FOR585: Advanced Smartphone Forensics

Provided by

About the course

FOR585: Advanced Smartphone Forensics
Mon, April 8 - Sat, April 13, 2019
Contents | Additional Info
Instructor: Domenica Crognale
 6,275 EUR
GASF Certification
Affiliate Pricing
36 CPEs
Laptop Required
Masters Program

The best part about Advanced Smartphone Forensics is it provides real world technologies for forensically investigating devices without the typical point and click approaches.

Andy Gil, ECO

If I could afford it I would take this course every year. I am sure I would learn new things as the course evolves to new technology.

Jim Stapleton, Student

FOR585: Advanced Smartphone Forensics will help you understand:

  • Where key evidence is located on a smartphone
  • How the data got onto the smartphone
  • How to recover deleted mobile device data that forensic tools miss
  • How to decode evidence stored in third-party applications
  • How to detect, decompile, and analyze mobile malware and spyware
  • Advanced acquisition terminology and free techniques to gain access to data on smartphones
  • How to handle locked or encrypted devices, applications, and containers




A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills.

Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, acquisition shortfalls, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!



FOR585 Course Topics

Malware and Spyware on Smartphones

  • Determining if malware or spyware exist
  • Handling the isolation of the malware
  • Decompiling malware to conduct in-depth analysis
  • Determining what has been compromised

Forensic Analysis of Smartphones and Their Components

  • Android
  • iOS
  • SD cards
  • Cloud-based backups and storage
  • Cloud synced data - Google and more
  • BlackBerry 10
  • Windows Phone
  • Chinese knock-offs

Deep-Dive Forensic Examination of Smartphone File Systems and Data Structures

  • Recovering deleted information from smartphones
  • Examining SQLite databases in-depth
  • Finding traces of user activities on smartphones
  • Recovering data from third-party applications
  • Tracing user online activities on smartphones (e.g., messaging and social networking)
  • Examining application files of interest
  • Manually decoding to recover missing data and verify results
  • Developing SQL queries to parse databases of interest
  • Understanding the user-based and smartphone-based artifacts

In-Depth Usage and Capabilities of the Best Smartphone Forensic Tools

  • Using your tools in ways you didn't know was possible
  • Leveraging custom scripts to parse deleted data
  • Carving data
  • Developing custom SQL queries
  • Conducting physical and logical keyword searches
  • Manually creating timeline generation and link analysis using information from smartphones
  • Reporting
  • Using geolocation information from smartphones and smartphone components that can be used to place a suspect in a location when an artifact was created

Handling Locked and Encrypted Devices

  • Extracting evidence from locked smartphones
  • Bypassing encryption (kernel and application level)
  • Cracking passcodes
  • Decrypting backups of smartphones
  • Decrypting third-party application files
  • Examining encrypted data from SD cards

Incident Response Considerations on Smartphones

  • How your actions can alter the device
  • How to prevent remote access on the device
  • How to tie a user or activity to a device at a specific time
  • Can MDM hurt as much as help you?



For multi-course live training events, there will be a set up time from 8:30-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.

Course Syllabus
  FOR585.1: Malware Forensics, Smartphone Overview, and SQLite Introduction
  FOR585.2: Android Forensics
  FOR585.3: Android Backups and iOS Device Forensics
  FOR585.4: iOS Backups, Windows, and BlackBerry 10 Forensics
  FOR585.5: Third-Party Application and Knock-Off Forensics
  FOR585.6: Smartphone Forensic Capstone Exercise
  FOR585: Advanced Smartphone Forensics Will Prepare You And Your Team To:
  Hands-On Training & Labs
  Quotes from Former Students

Statements From Our Authors
"Digital forensic investigations almost always involve a smartphone or mobile device. Often the smartphone is the only form of digital evidence relating to the investigation and is the most personal device a person owns! Let's be honest: how many people share their smartphones like they do computers? Not many. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. FOR585: Advanced Smartphone Forensics provides this required knowledge to beginners in mobile device forensics and to mobile device experts. This course has something to offer everyone! There is nothing out there that competes with this course and associated GIAC certification." - Heather Mahalik

"One thing is clear no matter whether you work in law enforcement or the private sector: the importance of evidence obtained from smartphones and other mobile devices has become crucial to all kinds of investigations. Solid foundational knowledge, skills, and techniques in mobile device forensics are no longer optional. Developed by passionate practitioners with a high level of experience in the field, FOR585: Advanced Smartphone Forensics provides the elements you need to succeed in your investigations and thrive in the rapidly changing mobile device forensics environment." - Cindy Murphy

"Eighty-five percent of the world's population today has a mobile phone. In the United States alone, almost half of these devices are smartphones. The tools and techniques for acquiring and analyzing these devices are changing every day. As the handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Advanced Smartphone Forensics will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve!" - Domenica Crognale

Related article

Cyber security – why bother? Most people’s perception of cyber-attacks are either of someone in a darkened room trying to take down web sites, or c...