iPhone & Android Forensics Training, Sept. 2010

The training will cover the forensic examination of iPhone, iPhone 3G, iPhone 3G[s], and iPhone 4 devices covering iPhone OS v1.x, v2.x, v3.x, and the new v4.0 software. Join us and follow along hands-on to learn:

• What kind of evidence is stored on the device
• How to prepare an environment for iPhone forensics
• Circumventing passcode protection and encrypted backups to gain access to the device
• Building a custom recovery toolkit for the iPhone
• Interrupting the iPhone’s “secure wipe” process
• Data recovery of an iPhone user disk partition, preserving and recovering the entire raw user disk partition. Recovery over USB cable and Wi-Fi will be demonstrated.
• Recovering deleted voicemail, images, email, and other personal data using data carving techniques
• Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
• Electronic discovery of Google map lookups, keyboard typing cache, and other data stored on the live file system
• Extracting contact information and other data from the iPhone’s database
• Collecting desktop trace and establishing trusted relationships to owners’ desktops
• Different recovery strategies based on case needs

This is a Mac-only course. Be sure to bring a Mac notebook and an iPhone if you would like to learn hands-on. Do not bring live evidence or any data that cannot be at risk from classroom mistakes. To keep everything on track, the following classroom specifications will be used:

• Mac OS X 10.6
• iTunes 8.1.1
• [Optional] An iPhone
• iPhone 3G running v3.1.3 or earlier
• iPhone 3G[s] running v3.1.3 or earlier
• iPhone 4 running v4.0 *will work for logical acquisition, but not physical

The course will provide you with the tools, techniques and analysis tools you need to effectively investigate an Android phone. Participants must bring a laptop for the training and have the ability to run a VMWare appliance/image. The full course outline is provided below.

Overview of Android

• History
• Technology
  • Linux
  • File system
  • C library (Bionic)
  • App environment (Dalvik VM)
• Phone/other devices
  • Currently available or planned
  • Hardware vendors
  • Service providers
• Overview of security model
• Forensic consideration and discussion about mobile forensics vs. traditional forensics

Software Development Kit

• Overview of SDK, setup, perhaps a test application
• Android emulator
  • Significance
  • Configure
  • Setup and test forensics techniques, use for R&D

File system overview

• Overview of Android file system (phone dependent but fairly consistent)
  • Mount points
  • Important directories
  • "Utility" file systems in use (rootfs, tmpfs, devpts, proc, sysfs, cramfs)
• SD Card - (FAT 32/vfat)
• YAFFS2
  • Detailed overview
    • OOB
    • MTD
    • Log-structure (versioning!)
  • How to compile support (Linux)
  • Pros/Cons

Forensics Techniques

• SD Card analysis
• Backup techniques
  • Nandroid
  • Apps
• Android Debug Bridge
  • Logical analysis without root
  • Logical analysis with root
• Commercial tools
  • Pros/Cons
  • Specific tools
    • Cellebrite
    • Paraben
    • Oxygen
    • XRY
    • Others?
  • "Hoog" method
    • Overview
    • Demonstration
    • MTD techniques: dd, cat, nanddump, etc.
    • Evolution

File system and application/data analysis

• Review important directories and files
• Review efficacy of traditional forensics techniques (i.e. file carving)
• Review YAFFS2 characteristics
• Review important applications and their data (SMS, phone, camera, video, GPS, web browsing, email, etc.)