Cellebrite Advanced Smartphone Analysis (CASA)



    4 Day, Instructor Led Training (ILT) CASA

     

    SQLite Database Structures

    This module focuses on SQLite database structures and functionality. You will learn about write-ahead log
    and shared memory files, binary large object handling, free page lists and free page handling, the vacuum
    function, and how table data is joined. You will work through practical, hands-on exercises using UFED Physical
    Analyzer, verify your findings using other software tools, and be able to:

    • Identify mobile device hardware
    • Identify SQLite databases
    • Identify SQLite database structures
    • Explain how data is stored within SQLite databases
    • Explain how SQLite tables are joined
    • Discuss what happens when data is deleted from a SQLite database and recovery of data
    • List functions which may destroy data
    • Use scripts to extract and analyze binary large object (BLOB) data from databases
    • Assemble unsupported and new applications using UFED SQL Builder

     

    iOS Overview and Analysis


     

    iOS Device Access

    In this module, you will learn about the challenges caused by the Data Protection API found in Apple iOS
    devices. You will learn about:

    • Identifying iOS device hardware
    • iOS passcodes
    • Touch ID – time limits and investigative implications
    • Recovery of simple and complex passcodes
    • Various methods for potentially gaining access to locked iOS devices

     

    iOS and iCloud Backups

    In this module we will learn about iOS backups found on computer systems, encrypted iOS extractions, and
    what kind of information can be contained within them. We will also discuss backup file encryption and
    decryption using open source tools, iCloud backups, and decoding. At the completion of this module, you will
    be able to:

    • Identify where iOS backups can be found
    • Identify iOS backup folder structures
    • Understand how to handle encrypted iOS Backups and Extractions
    • Obtain iCloud backup files and understand how Physical Analyzer handles them
    • Use open source software to crack the password of an encrypted backup
    • Learn to use iOS settings to potentially remove the backup password

     

    Android Overview

    In this module we will discuss the evolution of the Android operating system since its availability in 2007. You
    will also learn about the different file systems commonly used and how data is stored on Android devices and
    SD cards. We will discuss encryption, extractions and limitations. At the completion of this module, you will
    be able to:

    • Briefly recount the evolution of the Android operating system since its availability in 2007
    • Identify the different file systems commonly used by Android devices
    • List the Android devices, file systems, and applications supported by Cellebrite UFED Series
    • Be familiar with the various extraction methods for Android devices
    • Understand the various types of Android encryption and possible bypasses

    Android System Artifacts

    In this module you will learn about important Android system artifacts. You will learn about obtaining data that
    documents wireless networks, time zone settings, mounted file systems, SD Card usage, pattern lock codes,
    Bluetooth information, and operating system versions; this information may prove critical to the investigation.
    At the completion of this module, you will be able to:

    • Discuss how to determine which file systems have been mounted on an Android device
    • Locate and analyse relevant system logs, Android artifacts, and device files
    • Discuss partitioning schemas used on Android devices
    • Look at other applications which may prove valuable to an investigation.
    • Locate and decode application usage logs
    • Identify and parse data from Android User account files

     

    Android User Artifacts

    In this module you will learn about artifacts created by the user’s interaction with different applications on
    the Android device. Using hands-on practical exercises, you will examine: Google Maps data, unsupported
    applications, and artifacts which store data about user activity which aren’t parsed as part of any tool
    extraction. At the completion of this module you will be able to:

    • Decode call logs and timestamps
    • Track a downloaded file's movement within an Android device
    • Identify media locations
    • Be able to interpret cloud-based storage accounts used on a mobile device
    • Decode information related to applications which are not automatically decoded by any forensic tools
    • Use Python scripts to assist in decoding data
    • Locate relevant user data items from both supported and unsupported applications used on a device
    • Decode and parse Google Maps data
    • Recover additional Chrome and browser-based data to include in your investigations

    * CHANGES TO COURSE CONTENT AND PROVIDED SOFTWARE CAN BE MADE WITH OUR PRIOR NOTICE.

     

    About the Instructor

    Scott is an Orlando, Florida Police Officer assigned to the electronic surveillance unit of the Metropolitan Bureau of Investigation, a 60-member task force of local, state and federal law enforcement agents. MBI is responsible for long-term investigations involving narcotics, organized crime and human trafficking. Scott is the only digital forensic investigator assigned to MBI and is responsible for complex investigations spanning multiple jurisdictions. His primary job with MBI involves conducting digital forensic exams on cell phones and computers. Additional duties include supporting MBI through GPS tracking, Title III intercepts and clandestine video and audio installations. Scott is part of the Cellebrite training team and has taught more than thirty five-day classes, both in the United States and internationally, to law enforcement, military and private sector students from around the world.