Mobile Forensics Training (Basic and Advanced)

Mobile Forensic Analysis

1.1. Mobile device characteristics
1.2. Introduction to Mobile Forensics
1.3. Why do we need Mobile Forensics?
1.4. Challenges in Mobile Forensics

2.1. Evolution of Mobile Communication Network
2.2. First generation mobile communication
2.3. Second generation mobile communication
2.4. Third generation mobile communication
2.5. Fourth generation mobile communication
2.6. Fifth generation of wireless network technology
2.7. Mobile Communication Network Infrastructure

• Mobile Station
• Base Transceiver Station
• Base Station Controller
• Base Station Subsystem
• Mobile Switching Center
• Equipment Identity Register
• Home Location Register
• Authentication Center
• Visitor Location Register
• Network and Switching Subsystem
• Location Area Identity (LAI)
• Composition of IMEI and IMEISV
• International Mobile Subscriber Identity (IMSI)

3.1. Internal makeup
3.2. File structure
3.3. Data on SIM
3.4. Where is the evidence?
3.5. Integrated Circuit Card Identifier (ICC-ID)
3.6. International Mobile Subscriber Identity (IMSI)
3.7. Forbidden Public Land Mobile Network (FPLMN)
3.8. Abbreviated Dialing Numbers (ADNs)
3.9. Last Number Dialed (LND)
3.10. Mobile Station Integrated Services Digital Network (MSISDN)
3.11. Short Message Service (SMS)
3.12. Forensic SIM Cloning

4.1. Android

• Android OS & Versions
• Android Architecture
• Dalvik Virtual Machine (DVM)
• Android Runtime (ART)
• Why does Android use a Virtual Machine?
• Android Boot Process
• Android Application Package (APK)
• Android Security
• Android Hardware Components
• Memory
• Android File System
• Android Rooting

4.2. iOS & Devices

• iOS Devices
• iPhone Models
• iPad Models
• iPod Models
• Apple TV
• Apple Watch
• Apple Connectors
• iOS Operating System
• iOS Architecture
• iOS Secure Boot Chain
• iOS Operating Modes

 Normal
 Recovery
 DFU

• iOS Security
• iOS File System

 HFS+
 Apple File System (APFS)

• iOS Jailbreaking

5.1. Mobile Forensic Tools Classification System

• Manual extraction
• Logical extraction
• Hex Dump
• JTAG
• Chip off
• Micro Read

5.2. Data Acquisition Methods

• Manual extraction
• Logical extraction
• File System extraction
• Physical extraction

6.1. Preservation

• Things to consider at the crime scene
• Chain of Custody
• Isolation

 Remote Wipe (Android)
 Remote Wipe (iOS)
 Forensic SIM Cloning
 Faraday Bags
 RF Shielded Areas
 Jammers
 Connect to a Power Source
 Airplane Mode

• Mobile Device (Android)

 Enable USB debugging
 Enable stay awake setting
 Increase Screen timeout
 Check Android Version

• Mobile Device (iOS)

 Mobile Device (Turned on & Locked)
 Mobile Device (Turned on & Unlocked)
 Mobile Device (Turned Off)
 Identify iPhone Model
 Check Firmware Version
 On-Site Triage Processing

• Packaging
• Transportation
• Storage

6.2. Acquisition

• Forensic Imaging with 20 Different Mobile Phones (Hands on)

 Operating system backup
 Logical imaging
 File extraction
 Android backup
 iTunes backup
 Physical imaging
 Imaging with “ADB.exe”
 Imaging with “Autopsy”
 Imaging with “Cellebrite UFED4PC” and “Physical Analyzer”
 Imaging with “HancomGMD NEXT”
 Imaging with “MobilEdit Forensic Express”

• Surgery on Mobile Operating Systems (Hands on)

 Rooting of Google Android
 Jailbreaking Apple iOS
 Downgrade process
 Usage of Forensic Recovery Partition

• Data Recovery on Mobile Operating Systems

 Different versions of Google Android
 Data recovery on Google Android
 Different versions of Apple iOS
 Data recovery on Apple iOS
 Data recovery tools

• Advanced Data Recovery on Mobile Devices

 JTAG methods (Hands on)
 ISP methods (Hands on)
 Chip off methods (Hands on)

• SQLite Analysis

 SQLite Forensic Explorer (Hands on)
 SQLite Analyzer (Hands on)
 Forensic Explorer (Hands on)