Training Details
viaForensics has invested significant R&D into Android Forensics and is pleased to now offer a comprehensive training course to prepare examiners (Mar 1: open to non-LE, Mar 2-3: LE only) for the Android platform. The course will provide you with the tools and analysis techniques you need to effectively investigate an Android phone. Participants must bring a laptop for the training. The full course outline is provided below.
- Overview of Android
- History
- Technology
- Linux
- File system
- C library (Bionic)
- App environment (Dalvik VM)
- Phone/other devices
- Currently available or planned
- Hardware vendors
- Service providers
- Overview of security model
- Forensic consideration and discussion about mobile forensics vs. traditional forensics
- Overview of SDK, setup, perhaps a test application
- Android emulator
- Significance
- Configure
- Setup and test forensics techniques, use for R&D
- Overview of Android file system (phone dependent but fairly consistent)
- Mount points
- Important directories
- "Utility" file systems in use (rootfs, tmpfs, devpts, proc, sysfs, cramfs)
- SD Card (FAT32/vfat)
- YAFFS2
- Detailed overview
- OOB
- MTD
- Log-structure (versioning!)
- How to compile support (Linux)
- Pros/Cons
- Detailed overview
- SD Card analysis
- Backup techniques
- Nandroid
- Apps
- Android Debug Bridge
- Logical analysis without root
- Logical analysis with root
- Commercial tools
- Pros/Cons
- Specific tools
- Cellebrite
- Paraben
- Oxygen
- XRY
- Others?
- "Hoog" method
- Overview
- Demonstration
- MTD techniques: dd, cat, nanddump, etc.
- Evolution
- Review important directories and files
- Review efficacy of traditional forensics techniques (i.e. file carving)
- Review YAFFS2 characteristics
- Review important applications and their data (SMS, phone, camera, video, GPS, web browsing, email, etc.)