Cellebrite Advanced Smartphone Analysis (CASA) Course - Advanced

Level - Expert

Course Length: 4 Days

The Cellebrite Advanced Smartphone Analysis (CASA) class is an expert-level, four-day, 28-hour course led by Cellebrite Certified Instructors (CCIs). During this Expert Series course, students will take an in-depth look at the forensic recovery of application data found in today’s smartphones. This class is recommended for those familiar with UFED Physical Analyzer or who have completed the CCPA course. In this course, participants will learn how to decode information which is not decoded by forensic tools. They will also utilize third-party software and Python scripts to analyze, verify and validate findings.

By passing an examination and practical skills assessment in this course, you will earn a certification in Cellebrite Advanced Smartphone Analysis.

NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course (or test out), the Cellebrite Certified Operator (CCO) course, and the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

The CASA course is comprised of the following modules and lessons:

1. Introduction

2. SQLite Database Structures

  • Identify mobile device hardware 
  • Identify SQLite databases 
  • Identify SQLite database structures 
  • Explain how data is stored within SQLite databases 
  • Explain how SQLite tables are joined 
  • Discuss what happens when data is deleted from an SQLite database and recovery of data 
  • List functions which may destroy data 
  • Use scripts to extract and analyze binary large object (BLOB) data from databases 
  • Assemble unsupported and new applications using UFED SQL Builder

3. iOS Overview and Analysis

  • Provide a brief overview of iOS demographics 
  • Learn how to identify iOS devices 
  • Describe the structure of the iOS file system 
  • Discuss Cellebrite UFED support for iOS analysis 
  • Analyze iOS extractions with UFED Physical Analyzer 
  • Identify and decode data stored as base64 data from binary plist files 
  • Analyze various artifacts such as health data, data usage, and preference files to support and use in your investigations 
  • Review a processed application for additional relevant data 
  • Parse an unsupported application using the SQL Builder and incorporate the data into Physical Analyzer 
  • Use Python to obtain additional data from Safari and WebKit to aid in web investigations
  • Learn new artifacts from full file system extractions, such as those from Cellebrite Services and GrayKey

4. iOS Device Access

  • Identifying iOS device hardware 
  • iOS passcodes 
  • Touch ID – time limits and investigative implications 
  • Recovery of simple and complex passcodes 
  • Various methods for potentially gaining access to locked iOS devices

5. iOS and iCloud Backups

  • Identify where iOS backups can be found 
  • Identify iOS backup folder structures 
  • Understand how to handle encrypted iOS backups and extractions
  • Obtain iCloud backup files and learn how Physical Analyzer handles them
  • Use open source software to crack the password of an encrypted backup 
  • Learn to use iOS settings to potentially remove the backup password

6. Android Overview

  • Briefly recount the evolution of the Android operating system since its availability in 2007 
  • Identify the different file systems commonly used by Android devices 
  • List the Android devices, file systems, and applications supported by Cellebrite UFED Series 
  • Be familiar with the various extraction methods with Android devices 
  • Understand the various types of Android encryption and possible bypasses

7. Android System Artifacts

  • Discuss how to determine which file systems have been mounted on an Android device
  • Locate and analyze relevant system logs, Android artifacts, and device files 
  • Discuss partitioning schemas used on Android devices
  • Look at other applications which may prove valuable to an investigation
  • Locate and decode application usage logs 
  • Identify and parse data from Android User account files

8. Android User Artifacts

  • Decode call logs and timestamps 
  • Track a downloaded file's movement within an Android device
  • Identify media locations 
  • Be able to interpret cloud-based storage accounts used on a mobile device 
  • Decode information related to applications which are not automatically decoded by any forensic tools 
  • Use Python scripts to assist in decoding data 
  • Locate relevant user data items from both supported and unsupported applications used on a device
  • Decode and parse Google Maps data 
  • Recover additional Chrome and browser-based data to include in your investigations

Last modified: Sunday, July 14, 2019, 1:37 PM