
San Francisco: Virtual Edition - Live Online

Virtual, US Pacific | Mon, Nov 30, 2020 - Sat, Dec 5, 2020

FOR585: Smartphone Forensic Analysis In-Depth

Mon, November 30 - Sat, December 5, 2020

Associated Certification: GIAC Advanced Smartphone Forensics (GASF)

FOR585: Smartphone Forensic Analysis In-Depth will help you understand:

  • Where key evidence is located on a smartphone
  • How the data got onto the smartphone
  • How to recover deleted mobile device data that forensic tools miss
  • How to decode evidence stored in third-party applications
  • How to detect, decompile, and analyze mobile malware and spyware
  • Advanced acquisition terminology and free techniques to gain access to data on smartphones
  • How to handle locked or encrypted devices, applications, and containers
  • How to properly examine databases containing application and mobile artifacts




A smartphone lands on your desk and you are tasked with determining if the user was at a specific location on a specific date and at a specific time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest on that specific date and at that time? Tread carefully, because the user may not have done what the tools are showing!

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

FOR585 features 31 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

This intensive six-day course is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, acquisition shortfalls, extraction techniques (jailbreaks and roots) and encryption. FOR585 offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you get back to work.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!


You Will Be Able To

  • Select the most effective forensic tools, techniques, and procedures to analyze smartphone data
  • Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
  • Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
  • Interpret file systems on smartphones and locate information that is not generally accessible to users
  • Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
  • Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
  • Tie a user to a smartphone on a specific date/time and at various locations
  • Recover hidden or obfuscated communication from applications on smartphones
  • Decrypt or decode application data that are not parsed by your forensic tools
  • Detect smartphones compromised by malware and spyware using forensic methods
  • Decompile and analyze mobile malware using open-source tools
  • Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes
  • Understand how data are stored on smartphone components (SD cards) and how encrypted data can be examined by leveraging the smartphone
  • Extract and use information from smartphones and their components, including Android, iOS, BlackBerry 10, Windows Phone, Chinese knock-offs, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, Nokia [Symbian], and SIM card decoding)
  • Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
  • Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
  • Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
  • Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

FOR585 Course Topics

  • Malware and Spyware on Smartphones
    • Mobile devices in incident-response cases
    • Determining if malware or spyware exist
    • Handling the isolation of the malware
    • Decompiling malware to conduct in-depth analysis
    • Determining what has been compromised
  • Forensic Analysis of Smartphones and Their Components
    • Android
    • iOS
    • SD cards
    • Cloud-based backups and storage
    • Cloud-synced data - Google and more
    • Devices that have intentionally been modified - deleting, wiping, and hiding applications
  • Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures
    • Recovering deleted information from smartphones
    • Examining SQLite databases in-depth
    • Finding traces of user activities on smartphones
    • Recovering data from third-party applications
    • Tracing user online activities on smartphones (e.g., messaging and social networking)
    • Examining application files of interest
    • Manually decoding to recover missing data and verify results
    • Developing SQL queries to parse databases of interest
    • Understanding the user-based and smartphone-based artifacts
    • Leveraging system and application usage logs to place the device in a location and state when applications were used
  • In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools
    • Using your tools in ways you didn't know were possible
    • Leveraging custom scripts to parse deleted data
    • Leveraging scripts to conduct forensic analysis
    • Carving data
    • Developing custom SQL queries
    • Conducting physical and logical keyword searches
    • Manually generating timelines and performing link analysis using information from smartphones
    • Reporting
    • Using geolocation information from smartphones and smartphone components to place a suspect at a location when an artifact was created
  • Handling Locked and Encrypted Devices
    • Extracting evidence from locked smartphones
    • Bypassing encryption (kernel and application level)
    • Cracking passcodes
    • Decrypting backups of smartphones
    • Decrypting third-party application files
    • Examining encrypted data from SD cards
  • Incident Response Considerations for Smartphones
    • How your actions can alter the device
    • How to prevent remote access on the device
    • How to tie a user or activity to a device at a specific time
    • How mobile device management can hurt as much as help you

Hands-On Training

FOR585 features 31 hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs allow you to "choose your own adventure" so that students who may need to focus on a specific device can select relevant labs and go back to the others as time permits. The labs cover the following topics:

  • Malware and Spyware -- Two labs are designed to teach students how to identify, manually decompile, and analyze malware recovered from an Android device. The processes used here reach beyond commercial forensic kits and methods. Bonus IPA and APK files are provided for practice. Two additional bonus labs are available on the USB.
  • Android Analysis -- Four labs are designed to teach students how to manually crack locked devices, carve for deleted data, validate tool results, place the user behind an artifact, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. Open-source methods are utilized and highlighted where possible. An additional lab teaches students how to manually crack lock codes from Android devices. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods.
  • iOS Analysis -- Five labs are designed to teach students how to manually carve for deleted data, validate tool results, manually parse plists and databases of interest, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. In addition, methods for "tricking" your tools into parsing data from encrypted images are built into the labs. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods. There are other bonus iOS labs on the course USB.
  • Backup File Analysis -- Three labs are designed to teach students how to parse data from iOS and Android backup files. These labs will drive students to parse data from databases, plists, and third-party application data. A bonus lab on BlackBerry backups is provided.
  • Wiped Phone Analysis -- This is one of the more challenging labs for students, as the device used will have been wiped prior to acquisition. Students will be able to test all of the methods they learned during the course to see what can really be recovered from a wiped smartphone.
  • BlackBerry 10 Analysis -- This all-encompassing lab provides students with a chance to tie external media (SIM cards) to a device, understand how data are manually carved and parsed, and understand how BlackBerry 10 applications differ from Android and iOS. Will you be able to identify a BlackBerry running Android applications? The methods used in this lab will apply to other smartphones that contain SIM cards and leverage third-party applications (Android, Windows Phone, Nokia, etc.).
  • Knock-off Phone Analysis -- This lab focuses on handling knock-off devices, understanding the file system, and decoding the data not parsed by commercial tools.
  • Third-Party Application Analysis -- These labs challenge students to examine third-party applications pulled from multiple smartphone devices, and to manually parse applications that are not commonly parsed by commercial tools.
  • Parsing Application Databases -- These three labs provide students the opportunity to write SQL queries to parse tables of interest and to recover attachments associated with chats, deleted chats, and data from secure chat applications. The labs will challenge students to dig deep beyond what a commercial tool can offer.
  • Browser Analysis -- This lab is focused on showing similarities and differences between computer and mobile browser artifacts. Your commercial tools may be good at parsing some evidence, but this lab will highlight what is missed!
  • Smartphone Forensic Capstone -- The final challenge tests all that students have learned in the course. It features multiple smartphone devices used in various locations involving communication, third-party applications, Internet history, cloud and network activity, shared data, and more. The exercise encourages students to dig deep and showcase what they learned in FOR585 so that they can immediately apply it to their work when returning to their jobs.

What You Will Receive

  • Smartphone Analysis Windows SIFT Workstation
    • A FOR585 SIFT Windows virtual machine (Smartphone Version) is used with all hands-on exercises to teach students how to examine and investigate information on smartphones. The SIFT virtual machine designed for this course contains free and open-source tools, custom and community scripts, commercial tools used in the class, and bonus tools that may aid in your investigations.
  • Smartphone Analysis Tool Licenses
    • UFED4PC License
    • Physical Analyzer License
    • BlackLight License
    • Magnet AXIOM License
    • Elcomsoft Cloud eXplorer License
    • Elcomsoft Phone Password Breaker License
    • Elcomsoft Phone Viewer License
    • Open-Source Tools
    • Bonus Acquisition Tools (Upon Request)
    • Bonus SQLite Tools (Upon Request)
  • Electronic Download package containing:
    • FOR585 Windows SIFT workstation
    • Forensic Capstone data, bonus labs, bonus course material, utilities, bonus IPA/APK files, and other documentation
  • SANS Advanced Smartphone Forensic Electronic Exercise Workbook
    • The course electronic exercise book is packed full of questions and scenarios and contains detailed step-by-step instructions and examples to help you become a better smartphone examiner


Please plan to arrive 30 minutes early on Day 1 for lab preparation and set-up.

Course Syllabus

Domenica Crognale
Mon Nov 30th, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT


Focus: Although smartphone forensic concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. On this first course day, students will apply what they know to smartphone forensic handling, device capabilities, acquisition methods, SQLite database examination, and query development. They'll also gain an overview of Android devices. We end this section by examining Android backups and cloud data associated with Android and Google. Students will become familiar with the most popular forensic tools required to complete comprehensive examinations of smartphone data structures.

Smartphones will be introduced and defined to set our expectations for what we can recover using digital forensic methodologies. We quickly review smartphone concepts and the forensic implications of each. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. Students will be taught methodologies for handling devices in different states, such as HOT or COLD devices. We will discuss how to process and decode data on mobile devices from a forensic perspective, then learn tactics to recover information that even forensic tools may not always be able to retrieve.

Forensic examiners must understand the concept of interpreting and analyzing the information on a variety of smartphones, as well as the limitations of existing methods for extracting data from these devices. This course day is packed full of knowledge and covers how to handle encryption issues, smartphone components, bonus material on misfit devices (ones you may not commonly see), and SQLite overview and simple query language. We'll also introduce students to Android and methods for creating and analyzing Android backup files.

The SIFT Workstation used in class has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.

  • SIFT Workstation: Laboratory setup
  • Hands-on demonstrations and familiarization with smartphone forensic tools
  • Familiarization with Physical Analyzer with a physical Android extraction
  • Familiarization with AXIOM with an iOS backup extraction
  • Introduction to SQLite database forensics and drafting of simple SQL queries
  • Forensic analysis of Android backups

CPE/CMU Credits: 6

  • The SIFT Workstation
  • Introduction to Smartphones
    • Smartphone Components and Identifiers
    • Assessing Capabilities of Evidential Devices
    • Common File Systems
    • Forensic Impact of Flash Memory
    • Data Storage Broken Down and Defined
  • Smartphone Handling
    • Preserving Smartphone Evidence
    • Preventing Data Destruction
    • How to Handle HOT and COLD Devices
  • Forensic Acquisition Concepts of Smartphones
    • Logical Acquisition
    • File System Acquisition
    • Full File System Acquisition
    • Physical Acquisition
    • Advanced Acquisition Methods and Techniques
  • Smartphone Components
    • SIM Card Overview and Examination
    • SD Card Handling and Examination
  • Smartphone Forensic Tool Overview - Physical Analyzer
    • Physical and Logical Keyword Searching
    • Key Features
    • Tips and Tricks
  • Smartphone Forensic Tool Overview - AXIOM
    • Physical and Logical Keyword Searching
    • Key Features
    • Tips and Tricks
  • Introduction to SQLite
    • How SQLite Databases Function
    • How Data Are Stored in These Files
    • How to Examine SQLite Databases
    • How to Create Simple Queries to Parse Information of Interest
  • Android Forensic Overview
    • Android Architecture and Components
    • NAND Flash Memory in Android Devices
    • Android File System Overview
    • Full Disk Encryption vs. File-based Encryption
  • Android Backup Files
    • Overview of Backup File Forensics
    • File Structures of Android Backups
    • Locked Android Backups
    • Data of Interest
  • Google Cloud Data and Extractions
    • Google Cloud Data Extraction and Analysis

Bonus Materials

  • Acquisition of Smartphones Using Tools Provided in the SIFT virtual machine
  • Relevant White Papers and Guides
  • Smartphone Cheat Sheets
  • Mobile Device Repair
  • Bonus Lab: Nokia (Symbian) Forensics
  • Bonus Lab: BlackBerry Backup File Examination
  • Bonus Lab: BlackBerry Device Forensics (Legacy OS 7 Device)
  • Bonus Lab: SIM Card Data Decoding
  • Bonus Lab: BlackBerry 10 Analysis
  • Bonus Lab: Knock-off Forensic Analysis

Domenica Crognale
Tue Dec 1st, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT



Android devices are among the most widely used smartphones in the world, which means they surely will be part of an investigation that comes across your desk. Unfortunately, gaining access to these devices isn't as easy as it used to be. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, without honing the appropriate skills to bypass locked Androids and correctly interpret the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics. Android backups can be created for forensic analysis or by a user. Smartphone examiners need to understand the file structures and how to parse these data. Additionally, Android and Google cloud data store tons of valuable information. You will find Google artifacts from iOS users as well.


Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.

During hands-on exercises, you will use smartphone forensic tools to extract, decode, and analyze a wide variety of information from Android devices. You will use the SQLite examination skills you learned in the first course section to draft queries to parse information that commercial tools cannot support. When all else fails and the tools cannot extract information from newer Android devices, we will use ADB to manually interact and extract data of interest. We'll demonstrate methods to extract and examine cloud data, then end the day by analyzing a physical extraction of an Android device.

  • Manually decoding and extracting information from Android file systems and logical acquisitions
  • Manually parsing third-party applications and conducting deep-dive decoding and recovery of user activities on Android devices
  • Manually decoding and interpreting data recovered from a physical dump of an Android device
  • Leveraging scripts to triage large extractions from Android devices
  • Using ADB to interact with Android devices

CPE/CMU Credits: 6

  • Android Acquisition Considerations
    • Methods Available
      • Physical
      • File System
      • Logical/Backup
    • Understanding the Limitations of Extraction Options
    • Understanding Traces Left Behind
  • Android File System Structures
    • Defining Data Structure Layout
      • Physical
      • File System
      • Logical/Backup
    • Data Storage Formats
    • Parsing and Carving Data
    • Physical and Logical Keyword Searches
  • Handling Locked Android Devices
    • Security Options on Android
    • Methods for Bypassing Locked Android Devices
    • Practical Tips for Accessing Locked Android Devices
  • Android Evidentiary Locations
    • Primary Evidentiary Locations
    • Unique File Recovery
    • Parsing SQLite Database Files
    • Manual Decoding of Android Data
  • Traces of User Activity on Android Devices
    • How Android Applications Store Data
    • Deep Dive into Data Structures on Android Smartphones
      • SMS/MMS
      • Calls, Contacts, and Calendar
      • E-mail and Web Browsing
      • Location Information
      • Third-Party Applications
      • Application Usage
      • System Logs of Interest
    • Salvaging Deleted SQLite Records
    • Salvaging Deleted Data from Raw Images on Android Devices

Bonus Materials

  • Smartphone Cheat Sheets
  • Android Acquisition Methods
  • Relevant White Papers and Guides
  • Hands-on Lab to Pull Data Using ADB from an Android Device
  • Bonus Lab: Cracking Android Locks

Domenica Crognale
Wed Dec 2nd, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT



Apple iOS devices contain substantial amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed to bypass locked iOS devices and correctly interpret the data. This course section will cover extraction techniques using jailbreaks and exploits. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.


This section dives right into iOS devices. Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. We'll cover encryption, decryption, file parsing, and traces of user activities in detail.

During hands-on exercises, students will use smartphone forensic tools and methods to extract and analyze a wide variety of information from iOS devices. Students will also be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools and scripts supporting iOS device forensics.

  • Manually decoding and extracting information from iOS file system acquisition
  • Extracting information from a full file system checkm8 extraction
  • Leveraging community scripts to quickly analyze and timeline a full file system extraction from an iOS device
  • Manually parsing third-party applications and conducting deep-dive decoding and recovery of user activities on iOS devices
  • Placing the user behind the artifact based on location information and other traces found on file system dumps from iOS devices

CPE/CMU Credits: 6

  • iOS Forensic Overview and Acquisition
    • iOS Architecture and Components
    • NAND Flash Memory in iOS Devices
    • iOS File Systems
    • iOS Versions
    • iOS Encryption
    • iOS Exploits and Jailbreaks
  • iOS File System Structures
    • Defining Data Structure Layout
      • Physical
      • Full File System
      • File System
      • Logical
    • Data Storage Formats
    • Parsing and Carving Data
    • Physical and Logical Keyword Searches
  • iOS Evidentiary Locations
    • Primary Evidentiary Locations
    • Unique File Recovery
    • Parsing SQLite Database Files
    • Manual Decoding of iOS Data
  • Handling Locked iOS Devices
    • Security Options on iOS
    • Current Acquisition Issues
    • Demonstration of Bypassing iOS Security
    • Practical Tips for Accessing Locked iOS Devices
  • Traces of User Activity on iOS Devices
    • How iOS Applications Store Data
    • Apple Watch Forensics
    • Deep Dive into Data Structures on iOS Devices
      • SMS/MMS
      • Calls, Contacts, and Calendar
      • E-mail and Web Browsing
      • Location Information
      • Third-Party Applications
      • Application Usage Logs
      • System Files of Interest
    • Salvaging Deleted SQLite Records
    • Salvaging Deleted Data from Raw Images

Bonus Materials

  • Smartphone Cheat Sheets
  • Hands-on Lab to Pull Data from an iOS Device Leveraging libimobiledevice
  • Manually Decoding and Interpreting Data from iOS File System Extractions
  • Manually Examining an Older File System Dump from an iOS Device
  • iOS Acquisition Methods
  • Relevant White Papers and Guides

Domenica Crognale
Thu Dec 3rd, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT



iOS backups are extremely common and are found in the cloud and on hard drives. Users create backups, and we often find that our best data can be derived from creating an iOS backup for forensic investigation. This section will cover methodologies to extract backups and cloud data and analyze the artifacts for each. Malware affects a plethora of smartphone devices. We will examine various types of malware, how it exists on smartphones, and how to identify and analyze it. Most commercial smartphone tools help you identify malware, but none of them will allow you to tear down the malware to the level we cover in this class. We'll conduct five labs on this day alone! The day ends with students challenging themselves using tools and methods learned throughout the week to recover user data from intentionally altered smartphone data (deleting, wiping, and hiding of data).


iOS backup files are commonly part of digital forensic investigations. This course day provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images. The methods learned during the previous course day are applied to the beginning of this section, as iOS backup files are essentially file system extractions. Examiners today have to address the existence of malware on smartphones. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it. It is important for examiners to understand malware and how to identify its existence on the smartphone.

During hands-on exercises, students will use smartphone forensic tools and other methods to extract and analyze a wide range of information from iOS backups, an Android device containing mobile malware, and a device that was intentionally manipulated by the user. Students will be required to manually decode data that were wiped, encrypted, or deleted, or that are unrecoverable using smartphone forensic tools.

  • Advanced backup file forensic exercise involving a legacy iOS backup file that requires manual decoding and carving to recover data missed by smartphone forensic tools
  • Advanced backup file forensic exercise involving an iOS 13 backup file that requires manual decoding and carving to recover data missed by smartphone forensic tools
  • Two malware labs: Malware detection and analysis on a physical Android extraction, and unpacking and analyzing malware files
  • Recovering any traces of user activity from a device where an application was tampered with and deleted

CPE/CMU Credits: 6

  • iOS Backup File Forensics
    • Creating and Parsing Backup Files
    • iCloud vs iTunes Data
    • Verifying Backup File Data
  • Locked iOS Backup Files
    • Decrypting Locked iOS Backup Files
    • How to Successfully Parse
  • iCloud Data Extraction and Analysis
    • How to Extract Cloud Data
    • How to Parse Cloud Data
  • Malware and Spyware Forensics
    • Different Types of Common Malware
    • Common Locations on Smartphones
    • How to Determine a Compromise
      • How to Recover from a Compromise
        • What Was Affected?
        • How to Isolate?
      • How to Analyze Using Reverse-Engineering Methodologies
  • Detecting Evidence Destruction
    • Different Types of Destruction Methods
    • Determining When the Destruction Occurred
    • Understanding What Happens When Data Are Destroyed

Bonus Materials

  • Smartphone Cheat Sheets
  • Malware/Spyware Cheat Sheet
  • APK Decompiling Cheat Sheet
  • Backup File Acquisition Methods
  • Relevant White Papers and Guides

Domenica Crognale
Fri Dec 4th, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT



This course day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. The rest of the day focuses heavily on secure chat applications, recovery of deleted application data and attachments, mobile browser artifacts, and knock-off phone forensics. The skills learned in this section will provide students with advanced methods for decoding data stored in third-party applications across all smartphones. We will show you what the commercial tools miss and teach you how to recover these artifacts yourself.


During hands-on exercises, students will use smartphone forensic tools to extract and analyze third-party application files of interest, and then manually dig and recover data that are missed. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools and custom SQLite queries that they write themselves. The hands-on exercises will be a compilation of everything students have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones. When this section ends, you will have proven that you have the skill set to recover artifacts that the forensic tools cannot recover.

  • Advanced third-party application exercise requiring students to use skills learned during the first four days of the course to manually decode communications stored in third-party application files across multiple smartphones
  • Browser analysis exercise requiring students to manually examine third-party browser activity that the commercial tools may not parse
  • Recovery of attachments using an exercise that requires students to write more complex SQL queries to recover attachments from the smartphone
  • Recovery of deleted data from chat applications using an exercise challenging students to develop techniques to locate and recover deleted content

CPE/CMU Credits: 6

  • Third-Party Application Overview
    • Common Applications Across Smartphones
  • Third-Party Application Artifacts
    • How to Locate
    • Data Format
    • Manual Recovery
    • Decoding Methods
  • Messaging Applications and Recovering Attachments
    • How to Locate
    • Data Format
    • Manual Recovery
    • Decoding Methods
    • SQL Query Development
  • Mobile Browsers
    • Third-Party Browser Overview
    • How to Locate
    • Data Format
    • Manual Recovery
  • Secure Chat Applications
    • How to Locate
    • Data Format
    • Manual Recovery
    • Decoding Methods

Domenica Crognale
Sat Dec 5th, 2020
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT



This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.


By requiring student groups to present their findings to the class, this capstone exercise will test the students' understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. An executive summary of findings is also expected.


Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation.

  • Identification and Scoping
    • Who is responsible for the crime?
    • What devices are involved?
    • Which individuals are involved?
  • Forensic Examination
    • What were the key communications between individuals?
    • What methods were used to secure the communication?
    • Were any of the mobile devices compromised by malware?
    • Were cloud data involved?
    • Did the users attempt to conceal or delete artifacts or data?
  • Forensic Reconstruction
    • What is the motive?

In addition, students will be required to generate a forensic report. Only the top team will win the forensic challenge.

Bonus Materials

  • Take-Home Case Involving a Different Scenario with Three New Smartphones
  • Questions for Take-Home Case
  • Answers for Take-Home Case

CPE/CMU Credits: 6

Additional Information

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway: Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (4th generation+), x64, 2.0+ GHz, or a more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory).
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
  • Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 16 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 16 gigabytes of RAM is the mandatory minimum.)
  • At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
  • 200 gigabytes of free space on your system hard drive is required. This space is critical to host the VMs we distribute.
  • Local administrator access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 capability


  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.


  1. Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
  2. Download and install 7-Zip (for Windows hosts) or Keka (macOS).

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

FOR585 is designed for students who are both new to and experienced with smartphone and mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensic investigator needs to process smartphones and other mobile devices. The course is a must for:

  • Experienced digital forensic examiners who want to extend their knowledge and experience to forensic analysis of mobile devices, especially smartphones
  • Media exploitation analysts who need to master Tactical Exploitation or Document and Media Exploitation operations on smartphones and mobile devices by learning how individuals used their smartphones, who they communicated with, and what files they accessed
  • Information security professionals who respond to data breach incidents and intrusions
  • Incident response teams tasked with identifying the role that smartphones played in a breach
  • Law enforcement officers, federal agents, and detectives who want to master smartphone forensics and expand their investigative skills beyond traditional host-based digital forensics
  • Accident reconstruction investigators who need to determine how a phone was accessed or used during specific periods of time
  • IT auditors who want to learn how smartphones can expose sensitive information
  • Graduates of SANS SEC575, FOR308, FOR498, FOR563, FOR500, FOR508, FOR572, FOR526, FOR610, or FOR518 who want to take their skills to the next level

There is no prerequisite for this course, but a basic understanding of digital forensic file structures and terminology will help students grasp topics that are more advanced. Previous training in mobile device forensic acquisition is also useful, but not required. We do not teach basic acquisition methods in class, but we do provide instructions about them in the bonus course material.

FOR585 is an ideal course for graduates of SANS SEC575, FOR308, FOR563, FOR508, FOR526, FOR572, FOR610, or FOR518 who want to take their skills to the next level. Most of these courses can be taken in any order.

Related Courses

FOR585 is an ideal course for graduates of SANS SEC575, FOR498, FOR563, FOR500 (formerly FOR408), FOR508, FOR526, FOR572, FOR610, and FOR518 who want to take their skills to the next level. Most of these courses can be taken in any order.

"Simply brilliant! The best SANS course I have ever taken, excellently developed and expertly delivered." - R. Pittman, NASA

"Great class to take in conjunction with SANS 408/508. I'm better prepared to do my job as a Forensic Analyst." - B. Kelley, US Army

"I have been working on phones for 3 years & have learned so many valuable things that I would not have through normal job experience." - J. Sikorski, 4Discovery

"Best hands-on mobile device training." - S. Surzyn, GM

"This is the best cell phone course that I have ever taken. I love that the course is vendor neutral and teaches many different skills." - A. Bedford, NC DOJ

"This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!" - Scott McNamee, DoS/CACI

"As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination." - Charles Cox, FBI Computer Analysis and Response Team

"FOR585 is the best out there." - Andy Nind, British Army

"This course is worth it, even for a novice like myself." - S. Gentry, Adobe

"This course was very high-quality training that provided exactly what was advertised!....Great BlackBerry lab. I have never dug this deep in a BlackBerry before." - C. McCollom, Clark County Sheriff's Office

"I finally know what I have been missing! I did not know I was ignorant." - Mark G., Department of Justice

"If I could afford it I would take this course every year. I am sure I would learn new things as the course evolves to new technology." - Jim Stapleton, student

"I have been working with phones since 2009, and [instructor] Heather [Mahalik] very casually showed me how much I don't know. Excellent!" - Harbin Combee, MPDC

Statements From Our Authors

"Digital forensic investigations almost always involve a smartphone or mobile device. Often the smartphone is the only form of digital evidence relating to the investigation and is the most personal device someone owns! Let's be honest: how many people share their smartphones like they do computers? Not many. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling and data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. FOR585: Smartphone Forensic Analysis In-Depth provides this required knowledge to beginners in mobile device forensics and to mobile device experts. This course has something to offer everyone! There is nothing out there that competes with this course and its associated GIAC certification." - Heather Mahalik

"Eighty-five percent of the world's population today has a mobile phone. In the United States alone, almost half of these devices are smartphones. The tools and techniques for acquiring and analyzing these devices are changing every day. As the handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Smartphone Forensic Analysis In-Depth will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve!" - Domenica Crognale