Major Update

FOR585: Smartphone Forensic Analysis In-Depth

GIAC Advanced Smartphone Forensics (GASF)
  • In Person (6 days)
  • Online
36 CPEs

The FOR585: Smartphone Forensic Analysis In-Depth course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course is continuously updated to keep up with the latest file formats, malware, smartphone operating systems, third-party applications, acquisition shortfalls, extraction techniques (how to get full file system or physical access), and encryption. It offers the most unique and current instruction to arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you get back to work.

22 labs, bonus labs + CTF

What You Will Learn

FOR585: Smartphone Forensic Analysis In-Depth Will Help You Understand:

  • Where key evidence is located on a smartphone
  • How the data got onto the smartphone - was it AI, was it user created, was it synced
  • How to recover deleted or unparsed data that forensic tools miss
  • How to decode evidence stored in third-party applications
  • How to detect, decompile, and analyze mobile malware and spyware
  • Advanced acquisition terminology and techniques to gain access to data on smartphones
  • How to handle locked or encrypted devices, applications, and containers
  • How to properly examine databases, protobufs, LevelDBs, and other file formats containing application and mobile artifacts
  • How to craft SQLite queries and modify Python scripts to conduct mobile forensics
  • How to create, validate, and verify the tools and scripts against real datasets
  • How to manually parse application data when commercial tools don't support them
Smartphones Have Minds of Their Own. Don't Make the Mistake of Reporting System Evidence, AI Created Date, Incorrect Locations, Smartphone Suggestions, or Application Cache as User Activity.
It's Time to Get Smarter!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data is saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You must understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data was put on the device. Consider AI vs human - how can a tool determine that level of granularity from a data set? Examination and interpretation of the data is your job, and this course will provide you and your organization with the capability to find and examine the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 23 hands-on labs, a forensic challenge, bonus labs, and a bonus take-home case that allows students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. The course will also introduce community-created tools that are designed to parse specific artifacts and that complement commercial tools.

FOR585 is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition short-falls, extraction techniques (jailbreaks and roots), file format changes, malware and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!

Smartphone Data Can't Hide Forever - It's Time To Outsmart The Mobile Device!

"This should be the course all cell examiners take once they are experienced with basic cell phone extraction and analysis." Matt L, FOR585 student

What Is Smartphone Forensics?

  • The ability to examine or analyze data from mobile devices
  • The art of creating a pattern of life from mobile device extractions
  • The ability to place a person or device at a location and state what was happening on the device at that moment in time.

Business Takeaways

  • Understand Android and iOS artifacts that aid in investigations
  • Understand application artifacts on iOS and Android devices
  • Leverage smartphone usage to determine device locations when "something" occurred
  • Gain insight into how a device is used - car connections, data syncing, hands-free, watches, etc.
  • Decrease the potential for malware infecting mobile devices by understanding how infections occur and how to investigate malware that lands on mobile devices
  • Gain a deep understanding of SQLite databases and how a bulk of smartphone data exists on devices
  • Better understand commercial tools your company is already using and utilize the free scripts the course provides to fill the gaps these tools might have
  • Gain experience in creating SQLite queries and Python scripting for forensic examination
  • Stay ahead of mobile technology changes and investigative trends with the SANS FOR585 Alumni Community Group

Skills Learned

  • Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
  • Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
  • Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
  • Interpret file systems on smartphones and locate information that is not generally accessible to users
  • Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, if it was AI created, or if it was synced data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
  • Incorporate manual decoding techniques to recover unparsed data stored on smartphones
  • Tie a user to a smartphone on a specific date/time and at various locations
  • Recover hidden or obfuscated communication from applications on smartphones
  • Decrypt or decode application data that are not parsed by your forensic tools
  • Detect smartphones compromised by malware and spyware using forensic methods
  • Decompile and analyze mobile malware using open-source tools
  • Handle encryption on smartphones and crack iOS backup files that were encrypted with iTunes
  • Extract and use information from smartphones and their components from Android, iOS, application directories, and SD cards
  • Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
  • Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
  • Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
  • Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

Hands-On Smartphone Forensic Analysis In-Depth Training

FOR585 features 23+ hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs allow you to "choose your own adventure" so that students who may need to focus on a specific device can select relevant labs and go back to the others as time permits.

The labs cover the following topics:

  • Malware and Spyware - Two labs are designed to teach students how to identify, manually decompile, and analyze malware recovered from an Android device. The processes used here reach beyond commercial forensic kits and methods. Bonus IPA and APK files are provided for practice. Two additional bonus labs are available on
  • Android Analysis - Four labs are designed to teach students how to determine files of interest, carve for data and locations, validate tool results, place the user behind an artifact, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. Open-source methods are utilized and highlighted where possible. A bonus lab encourages students to interact with the device via ADB. Additional bonus labs are also available.
  • iOS Analysis - Four labs are designed to teach students how to determine files of interest, carve for data and locations, validate tool results, manually parse plists and databases of interest, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. In addition, ArtEx, a free tool, is introduced and used in labs to show the simplicity of understanding iOS artifacts. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods. There are other bonus iOS labs on the course USB.
  • Cloud data and Backup File Analysis - Two labs are designed to teach students how to parse data from cloud data and backup files. These labs will drive students to parse data from databases, plists, and third-party application data.
  • Evidence Destruction Analysis - This is one of the more challenging labs for students, as the device used will have been tampered with prior to acquisition. Students will be able to test all of the methods they learned during the course to see what can really be recovered from an altered smartphone.
  • Third-Party Application Analysis - These four labs challenge students to examine third-party applications pulled from multiple smartphone devices, and to manually parse applications that are not commonly parsed by commercial tools. Bonus labs are provided for those who want more.
  • Parsing Application Databases - These three labs provide students the opportunity to write SQL queries to parse tables of interest and to recover attachments associated with chats, deleted chats, and data from secure chat applications. The labs will challenge students to dig deep beyond what a commercial tool can offer. A lab leveraging a query with the ability to write or modify a Python script will challenge students to understand how the tools parse data.
  • Browser Analysis - This lab is focused on manually parsing mobile browser artifacts. Your commercial tools may be good at parsing some evidence, but this lab will highlight what is missed, especially when private browsing, Tor, or incognito modes are used.
  • SQLite Queries - Several labs require SQLite analysis. Two labs are designed to teach students how to write queries, join tables, and conduct analysis.
  • Smartphone Forensic Capstone - The final challenge tests all that students have learned in the course. It features multiple smartphone devices used in various locations involving communication, third-party applications, Internet history, cloud and network activity, shared data, and more. The exercise encourages students to dig deep and showcase what they learned in FOR585 so that they can immediately apply it to their work when returning to their jobs.

Syllabus Summary

  • Section 1: Understanding smartphone terminology, including acquisition methods, components, data storage, and more. SQLite database analysis and query creation are covered in depth.
  • Section 2: A deep dive into Android forensics covering everything from encryption, data storage, device identifiers to advanced logging files used for analysis.
  • Section 3: A deep dive into iOS forensics covering everything from encryption, data storage, device identifiers to advanced logging files used for analysis.
  • Section 4: Acquisition and analysis methods for cloud and backup data artifacts are covered to include the common nuances when dealing with cloud data. Malware, spyware, and evidence destruction are covered for both iOS and Android. Methods on how to conquer devices with these additional hurdles are highlighted in this section.
  • Section 5: Instruction is provided on parsing third-party application data when forensic tools cannot provide the answers. Tips and tricks are taught for managing large application datasets that contain data of interest.
  • Section 6: A test of all you learned is covered by participating in the course capstone challenge. A cold case is provided to see if you can take what you learned and apply logic on different datasets to solve the crime.

What You Will Receive

  • A FOR585 Windows virtual machine (Smartphone Version) is used with all hands-on exercises to teach students how to examine and investigate information on smartphones. The FOR585 virtual machine designed for this course contains free and open-source tools, custom and community scripts, commercial tools used in the class as well as bonus tools that may aid in your investigations.
  • Cellebrite Inseyets Physical Analyzer License - 120 days
  • Magnet AXIOM License - 90 days
  • Elcomsoft Cloud eXplorer License
  • Elcomsoft Phone Password Breaker License
  • Elcomsoft Phone Viewer License
  • Open-Source Tools
  • Two (2) - 64 GB Course USBs/ISO Images
  • Class repository of bonus documentation, tips, and more
  • Forensic Capstone data, bonus labs, bonus course material, utilities, bonus IPA/APK files, and other documentation
  • SANS Advanced Smartphone Forensic eWorkbook
  • The course exercise book (eWorkbook) is packed full of questions and scenarios and contains detailed step-by-step instructions and examples to help you become a better smartphone examiner.

Course topics

  • Malware and Spyware on Smartphones
    • Mobile devices in incident-response cases
    • Mobile devices in ransomware cases
    • Detecting malware and spyware
    • Handling the isolation of the malware
    • Decompiling malware to conduct in-depth analysis
    • Determining what has been compromised
  • Forensic Analysis of Smartphones and Their Components
    • Android
    • iOS
    • SD cards
    • Cloud-based backups and storage
    • Cloud-synced data - Google, Meta, and more
  • Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures
    • Recovering deleted information from smartphones
    • Examining SQLite databases in-depth
    • Finding traces of user activities on smartphones
    • Detecting AI vs human behavior on smartphones
    • Recovering data from third-party applications
    • Tracing user online activities on smartphones (e.g., messaging, logins, location artifacts, social networking, and more)
    • Examining application files of interest
    • Manually decoding files to recover missing data and verify results
    • Developing SQL queries to parse databases of interest
    • Understanding the user-based and smartphone-based artifacts
    • Leveraging system and application usage logs to place the device in a location and state when applications were used
    • Identifying devices that have intentionally been modified - deletion, wiping and hiding applications
  • In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools
    • Using your tools in ways you didn't know were possible
    • Leveraging custom scripts to parse deleted data
    • Leveraging scripts to conduct forensic analysis
    • Modifying scripts to meet your forensic needs
    • Carving data
    • Developing custom SQL queries to include table joins and attach capabilities
    • Conducting physical and logical keyword searches
    • Manually creating timeline generation and link analysis using information from smartphones
    • Tool validation based on trusted datasets
    • Using geolocation information from smartphones and smartphone components to place a suspect at a location when an artifact was created
    • Examining file types often used by Android and iOS - protobufs, SQLite, REALM, XML, ABX, SEG-B, and more.
  • Handling Locked and Encrypted Devices
    • Best practices for extracting evidence from locked smartphones
    • Understanding encryption (kernel and application level)
    • Cracking passcodes on backup files
    • Decrypting backups of smartphones
    • Decrypting third-party application files
    • Methods for examining encrypted data from SD cards
  • Considerations for Smartphone Handling
    • How your actions can alter the device
    • How to handle Hot and Cold devices
    • How to prevent remote access on the device
    • How to tie a user or activity to a device at a specific time
    • How mobile device management can hurt as much as help you
  • Incident Response Techniques for Smartphones
    • How to quickly timeline events of interest
    • How to determine the vulnerability entry point
    • Detecting malware or malicious applications
    • Following the trail from installation to exfil for malicious applications

Syllabus (36 CPEs)

  • Overview

    Focus: Although smartphone forensic concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. On this first course day, students will apply what they know to smartphone forensic handling, device capabilities, smartphone components, common file formats used for data storage, SQLite database examination, and query development. Students will become familiar with the most popular forensic tools required to complete comprehensive examinations of smartphone data structures.

    Smartphone data from iOS and Android will be introduced and defined to set our expectations for what we can recover using digital forensic methodologies. We quickly review smartphone concepts and the forensic implications of each. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. Students will be taught methodologies for handling devices in different states, such as HOT or COLD devices. We will discuss how to process and decode data on mobile devices from a forensic perspective, then learn tactics to recover information that even forensic tools may not always be able to retrieve.

    Forensic examiners must understand the concept of interpreting and analyzing the information on a variety of smartphones, in a variety of file formats, as well as the limitations of existing methods for extracting data from these devices. This course day is packed full of knowledge and covers how to handle encryption issues, smartphone components, bonus material on misfit devices (ones you may not commonly see), and SQLite overview, query language, and table joins.

    The FOR585 Virtual Machine used in class has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.

    • FOR585 Virtual Machine Setup and Lab Data Integration
    • Hands-on demonstrations and familiarization with smartphone forensic tools
    • Smartphone Components Lab
    • Familiarization with Inseyets Physical Analyzer with an Android extraction
    • Familiarization with AXIOM with an iOS backup extraction
    • Introduction to SQLite database forensics and drafting of simple SQL queries
    • Advanced SQLite database forensics with table joins and complex queries
    • A bonus lab on understanding how SQLite databases use a .wal file for temporary storage
    • Course Resources
    • The FOR585 VM
    • Smartphone Fundamentals
      • Smartphone Components and Identifiers
      • Assessing Capabilities of Evidential Devices
      • Common File Systems
      • Forensic Impact of Flash Memory
      • Data Storage Broken Down and Defined
      • Encryption Explained
      • SIM Card Overview and Examination
      • SD Card Handling and Examination
    • Smartphone Handling and Acquisition Terminology
      • Preserving Smartphone Evidence
      • Preventing Data Destruction
      • How to Handle HOT and COLD Devices
      • Logical Acquisition
      • File System Acquisition
      • Full File System Acquisition
      • Physical Acquisition
      • Advanced Acquisition Methods and Techniques
    • Cellebrite Physical Analyzer Fundamentals
      • Physical, Advanced, and Global Keyword Searching
      • Key Features
      • Tips and Tricks
      • Learning How to Dive Beyond the Surface Within the Tool
    • AXIOM Fundamentals
      • All Content and Logical Keyword Searching
      • Key Features
      • Tips and Tricks
      • Learning How to Dive Beyond the Surface Within the Tool
    • File Formats Overview
      • Understanding common file formats stored on Android and iOS devices
      • How to Examine and Decode Data from These Files
    • SQLite Overview
      • How SQLite Databases Function
      • How Data are Stored in These Files
      • How to Examine SQLite Databases
      • How to Create Queries and Table Joins to Parse Information of Interest
    • Bonus Materials
      • Modify an SQLite Database and Learn How Data Exists in a .WAL vs the Database
      • Relevant White Papers and Guides
      • Smartphone Cheat Sheets
      • Bonus Labs in Class Resources
  • Overview


    Android devices are among the most widely used smartphones in the world, which means they surely will be part of an investigation that comes across your desk. Unfortunately, gaining access to these devices isn't as easy as it used to be. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, without honing the appropriate skills to acquire the best dataset and correctly interpret the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics. Android data acquired using tools may exist in various formats. Often data will be missing if a Full File System acquisition is not obtained. Smartphone examiners need to understand the file structures and how to parse the data.


    Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files. The level of encryption and database VACUUM will determine what is recoverable and for how long. Some artifacts are perishable and only retain data for as little as 24 hours. Time to evidence matters and FOR585 will get you there.

    During hands-on exercises, you will use smartphone forensic tools to carve, decode, and analyze a wide variety of information from Android devices. You will use the SQLite examination skills you learned in the first course section to draft queries to parse information that commercial tools cannot support. When all else fails and the tools cannot extract information from newer Android devices, we will use ADB to manually interact and extract data of interest. We'll demonstrate methods to help you say who, what, where, when, and how data was created on an Android device.

    • Manually decoding and extracting information from a Full File System acquisition
    • Manually parsing third-party applications and conducting deep-dive decoding and recovery of user activities on Android devices
    • Manually decoding and interpreting data associated with device locations
    • Leveraging scripts and free tools to triage large extractions from Android devices
    • Analyzing log files to identify device syncing and Cloud activity
    • Android Overview and Acquisition Considerations
      • Android Architecture and Components
      • NAND Flash Memory in Android Devices
      • Android File System Overview
      • Full Disk Encryption vs. File-based Encryption
      • Data Storage Formats
      • Security Options on Android
      • Practical Tips for Accessing Locked Android Devices
    • Basic Device Information
      • Device Identifiers
      • SIM Usage
      • Other Common Files that Store Identifiers of Interest
    • Native Applications
      • Common Google Applications of Interest
      • Samsung Applications of Interest
      • Android Applications of Interest
    • Location Artifacts
      • Location Artifacts You Can Trust and Why
      • How to Carve for Location Artifacts
      • How to Correlate Artifacts to Key Evidence
    • Native Logs and Advanced Analysis
      • Using Android Artifacts to Examine Traces of User Activity
      • Connection Data
      • System Logs of Interest
      • Uncovering Traces Left Behind
      • Salvaging Deleted SQLite Records
      • Salvaging Deleted Data from Raw Images on Android Devices
      • Putting the pieces together for Android artifacts
    • Android Fitness and Health Applications
      • Understanding Android Health Data and Common Applications
      • Dive Into Artifacts Containing Android Health Artifacts
    • Bonus Materials
      • Android Cheat Sheets
      • Location Cheat Sheets
      • Android Acquisition Methods
      • Relevant White Papers and Guides
      • Hands-on Lab to Pull Data Using ADB from an Android Device
      • Bonus Labs
  • Overview


    Apple iOS devices contain substantial amounts of data that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed to extract information from iOS devices and correctly interpret the data. This course section will cover extraction techniques using jailbreaks and exploits to obtain a Full File System acquisition. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.


    This section dives right into iOS devices. Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. We'll cover encryption, decryption, file parsing, and traces of user activities in detail.

    During hands-on exercises, students will use smartphone forensic tools, ArtEx and other open source tools to extract and analyze a wide variety of information from iOS devices. Students will also be required to manually decode data that were marked for deletion or are unrecoverable using smartphone forensic tools and scripts supporting iOS device forensics.

    • Manually decoding and extracting information from iOS file system acquisition
    • Extracting information from a Full File System extraction
    • Leveraging community scripts and free tools to quickly analyze and timeline a Full File System extraction from an iOS device
    • Manually parsing third-party applications and conducting deep-dive decoding and recovery of user activities on iOS devices
    • Placing the user behind the artifact based on location information and other traces found on file system dumps from iOS devices
    • iOS Overview and Device Acquisition Considerations
      • iOS Architecture and Components
      • NAND Flash Memory in iOS Devices
      • iOS File Systems
      • iOS Versions
      • iOS Encryption
      • iOS Exploits and Jailbreaks
      • Interacting live on jailbroken devices
      • Data Storage Formats
      • Encryption on iOS
      • Practical Tips for Accessing Locked iOS Devices
    • Basic Device Information
      • Device Identifiers
      • SIM Usage
      • Other Common Files that Store Identifiers of Interest
    • Native Applications
      • Diving into Applications Common on iOS Devices
      • Understanding File Path Changes
      • Understanding How Data are Stored
    • Native Logs
      • Primary Evidentiary Locations
      • Native Applications that Track User Activity
      • Apple Watch Forensics
      • Manual Decoding of Files of Interest
    • Location Artifacts
      • Location Artifacts You Can Trust and Why
      • How to Carve for Location Artifacts
      • How to Correlate Artifacts to Key Evidence
    • Advanced Analysis
      • Deep Dive into Data Structures on iOS Devices
      • Putting the pieces together for iOS artifacts
      • System Logs of Interest
      • Piecing the Puzzle Together
    • Bonus Materials
      • iOS Cheat Sheet
      • Location Cheat Sheet
      • Hands-on Lab to Pull Data from an iOS Device Leveraging libimobiledevice
      • iOS Acquisition Methods
      • Relevant White Papers and Guides
      • Bonus Labs
  • Overview


    iOS backups are extremely common and are found in the cloud and on hard drives. Users create backups, and we often find that our best data can be derived from creating an iOS backup for forensic investigation. Android backups differ a bit, as users do not commonly back up outside of Network Service Providers and Google. This section will cover methodologies to extract backups and cloud data and analyze the artifacts for each. Malware affects a plethora of smartphone devices. We will examine various types of malware, how it exists on smartphones, and how to identify and analyze it. Most commercial smartphone tools help you identify malware, but none of them will allow you to tear down the malware to the level we cover in this class. We'll conduct five labs on this day alone! The day ends with students challenging themselves using tools and methods learned throughout the week to recover user data from intentionally altered smartphone data (deleting, wiping, and hiding of data).


    Cloud data, Takeout extractions, and iOS backup files are commonly part of digital forensic investigations. This course day provides students with a deep understanding of backup file and cloud contents, manual decoding, and parsing and cracking of encrypted backup file images. The methods learned during the previous course day are applied to the beginning of this section, as iOS backup files are essentially file system extractions. Examiners today must address the existence of malware on smartphones. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it. It is important for examiners to understand malware and how to identify its existence on the smartphone.

    During hands-on exercises, students will use smartphone forensic tools and other methods to extract and analyze a wide range of information from two encrypted iOS backups, an Android device containing mobile malware, and a device that was intentionally manipulated by the user. Students will be required to manually decode data that were wiped, encrypted, or deleted, or that are unrecoverable using smartphone forensic tools.

    • Advanced backup file forensic exercise involving an iOS 17 encrypted backup file that requires manual decoding to conduct analysis
    • Database analysis focused on uncovering the truth behind iOS images and how they exist on the device
    • Two malware labs: malware detection and analysis on a Full File System Android extraction, and unpacking and analyzing an .apk malware file
    • Recovering any traces of user activity from a device where data was tampered with or destroyed
    • Backup and Cloud Considerations
      • Overview of Backup File Forensics
      • Data of Interest
      • Meta Takeouts
    • Google Backups
      • Google Cloud Data Extraction and Analysis
      • Google Takeout Extraction and Analysis
    • Apple Backups
      • Creating and Parsing Backup Files
      • iCloud vs iTunes Data
    • Locked iOS Backup Files
      • Decrypting Locked iOS Backup Files
      • How to Successfully Parse
    • iCloud Backups
      • How to Extract Cloud Data
      • How to Parse Cloud Data
    • Malware and Spyware Forensics
      • Different Types of Common Malware
      • Common Locations on Smartphones
      • How to Determine a Compromise
        • How to Recover from a Compromise
          • What Was Affected?
          • How to Isolate?
        • How to Analyze Using Reverse-Engineering Methodologies
    • Detecting Evidence Destruction
      • Different Types of Destruction Methods
      • Determining When the Destruction Occurred
      • Understanding What Happens When Data Are Destroyed
    • Bonus Materials
      • Smartphone Cheat Sheets
      • Malware/Spyware Cheat Sheet
      • APK Decompiling Cheat Sheet
      • Backup File Acquisition Methods
      • Relevant White Papers and Guides
      • Bonus Labs
  • Overview


    This course day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. The rest of the day focuses heavily on secure chat applications, recovery of deleted application data and attachments, mobile browser artifacts, and knock-off phone forensics. The skills learned in this section will provide students with advanced methods for decoding data stored in third-party applications across all smartphones. We will show you what the commercial tools miss and teach you how to recover these artifacts yourself.


    During hands-on exercises, students will use smartphone forensic tools to extract and analyze third-party application files of interest, and then manually dig and recover data that are missed. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools and custom SQLite queries that they write themselves. Students will learn how to modify Python scripts to parse data of interest to their investigations and how to leverage commercial tools to automatically parse data from queries created in the course. The hands-on exercises will be a compilation of everything students have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones. When this section ends, you will have proven that you have the skill set to recover artifacts that the forensic tools cannot recover.

    • Advanced third-party application exercise requiring students to use skills learned during the first four days of the course to manually decode communications stored in third-party application files across multiple smartphones
    • Browser analysis exercise requiring students to manually examine third-party browser activity (Tor, private browsing, and incognito) that the commercial tools may not parse
    • Recovery of attachments using an exercise that requires students to write more complex SQL queries to recover attachments from the smartphone
    • Leveraging a commercial tool to script a query drafted in class or creating your own Python script to parse a database of interest
    • Forensic Challenge Prep
    • Third-Party Application Overview
      • Common Applications Across Smartphones
    • Geolocation Artifacts
      • How to Locate
      • Data Format
      • Manual Recovery
      • Decoding Methods
    • MDM and MAM
      • How to Locate
      • Data Format
      • Manual Recovery
      • Decoding Methods
    • File Sharing Artifacts
      • How to Locate
      • Data Format
      • Manual Recovery
      • Decoding Methods
    • Payment Apps and Mobile Wallets
      • How to Locate
      • Data Format
      • Manual Recovery
      • Decoding Methods
    • Messaging Applications
      • How to Locate
      • Data Format
      • Manual Recovery
      • Decoding Methods
      • SQL Query Development
    • Mobile Browsers
      • Third-Party Browser Overview
      • How to Locate
      • Data Format
      • Manual Recovery
    • AI Applications and Related Artifacts
      • How to detect AI vs Human
      • Common File Formats for Storage
      • How AI Can Help You Learn
    • Dissecting Python Code for Mobile App Parsing
      • Understanding Python Scripts
      • Modifying Python Script for Forensics
  • Overview


    This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a cold case scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.


    By requiring student groups to present their findings to the class, this capstone exercise will test the students' understanding of the techniques taught during the week. OnDemand students have the opportunity to present virtually to the instructor in order to win the class coin. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. An executive summary of findings is also expected.


    Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation.

    • Identification and Scoping
      • Who is responsible for the crime?
      • What devices are involved?
      • Which individuals are involved?
    • Forensic Examination
      • What were the key communications between individuals?
      • What methods were used to secure the communication?
      • Were any of the mobile devices compromised by malware?
      • Were cloud data involved?
      • Did the users attempt to conceal or delete artifacts or data?
    • Forensic Reconstruction
      • What is the motive?

      In addition, students will be required to generate a forensic report. Only the top team will win the forensic challenge.

    • Bonus Materials
      • Take-Home Case Involving a Different Scenario with Three New Smartphones
      • Questions for Take-home Case
      • Answers for Take-home Case

GIAC Advanced Smartphone Forensics

The GIAC Advanced Smartphone Forensics (GASF) certified professionals have demonstrated that they are qualified to perform forensic examinations on devices such as mobile phones and tablets. Candidates are required to demonstrate an understanding of the fundamentals of mobile forensics, device file system analysis, mobile application behavior, event artifact analysis, and the identification and analysis of mobile device malware.

  • Fundamentals of mobile forensics and conducting forensic exams
  • Device file system analysis and mobile application behavior
  • Event artifact analysis and the identification and analysis of mobile device malware


There is no prerequisite for this course, but a basic understanding of digital forensic file structures and terminology will help the student grasp topics that are more advanced. Previous vendor training in mobile device forensic acquisition is also useful, but not required. We do not teach basic acquisition methods in class, but we do provide instructions about them in the bonus course material. This class focuses on analysis, advanced access methods and understanding smartphone artifacts.

Laptop Requirements

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 32GB of RAM or more is required. You will not have a good experience if you cannot allocate at least 16 GB of RAM for the VM.
  • 200GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts).

Your course media is delivered via download. The media files for class can be large. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files. You will need both .iso files to start Section 1 of the course.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Digital forensic investigations almost always involve a smartphone. Often the smartphone is the only form of digital evidence relating to the investigation and is the most personal device someone owns! Let's be honest: how many people share their smartphones like they do computers? Not many. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling and data recovery, methods for obtaining the best acquisition, and manually recovering data hiding in the background on the device. This course will teach you which artifacts you can trust and methods for quick validation or verification of other smartphone artifacts. FOR585: Smartphone Forensic Analysis In-Depth provides this required knowledge to beginners in mobile device forensics and to mobile device experts. This course has something to offer everyone! There is nothing out there that competes with this course and its associated GIAC certification."

- Heather Mahalik Barnhart

"Eighty-five percent of the world's population today has a mobile phone. In the United States alone, almost half of these devices are smartphones. The tools and techniques for acquiring and analyzing these devices are changing every day. As handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Smartphone Forensic Analysis In-Depth will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, but they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve!"

- Domenica Crognale


FOR585 has been, by far, the best virtual course AND the best mobile forensics course I've ever taken.
Garry B.
Local Law Enforcement
FOR585 course content provides extremely relevant material, guiding examiners to crucial artifacts for investigations and validation. It outlines key details for every forensic challenge.
Quinn L.
US Federal Agency
I would unequivocally recommend this course (FOR585). I feel more confident in my ability to work outside commercially available forensic tools and complete more difficult mobile forensic examinations.
David Gonzalez
RWJ Barnabas Health
As someone with ZERO experience/background in this subject matter, being able to go back and rewatch the videos is priceless. It's probably the best feature I have ever seen in a class.
Jeff P.
US Federal Agency
This course makes me want to re-work every cell phone case I've ever done.
Anastasia L.
FOR585 is valuable because it is comprehensive, tool-agnostic, and immediately applicable. I will directly apply the techniques of searching for malware/spyware to a recent case I had when I get back to work.
Daniel M.
