“SANS FOR585 Q&A: Smartphone Forensics – Questions answered”

by sansdfir on January 7, 2019

Learning doesn’t stop when you leave the SANS classroom. Instructors Domenica “Lee” Crognale, Heather Mahalik and Terrance Maguire answer some of the most common questions from FOR585 Smartphone Forensics course students in these short videos:

1) Using Hashcat to Crack an Encrypted iTunes Backup: Acquiring a locked iOS can be difficult so an iTunes backup may be the best evidence to examine. The iTunes backup files might be encrypted so this mini webcast outlines how to use HashCat to crack the encrypted iTunes backup files.

Sponsorships Available

2) An Overview of Third Party App Examination: There are millions of applications (Apps) that can be used on a smartphone. This mini webcast outlines an approach to examining these applications.

3) Why Every Examiner Needs a Test Device?: In a perfect world, we would always be examining rooted Androids and jailbroken iOS devices, but unfortunately, full access to the file system is becoming a thing of the past. This mini webcast highlights the importance of populating test devices with user data so you can better speak to the artifacts that you ARE able to access on your next examination.

4)What if Nothing Supports Android Pie (v9)? The latest versions of Android are not commonly supported for acquisition by our tools. What can you do? Use ADB and interact with the live device. This mini webcast will teach you how to use ADB to extract information from Android devices and will discuss the traces some tools leave behind and why that trace is required if you want to obtain data.

5) iOS Malware – Where to Begin: It’s notably more difficult to pinpoint malware on your non-jailbroken iOS device without access to the application packages. This mini webcast outlines some of the best practices in analyzing the files you can access to provide indications of suspicious activity and the applications and services that are likely responsible.

6) Two Major Plists: This mini webcast will discuss how to determine if iMessage is disabled on an iPhone and how to determine if an iCloud restore occurred. Simple questions like this can make a difference in your investigation. We will discuss the file locations, which acquisition methods provide access to the files of interest and most importantly, how to parse the data.

About SANS FOR585: Smartphone Forensics Course

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. More information: http://sans.org/FOR585 | Next course runs: sans.org/u/Mht

More Resources:

FOR585 Mobile Forensics Poster: Use this poster as a cheat-sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. This poster was created by FOR585 Advanced Smartphone Forensics course authors & Certified Instructors Heather Mahalik, Cindy Murphy and Domenica “Lee” Crognale with support from the SANS DFIR Faculty. Download it here