Cellebrite Collection Acquisition and Triage (CCAT)
4 days
Intermediate-level course
Course Description
Cellebrite Collection Acquisition and Triage (CCAT) is a four (4) day intermediate level course that combines the Cellebrite Certified Operator (CCO) and Cellebrite Basic Forensics Investigations (CBFI) courses. The intermediate level program is ideal for professionals involved in triaging, extracting, authenticating, analyzing, and reporting on digital evidence. Instructor-led activities include data collection, screen previews, evidence triage, and the operation of Cellebrite (Touch2/4PC), Reader, Cellebrite Digital Detector, and Cellebrite Illuminator solutions.
Participants who attend and successfully complete the exam and knowledge assessments will earn two (2) certifications.
Participants who attend and successfully complete the exam and knowledge assessments will earn two (2) certifications.
NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out prior to attending.
CCO Course Content
Mobile Device Technology Overview
- Identify mobile device hardware and operating systems.
- Discuss how mobile devices communicate.
- Discuss how technology affects network capacity.
- Learn how devices and subscribers are identified on networks.
Forensic Handling of Mobile Devices
- Recognize legal considerations for seizing and searching devices
- Identify evidence handling procedures on scenes involving mobile devices
- Use UFED Phone Detective to identify a specific mobile device
- Recognize various locking mechanisms found on mobile devices
- Practice applying best practices when seizing devices to a mock scenario
UFED Touch and UFED 4PC
- Learn about the components for the UFED Touch and UFED 4PC
- Learn how to license UFED technology
- Learn to update the firmware
- Install UFED 4PC
- Configure UFED Touch and/or UFED 4PC
Cellebrite Extraction Methodology
- Identify best practices for digital forensic extractions
- Practice forensically sterilizing media
- Complete SIM card extractions using UFED Touch/4PC
- Conduct SD card extractions in a forensically sound manner
- Use the UFED Touch/4PC and Physical Analyzer to conduct device extractions
- Complete the removal of a passcode from a locked device using UFED Touch/4PC
- Describe how to use UFED Camera Services
Introduction to Analyzing User Data
- Basic Physical Analyzer Configuration
- Open extractions with Physical Analyzer
- View data in Physical Analyzer
- Learn to bookmark items of interest
Reporting on Technical Findings
- Understand the fundamental elements of a report
- Understand reporting options within Physical Analyzer
- Create a report based on evidentiary items
CBFI Course Content
Introduction
- Discuss course administration
- Describe BlackBag’s training and certification process
- Review of the capabilities of BlackBag’s Platforms and digital forensic solutions
- Recognize the legal responsibility in using BlackBag’s products and services
Acquiring Data
- Discuss MacQuisition Features and Functions
- Explain Logical File Collection Procedures
- Describe Apple Encryption
- Review Imaging Processes for Different Media
- Explore the Investigations Workflow Overview
- Discuss the Proper Handling of Digital Case Evidence
BlackLight Introduction
- Provide an Introduction to the BlackLight Interface
- Describe the System Requirements
- Discuss Program Dependencies
- Explain how to Create a Case and Add Evidence
- Review how to Open an existing Case
BlackLight
Features and Functions
- Explore the BlackLight Interface
- Review the procedure for marking evidence
- Describe the purpose of the Component List
Processing Options
- Review Mac Artifacts and Processing
- Discuss Windows Artifacts and Processing
- Practice Viewing Artifacts
- Create Artifact Filters
- Explain the Importance of Metadata
Tagging Items of Interest
- Explain How to Tag Items of Interest
- Practice Tagging Item of Interest
- Discuss Tagging Multiple Items Simultaneously
- Explain the Value of Tagging in Hex View
Data Filtering and
Cultivation
- Discuss the Data Filtering
- Explore the Use of Content Searches
- Review the Use of Custom Hash Sets
- Explained How to Complete Indexed Searches
- Practice Searches by Content Types
Developing Actionable Intelligence
- Discuss the Actionable Intelligence Tab
- Explain the Parsing of Mac and Windows Artifacts
- Practice Navigating to Actionable Intelligence Tab and Completing Searches
- Explore Mac Actionable Intelligence Artifacts
- Review Windows Actionable Intelligence Artifacts
- Compare the Differences Between Preview Data and Actionable Intelligence Data
Media
- Review Media View Filtering and Organization
- Explain GeoData Markers and Mapping
- Practice Video file GeoData Mapping
- Discuss Exporting Images for Review
- Describe the Uses for Image Analyzer to Establish Categories and Assess Threat Levels
Mobile
- Explain the Android Acquisition Process
- Discuss the iOS Acquisition Process
- Describe the iOS Backups Data Acquisition Method
- Review the Methods for Ingesting 3rd Party Acquisitions
Data Analysis
- Describe Automated and Manual Productivity Features
- Review the parsing of communications that include Mac call records
- Practice Filtering Application Communication Records
- Parse Locations Data from Media, Calendar, and Other Sources
- Explain the Internet Connections and Browsing Data
- Explain the Case Data Analysis and Reporting Features
Reporting
(supplemental resources)
- Practice Choosing Report Items
- Review the Function that Permits Rearranging Tags for Reporting
Other Topics
- Review Updated Features and Functions
- Explain the Integration and Ability to Parse 3rd Party Data Acquisitions
- Describe the BitLocker Integration Procedure
Last modified: Friday, August 13, 2021, 2:36 PM