Once a full physical forensic image has been obtained from a mobile device, investigators must know how to process the file in order to secure as much forensic evidence as possible. However, smart phone file formats are not easily understood and most forensic applications will not mount an image taken from a mobile device.
We thoroughly explain the file structures and through the use of header information carve out data that would normally be overlooked due to fragmentation or partial deletion. The course explores advanced recovery of SQLite files, SMS data, Google Talk, and more.
Students get hands-on experience carving data from a forensic image in our instructor-led lab. In addition, we instruct and demonstrate how to develop your own Python script to automate the file carving process. (Prior programming experience is helpful but is not necessary as the instructor will walk you through the coding process.)
Basic Linux experience is necessary as a prerequisite. If you are new to using Linux, our Intro to Linux in Forensics is a great place to get a jump start.
