Training Details
viaForensics has invested significant R&D into Android Forensics and is pleased to now offer a comprehensive training course to prepare examiners for the Android platform. The course will provide you with the tools, techniques and analysis tools you need to effectively investigate an Android phone. Participants must bring a laptop for the training and have the ability to run a VMWare appliance/image. The full course outline is provided below.
Overview of Android- History
- Technology
- Linux
- File system
- C library (Bionic)
- App environment (Dalvik VM)
- Phone/other devices
- Currently available or planned
- Hardware vendors
- Service providers
- Overview of security model
- Forensic consideration and discussion about mobile forensics vs. traditional forensics
- Overview of SDK, setup, perhaps a test application
- Android emulator
- Significance
- Configure
- Setup and test forensics techniques, use for R&D
- Overview of Android file system (phone dependent but fairly consistent)
- Mount points
- Important directories
- "Utility" file systems in use (rootfs, tmpfs, devpts, proc, sysfs, cramfs)
- SD Card - (FAT 32/vfat)
- YAFFS2
- Detailed overview
- OOB
- MTD
- Log-structure (versioning!)
- How to compile support (Linux)
- Pros/Cons
- Detailed overview
- SD Card analysis
- Backup techniques
- Nandroid
- Apps
- Android Debug Bridge
- Logical analysis without root
- Logical analysis with root
- Commercial tools
- Pros/Cons
- Specific tools
- Cellebrite
- Paraben
- Oxygen
- XRY
- Others?
- "Hoog" method
- Overview
- Demonstration
- MTD techniques: dd, cat, nanddump, etc.
- Evolution
- Review important directories and files
- Review efficacy of traditional forensics techniques (i.e. file carving)
- Review YAFFS2 characteristics
- Review important applications and their data (SMS, phone, camera, video, GPS, web browsing, email, etc.)