Cellebrite Advanced Smartphone Analysis - Online On Demand

Course type: On Line On Demand
Location: On demand
Log in to see the options to register for this course. If you do not already have an account, create your FREE account. Creating an account does not obligate you to enroll or pay for classes.

About this course

Course features

Mobile Forensics - Expert-level course

During the Cellebrite Advanced Smartphone Analysis course, students will take an in-depth look at the forensic recovery of application data found in today’s smartphones. This class is recommended for those familiar with Physical Analyzer or who have completed the CCPA course. In this course, participants will learn how to decode information which is not decoded by forensic tools. They will also utilize third-party software and Python scripts to analyze, verify and validate findings.

This course uses advanced functions in Physical Analyzer software, attending CCPA prior to this course is strongly recommended.

All Online Course Student Manuals are now eBooks!

Cellebrite Online On Demand courses now feature eBook student manuals. These manuals can be accessed via the Cellebrite Learning Center anytime and be viewed on any device.

Added benefits to digital manuals:

  • Immediate access to student manuals
  • Accessible anytime, from anywhere, on any device within your course
  • Find what you need through easy to use search functions
  • Modern content format and increased accessibility

Course Access

Students have a 90-day limited time period to access and complete all content, activities, and exams for this class. Access begins on the day the student’s enrollment is confirmed (voucher consumption) and can be monitored in the top left-hand menu of the class homepage, by use of a timer which shows students the number of days remaining for their access.

  • Following this period, a single 15-day extension can be requested. The student must wait until the number of days reaches 0 days, at which point the countdown will become a button to request an extension of 15-days.
  • Extension requests typically take 1-2 business days to review/approve and limited to a one-time request. If the student fails to complete the course after the approval of the 15-day extension, you may be required to purchase the class again and start over.

More details on this policy can be viewed here.

Required Resources and Materials Provided

  • Access to licensed either a UFED Touch2 or UFED4PC to use during the course.
  • A computer capable of running Physical Analyzer software.
  • A dongle or software license to use Physical Analyzer software.
  • An active internet connection to take this course online.

Cellebrite will provide students with:

  • Online On Demand Class - The learning environment used to deliver the class. 
  • Student Manual (eBook) - Provided in the course outline with no expiration
  • Student Downloads, Data Sets, and 3rd party applications - Provided by Cellebrite Training within the class environment
Students who do not already have or have access to currently licensed Cellebrite hardware and software are encouraged to take one of our Instructor-Led or Live Online classes.

Completion Requirements

Completion without attempting or passing the optional examination and skills test results in a Cellebrite Advanced Smartphone Analysis Certificate of Attendance.

Successful completion of the Cellebrite Advanced Smartphone Analysis (CASA) examination and practical skills test results in a Cellebrite Advanced Smartphone Analysis Certification credential

Students must pass an exam at the end of the course with a minimum score of 80.
Students will receive a maximum of two attempts. If a student fails their first attempt, they must request for their second attempt via Technical Support ticket.

Prerequisites and Continued Learning


NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out, the Cellebrite Certified Operator (CCO) course, as well as the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

Recommended next course(s) / certification(s):

Recertification Requirements

No recertification requirement

CASA Slick_0121.pdfCASA Slick_0121.pdf
Learning objectives

NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out, the Cellebrite Certified Operator (CCO) course, as well as the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

The CASA course is comprised of the following modules and lessons:

1. Introduction

2. SQLite Database Structures

  • Identify mobile device hardware 
  • Identify SQLite databases 
  • Identify SQLite database structures 
  • Explain how data is stored within SQLite databases 
  • Explain how SQLite tables are joined 
  • Discuss what happens when data is deleted from an SQLite database and recovery of data 
  • List functions which may destroy data 
  • Use scripts to extract and analyze binary large object (BLOB) data from databases 
  • Assemble unsupported and new applications using UFED SQL Builder

3. iOS Overview and Analysis

  • Provide a brief overview of iOS demographics 
  • Learn how to identify iOS devices 
  • Describe the structure of the iOS file system 
  • Discuss Cellebrite UFED support for iOS analysis 
  • Analyze iOS extractions with UFED Physical Analyzer 
  • Identify and decode data stored as base64 data from binary plist files 
  • Analyze various artifacts such as health data, data usage, and preference files to support and use in your investigations 
  • Review a processed application for additional relevant data 
  • Parse an unsupported application using the SQL Builder and incorporate the data into Physical Analyzer 
  • Use Python to obtain additional data from Safari and Webkit to aid in web investigations 
  • Learn new artifacts from full file system extractions, such as those from Cellebrite Services and Gray Key

4. iOS Device Access

  • Identifying iOS device hardware 
  • iOS passcodes 
  • Touch ID – time limits and investigative implications 
  • Recovery of simple and complex passcodes 
  • Various methods for potentially gaining access to locked iOS devices

5. iOS and iCloud Backups

  • Identify where iOS backups can be found 
  • Identify iOS backup folder structures 
  • Understand how to handle encrypted iOS Backups and Extractions 
  • Obtain iCloud backup files and how Physical Analyzer handles them 
  • Use open source software to crack the password of an encrypted backup 
  • Learn to use iOS settings to potentially remove the backup password

6. Android Overview

  • Briefly recount the evolution of the Android operating system since its availability in 2007 
  • Identify the different file systems commonly used by Android devices 
  • List the Android devices, file systems, and applications supported by Cellebrite UFED Series 
  • Be familiar with the various extraction methods with Android devices 
  • Understand the various types of Android encryption and possible bypasses

7. Android System Artifacts

  • Discuss how to determine which file systems have been mounted on an Android device. 
  • Locate and analyze relevant system logs, Android artifacts, and device files 
  • Discuss partitioning schemas used on Android devices
  • Look at other applications which may prove valuable to an investigation
  • Locate and decode application usage logs 
  • Identify and parse data from Android User account files

8. Android User Artifacts

  • Decode call logs and timestamps 
  • Track a downloaded files movement within an Android device 
  • Identify media locations 
  • Be able to interpret cloud-based storage accounts used on a mobile device 
  • Decode information related to applications which are not automatically decoded by any forensic tools 
  • Use Python scripts to assist in decoding data 
  • Locate relevant user data items data from both supported and unsupported applications used on a device
  • Decode and parse Google Maps data 
  • Recover additional Chrome and browser-based data to include in your investigations