Cellebrite Advanced Smartphone Analysis (CASA)

shield 

4 days
Expert-level course

The Cellebrite Advanced Smartphone Analysis (CASA) class is an expert level four-day, 28-hour course lead by Cellebrite Certified Instructors (CCIs). During this Expert Series course, students will take an in-depth look at the forensic recovery of application data found in today’s smartphones. This class is recommended for those familiar with UFED Physical Analyzer or who have completed the CCPA course. In this course, participants will learn how to decode information which is not decoded by forensic tools. They will also utilize third-party software and Python scripts to analyze, verify and validate findings.




NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out, the Cellebrite Certified Operator (CCO) course, as well as the Cellebrite Certified Physical Analyst (CCPA) course prior to attending.

Course Content

sidebar image 
SQLite Database Structures
  • Identify mobile device hardware
  • Identify SQLite databases
  • Identify SQLite database structures
  • Explain how data is stored within SQLite databases
  • Explain how SQLite tables are joined
  • Discuss what happens when data is deleted from an SQLite database and recovery of data
  • List functions which may destroy data
  • Use scripts to extract and analyze binary large object (BLOB) data from databases
  • Assemble unsupported and new applications using UFED SQL Builder
sidebar image 
iOS Overview and Analysis
  • iOS demographics,  file system, and how to identify iOS devices
  • Discuss Cellebrite UFED support for iOS analysis and analyze iOS extractions with UFED Physical Analyzer
  • base64 data and binary plist files
  • Analyze health data, data usage, and preference files to support and use in your investigations
  • Review a processed application for additional relevant data
  • Parse an unsupported application using the SQL Builder and incorporate the data into Physical Analyzer
  • Use Python to obtain additional data from Safari and Webkit
  • Learn new artifacts from full file system extractions, such as those from Cellebrite Services and Gray Key
sidebar image 
iOS Device Access
  • Identify iOS device hardware
  • iOS passcodes
  • Touch ID – time limits and investigative implications
  • Recovery of simple and complex passcodes
  • Various methods for potentially gaining access to locked iOS devices
sidebar image 
iOS and iCloud Backups
  • Identify where iOS backups can be found
  • Identify iOS backup folder structures
  • Understand how to handle encrypted iOS Backups and Extractions
  • Obtain iCloud backup files and how Physical Analyzer handles them
  • Use open source software to crack the password of an encrypted backup
  • earn to use iOS settings to potentially remove the backup password
sidebar image 
Android Overview
  • Briefly recount the evolution of the Android operating system since its availability in 2007
  • Identify the different file systems commonly used by Android devices
  • List the Android devices, file systems, and applications supported by Cellebrite UFED Series
  • Be familiar with the various extraction methods with Android devices
  • Understand the various types of Android encryption and possible bypasses
sidebar image 
Android System Artifacts
  • Discuss how to determine which file systems have been mounted on an Android device
  • Locate and analyze relevant system logs, Android artifacts, and device files
  • Discuss partitioning schemas used on Android devices
  • Look at other applications which may prove valuable to an investigation
  • Locate and decode application usage logs
  • Identify and parse data from Android User account files
sidebar image 
Android User Artifacts
  • Decode call logs and timestamps
  • Track a downloaded files movement within an Android device
  • Identify media locations
  • Be able to interpret cloud-based storage accounts used on a mobile device
  • Decode information related to applications which are not automatically decoded by any forensic tools
  • Use Python scripts to assist in decoding data
  • Locate relevant user data items data from both supported and unsupported applications used on a device
  • Decode and parse Google Maps data
  • Recover additional Chrome and browser-based data to include in your investigations
Last modified: Tuesday, January 14, 2020, 9:09 AM