Overview:

Digital Mobile Forensics is fast becoming a lucrative and constantly evolving field, this is no surprise as the mobile phone industry has been witnessing some unimaginable growth, some experts say it may even replace the Computer for those only wishing to send and receive emails. As this area of digital forensics grow in scope and size due to the prevalence and proliferation of mobile devices and as the use of these devices grows, more evidence and information important to investigations will be found on them. To ignore examining these devices would be negligent and result in incomplete investigations. This growth has now presented new and growing career opportunities for interested practitioners in corporate, enforcement, and military settings. Mobile forensics is certainly here to stay as every mobile device is different and different results will occur based on that device requiring unique expertise.

This course was put together focusing on what today’s Mobile Forensics practitioner requires, some of the advanced areas this course will be covering are the intricacies of manual Acquisition (physical vs. logical) & advanced analysis using reverse engineering understanding how the popular Mobile OSs are hardened to defend against common attacks and exploits.

CAST On-site provides personalised Advanced Security Courses to meet the needs of the individual or company and are planned to ensure maximum flexibility in terms of logistics, dates and cost issues. Our certified expert trainers are experienced educators and highly knowledgeable in their respective fields. CAST On-site prides itself on strict quality control principles at all times to ensure that clients receive the highest standard of training and service. CAST On-Site training is designed to add great value to your work force by increasing staff efficiency and skills ensuring improved productivity and output that far exceeds the value of the initial training costs.

Objective

After completing this course, students will be able to:

-      Staying updated and abreast of the latest technologies that are being developed and used by the best in the field

-      Protect your organization by retrieving stolen data and incriminating evidence from communications devices used by rogue employees

-      Influence results of civil, private litigation and criminal cases by providing crucial evidence such as the suspects involved, their locations at the time of question and the role they played by extracting this information from mobile devices

-      Refine current mobile forensic processes by addressing its unique problems of preserving crucial data and producing valid results

-      Protecting your organization by conducting proper & regular IT Audit investigations on mobile devices to ensure no misuse of company information

Duration:

3 days

Intended Audience:

-      Risk Assessment Professionals

-      Digital Forensics Investigators

-      Information Security Professionals

-      Mobile Developers

-      Penetration Testers – CEH Professionals

-      Law Enforcement Officers and Government Agencies

-      Attorneys, Paralegals and First Responders

-      Accountants and Financial Personnel

-      Anyone who deals with implementation, testing, security hardening of mobile devices

Course outlines:

Module 01: Mobile Forensic Challenges

• Digital Forensics: An Overview
• When is Computer Forensics Required?
• Case Study1: Insider Attack – WikiLeaks Case
• Case Study2: External Attacks – Credit Card Theft
• Case Study: External Attacks – T.J. Maxx Case
• Understanding Digital Evidence
• Characteristics of Digital Evidence
• Types of Digital Evidence
• Best Evidence Rule
• SWGDE Standards for the Exchange of Digital Evidence
• Computer Forensics Investigation Process
• Digital Forensics Challenges
• Mobile Device Forensics
• How Mobile Forensics differs from Computer Forensics
• History of Mobile Phone Forensics
• Where are We headed In Mobile Forensics?
• Role of Mobile Forensics in IT Security
• Why Mobile Forensics?
• News: AG Kane Unveils Mobile Forensics Unit To Catch Child Predators
• News: Man Serves Just One Day in Child Porn Case
• Mobile Forensics Challenges
• Digital Forensics: Criminal vs. Civil Cases
• Case Study: Criminal Case
• Case Study: Civil Case
• Case Study: Mobile Phone Forensics
• Forensics Investigation Challenges: Criminal Cases
• Forensics Investigation Challenges: Civil Cases

Module 02: Mobile Forensics Process

• Mobile Forensics Process
• Why Mobile Forensics Process?
• What Should You Do Before the Investigation?
• Build a Forensics Workstation
• Build the Investigation Team
• People Involved in Mobile Forensics
• Review Policies and Laws
• Notify Decision Makers and Acquire Authorization
• Risk Assessment
• Build a Mobile Forensics Toolkit
• Mobile Forensics Investigation Process

-      Obtain Search Warrant (If Required)

-      Requesting For Call Detail Record (CDR)

-      Evidence Preservation

+     Preservation Steps in Normal Case

+     Preservation Steps in Abnormal Case

-      Evaluate and Secure the Scene

-      Documenting the Scene

+     Visual/Audio Capture

-      Collect the Evidence

-      Set of Rules for Switching ON/OFF Mobile Phone

-      Mobile Phone Signal Containment

-      Packing, Transporting, and Storing the Evidence

-      Chain of Custody Documentation

-      Evidence Acquisition

+     Acquisition Process

+     Maintaining Integrity of the Evidence

+     Sterilization of the Destination Storage Media

+     Disk Sterilization Tools

-      Examination and Analysis

-      Generating Investigation Report

• Mobile Forensics Process Challenges

-      Procedural Challenges

-      Acquisition Challenges

-      Integrity Challenges

• Mobile Phone Anti-Forensics Activities
• Anti-Forensics Tools and Techniques
• Common Mistakes in Search Warrants, Affidavit and Mobile Forensics Process

Module 03: Mobile Hardware Design and Architectures

• Mobile Hardware and Forensics
• Typical Components of Mobile Device Hardware Architecture
• Samsung Mobile Device Hardware Design
• Basic Hardware Design of Android-based Devices

-      Intel Mobile Processors for Android

-      Motorola Droid Tear Down

• Basic Hardware Design of Windows Phone OS based Devices

-      Example: Qualcomm Snapdragon 800 Architecture for Windows Phone

-      HTC Surround Teardown

• Basic Hardware Design of iOS based Devices

-      iOS Mobile Models and Configuration

-      iPhone 3GS Hardware Architecture

-      iPhone 5 Teardown

-      iPhone 6 Teardown

-      iPhone 6 Plus Teardown

• Mobile Hardware Toolkit

-      Pro Tech Toolkit

Module 04: Mobile OS Architecture, Boot Process, and File Systems

• Mobile Storage and Forensics
• Mobile Storage and Evidence Locations
• Mobile Memory File System
• Internal Memory in Mobile Phones
• Mobile OS and Forensics
• Architectural Layers of Mobile Device Environment
• Android Architecture Stack

-      Android File System

-      Android Internal Memory Layout

-      Flash Memory Partitions: MDT-based Android Devices

+     Viewing MTD Partitions

+     YAFFS2 Data Extraction Tools

-      Flash Memory Partitions: eMMC-based Android Devices

-      Flash Memory Partitions: MMC-based Android Devices

-      Android Boot Process

• Windows Phone 8.1 Architecture

-      Windows Phone File System

-      Windows Phone Boot Process

• iOS Architecture

-      iPhone HFS+ File System

-      iOS File System

-      iOS Boot Process

-      Normal and DFU Mode Booting

-      Booting iPhone in DFU Mode

Module 05: Mobile Threats and Security

• Mobile Threat Evolution
• Global Mobile Virus Infection Rates 2014
• News: Gmail App for IOS Leaves Users Vulnerable To Man-in-the-Middle Attacks
• Distribution of Mobile Threats 2014
• Top 20 Malicious Mobile Programs
• The Geography of Mobile Threats
• OWASP Mobile Top 10 Risks
• Mobile Threat Agents
• Top Threats Targeting Mobile Devices
• Types of Mobile Device Attack

-      Consequences of Host and Network Based Mobile Attacks

-      Wi-Fi Based Mobile Attacks

-      Bluetooth Attacks

-      HTML 5 Based Attacks

-      Rise in HTML5 App Packaged Malware/ Potentially Unwanted Apps (PUAs)

• Mobile Hacking Toolkit
• Additional Mobile Hacking Tools
• iOS Platform Security Overview
• Android Platform Security Overview
• Platform Security Removal Techniques: Jailbreaking/Rooting

-      Security Implications of Jailbreaking/Rooting

-      Untethered Jailbreaking of iOS 8.X.X Using Pangu

-      Jailbreaking Tools: Redsn0w and Absinthe

-      Jailbreaking Tools: evasi0n7 and GeekSn0w

-      Jailbreaking Tools: Sn0wbreeze and PwnageTool

-      Jailbreaking Tools: LimeRa1n and Blackra1n

-      Rooting Android Phones Using SuperOneClick

-      Android Rooting Tools

-      Additional iOS Jailbreaking Tools

-      Additional Android Rooting Tools

• 10 Reasons Why Mobile Device Are Compromised
• Mobile Device Security Guidelines

-      Mobile Phone Passwords: A weak Security Link

-      Handling Lost or Stolen Devices

-      Symptoms of Mobile Malware Infections

-      Protecting Against Mobile Malwares

-      Mobile Data Security Best Practices

-      Mobile Application Security Best Practices

-      OWASP Mobile Security Project

• Mobile Network Security Guideline

-      Mobile Enterprise Security: Mobile Device Management (MDM)

-      Mobile Device Management (MDM) Best Practices

+     MDM Solutions

-      Mobile Enterprise Security: BYOD Risks

-      Mobile Enterprise Security: Mitigating BYOD Risks

+     Secure BYOD Implementation

-      Mobile Vulnerability Scanning Tools: Nessus

-      Mobile Vulnerability Scanning Tools

-      Android Mobile Security Tools

-      iOS Mobile Security Tools

     Labs
Lab: Rooting an Android Device Using Kingo ROOT
Lab: Advanced Hacking and Spying a Mobile Device Using AndroRat

Module 06: Mobile Evidence Acquisition and Analysis

• Mobile Phone Evidence Analysis
• Mobile Evidence Acquisition
• Data Acquisition Methods
• Manual Acquisition

-      Manual Acquisition Using ZRT3

• Logical Acquisition

-      Android Logical Acquisition Using adb Tool

-      Android Debugging Bridge (adb)

-      Android Logical Acquisition Using ViaExtract

-      Enabling USB Debugging

-      Android Logical Acquisition Using MOBILedit

-      Additional Logical Acquisition Tools

-      iPhone Data Acquisition Tools

• Physical Acquisition

-      Physical Acquisition Using ViaExtract

• JTAG Forensics
• Chip-off Forensics
• Chip-off Forensics Process
• Chip-off Forensic Equipment
• Flasher Boxes
• File System Acquisition

-      File System Acquisition Using ViaExtract

• Android Forensics Analysis Using ViaExtract
• iPhone Data Extraction

-      iPhone Forensics Analysis Using the Oxygen Forensics Suite

-      iPhone Forensics Analysis Using Internet Evidence Finder (IEF)

-      iPhone Forensics Analysis Using iPhone Backup Analyzer (IPBA)

-      iPhone Forensics Analysis on Santoku Linux

-      Creating Disk Image of an iPhone Using SSH

-      Retrieving Files From iPhone Using SCP Command

• Subscriber Identify Modules (SIM)

-      SIM Card Anatomy

-      SIM File System

-      SIM Cloning

-      SIM Data Acquisition Tools

• Forensics Imaging

-      Forensics Imaging Using FTK Imager

• File Carving

-      File Carving Using Autopsy

-      File Carving Using Forensic Explorer

-      iPhone File Carving Using Scalpel Tool

-      File Carving Tools

• Phone Locking

-      Bypassing Android Phone Lock Pattern Using ViaExtract

-      Bypassing Android Phone Lock Password Using ADB

• iPhone Passcodes

-      Bypassing the iPhone Passcode Using IExplorer

-      iPhone Passcode Removal Tools

-      Bypassing the iPhone Passcode

• Decrypting iOS Keychain
• SQLite Database Extraction

-      Forensics Analysis of SQLite Database Using Andriller

-      SQLite Database Browsing Tools: Oxygen Forensics SQLite Viewer

-      SQLite Database Browsing Tools

• Additional Mobile Phone Forensics Tools
• Additional File Carving Tools
• iPhone Mobile Forensic Solutions
• SIM Forensic Analysis Tools
• Mobile Forensics Hardware Tools
• Cell Site Analysis

-      Cell Site Analysis: Analyzing Service Provider Data

-      CDR Contents

-      Sample CDR Log File

Module 07: Mobile Application Reverse Engineering

• Reverse Engineering
• Why Reverse Engineering?
• Reverse Engineering Applications
• Mobile Forensics and Reverse Engineering
• Skills Required for Mobile Reverse Engineering
• Mobile Packages

-      APK and IPA Mobile Packages

-      Android Application Development Process

-      Android Application Development Flow: Forward Engineering

-      Android APK Packaging

-      Dissecting Android Packages

-      Application Layout

-      Android Manifest and Permissions

• Reverse Engineering: Decompiling and Disassembling APK
• Reverse Engineering: Decompiling and Dessembling with apktool
• Reverse Engineering: Decompiling and Dessembling with Baksmali
• Reverse Engineering: Decompiling and Disassembling Using dex2jar and jd-gui
• Android Reverse Engineering Tools: Androguard and Radare
• IPA Package

-      Understanding IPA Package Structure

-      iPhone App Reverse Engineering

-      Before IPA Reverse Engineering

-      Extracting Resources of iPhone App

-      iPhone Application Binaries

-      iPhone Binary Format

• iOS Reverse Engineering Tools: MachOView, otool, and GDB
• Binary Analysis Tools: Class-dump
• iPhone Reverse Engineering: Examining the Binaries Using Class Dump
• Defeating IPA Encryption
• iOS Reverse Engineering Tool: IDA Pro
• Mobile Phone Reverse Engineering Tools
• Online Malware Analysis Service: VirusTotal
• Mobile Malware Analysis Tools
• Preventing APK Reverse Engineering: Progaurd
• Preventing APK Reverse Engineering: DexGuard
• Preventing IPA Reverse Engineering

Module 08: Mobile Forensics Reporting and Expert Testimony

• Post Forensics Activities
• Forensics Reporting
• Forensics Documentation and Report Generation
• Use of Supporting Material
• Mobile Forensics Report Template
• Items That Needs to Submitted in the Court
• Guidelines for Writing a Report
• Before Prosecution
• Sample Mobile Forensics Analysis Worksheet
• Sample Mobile Phone Search Warrant Format
• Sample Chain of Custody Form
• Sample Chain of Custody Tracking Form
• Sample Evidence Collection Form
• CellDEK Sample Mobile Forensic Report Snapshots
• Preparing for Testimony
• What Makes a Good Expert Witness?

     Labs

Lab 07: Extracting the Databases of an Android Mobile Device Using Andriller

Lab 08: Analyzing the Databases Using Oxygen Forensics SQLite Viewer

Lab 11: Conducting Mobile Malware Analysis Using Reverse Engineering

LABS

1.      Day 1

• Module 1 – Mobile Forensic Challenges
• Module 2 – Mobile Forensics Process
• Module 3 – Mobile Hardware Design and Architectures
• Module 4 – Mobile OS Architecture, Boot Process, and File Systems
• Module 5 – Mobile Threats and Security

     Labs

Lab: Rooting an Android Device Using Kingo ROOT
Lab: Advanced Hacking and Spying a Mobile Device Using AndroRat

2.      Day 2

• Module 6 – Mobile Evidence Acquisition and Analysis

     Labs

Lab: Rooting an Android Device Using viaExract
Lab: Bypassing Android Lock Screen Using viaExtract and adb
Lab: Filesystem Acquisition Using viaExtract
Lab: Logical Acquisition Using viaExtract
Lab: Performing Logical Data Extraction on a Mobile Device Using MOBILedit! Forensic
Lab: Forensic Imaging of a Mobile Device Using AccessData FTK Imager
Lab: Analyzing the Forensic Image and Carving the Deleted Files Using Autopsy
Lab: Analyzing the Forensic Image and Carving the Deleted Files Using Forensic Explorer

3.      Day 3

• Module 7 – Mobile Application Reverse Engineering
• Module 8 – Mobile Forensics Reporting and Expert Testimony

     Labs

Lab: Extracting the Databases of an Android Mobile Device Using Andriller
Lab: Analyzing the Databases Using Oxygen Forensics SQLite Viewer
Lab: Conducting Mobile Malware Analysis Using Reverse Engineering