MODULE 1: COURSE INTRODUCTION
- Meet the instructor and other students while seeing what’s expected for the week.
- Work through a mobile device evidence handling procedure to maximize available information.
- Install Magnet AXIOM, along with the open-source tools and supporting files needed to complete the course.
MODULE 2: ACQUIRING IOS DEVICES
- Learn about the iOS operating system and how to acquire Apple devices running it. The software will be outlined, along with the security levels and procedures that govern access to these devices, including handset passcodes, Touch ID, and pairing (lockdown) records.
- Understand how to identify specific iOS device models and versions, and the standard imaging procedures for iOS devices, including iTunes backups and Apple File Conduit (AFC) extractions.
- Learn about command-line extraction tools and techniques, including how to generate sysdiagnose logs on a device and what data they contain.
- Watch an instructor-led demonstration of extracting information using Magnet AXIOM from an iOS device.
MODULE 3: IOS ANALYSIS
- Learn how to identify, examine, and report on data from the iOS operating system, both data that forensic tools such as Magnet AXIOM parse natively and data they do not support.
- Understand the data extracted from iOS devices, map backup files back to their original file-system paths, and process the backup contents in a "friendly" file-system view.
- Gain knowledge of the two main data containers, SQLite databases and property list (plist) files, and learn how to examine them using the built-in viewers in Magnet AXIOM Examine.
- Core artifacts such as SMS/iMessage, call logs, and contacts will also be covered. See how these containers are structured for manual examination and analysis.
- Other artifacts outside the "standard" tool-supported set, such as Safari web history and plist configuration data, will also be covered.
- The anatomy of third-party iOS applications will be demonstrated, along with how to identify and extract information from these apps when the tool does not recover it automatically.
- Learn how to parse data from the log files in sysdiagnose output, data that is usually available only in full file-system images.
MODULE 4: ACQUIRING ANDROID DEVICES
- This module focuses primarily on the Android operating system and will cover the different levels and ways to extract information from these devices.
- Because the Android ecosystem is heavily fragmented, multiple extraction levels will be explained so that students can identify the right acquisition procedure for each device.
- Learn how to research the factors (device model, OS version, security patch level, bootloader state) that determine which level of extraction can be applied.
- Security features such as full-disk encryption (FDE) versus file-based encryption (FBE) will be discussed and identified, and advanced acquisition techniques, including passcode bypass, flashing the recovery partition, using custom recovery images, and application downgrading, will be discussed and demonstrated in instructor-led practical exercises.
MODULE 5: ANDROID FILE SYSTEM ANALYSIS
- Properly identify, examine, and extract information from the Android operating system. This will include core artifacts such as SMS/RCS/MMS messages, Contacts, Call Logs, Account data and more; as well as focusing on other potentially relevant artifacts that are not automatically gathered by most forensic tools.
- Learn about artifacts that can assist in finding where data is being stored across the Android operating system. Understand how data may be duplicated and where to look to find all traces of the information.
- Learn the structure of third-party applications at both the full and quick image levels, and how to extract unsupported artifacts from the container files commonly used on Android.
- Understand what can be acquired from "live data" and which information is available only from file-system extractions.
MODULE 6: CUSTOM ARTIFACTS
- Building on the material taught over the four-day period, learn how to use AXIOM features such as Dynamic App Finder and custom artifacts to turn manually recovered data into fully functioning, supported artifacts.
- Learn how to extract additional data types using AXIOM's Search for Custom Files by Type feature.
- Share these artifacts with other examiners in the community and increase working efficiency: once an artifact has been built, the data it describes is recovered automatically in later examinations.
- Learn how to create XML-based artifacts to recover data from SQLite databases as well as advanced file carvers. The custom artifacts built in class will go back with the students and can be used to easily identify new unsupported data in future examinations.
- Learn how to use the Magnet Custom Artifacts Generator to generate artifacts for non-traditional data like Call Detail Records and ingest the data into AXIOM.