The most trusted source for computer security training, certification and research.



Baltimore, MD - July 27 - 31, 2009
Global Information Assurance Certification

Absolutely wonderful, both in presentation and content
-Don Seymour, TerpSys

SECURITY 563

Mobile Device Forensics

Monday, July 27, 2009 - Friday, July 31, 2009
Eoghan Casey, SANS Instructor
6 CPE Credits Per Day

This is a special beta course whose materials are still being fine-tuned. We are offering it at a discount at this event in exchange for the students' feedback and critique, which will help us improve and finalize the course's content and exercises.


Mobile device forensics is a rapidly evolving field, creating exciting opportunities for practitioners in corporate, criminal, and military settings. Designed both for students who are new to mobile device forensics and for those already familiar with it, this hands-on course provides the core knowledge and skills that a Digital Forensic Investigator needs to process cell phones, PDAs, and other mobile devices. Using state-of-the-art tools, you will learn how to forensically preserve, acquire and examine data stored on mobile devices and utilize the results for internal investigations or in civil/criminal litigation. This course covers techniques and tools in the context of an overall forensic methodology, providing you with the ability to obtain and utilize digital evidence on mobile devices. In addition, by teaching lessons learned from years of experience, we will help you handle common challenges in the field.

With the increasing prevalence of mobile devices, Digital Forensic Investigators are encountering them in a wide variety of cases. Investigators within organizations can find stolen data and incriminating communications on devices used by rogue employees. In civil and criminal cases, investigators can extract useful evidence from mobile devices, can get a clearer sense of which individuals were in cahoots, and can even show the location of key suspects at times of interest. IT auditors, managers, and lawyers all need to understand the vast potential of mobile device forensics. Because mobile devices can contain details about who was doing what, where and when, their usefulness as a source of information in an investigation should never be underestimated.

This course is structured as follows:
Day 1 (Fundamentals): Review of technology from a forensic perspective, forensic handling of mobile devices, and manual examination of mobile devices.
Day 2 (Mobile Device Internals): Hands-on exploration of mobile device operating systems and data storage using manufacturer and developer utilities. Perform forensic acquisitions and examinations of SIM cards.
Day 3 (Logical Acquisition and Analysis): Using forensic tools to acquire and analyze logical data from mobile devices. Compare forensic acquisition tools and validate completeness and accuracy of results.
Day 4 (Physical Acquisition and Analysis): Using forensic tools to acquire and analyze physical memory from mobile devices. Delving into memory contents and extracting data structures on mobile devices.
Day 5 (Advanced Forensics and the Forensic Challenge): Familiarization with more complicated and costly forensic acquisition and analysis techniques. A realistic hands-on investigative scenario bringing together lessons and techniques learned throughout the course.

Throughout this course we provide practical, hands-on exercises to give you ample opportunities to explore mobile devices and the data they contain.

By guiding you through progressively more intensive exercises with mobile devices, we familiarize you with the inner workings of these devices and show you the benefits and limitations of various approaches and tools. We not only demonstrate state-of-the-art mobile forensic tools and techniques, we peel back the layers of digital evidence on mobile devices to show what is going on behind the scenes. In this way, you obtain a deeper knowledge of the information you rely on when investigating cases involving mobile devices. This combination of teaching skills and knowledge will enable you to resolve investigations. The capstone exercise at the end of this course is designed to hone your mobile device forensics skills, and help you to apply them to an actual investigation.

Laptops are required for this course. A variety of devices will be available for you to work with during the course. You are also encouraged to bring used mobile devices and SIM cards from home to experiment with using the tools and techniques in this course, but it is not required.

Who Should Attend:
  • Information security professionals in corporate and government environments who are responsible for investigating internal misuse of mobile devices by employees, and for responding to attacks against and theft of mobile devices.
  • Forensic investigators who want to develop the ability to process mobile devices in a forensically sound manner and use the resulting evidence in their work.
  • IT managers who need to understand the relevance of mobile devices in security breaches, policy violations, criminal activities, civil suits, and any resulting proceedings.
  • IT auditors who need tools and techniques for investigating mobile devices to ensure they are not being misused in a way that puts an organization at risk.
  • Law enforcement agents who need to extract information from mobile devices in a wide variety of crimes, and to understand the potential for locating victims/suspects, reconstructing their activities, and delving into their personal schedule, communications, calls, photos, videos, and other data stored on mobile devices.
  • Attorneys who need an understanding of the types of evidence that can be extracted from mobile devices, the forensic process for handling these devices, the associated legal issues (e.g., privacy, authentication, integrity), and how the resulting findings can be used to build/strengthen a case.

Pre-requisites:
Students should have an understanding of fundamental principles and processes in digital forensics, including acquisition, examination and presentation of results. In addition, students should be familiar with reading and interpreting data in hexadecimal format.

This course will provide a wealth of information to advance my career in the IT field.
-Doreen Lawrence, Los Alamos National Lab

Author Statement

Mobile devices are becoming ubiquitous, delivering powerful technology into our pockets, keeping us connected wherever we are. Individuals store personal data on their PDAs, parents use GPS-enabled devices to track their children, hospitals use handhelds to access medical data and support patient care, and companies give each employee a BlackBerry to support their business. Being so closely tied to an individual's daily movements and activities, these portable devices are creating new security risks while providing valuable sources of evidence.

Corporate spies and data thieves have been caught using their mobile devices. Organized criminal groups have been infiltrated and unraveled through their use of mobile devices. A killer's mobile device showed his whereabouts at the time of the crime, and inadvertently recorded the sounds of his brutal acts. Sex offenders have videotaped their crimes using mobile devices. Terrorists have been tracked down using traces of data recovered from cell phones attached to improvised explosive devices. Mobile devices have helped rescue kidnap victims before they came to harm. Many vice officers and courts consider mobile devices as an integral part of drug trafficking and dealing.

Using the proper methodology and tools, you can extract useful evidence from mobile devices and obtain records from network service providers to help avert an attack, further an investigation, or solve a crime.
- Eoghan Casey