FOR585: SANS Munich October 2024
Provided by SANS
What You Will Learn
FOR585: Smartphone Forensic Analysis In-Depth Will Help you Understand:
It's Time to Get Smarter!
A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!
Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.
Every time the smartphone "thinks" or makes a suggestion, the data is saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You must understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data was put on the device. Consider AI vs human - how can a tool determine that level of granularity from a data set? Examination and interpretation of the data is your job, and this course will provide you and your organization with the capability to find and examine the correct evidence from smartphones with confidence.
This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 23 hands-on labs, a forensic challenge, bonus labs, and a bonus take-home case that allows students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. The course will also introduce community created tools that are designed to parse specific artifacts that compliment commercial tools.
FOR585 is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition short-falls, extraction techniques (jailbreaks and roots), file format changes, malware and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.
Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!
Smartphone Data Can't Hide Forever - It's Time To Outsmart The Mobile Device!
"This should be the course all cell examiners take once they are experienced with basic cell phone extraction and analysis." Matt L, FOR585 student
What Is Smartphone Forensics?
FOR585 features 23+ hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs allow you to "choose your own adventure" so that students who may need to focus on a specific device can select relevant labs and go back to the others as time permits.
The labs cover the following topics:
FOR585: Smartphone Forensic Analysis In-Depth Will Help you Understand:
- Where key evidence is located on a smartphone
- How the data got onto the smartphone - was it AI, was it user created, was it synced
- How to recover deleted or unparsed data that forensic tools miss
- How to decode evidence stored in third-party applications
- How to detect, decompile, and analyze mobile malware and spyware
- Advanced acquisition terminology and techniques to gain access to data on smartphones
- How to handle locked or encrypted devices, applications, and containers
- How to properly examine databases, protobofs, leveldbs, and other file formats containing application and mobile artifacts
- How to craft SQLite queries and modify python scripts to conduct mobile forensics
- How to create, validate, and verify the tools and scripts against real datasets
- How to manually parse application data when commercial tools don't support them
It's Time to Get Smarter!
A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!
Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.
Every time the smartphone "thinks" or makes a suggestion, the data is saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You must understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data was put on the device. Consider AI vs human - how can a tool determine that level of granularity from a data set? Examination and interpretation of the data is your job, and this course will provide you and your organization with the capability to find and examine the correct evidence from smartphones with confidence.
This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 23 hands-on labs, a forensic challenge, bonus labs, and a bonus take-home case that allows students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. The course will also introduce community created tools that are designed to parse specific artifacts that compliment commercial tools.
FOR585 is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition short-falls, extraction techniques (jailbreaks and roots), file format changes, malware and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.
Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!
Smartphone Data Can't Hide Forever - It's Time To Outsmart The Mobile Device!
"This should be the course all cell examiners take once they are experienced with basic cell phone extraction and analysis." Matt L, FOR585 student
What Is Smartphone Forensics?
- The ability to examine or analyze data from mobile devices
- The art of creating a pattern of life from mobile device extractions
- The ability to place a person or device at a location and state what was happening on the device at that moment in time.
- Understand Android and iOS artifacts that aid in investigations
- Understand application artifacts on iOS and Android devices
- Leverage smartphone usage to determine device locations when "something" occurred
- Gain insight to how a device is used - car connections, data syncing, hands-free, watches, etc.
- Decrease potentials of malware infecting mobile devices by understanding how infections occur and how to investigate malware that lands on mobile devices
- Gain a deep understanding of SQLite databases and how a bulk of smartphone data exists on devices
- Better understand commercial tools your company is already using and utilize the free scripts the course provides to fill the gaps these tools might have
- Gain experience in creating SQLite queries and python scripting for forensic examination
- Stay ahead of mobile technology changes and investigative trends with the SANS FOR585 Alumni Community Group
- Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
- Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
- Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
- Interpret file systems on smartphones and locate information that is not generally accessible to users
- Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, if it was AI created or synced data which will help you avoid the critical mistake of reporting false evidence obtained from tools
- Incorporate manual decoding techniques to recover unparsed data stored on smartphones
- Tie a user to a smartphone on a specific date/time and at various locations
- Recover hidden or obfuscated communication from applications on smartphones
- Decrypt or decode application data that are not parsed by your forensic tools
- Detect smartphones compromised by malware and spyware using forensic methods
- Decompile and analyze mobile malware using open-source tools
- Handle encryption on smartphones and crack iOS backup files that were encrypted with iTunes
- Extract and use information from smartphones and their components from Android, iOS, application directories, and SD cards
- Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
- Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
- Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
- Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations
FOR585 features 23+ hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs allow you to "choose your own adventure" so that students who may need to focus on a specific device can select relevant labs and go back to the others as time permits.
The labs cover the following topics:
- Malware and Spyware - Two labs are designed to teach students how to identify, manually decompile, and analyze malware recovered from an Android device. The processes used here reach beyond commercial forensic kits and methods. Bonus IPA and APK files are provided for practice. Two additional bonus labs are available on www.smarterforensics.com/for585.
- Android Analysis - Four labs are designed to teach students how to determine files of interest, carve for data and locations, validate tool results, place the user behind an artifact, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. Open-source methods are utilized and highlighted where possible. A bonus lab encourages students to interact with the device via ADB. Additional bonus labs are also available.
- iOS Analysis - Four labs are designed to teach students how to determine files of interest, carve for data and locations, validate tool results, manually parse plists and databases of interest, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. In addition, ArtEx, a free tool is introduced and used in labs to show the simplicity of understanding iOS artifacts. A bonus lab encourages students to manually interact with a live device to pull relevant information using free methods. There are other bonus iOS labs on the course USB.
- Cloud data and Backup File Analysis - Two labs are designed to teach students how to parse data from cloud data and backup files. These labs will drive students to parse data from databases, plists, and third-party application data.
- Evidence Destruction Analysis - This is one of the more challenging labs for students, as the device used will have been tampered with prior to acquisition. Students will be able to test all of the methods they learned during the course to see what can really be recovered from an altered smartphone.
- Third-Party Application Analysis - These four labs challenge students to examine third-party applications pulled from multiple smartphone devices, and to manually parse applications that are not commonly parsed by commercial tools. Bonus labs are provided for those who want more.
- Parsing Application Databases - These three labs provide students the opportunity to write SQL queries to parse tables of interest and to recover attachments associated with chats, deleted chats, and data from secure chat applications. The labs will challenge students to dig deep beyond what a commercial tool can offer. A lab leveraging a query with the ability to write or modify a python script will challenge students to understand how the tools parse data.
- Browser Analysis - This lab is focused on manually parsing mobile browser artifacts. Your commercial tools
Enquire
Start date | Location / delivery | |
---|---|---|
21 Oct 2024 | Munich | Book now |