DF125 - Mobile Device Examinations with EnCase
Duration: 2 Days
Digital forensics is no longer limited to the examination of desktop computers, laptop/notebook devices, or their associated media. Examiners of digital evidence are now involved in the examination of mobile devices and their associated applications in the pursuit of uncovering information related to criminal and corporate investigations. While the field of mobile device examinations shares a crossover with more traditional digital forensics, mobile devices offer their own unique characteristics and challenges.
To meet these challenges, OpenText™ EnCase™ Forensic has been developed to incorporate acquisition of such devices, while EnCase™ Mobile Investigator provides an examination platform that includes Optical Character Recognition, native support for viewing SQLite databases, and reporting functionality.
Delivery method: Group-Live. NASBA defined level: basic
CPE Credits - 16
This course is intended for digital forensic investigators, including law enforcement, government, military, corporate, IT security, and litigation support professionals who are seeking to analyze smartphones and mobile devices for evidence for criminal and corporate investigations.
Basic computer skills. Advance preparation for this course is not required.
This hands-on course provides practical demonstrations and real-life simulations to help understand the methodology of using EnCase Forensic and EnCase Mobile Investigator in mobile device examinations involving criminal, corporate, and civil investigations.
This course will provide instruction related to the acquisition of mobile devices using EnCase Forensic followed by the examination via the use of EnCase Mobile Investigator (as well as EnCase Forensic).
The course will detail performing acquisitions from both a handset and a device backup followed by examination of devices running the mobile operating systems Android and Apple iOS.
During class, the automated examination functionality of EnCase Mobile Investigator / EnCase Forensic will be used, as well as manual examination and examination via EnScript programs of file types, including SQLite databases and Apple property lists.
Students attending this course will learn the following:
- The history of Android and Apple iOS mobile operating systems
- How to prepare for and conduct an acquisition of an Android device
- How to conduct an acquisition of an Android Samsung S5/S6 device via the Android bootloader
- How to conduct an acquisition of an Apple iOS device
- How to conduct an acquisition of an Apple iOS backup (including an encrypted backup)
- How to examine the Android system, user, application, and Internet artifacts
- How to examine the Apple iOS system, user, application, and Internet artifacts
- How to conduct an examination of still and moving image file formats
- Understanding the structure of file types and data structures that support mobile device applications and system artifacts, including (but not limited to):
  - SQLite databases
  - Apple property lists (pLists)