FOR585: Smartphone Forensic Analysis In-Depth will help you understand:
- Where key evidence is located on a smartphone
- How the data got onto the smartphone
- How to recover deleted mobile device data that forensic tools miss
- How to decode evidence stored in third-party applications
- How to detect, decompile, and analyze mobile malware and spyware
- Advanced acquisition terminology and techniques to gain access to data on smartphones
- How to handle locked or encrypted devices, applications, and containers
- How to properly examine databases containing application and mobile artifacts
- How to create, validate, and verify the tools against real datasets
SMARTPHONES HAVE MINDS OF THEIR OWN.
DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY.
IT'S TIME TO GET SMARTER!
A smartphone lands on your desk and you are tasked with determining if the user was at a specific location on a specific date and at a specific time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest on that specific date and at that time? Tread carefully, because the user may not have done what the tools are showing!
This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.
Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.
FOR585 features 31 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.
This intensive six-day course is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition shortfalls, extraction techniques (jailbreaks and roots), malware, and encryption. FOR585 offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you get back to work.
Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!
SMARTPHONE DATA CAN'T HIDE FOREVER - IT'S TIME TO OUTSMART THE MOBILE DEVICE!
You Will Be Able To
- Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
- Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
- Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
- Interpret file systems on smartphones and locate information that is not generally accessible to users
- Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
- Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
- Tie a user to a smartphone on a specific date/time and at various locations
- Recover hidden or obfuscated communication from applications on smartphones
- Decrypt or decode application data that are not parsed by your forensic tools
- Detect smartphones compromised by malware and spyware using forensic methods
- Decompile and analyze mobile malware using open-source tools
- Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes
- Understand how data are stored on smartphone components (SD cards) and how encrypted data can be examined by leveraging the smartphone
- Extract and use information from smartphones and their components, including Android, iOS, BlackBerry 10, Windows Phone, Chinese knock-offs, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, Nokia [Symbian], and SIM card decoding)
- Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
- Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
- Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
- Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations
FOR585 Course Topics
- Malware and Spyware on Smartphones
- Mobile devices in incident-response cases
- Determining if malware or spyware exists
- Handling the isolation of the malware
- Decompiling malware to conduct in-depth analysis
- Determining what has been compromised
- Forensic Analysis of Smartphones and Their Components
- SD cards
- Cloud-based backups and storage
- Cloud-synced data - Google and more
- Devices that have intentionally been modified - deleting, wiping, and hiding applications
- Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures
- Recovering deleted information from smartphones
- Examining SQLite databases in-depth
- Finding traces of user activities on smartphones
- Recovering data from third-party applications
- Tracing user online activities on smartphones (e.g., messaging and social networking)
- Examining application files of interest
- Manually decoding to recover missing data and verify results
- Developing SQL queries to parse databases of interest
- Understanding the user-based and smartphone-based artifacts
- Leveraging system and application usage logs to place the device in a location and state when applications were used
- In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools
- Using your tools in ways you didn't know were possible
- Leveraging custom scripts to parse deleted data
- Leveraging scripts to conduct forensic analysis
- Carving data
- Developing custom SQL queries
- Conducting physical and logical keyword searches
- Manually creating timeline generation and link analysis using information from smartphones
- Tool validation based on trusted datasets
- Using geolocation information from smartphones and smartphone components to place a suspect at a location when an artifact was created
- Handling Locked and Encrypted Devices
- Extracting evidence from locked smartphones
- Bypassing encryption (kernel and application level)
- Cracking passcodes
- Decrypting backups of smartphones
- Decrypting third-party application files
- Examining encrypted data from SD cards
- Incident Response Considerations for Smartphones
- How your actions can alter the device
- How to handle Hot and Cold devices
- How to prevent remote access on the device
- How to tie a user or activity to a device at a specific time
- How mobile device management can hurt as much as help you
FOR585 features 31 hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs allow you to "choose your own adventure" so that students who may need to focus on a specific device can select relevant labs and go back to the others as time permits. The labs cover the following topics:
- Malware and Spyware -- Two labs are designed to teach students how to identify, manually decompile, and analyze malware recovered from an Android device. The processes used here reach beyond commercial forensic kits and methods. Bonus IPA and APK files are provided for practice. Two additional bonus labs are available on the USB.
- Android Analysis -- Four labs are designed to teach students how to manually crack locked devices, carve for deleted data, validate tool results, place the user behind an artifact, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. Open-source methods are utilized and highlighted where possible. An additional lab teaches students how to manually crack lock codes from Android devices. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods.
- iOS Analysis -- Five labs are designed to teach students how to manually carve for deleted data, validate tool results, manually parse plists and databases of interest, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. In addition, methods for "tricking" your tools into parsing data from encrypted images are built into the labs. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods. There are other bonus iOS labs on the course USB.
- Backup File Analysis -- Three labs are designed to teach students how to parse data from iOS and Android backup files. These labs will drive students to parse data from databases, plists, and third-party application data. A bonus lab on BlackBerry backups is provided.
- Wiped Phone Analysis -- This is one of the more challenging labs for students, as the device used will have been wiped prior to acquisition. Students will be able to test all of the methods they learned during the course to see what can really be recovered from a wiped smartphone.
- BlackBerry 10 Analysis -- This all-encompassing lab provides students with a chance to tie external media (SIM cards) to a device, understand how data are manually carved and parsed, and understand how BlackBerry 10 applications differ from Android and iOS. Will you be able to identify a BlackBerry running Android applications? The methods used in this lab will apply to other smartphones that contain SIM cards and leverage third-party applications (Android, Windows Phone, Nokia, etc.).
- Knock-off Phone Analysis -- This lab focuses on handling knock-off devices, understanding the file system, and decoding the data not parsed by commercial tools.
- Third-Party Application Analysis -- These labs challenge students to examine third-party applications pulled from multiple smartphone devices, and to manually parse applications that are not commonly parsed by commercial tools.
- Parsing Application Databases -- These three labs provide students the opportunity to write SQL queries to parse tables of interest and to recover attachments associated with chats, deleted chats, and data from secure chat applications. The labs will challenge students to dig deep beyond what a commercial tool can offer.
- Browser Analysis -- This lab is focused on showing similarities and differences between computer and mobile browser artifacts. Your commercial tools may be good at parsing some evidence, but this lab will highlight what is missed!
- Smartphone Forensic Capstone -- The final challenge tests all that students have learned in the course. It features multiple smartphone devices used in various locations involving communication, third-party applications, Internet history, cloud and network activity, shared data, and more. The exercise encourages students to dig deep and showcase what they learned in FOR585 so that they can immediately apply it to their work when returning to their jobs.
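The course topics above list examining SQLite databases in depth and recovering deleted information, and the Parsing Application Databases labs promise to dig beyond what a commercial tool shows. The following is an added example of that technique, my own code rather than FOR585 course or lab material. It builds a constructed chat database, deletes one message, and reads the record back out of the page's freeblock chain by parsing the raw file against the published SQLite file format (a freed cell loses only the four bytes the freeblock header overwrites; the rest of the record stays on disk until the space is reused). Everything in it is assumed for the example: the table name, columns and messages are invented, the deleted row is small enough that the four overwritten bytes were all single-byte varints, and secure_delete is switched off explicitly. On a real device, whether freed cells survive depends on the SQLite build and on the app's own pragmas, so validate against a known dataset before reporting that data is absent.

```python
import os
import sqlite3
import struct
import tempfile

# Helpers for the SQLite file format (https://sqlite.org/fileformat.html).
def be(b, o, n):
    return int.from_bytes(b[o:o + n], "big")

def read_varint(buf, pos):
    """7 bits per byte, high bit means continue; a 9th byte carries a full 8 bits."""
    val = 0
    for i in range(9):
        byte = buf[pos + i]
        if i == 8:
            return (val << 8) | byte, pos + 9
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return val, pos + i + 1

def serial_len(st):
    """Field length for record serial type st; 10 and 11 are reserved (KeyError)."""
    return {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8, 8: 0, 9: 0}[st] if st < 12 else (st - 12) // 2

def serial_value(st, raw):
    if st == 0:
        return None
    if st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    if st <= 9:
        return st - 8  # serial types 8 and 9 encode the constants 0 and 1
    return raw.decode("utf-8") if st % 2 else bytes(raw)  # odd = TEXT, even = BLOB

def page_header(page_size, page):
    """(page offset, b-tree header offset); page 1 begins with the 100-byte file header."""
    off = (page - 1) * page_size
    return off, off + (100 if page == 1 else 0)

def leaf_pages(db, page_size, page):
    """Yield table leaf pages (flag 0x0D) under page, descending interior pages (0x05)."""
    off, hdr = page_header(page_size, page)
    if db[hdr] == 0x0D:
        yield page
        return
    if db[hdr] != 0x05:
        raise ValueError(f"page {page} is not a table b-tree page")
    for i in range(be(db, hdr + 3, 2)):  # interior cell: 4-byte child page number, then key
        yield from leaf_pages(db, page_size, be(db, off + be(db, hdr + 12 + 2 * i, 2), 4))
    yield from leaf_pages(db, page_size, be(db, hdr + 8, 4))  # right-most child

def freeblocks(db, page_size, page):
    """Walk the page's freeblock chain, yielding each block's bytes after its 4-byte header."""
    off, hdr = page_header(page_size, page)
    fb = be(db, hdr + 1, 2)  # offset of the first freeblock, 0 if none
    while fb:
        yield db[off + fb + 4:off + fb + be(db, off + fb + 2, 2)]
        fb = be(db, off + fb, 2)

def decode_remnant(chunk, ncols):
    """Decode a freed cell whose first 4 bytes (payload size, rowid, record header size and the
    NULL serial type of the INTEGER PRIMARY KEY column) the freeblock header overwrote. Assumes
    each was a 1-byte varint, true for small rows; bigger cells need those bytes inferred."""
    pos, stypes = 0, []
    for _ in range(ncols - 1):
        st, pos = read_varint(chunk, pos)
        stypes.append(st)
    values = [None]  # column 0 (the rowid alias) went with the header
    for st in stypes:
        n = serial_len(st)
        if pos + n > len(chunk):
            raise IndexError("record runs past the end of the freeblock")
        values.append(serial_value(st, chunk[pos:pos + n]))
        pos += n
    return values

def recover_deleted_rows(path, table):
    """Rows still sitting in freeblocks on the table's leaf pages of a closed database file."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never open evidence read-write
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone()[0]
    ncols = len(con.execute(f"PRAGMA table_info({table})").fetchall())
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    page_size = be(db, 16, 2)
    page_size = 65536 if page_size == 1 else page_size  # the header stores 1 for 64 KiB pages
    rows = []
    for page in leaf_pages(db, page_size, root):
        for chunk in freeblocks(db, page_size, page):
            try:
                rows.append(decode_remnant(chunk, ncols))
            except (KeyError, IndexError, UnicodeDecodeError, struct.error):
                continue  # coalesced or partly reused free space, not a clean cell
    return rows

def build_sample_db(path):
    """Constructed chat database, not real evidence: four messages, then message 2 is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=DELETE")  # rollback journal: the main file is updated in place
    con.execute("PRAGMA secure_delete=OFF")  # freed cells are left as they were, not zeroed
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, "alice", "are you around tonight?", 1700000000),
        (2, "alice", "meet me at the pier at 9pm", 1700000060),
        (3, "bob", "ok, see you there", 1700000120),
        (4, "alice", "bring the bag", 1700000180)])
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()

def demo_sqlite_recovery():
    """Returns (bodies a SELECT still shows, rows carved back out of the freeblocks)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat.db")
        build_sample_db(path)
        con = sqlite3.connect(path)
        live = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
        con.close()
        return live, recover_deleted_rows(path, "messages")
```

Calling demo_sqlite_recovery() returns the three bodies a normal query still sees, plus the deleted "meet me at the pier at 9pm" row with its sender and timestamp intact and only the rowid lost. The freeblock chain is one of several places a record can linger: the unallocated area between the cell pointer array and the cell content (where the most recently inserted row lands if it is the one deleted), the database's -journal or -wal file, which carries whole prior versions of pages, and freelist trunk pages once a page is emptied. A tool that reports only what SELECT returns is silent about all of them, which is exactly the gap the labs above target.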
There is no prerequisite for this course, but a basic understanding of digital forensic file structures and terminology will help the student grasp topics that are more advanced. Previous vendor training in mobile device forensic acquisition is also useful, but not required. We do not teach basic acquisition methods in class, but we do provide instructions about them in the bonus course material. This class focuses on analysis, advanced access methods, and understanding smartphone artifacts.
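Cracking lock codes manually recovered from a device appears above under Handling Locked and Encrypted Devices, in the Android lock-code lab, and in the course objectives. Added here as an illustration of what that involves on the legacy Android credential store (my own code, not course or lab material): Android 4.x through 5.x kept password.key as the uppercase hex SHA-1 and MD5 of the PIN concatenated with Long.toHexString of lockscreen.password_salt (from locksettings.db, or settings.db on older builds), and gesture.key as the raw SHA-1 over the visited cell indexes, both under /data/system/. The salt, PIN and pattern below are constructed for the example; the round trip derives the on-device artifacts from them and then cracks them, which is what the verifier runs. Two caveats a practitioner needs: this searches numeric PINs only, although password.key can also hold an alphanumeric password, and from Android 6.0 Gatekeeper keys the stored verifier with a TEE-held secret, so this offline approach does not transfer to modern devices.

```python
import hashlib
import itertools

# Legacy Android (4.x to 5.x) lock credential formats, as implemented in AOSP's LockPatternUtils.
# Constructed values for the example: a real case takes the salt from locksettings.db
# (lockscreen.password_salt) and the hashes from /data/system/password.key and gesture.key.
SAMPLE_SALT = -6248263081453567011
SAMPLE_PIN = "2580"
SAMPLE_PATTERN = (0, 4, 8, 5, 2)  # cells are row * 3 + column, 0..8, top-left to bottom-right

def salt_to_hex(salt):
    """Long.toHexString(): lowercase, unpadded, negative values as 64-bit two's complement."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")

def password_key(password, salt):
    """password.key content: SHA1(pw + saltHex) then MD5(pw + saltHex), both as uppercase hex."""
    salted = (password + salt_to_hex(salt)).encode()
    return (hashlib.sha1(salted).hexdigest() + hashlib.md5(salted).hexdigest()).upper()

def gesture_key(pattern):
    """gesture.key content: raw SHA-1 digest of the visited cell indexes, in order."""
    return hashlib.sha1(bytes(pattern)).digest()

def crack_password_key(target, salt, max_digits=6):
    """Brute-force a numeric PIN against a recovered password.key value; None if not found."""
    target = target.strip().upper()
    if len(target) != 72 or any(c not in "0123456789ABCDEF" for c in target):
        raise ValueError("password.key should be 72 hex characters (40 SHA-1 + 32 MD5)")
    for n in range(4, max_digits + 1):  # Android enforces a minimum of 4 digits
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits)
            if password_key(pin, salt) == target:
                return pin
    return None

def crack_gesture_key(target, max_len=9):
    """Brute-force gesture.key over all orderings of 4..max_len distinct cells; None if not found."""
    if len(target) != 20:
        raise ValueError("gesture.key should be a raw 20-byte SHA-1 digest")
    for n in range(4, max_len + 1):  # a pattern must touch at least 4 distinct cells
        for pattern in itertools.permutations(range(9), n):
            if gesture_key(pattern) == target:
                return pattern
    return None

def demo_lock_cracking():
    """Round trip: derive the on-device artifacts from the sample credentials, then crack them."""
    return {
        "pin": crack_password_key(password_key(SAMPLE_PIN, SAMPLE_SALT), SAMPLE_SALT),
        "pattern": crack_gesture_key(gesture_key(SAMPLE_PATTERN)),
    }

if __name__ == "__main__":
    print(demo_lock_cracking())
```

The gesture search deliberately ignores the on-screen adjacency rule (a stroke cannot skip an unvisited cell, so 0 to 2 always passes through 1); filtering to drawable patterns would shrink the search space but is not needed for correctness, and the full space of 4 to 9 distinct cells is under a million SHA-1 computations. The salt conversion is the step most often done wrong by hand: the value is stored as a signed decimal long, and a negative salt must be rendered as its 16-character two's-complement hex, exactly as Long.toHexString does.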
What You Will Receive
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway: Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.
MANDATORY FOR585 SYSTEM HARDWARE REQUIREMENTS
- CPU: 64-bit Intel i5/i7 (4th generation or newer), 2.0+ GHz. A 64-bit x64 processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory).
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
- Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 16 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 16 gigabytes of RAM is the mandatory minimum).
- At least one open and working USB 3.0 Type-A port is required (a Type-C to Type-A adapter may be necessary for newer laptops). Note: some endpoint protection software prevents the use of USB devices; test your system with a USB drive before class to ensure you can load the course data.
- 200 gigabytes of free space on your system hard drive is required. This space is critical to host the VMs we distribute.
- Local administrator access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 capability
MANDATORY FOR585 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
- Download and install 7Zip (for Windows Hosts) or Keka (macOS).
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.