About this course

Description

Course features

Mobile Forensics - Expert-level course

During the Cellebrite Advanced Smartphone Analysis course, students will take an in-depth look at the forensic recovery of application data found in today’s smartphones. This class is recommended for those familiar with Physical Analyzer or who have completed the CCPA course. In this course, participants will learn how to decode information which is not decoded by forensic tools. They will also utilize third-party software and Python scripts to analyze, verify and validate findings.

This course uses advanced functions in Physical Analyzer software, attending CCPA prior to this course is strongly recommended.

All Online Course Student Manuals are now eBooks!

Cellebrite Online On Demand courses now feature eBook student manuals. These manuals can be accessed via the Cellebrite Learning Center anytime and be viewed on any device.

Added benefits to digital manuals:

Immediate access to student manuals
Accessible anytime, from anywhere, on any device within your course
Find what you need through easy to use search functions
Modern content format and increased accessibility

Course Access

Students have a 90-day limited time period to access and complete all content, activities, and exams for this class. Access begins on the day the student’s enrollment is confirmed (voucher consumption) and can be monitored in the top left-hand menu of the class homepage, by use of a timer which shows students the number of days remaining for their access.

Following this period, a single 15-day extension can be requested. The student must wait until the number of days reaches 0 days, at which point the countdown will become a button to request an extension of 15-days.
Extension requests typically take 1-2 business days to review/approve and limited to a one-time request. If the student fails to complete the course after the approval of the 15-day extension, you may be required to purchase the class again and start over.

More details on this policy can be viewed here.

Required Resources and Materials Provided

Access to licensed either a UFED Touch2 or UFED4PC to use during the course.
A computer capable of running Physical Analyzer software.
A dongle or software license to use Physical Analyzer software.
An active internet connection to take this course online.

Cellebrite will provide students with:

Online On Demand Class - The learning environment used to deliver the class.
Student Manual (eBook) - Provided in the course outline with no expiration
Student Downloads, Data Sets, and 3rd party applications - Provided by Cellebrite Training within the class environment

Students who do not already have or have access to currently licensed Cellebrite hardware and software are encouraged to take one of our Instructor-Led or Live Online classes.

Completion Requirements

Completion without attempting or passing the optional examination and skills test results in a Cellebrite Advanced Smartphone Analysis Certificate of Attendance.

Successful completion of the Cellebrite Advanced Smartphone Analysis (CASA) examination and practical skills test results in a Cellebrite Advanced Smartphone Analysis Certification credential

Students must pass an exam at the end of the course with a minimum score of 80.
Students will receive a maximum of two attempts. If a student fails their first attempt, they must request for their second attempt via Technical Support ticket.

Prerequisites and Continued Learning

Prerequisites

NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out, the Cellebrite Certified Operator (CCO) course, as well as the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

Recommended next course(s) / certification(s):

Cellebrite Certified Mobile Examiner Certification (CCME)

Recertification Requirements

No recertification requirement

CASA Slick_0121.pdf

Learning objectives

NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out, the Cellebrite Certified Operator (CCO) course, as well as the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

The CASA course is comprised of the following modules and lessons:

1. Introduction

2. SQLite Database Structures

Identify mobile device hardware
Identify SQLite databases
Identify SQLite database structures
Explain how data is stored within SQLite databases
Explain how SQLite tables are joined
Discuss what happens when data is deleted from an SQLite database and recovery of data
List functions which may destroy data
Use scripts to extract and analyze binary large object (BLOB) data from databases
Assemble unsupported and new applications using UFED SQL Builder

3. iOS Overview and Analysis

Provide a brief overview of iOS demographics
Learn how to identify iOS devices
Describe the structure of the iOS file system
Discuss Cellebrite UFED support for iOS analysis
Analyze iOS extractions with UFED Physical Analyzer
Identify and decode data stored as base64 data from binary plist files
Analyze various artifacts such as health data, data usage, and preference files to support and use in your investigations
Review a processed application for additional relevant data
Parse an unsupported application using the SQL Builder and incorporate the data into Physical Analyzer
Use Python to obtain additional data from Safari and Webkit to aid in web investigations
Learn new artifacts from full file system extractions, such as those from Cellebrite Services and Gray Key

4. iOS Device Access

Identifying iOS device hardware
iOS passcodes
Touch ID – time limits and investigative implications
Recovery of simple and complex passcodes
Various methods for potentially gaining access to locked iOS devices

5. iOS and iCloud Backups

Identify where iOS backups can be found
Identify iOS backup folder structures
Understand how to handle encrypted iOS Backups and Extractions
Obtain iCloud backup files and how Physical Analyzer handles them
Use open source software to crack the password of an encrypted backup
Learn to use iOS settings to potentially remove the backup password

6. Android Overview

Briefly recount the evolution of the Android operating system since its availability in 2007
Identify the different file systems commonly used by Android devices
List the Android devices, file systems, and applications supported by Cellebrite UFED Series
Be familiar with the various extraction methods with Android devices
Understand the various types of Android encryption and possible bypasses

7. Android System Artifacts

Discuss how to determine which file systems have been mounted on an Android device.
Locate and analyze relevant system logs, Android artifacts, and device files
Discuss partitioning schemas used on Android devices
Look at other applications which may prove valuable to an investigation
Locate and decode application usage logs
Identify and parse data from Android User account files

8. Android User Artifacts

Decode call logs and timestamps
Track a downloaded files movement within an Android device
Identify media locations
Be able to interpret cloud-based storage accounts used on a mobile device
Decode information related to applications which are not automatically decoded by any forensic tools
Use Python scripts to assist in decoding data
Locate relevant user data items data from both supported and unsupported applications used on a device
Decode and parse Google Maps data
Recover additional Chrome and browser-based data to include in your investigations