Name: FOR585: Smartphone Forensic Analysis In-Depth
Price: 8780 USD
Availability: InStock

Question 1

What Are The Laptop Requirements?

Accepted Answer

Important! Bring your own system configured according to these instructions. You will need 350 GB of free space to fit the VM and phone images for the course. We recommend bringing an external SSD to help with space issues you may experience.A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in the course. Therefore, please arrive with a system meeting all of the specified requirements.Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data. Mandatory System Hardware RequirementsCPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.32GB of RAM or more is required. You will not have a good experience if you cannot allocate at least 16 GB of RAM for the VM.350GB of free storage space or more is required. Bringing an external SSD drive is recommended.At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.Mandatory Host Configuration And Software RequirementsYour host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed. Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop. You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs. Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it. Download and install the latest version of VMware Workstation Pro for Windows hosts, or VMWare Fusion Pro for Intel-based macOS hosts, prior to class beginning of class. Note that Workstation Pro and Fusion Pro are now available for free for both personal and commercial use from Broadcom.On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials. Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). Your course media is delivered via download. The media files for class are large. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files. You will need all three .iso files to start Section 1 of the course. Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions. Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs. If you have additional questions about the laptop specifications, please contact customer service.  customer service.

Question 2

Who Should Attend FOR585 Training?

Accepted Answer

FOR585 is designed for students who are both new to and experienced with smartphone and mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensic investigator needs to process smartphones and other mobile devices. The course is a must for: Both new and experienced digital forensic examiners who want to extend their knowledge and experience to forensic analysis of smartphones Media exploitation analysts who need to master Tactical Exploitation or Document and Media Exploitation operations on smartphones by learning how individuals used their smartphones, who they communicated with, and what files they accessed Information security professionals who respond to data breach incidents and intrusions involving smartphones Incident response teams tasked with identifying the role that smartphones played in a breach Law enforcement officers, federal agents, and detectives who want to master smartphone forensics and expand their investigative skills beyond traditional host-based digital forensics Accident reconstruction investigators who need to determine how a phone was accessed or used during specific periods of time IT auditors who want to learn how smartphones can expose sensitive information Graduates of SANS SEC575, FOR498, FOR500, FOR508, FOR528, FOR572, FOR577, FOR589, FOR610, or FOR518 who want to take their skills to the next level

Question 3

What Is The GIAC Advanced Smartphone Forensics (GASF) Certification?

Accepted Answer

The GIAC Advanced Smartphone Forensics (GASF) certified professionals have demonstrated that they are qualified to perform forensic examinations on devices such as mobile phones and tablets. Candidates are required to demonstrate an understanding of the fundamentals of mobile forensics, device file system analysis, mobile application behavior, event artifact analysis, and the identification and analysis of mobile device malware.Fundamentals of mobile forensics and conducting forensic examsDevice file system analysis and mobile application behaviorEvent artifact analysis and the identification and analysis of mobile device malwareMore Certification Details

Question 4

What Will You Get?

Accepted Answer

A FOR585 Windows virtual machine (Smartphone Version) is used with all hands-on exercises to teach students how to examine and investigate information on smartphones. The FOR585 virtual machine designed for this course contains free and open-source tools, custom and community scripts, commercial tools used in the class as well as bonus tools that may aid in your investigations.Cellebrite Inseyets Physical Analyzer License - 120 days Magnet AXIOM License - 90 days Elcomsoft Cloud eXplorer License Elcomsoft Phone Password Breaker License Elcomsoft Phone Viewer License Open-Source Tools Three (3) - 64 GB Course USBs/ISO Images Class repository of bonus documentation, tips, and more Forensic Capstone dataset SANS Smartphone Forensic Analysis In-Depth eWorkbook and lab walkthrough videos The course exercise book (eWorkbook) is packed full of questions and scenarios and contains detailed step-by step instructions and examples to help you become a better smartphone examiner.

Question 5

What Are The Prerequisites For This Course?

Accepted Answer

There is no prerequisite for this course, but a basic understanding of digital forensic terminology will help the student grasp topics that are more advanced. Previous vendor training in mobile device forensic acquisition is also useful but not required. We do not teach basic acquisition methods in class. This class focuses on analysis, advanced access methods and understanding smartphone artifacts.

Question 6

What Learning Path Is This Course A Part Of?

Accepted Answer

The FOR585 course is a part of the “Digital Forensics, Malware Analysis, & Threat Intelligence” Learning Path, which aims to equip cybersecurity professionals with specialized investigative skills.Depending on your current or desired future role, one of these courses is a great next step in your cybersecurity journey:FOR509: Enterprise Cloud Forensics & Incident ResponseFOR518: Mac and iOS Forensic Analysis and Incident ResponseFOR528: Ransomware and Cyber ExtortionFOR577: Linux Incident Response & AnalysisFOR578: Cyber Threat IntelligenceFOR589: Cybercrime InvestigationsFOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Question 7

What Is Smartphone Forensics And Why Is It Important?

Accepted Answer

Smartphone forensics is the process of recovering, analyzing, and interpreting digital data from mobile devices for investigative purposes. This specialized branch of digital forensics focuses on extracting information such as messages, call logs, emails, photos, app data, and location history, often to support legal or security investigations. It includes:Examining or analyzing data from mobile devicesCreating a pattern of life from mobile device extractionsPlacing a person or device at a location and state what was happening on the device at that moment in timeWhy it’s important:Critical evidenceSmartphones hold vast amounts of personal data, often providing insights into a suspect's or victim's activities, relationships, and location.Crime resolutionEvidence from smartphones can be pivotal in solving crimes, from theft and fraud to serious offenses like terrorism or cybercrime.Data integrityForensic techniques ensure data recovery without tampering, preserving its admissibility in court.Evolving technologyWith smartphones constantly advancing, forensic expertise is essential to keep up with new challenges like encryption, hidden data, and malware. Smartphone forensics bridges technology and justice, playing a crucial role in modern investigations.

Question 8

How Will This Course Benefit My Career?

Accepted Answer

Training in smartphone forensics can significantly enhance your career by equipping you with specialized skills that are in high demand across industries. Here’s how this course can benefit you: Gain expertise in a niche field that is crucial for law enforcement, cybersecurity, legal investigations, and private consulting. Learn cutting-edge tools, techniques, and methodologies to handle constantly evolving smartphone technologies and security challenges. Open doors to roles in digital forensics, cybercrime investigation, corporate security, and litigation support. Earn GIAC certification, showcasing your proficiency to employers and clients. Gain hands-on experience with tools like Cellebrite, AXIOM, and advanced data analysis techniques, enhancing your ability to solve complex cases. Play a critical role in investigations as you uncover key evidence that can solve crimes or protect organizations from security breaches. FOR585 boosts your technical capabilities while enhancing your marketability in a growing field.

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

FOR585: Smartphone Forensic Analysis In-Depth

Featured Quote

Course Overview

What You'll Learn

Business Takeaways

Meet Your Authors

Heather Barnhart

Domenica (Lee) Crognale

Course Syllabus

Section 1Smartphone Fundamentals, SQLite Forensics, and Tool Orientation

Topics covered

Labs

Section 2Android Forensics

Topics covered

Labs

Section 3iOS Device Forensics

Topics covered

Labs

Section 4AI Impact on Mobile Forensics, Malware/Spyware Forensics, and Detecting Evidence Destruction

Topics covered

Labs

Section 5Third-Party Application Analysis

Topics covered

Labs

Section 6Smartphone Forensic Capstone

Topics covered

Labs

Things You Need To Know

What Are The Laptop Requirements?

Who Should Attend FOR585 Training?

What Is The GIAC Advanced Smartphone Forensics (GASF) Certification?

What Will You Get?

What Are The Prerequisites For This Course?

What Learning Path Is This Course A Part Of?

What Is Smartphone Forensics And Why Is It Important?

How Will This Course Benefit My Career?

Relevant Job Roles

Malware Analyst

Insider Threat Analysis

Digital Forensic Analyst Training, Salary, and Career Path

Digital Forensics (OPM 212)

Cybercrime Investigator Training, Salary, and Career Path (OPM 221)

Military Operations / Law Enforcement Agents

Media Exploitation Analyst

Cybersecurity Analyst/Engineer

Course Schedule & Pricing

GIAC Certification Attempt

OnDemand Course Access

Virtual (OnDemand)

SANS Secure Caribbean 2026

Kingston, JM & Virtual (live)

SANS Secure Japan 2026

Virtual (live)

SANS London March 2026

London, GB & Virtual (live)

SANS Paris March 2026

Paris, FR

SANS 2026

Orlando, FL, US & Virtual (live)

SANS Security Central 2026

New Orleans, LA, US & Virtual (live)

SANS Amsterdam June 2026

Amsterdam, NL & Virtual (live)

SANS Network Security 2026

Las Vegas, NV, US & Virtual (live)

SANS October Singapore 2026

Singapore, SG & Virtual (live)

Learn Alongside Leading Cybersecurity Professionals From Around The World

Benefits of Learning with SANS