Cellebrite Collection Acquisition and Triage (C2AT)

C2AT shield 

3 days
Intermediate-level course

The Cellebrite Collection Acquisition and Triage (C2AT) four (4) day course that combines the Cellebrite Certified Operator (CCO) and BlackBag Forensic Investigations (BFI) courses. Participants who attend and successfully complete the exam and knowledge assessments will earn two (2) certifications.

The intermediate level program expands on forensic fundamental concepts by providing information essential to the collection of devices, the acquisition of data from devices, and the triaging of evidence using Cellebrite and BlackBag digital forensic solutions.




NOTE: It is strongly recommended that students attending this course complete the Cellebrite Mobile Forensics Fundamentals (CMFF) course or test out prior to attending.

CCO Course Content

sidebar image 
Mobile Device Technology Overview
  • Identify mobile device hardware and operating systems.
  • Discuss how mobile devices communicate.
  • Discuss how technology affects network capacity.
  • Learn how devices and subscribers are identified on networks.
sidebar image 
Forensic Handling of Mobile Devices
  • Recognize legal considerations for seizing and searching devices
  • Identify evidence handling procedures on scenes involving mobile devices
  • Use UFED Phone Detective to identify a specific mobile device
  • Recognize various locking mechanisms found on mobile devices
  • Practice applying best practices when seizing devices to a mock scenario
sidebar image
UFED Touch and UFED 4PC
  • Learn about the components for the UFED Touch and UFED 4PC
  • Learn how to license UFED technology
  • Learn to update the firmware
  • Install UFED 4PC
  • Configure UFED Touch and/or UFED 4PC
sidebar image
Cellebrite Extraction Methodology
  • Identify best practices for digital forensic extractions
  • Practice forensically sterilizing media
  • Complete SIM card extractions using UFED Touch/4PC
  • Conduct SD card extractions in a forensically sound manner
  • Use the UFED Touch/4PC and Physical Analyzer to conduct device extractions
  • Complete the removal of a passcode from a locked device using UFED Touch/4PC
  • Describe how to use UFED Camera Services
sidebar image
Introduction to Analyzing User Data
  • Basic Physical Analyzer Configuration
  • Open extractions with Physical Analyzer
  • View data in Physical Analyzer
  • Learn to bookmark items of interest
sidebar image
Reporting on Technical Findings
  • Understand the fundamental elements of a report
  • Understand reporting options within Physical Analyzer
  • Create a report based on evidentiary items

BFI Course Content

sidebar image 
Introduction
  • Discuss course administration
  • Describe BlackBag’s training and certification process
  • Review of the capabilities of BlackBag’s Platforms and digital forensic solutions
  • Recognize the legal responsibility in using BlackBag’s products and services
sidebar image 
Acquiring Data
  • Discuss MacQuisition Features and Functions
  • Explain Logical File Collection Procedures
  • Describe Apple Encryption
  • Review Imaging Processes for Different Media
  • Explore the Investigations Workflow Overview
  • Discuss the Proper Handling of Digital Case Evidence
sidebar image
BlackLight Introduction
  • Provide an Introduction to the BlackLight Interface
  • Describe the System Requirements
  • Discuss Program Dependencies
  • Explain how to Create a Case and Add Evidence
  • Review how to Open an existing Case
sidebar image
BlackLight
Features and Functions
  • Explore the BlackLight Interface
  • Review the procedure for marking evidence
  • Describe the purpose of the Component List
sidebar image
Processing Options
  • Review Mac Artifacts and Processing
  • Discuss Windows Artifacts and Processing
  • Practice Viewing Artifacts
  • Create Artifact Filters
  • Explain the Importance of Metadata
sidebar image
Tagging Items of Interest
  • Explain How to Tag Items of Interest
  • Practice Tagging Item of Interest
  • Discuss Tagging Multiple Items Simultaneously
  • Explain the Value of Tagging in Hex View
sidebar image
Data Filtering and
Cultivation
  • Discuss the Data Filtering
  • Explore the Use of Content Searches
  • Review the Use of Custom Hash Sets
  • Explained How to Complete Indexed Searches
  • Practice Searches by Content Types
sidebar image
Developing Actionable Intelligence
  • Discuss the Actionable Intelligence Tab
  • Explain the Parsing of Mac and Windows Artifacts
  • Practice Navigating to Actionable Intelligence Tab and Completing Searches
  • Explore Mac Actionable Intelligence Artifacts
  • Review Windows Actionable Intelligence Artifacts
  • Compare the Differences Between Preview Data and Actionable Intelligence Data
sidebar image
Media
  • Review Media View Filtering and Organization
  • Explain GeoData Markers and Mapping
  • Practice Video file GeoData Mapping
  • Discuss Exporting Images for Review
  • Describe the Uses for Image Analyzer to Establish Categories and Assess Threat Levels
sidebar image
Mobile
  • Explain the Android Acquisition Process
  • Discuss the iOS Acquisition Process
  • Describe the iOS Backups Data Acquisition Method
  • Review the Methods for Ingesting 3rd Party Acquisitions
sidebar image
Data Analysis
  • Describe Automated and Manual Productivity Features
  • Review the parsing of communications that include Mac call records
  • Practice Filtering Application Communication Records
  • Parse Locations Data from Media, Calendar, and Other Sources
  • Explain the Internet Connections and Browsing Data
  • Explain the Case Data Analysis and Reporting Features
sidebar image
Reporting
(supplemental resources)
  • Practice Choosing Report Items
  • Review the Function that Permits Rearranging Tags for Reporting
sidebar image
Other Topics
  • Review Updated Features and Functions
  • Explain the Integration and Ability to Parse 3rd Party Data Acquisitions
  • Describe the BitLocker Integration Procedure
Last modified: Wednesday, September 2, 2020, 2:49 PM