  • Online, Self-Paced
  • Classroom
Course Description

FOR585: Advanced Smartphone Forensics will help you understand:

  1. Where key evidence is located on a smartphone
  2. How the data got onto the smartphone
  3. How to recover deleted mobile device data that forensic tools miss
  4. How to decode evidence stored in third-party applications
  5. How to detect, decompile, and analyze mobile malware and spyware
  6. Advanced acquisition terminology and free techniques to gain access to data on smartphones
  7. How to handle locked or encrypted devices, applications, and containers

SMARTPHONES HAVE MINDS OF THEIR OWN.

DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY.

IT'S TIME TO GET SMARTER!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, acquisition shortfalls, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!

SMARTPHONE DATA CAN'T HIDE FOREVER - IT'S TIME TO OUTSMART THE MOBILE DEVICE!

Learning Objectives

  • Select the most effective forensic tools, techniques, and procedures to analyze smartphone data
  • Reconstruct events surrounding a crime using information from smartphones, including manual timeline development and link analysis (e.g., who communicated with whom, where, and when) without relying on a tool
  • Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
  • Interpret file systems on smartphones and locate information that is not generally accessible to users
  • Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
  • Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
  • Tie a user to a smartphone at a specific date/time and at various locations
  • Recover hidden or obfuscated communication from applications on smartphones
  • Decrypt or decode application data that are not parsed by your forensic tools
  • Detect smartphones compromised by malware and spyware using forensic methods
  • Decompile and analyze mobile malware using open-source tools
  • Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes
  • Understand how data are stored on smartphone components (SD cards) and how encrypted data can be examined by leveraging the smartphone
  • Extract and use information from smartphones and their components, including Android, iOS, BlackBerry 10, Windows Phone, Chinese knock-offs, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, Nokia [Symbian], iOS File System, iOS Physical, and SIM card decoding)
  • Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
  • Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
  • Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
  • Manually extract BLOBs from SQLite databases trying to hide data
  • Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations
  • Challenge yourself by completing the 6 bonus labs and the take-home case designed to model real-world smartphone investigations

Framework Connections

The materials within this course focus on the Knowledge, Skills, and Abilities (KSAs) identified within the Specialty Areas listed below.
