Python for Advanced Mobile Forensic Analysis


Price: AUD$ 4950 per student

Location: Virtual Instructor Led and Self Paced Online Learning

The H-11 Python for Advanced Mobile-Forensics Analysis Course will take a mobile-forensics practitioner beyond simply pointing and clicking. This course will give students the ability to search out and decode data that automated mobile-forensic tools have not found, have missed, or have not analyzed. Students will use Python both inside and outside the mobile-forensic tool to quickly take raw data and make it presentable and reportable.

Students will use a variety of proprietary and open source tools, including database-analysis tools, raw-data conversion utilities, Python libraries and other tools, to learn skills and techniques for finding low-level evidence data on smartphones and other smart devices.

Course Topics and Learning Points:

  • Raw Storage Formats used in Mobile Phones
  • Decoding of Raw Phone Data
  • Intro to Python
    • The Python Shell
    • Basic Commands
    • Modifying Existing Code
  • Python inside the Mobile-Forensics Tool
    • Application-Programming Interfaces (APIs)
  • SQLite Databases
    • Manual Analysis
      • Command-Line Analysis
    • Automated Analysis
      • Within a Mobile-Forensics Tool
  • Plugins and Chains in Mobile-Forensics Tools

Required Equipment:
Laptop – Windows 7 or Windows 10

Course Outline

Module 1: Intro and Review

  • Introduction – Welcome
  • Overview
  • The Forensic Process
  • Review of Mobile-Device Forensics

Module 2: Low-Level Data Recovery and Decoding

  • Raw Storage Formats Used in Mobile Phones
    • Binary
    • Hexadecimal
    • Little vs. Big-Endian
    • Reverse Nibble
    • 7-bit
    • Base64
    • Hashing
    • Timestamp Formats
  • Manual Decoding of Raw Phone Data
  • Recovery of Phone Data Using Excel and Other 3rd Party Tools

Module 3: Intro to Python

  • Background
  • Environment Setup
  • The Python Shell
  • References
  • Basic Commands
  • Getting Python to do what you want it to
  • Modifying Existing Code
  • Finding Techniques to do what you want with Python
  • Practical Exercises

Module 4: Python inside the Mobile-Forensic Tool

  • Why do we need it?
  • What can it do for us?
  • Specific Application-Programming Interfaces (APIs) we can use
  • First Program that Recovers Previously-Undecoded Information
  • Practical Exercises

Module 5: Adding Device Information

  • Searching for and recovering Mobile-Phone Identifying Information
  • Phone Numbers
  • Unique Device IDs and Android IDs
  • Advertising Identifiers
  • Practical Exercises

Module 6: Phonebook, Call Lists, and BREW Phones

  • Recovering Simple Information from Basic Phones
  • API lookups for Wi-Fi and cellular location data
  • Practical Exercises

Databases and Final Practicals

Module 7: SQLite Databases

  • Manual Analysis
    • 3rd Party Tools
    • Command-Line Analysis
  • Automated Analysis
    • Within a Mobile-Forensics Tool

Module 8: Plugins and Chains in Mobile Forensics

Module 9: PDU-Formatted SMS in GSM Phones

Module 10: Final Practical and Group Collaboration

  • Group Exercise to create a complex program for decoding data