The HMFA course is designed to prepare students to conduct mobile forensic analysis and covers the fundamentals of mobile forensics including timestamp analysis, SQLite, PLists, and device preservation. The course will then look at Android and iOS analysis.
REGISTER NOW
Where: Canberra
When: October 28 to November 1
Cost: $6,600 inc GST per person
All tools utilised in this course are open source, freeware, or trial versions of inexpensive tools. It is intended that students learn concepts and techniques that are non-vendor specific, but the analysis skills taught in this course can be replicated in commercial tools.
Normally taught online or in the US, don’t miss this opportunity to learn from an expert on one of their rare trips to Australia!
Students must bring their own laptop (recent CPU, at least 8GB RAM and 250GB of disk space to participate in the labs) and we will provide links to the tools and datasets used in class so you can install them ahead of time. Some of the tools are Windows only but will work within a Windows VM if necessary.
Who is it For?
This training is designed for anyone who wants to learn more about mobile forensics. This may include current forensic examiners as well as those with an interest in the field. No formal training in digital or mobile forensics is required.
Learning Objectives
- Understand different types of forensic images available from mobile devices.
- Understand critical elements of mobile device preservation.
- Decode common mobile timestamps by hand or with the use of freeware tools.
- Create mobile data test sets for purposes of verification and validation.
- Conduct analysis of Android and iOS devices to include multimedia, communications, geolocation, and system artifacts.
- Identify and analyse unsupported 3rd party applications from mobile devices.
- Conduct comparative analysis.
Course Schedule (subject to class pacing needs)
Day 1
- Mobile forensics fundamentals:
Terminology of mobile forensics, basic components, identifiers, possible data sources, artifact types, mobile forensic image types, similarities, and differences between mobile and computer forensics. - Mobile device preservation:
Methods to maintain data integrity, network isolation, device states, and documentation.
Day 2
- Mobile timestamp fundamentals:
Manual decoding of timestamps and fundamentals such as nibble swapping and endianness are covered as well as different timestamp formats a forensic examiner may encounter in their analysis of Android and iOS mobile devices. Includes multiple parsing and decoding exercises. - SIM analysis:
Basics about Subscriber Identity Module (SIM) cards. Discussed different formats, identifiers, SIM card clones, SIM card imaging and data found on SIM Cards. Includes multiple parsing and decoding exercises.
Day 3
- SQLite forensics:
Analysis of SQLite databases to include parsing of data from binary large objects (BLOBs) and the use of SQL queries. - Android analysis:
Understanding and location of Android artifacts to include multimedia locations, timestamps, communication applications, geolocation, and system artifacts. Includes hands-on labs.
Day 4
- PList forensics:
Analysis of PLists encountered in the analysis of iOS and Mac devices, including Binary PLists, XML PLists, NSKeyedArchive, and more. - iOS analysis:
Understanding and location of Android and Google Takeout artifactsto include multimedia locations, timestamps, communication applications, geolocation, and system artifacts. Includes hands-on labs.
Day 5
- Mobile analysis methodology and 3rd party app parsing:
Methodology for mobile forensic analysis of unsupported applications and artifacts. It teaches a 5-part methodology; Discover, Test, Parse, Find, and Script. These are necessary skills to parse 3rd party applications. Includes hands-on labs and exercises. - Comparative analysis:
Utilise comparative analysis tools to understand their function in app analysis and testing. Hands-on exercises to learn to detect changes in artifacts.
DOWNLOAD BROCHURE
