Smartphone Evidence
  • Preventing Data Destruction

Forensics Acquisition Concepts of Smartphones

  • Logical Acquisition
  • File System Acquisition
  • Physical Acquisition
  • Advanced Methods Acquisition

Smartphone Forensics Tool Overview

  • Physical and Logical Keyword Searching
  • Data Carving
  • Exporting and Bookmarking Data
  • Malware Scanning
  • Reporting

Smartphone Components

  • SIM Card Handling and Examination
  • SD Card Handling and Examination
  • Manual Decoding of Recovered Data

Materials

  • Malware Cheat Sheets
  • Mobile Device Repair
  • Acquisition of Smartphones
  • Acquisition of SIM Cards
  • Relevant White Papers and Guides
 
  FOR585.2: Android Forensics Cindy Murphy Tue Nov 4th, 2014
9:00 AM - 5:00 PM
Overview

Focus: Android devices are among the most widely used smartphones in the world, which means they will surely be part of an investigation that will come across your desk. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, without honing the appropriate skills for bypassing locked Androids and correctly interpreting the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics.

Digital forensics examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.

During hands-on exercises, you will use smartphone forensics tools to extract, decode and analyze a wide variety of information from Android devices.

Exercises
  • Manually decoding and extracting information from Android file systems and logical acquisitions.
  • Introduction to manually parsing third-party applications and deep-dive decoding and recovery of user activities on Android devices.

CPE/CMU Credits: 6

Topics

Android Forensics Overview

  • Android Architecture and Components
  • NAND Flash Memory in Android Devices
  • Android File System Overview

Android File System Structures

  • Define Data Structure Layout
    • Physical
    • File System
    • Logical
  • Data Storage Formats
  • Parsing and Carving Data
  • Physical and Logical Keyword Searches

Android Evidentiary Locations

  • Primary Evidentiary Locations
  • Unique File Recovery
  • Parsing SQLite Database Files
  • Manual Decoding of Android Data

Handling Locked Android Devices

  • Security Options on Android
  • Obtaining Unlock Information
  • Demonstration of Bypassing Android Security
  • Practical Tips for Accessing Locked Android Devices

Traces of User Activity on Android Devices

  • How Android Applications Store Data
  • Deep Dive into Data Structures on Android Smartphones
    • SMS/MMS
    • Calls, Contacts and Calendar
    • E-mail and Web Browsing
    • Location Information
  • Salvaging Deleted SQLite Records
  • Salvaging Deleted Data from Raw Images on Android Devices

Materials

  • Android Cheat Sheet
  • Android Acquisition Methods
  • Relevant White Papers and Guides
 
  FOR585.3: iOS Forensics Cindy Murphy Wed Nov 5th, 2014
9:00 AM - 5:00 PM
Overview

Focus: Apple iOS devices are no longer restricted to the United States, but are in use worldwide. iOS devices contain substantial amounts of data, including deleted records, that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed for bypassing locked iOS devices and correctly interpreting the data. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensics investigation.

Digital forensics examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. Encryption, decryption, file parsing and traces of user activities are covered in detail.

During hands-on exercises, students will use smartphone forensics tools to extract and analyze a wide variety of information from iOS devices. Students will also be required to manually decode data that were deleted or are unrecoverable using smartphone forensics tools.

Exercises
  • Manually decoding and extracting information from iOS file system and logical acquisitions.
  • Introduction to manually parsing third-party applications and deep-dive decoding and recovery of user activities on iOS devices.

CPE/CMU Credits: 6

Topics

iOS Forensics Overview and Acquisition

  • iOS Architecture and Components
  • NAND Flash Memory in iOS Devices
  • iOS File Systems
  • iOS Versions
  • iOS Encryption

Handling Locked iOS Devices

  • Security Options on iOS
  • Current Acquisition Issues
  • Demonstration of Bypassing iOS Security
  • Practical Tips for Accessing Locked iOS Devices

iOS File System Structures

  • Define Data Structure Layout
    • Physical
    • File System
    • Logical
  • Data Storage Formats
  • Parsing and Carving Data
  • Physical and Logical Keyword Searches

iOS Evidentiary Locations

  • Primary Evidentiary Locations
  • Unique File Recovery
  • Parsing SQLite Database Files
  • Manual Decoding of Android Data

Traces of User Activity on iOS Devices

  • How iOS Applications Store Data
  • Deep Dive into Data Structures on iOS Devices
    • SMS/MMS
    • Calls, Contacts and Calendar
    • E-mail and Web Browsing
    • Location Information
  • Salvaging Deleted SQLite Records
  • Salvaging Deleted Data from Raw Images

Materials

  • iOS Cheat Sheet
  • iOS Acquisition Methods
  • Relevant White Papers and Guides
 
  FOR585.4: Backup File and BlackBerry Forensics Cindy Murphy Thu Nov 6th, 2014
9:00 AM - 5:00 PM
Overview

Focus: BlackBerry smartphones are designed to protect user privacy, but techniques taught in this section will enable the investigator to go beyond what the tools decode and manually recover data residing in database files of BlackBerry device file systems. Backup file systems are commonly found on external media and can be the only forensics acquisition method for newer iOS devices that are locked. Learning how to access and parse data from encrypted backup files may be the only lead to smartphone data relating to your investigation.

Forensics examiners must understand the concept of interpreting and analyzing the information on smartphones, as well as the limitations of existing methods for extracting data from these devices. This section covers how to handle encryption issues, BlackBerry Enterprise Server data, and locked devices. Manual decoding of BlackBerry data will provide access to a vast amount of data that forensics tools seem to miss.

Both BlackBerry and iOS backup files are commonly a part of digital forensics investigations. This section provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images.

During hands-on exercises, students wills use smartphone forensics tools to extract and analyze a wide variety of information from BlackBerry devices and iOS and BlackBerry backup files. Students will be required to manually decode data that were encrypted or deleted, or that are unrecoverable using smartphone forensics tools.

Exercises
  • Advanced backup file forensics exercise containing both an iOS and BlackBerry backup file requiring manual decoding and carving to recover data missed by smartphone forensics tools.
  • Manually decoding and extracting information from a BlackBerry file system and physical data dump.

CPE/CMU Credits: 6

Topics

Backup File Forensics Overview

  • Why This Is Relevant
  • Common File Formats For Smartphone Backups
    • iOS
    • BlackBerry
    • Android
    • Nokia

Creating and Parsing Backup Files

  • Examiner-created Backup Files
  • User-created Backup Files
  • Verifying Backup File Data
  • Using Smartphone Forensics Tools for Parsing
    • Pros and Cons

Evidentiary Locations on Backup Files (Focus on iOS and BlackBerry Backup Files)

  • What Is Missed by Smartphone Forensics Tools
  • Examining Event Logs
  • Examining Database and PList Files
  • Manual Decoding of Evidentiary Data

Locked Backup Files

  • Decrypting Locked iOS Backup Files
  • Decrypting Locked BlackBerry Backup Files

BlackBerry Forensics Overview

  • BlackBerry Architecture and Components
  • Malware on BlackBerry Smartphones

BlackBerry Forensics Acquisition and Best Practices

  • Practical Guidelines for Acquiring BlackBerry Smartphones
  • File System Acquisition
  • Physical Acquisition Approaches
  • Challenges of BlackBerry Forensics Acquisition

BlackBerry File System and Evidentiary Locations

  • File System Forensics on BlackBerry Smartphones
  • Primary Evidentiary Locations
  • Parsing Device Specific Files
  • BlackBerry 10

BlackBerry Forensics Analysis

  • Recovering Data from Physical Acquisitions
  • Unique File Recovery
  • Keyword Searching
  • Manual Decoding of BlackBerry Data
  • BlackBerry 10 OS

Materials

  • BlackBerry Cheat Sheets
  • BlackBerry Acquisition Methods
  • Backup File Acquisition Methods
  • Relevant White Papers and Guides
 
  FOR585.5: Third-Party Application and Other Smartphone Device Forensics Cindy Murphy Fri Nov 7th, 2014
9:00 AM - 5:00 PM
Overview

Focus: Given the prevalence of other types of smartphones around the world, it is critical for examiners to develop a foundation of understanding about data storage on multiple devices. Nokia smartphones running the Symbian operating system may no longer be manufactured, but they still exist in the wild. You must acquire skills for handling and parsing data from uncommon smartphone devices. This day of instruction will prepare you to deal with "misfit" smartphone devices and provide you with advanced methods for decoding data stored in third-party applications across all smartphones.

This day will cover other smartphone devices such as Nokia (Symbian), Chinese knock-offs and Windows phones. These devices retain information about user activities that can be relevant in a digital investigation, including e-mail, web browsing, user-created files and registry entries. We will cover techniques for parsing common data structures on these smartphone devices and recovering deleted items.

During hands-on exercises, you will use smartphone forensics tools to extract and analyze a wide variety of information from a Chinese knock-off phone. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensics tools. The third-party application hands-on exercise will be a compilation of everything you have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones.

Exercises
  • Advanced third-party application exercise requiring students to use skills learned during the first four days of the course to manually decode communications stored in third-party application files across multiple smartphones.
  • Knock-off phone exercise requiring manual decoding of a knock-off handset physically acquired using the Cellebrite CHINEX.
  • A Nokia lab requiring manual parsing and identification of devices based upon file system dumps from multiple devices. This lab challenges students to put together several concepts learned during the week.
  • Bonus Lab: Decoding and recovering a passcode from a locked Android acquired using JTAG /chip-off methodologies.

CPE/CMU Credits: 6

Topics

Third-Party Applications on Smartphones Overview

  • Common Applications Across Smartphones

Third-Party Application Locations on Smartphones

  • How to Locate
  • Data Format

Decoding Third-Party Application Data on Smartphones

  • Manual Recovery
  • Decoding Methods

Knock-off Phone Forensics

  • Knock-off Phone Overview
  • Forensics Analysis
  • Evidentiary Locations
  • Manual Decoding of Knock-off File System Data

Nokia (Symbian) Forensics

  • Symbian Features Overview
  • Evidentiary Locations

Windows Phone/Mobile Forensics

  • Overview of Windows Phone/Mobile
  • Evidentiary Locations

JTAG (Bonus Section)

  • An Introduction to JTAG Methods Using the RIFF Box
 
  FOR585.6: Smartphone Forensics Capstone Exercise Cindy Murphy Sat Nov 8th, 2014
9:00 AM - 5:00 PM
Overview

Focus: This section will test all that you have learned during thecourse. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensics investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report and present findings.

By requiring student groups to present their findings to the class, this Capstone Exercise will test your understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. An executive summary of findings is also expected.

Exercises

Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation:

Identification and Scoping:

  • What is the criminal operation?
  • What devices are involved?
  • Which individuals are involved?

Forensics Examination:

  • What are the key communications between individuals?
  • What methods were used to secure the communication?
  • Were any of the mobile devices compromised by malware?

Forensics Reconstruction:

  • Generate a forensics report
  • What is the motive?

CPE/CMU Credits: 6

 
Additional Information
 
  Laptop Required

IMPORTANT!! BRING YOUR OWN SYSTEM CONFIGURED USING THESE INSTRUCTIONS!!

A properly configured 64-bit system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions carefully.

As your core operating system (OS) you can use any 64-bit version of Windows, MacOSX, or Linux that also can install and run VMware virtualization products.

It is critical that your central processing unit (CPU) and operating system support 64 bit, so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10.0, VMware Fusion 6.0, or VMware Player 6.0 on your system prior to beginning the class. (Note: This is required to prevent issues with USB 3.0 ports.) If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

MANDATORY FOR585 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel x64 2.0+ GHz processor or higher-based system is required for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • Wireless 802.11 B/G/N networking capability (required for labs and licensing)
  • 8 gigabytes of RAM minimum (more RAM is recommended due to virtual machine requirements)
  • 100 gigabytes of free space on your system hard drive
  • USB 2.0 port(s) or higher
  • Students should have the capability to have Local Administrator Access within their host operating system

MANDATORY FOR585 SYSTEM SOFTWARE REQUIREMENTS:

Install the following on your host Windows machine (if Mac/Linux host, install inside Windows VM):

  1. Install MS Office 2010 (demo version for 60-day free trial - You need Excel 2007 or higher for this class, no exceptions)
  2. Install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 (higher versions are okay)
  3. Download and install 7Zip

IN SUMMARY, BEFORE YOU BEGIN THIS COURSE YOU SHOULD:

  1. Bring the proper system hardware (64-bit/8 gigabyte RAM) and operating system configuration
  2. Install VMware (Workstation, Player or Fusion), MS Office and 7Zip

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend

FOR585 is designed for students who are both new to and experienced with mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensics investigator needs to process smartphones and other mobile devices. The course is a must for:

  • Experienced digital forensics analysts who want to extend their knowledge and experience to forensics analysis of mobile devices, especially smartphones.
  • Media exploitation analysts who need to master Tactical Exploitation or Document and Media Exploitation (DOMEX) operations on smartphones and mobile devices by learning how individuals used their smartphones, who they communicated with and what files they accessed.
  • Information security professionals who respond to data breach incidents and intrusions.
  • Incident response teams tasked with identifying the role that smartphones played in a breach.
  • Law enforcement officers, federal agents or detectives who want to master smartphone forensics and expand their investigative skills beyond traditional host-based digital forensics.
  • IT auditors who want to learn how smartphones can expose sensitive information.
  • SANS SEC575, FOR408 or FOR508 graduates looking to take their skills to the next level.
 
  Prerequisites

While FOR408 is not required prior to taking this course, a basic understanding of digital forensics file structures will help the student grasp topics that are more advanced. FOR585 covers advanced topics that should enhance all skill sets of those interested in digital forensics.

 
  Other Courses People Have Taken

Other Courses People Have Taken

FOR585 is an ideal course for graduates of SANS SEC575, FOR408 or FOR508 who are looking to take their skills to the next level.

 
  What You Will Receive
  • A SIFT Workstation Smartphone Version Windows Virtual Machine is used with all hands-on exercises in class. The workstation is used to teach students how to examine and investigate information on smartphones. SIFT contains free and open-source tools, easily matching any modern forensics tool suite.
  • Windows 8 Standard License.
  • Oxygen Forensics Demo License.
  • Microsystemation XRY Demo License.
  • Cellebrite Physical Analyzer Demo License.
  • Course USB loaded with case examples, exercises and documentation.
 
  You Will Be Able To
  • Extract and use information from smartphones and mobile devices, including Android, iOS, BlackBerry, Windows Phone, and Symbian and Chinese knock-off devices.
  • Understand how to detect hidden malware and spyware on smartphones and extract information related to security breaches, cyber espionage and advanced threats involving smartphones
  • Prevent loss or destruction of valuable data on smartphones by learning proper handling of these devices.
  • Learn a variety of acquisition methods for smartphones with an understanding of the advantages and limitations of each acquisition approach.
  • Interpret file systems on smartphones and locate information that is not generally accessible to users.
  • Recover artifacts of user activities from third-party applications on smartphones.
  • Recover location-based and GPS information from smartphones.
  • Perform advanced forensics examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret.
  • Analyze SQLite databases and raw data dumps from smartphones to recover deleted information.
  • Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data.
  • Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (who communicated with whom, locations at particular times).
  • Decrypt locked backup files and bypass smartphone locks.
  • Apply the knowledge you acquire during the six days to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations.
 
  Hands-on Training

This course features 14 hands-on labs and a final forensics challenge to enure the student not only learns the material, but can execute techniques to manually recover data. The labs include:

  • Malware and Spyware - Two labs were designed to teach the student how to manually decompact and staticly analyze malware recovered from an Android device. The processes used here reach beyond the commercial forensic kits and methods.
  • Android Analysis - Two labs were designed to teach the students how to manually carve for deleted data, validate tool results and parse third-party application files for user created data not commonly parsed by commercial forensic tools. Open source methods are utilized and highlighted were possible.
  • iOS Analysis - Two labs were designed to teach the students how to manually carve for deleted data, validate tool results and parse third-party application files for user created data not commonly parsed by commercial forensic tools.
  • Backup File Analysis - Two labs were designed to teach the student how to parse data from iOS and BlackBerry backup files. These labs will drive the student to parse data from database files, records, plist and third-party application data.
  • BlackBerry Analysis - An all encompassing lab where several images are provided to allow the student to obtain the "full picture" on what is captured during various acquisition methods, how data is manually carved and parsed and how BlackBerry proprietary formats can affect their investigations.
  • Third-Party Application Anaysis, Knock-Off Phone Analysis and JTAG Password Cracking - The labs included in the fifth day of the course were built to challenge the students to examine third-party applications pulled from multiple smartphone devices, handle knock-off devices that are not commonly parse by commercial tools and examine a JTAG image from an Android device.
  • Smartphone Forensics Capstone - The final challenge was built to test what the students learned in the course and features multiple smartphone devices used in various locations involving communication, third-party applications, internet history, cloud and network activity, shared data and more! This capstone encourages the students to dig deep and showcase what they learned in FOR585 and can immediately apply to their work when returning from the class.
 
  Press & Reviews

"This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!" - Scott McNamee DoS /CACI

"As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination." - SA Charles Cox, FBI Computer Analysis and Response Team

"FOR585 is the best out there." - Andy Nind, British Army

"'What didn't I find?' That is one of the most relevant questions in any forensics examination. By just running forensics tools, even multiple tools, you still cannot answer that simple question. SANS 585 does not just teach you how to examine a device in specific tools, it teaches you the mindset of examining mobile devices. It is a constant reminder that an examiner needs to know what to look for, not just where to click. For those new to mobile forensics, it is a fantastic starting point that will help examiners transition into non-computer forensics. For those with previous mobile device experience, it can reveal what tools and other methods may have missed when examining different families of mobile devices." - Anonymous

"This course is worth it, even for a novice like myself." - S. Gentry, Adobe

"This course was very high-quality training that provided exactly what was advertised! Great BlackBerry lab. I have never dug this deep in a BlackBerry before." - C. McCollom, Clark County Sheriff's Office

"This was an awesome class! Amazing amount of material and the capstone tied it all together." - D. Mayer, Broomsfield Police Department

"Heather [Mahalik] is a great instructor. The only downside will be not being able to bring her back to my office so we can pick her brain every day!" - C. McCollom, Clark County Sheriff's Office

"I finally know what I have been missing! I did not know I was ignorant." - Mark G., Department of Justice

 

Author Statement

Digital forensics investigations almost always involve a smartphone or mobile device. Often, the smartphone is the only form of digital evidence relating to the investigation. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices and manually recovering data hiding in the background on the device. FOR585: Advanced Smartphone Forensics provides the required knowledge to beginners in mobile device forensics and mobile device experts. This course has something to offer everyone! - Heather Mahalik

One thing is clear no matter whether you work in law enforcement or the private sector: the importance of evidence obtained from smartphones and other mobile devices has become crucial to all kinds of investigations. Solid foundational knowledge, skills and techniques in mobile device forensics are no longer optional. Developed by passionate practitioners with a high level of experience in the field, FOR585: Advanced Smartphone Forensics provides the elements you need to succeed in your investigations and thrive in the rapidly changing mobile device forensics environment. - Cindy Murphy

Eighty-five percent of the world's population today has a mobile phone. In the United States alone, almost half of these devices are smartphones. The tools and techniques for acquiring and analyzing these devices are changing every day. As the handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Advanced Smartphone Forensics will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve! - Domenica Crognale

Pricing
Price Options
$5,095