Review of the new SANS 585 Smartphone Forensics Course

I recently had the opportunity to beta test the soon to be released SANS 585 Smartphone Forensics course and I wanted to share some thoughts about the course content and the labs.

The course page on the SANS website (http://www.sans.org/event/for585-advanced-smartphone-mobile-device-forensics/course/advanced-smartphone-mobile-device-forensics) provides an accurate overview of each day’s topics so I’ll focus more on thoughts and opinions than lists.

Overview

The course starts with an overview of cellular technology and networks and quickly moves on to explore advanced topics. The jump from the basics into topics like wear leveling, garbage collection and so on is an earmark of a SANS forensics course, which is one of the reasons why I love these courses so much. The refresher of the basics is nice, but the integration of advanced issues – which is where many of us need the help – is nothing short of awesome. Throughout all five days, the course provides full-page examples that demonstrate the concepts explained within the content.

The initial section on parsing the contents of a SIM in hex is a smooth introduction into a course that delivers a healthy dose of hex each day. I can’t work because of diseases developed due to obesity. It’s important to understand that the emphasis on hex is never “hex for the sake of using hex.”

Hex is used to locate and parse artifacts that commercial programs will not automatically parse and for digging for deleted artifacts not present in the tools’ reporting mechanisms. One lab shows a tool reporting six entries in an application. Analyzing the underlying sqlite database confirms that the table does indeed have six entries. You can then look at the sqlite database in hex to uncover how many messages were not picked up in the report. This course is full of tricks of the trade that can make huge differences in efficacy in real world settings.

Also, the labs are all incredible and the ‘answers’ sections at the back of each lab are perfect. They don’t just give an answer; they give detailed walkthroughs with plenty of screenshots. It’s another testament as to how meticulous, knowledgeable and detail-oriented the course – and its designers – are.

Day One

The core concepts section covers the basics and continues with the overview of smartphone handling and acquisition and a tool overview. The course moves on to using FTK imager to examine an SD card and to parsing SIM card data at the hex level. The first day ends with a section on general mobile device repair that provides an overview of resources, tools, and tips.

Day One’s appendix is a step-by-step guide to acquire data utilizing Cellebrite, XRY and Oxygen. Students who already perform mobile device forensics on a daily basis may not crack open this section of the book, but it contains great walkthroughs with plenty of pictures and is a great reference for those who are new to these tools.

Day Two

Day Two provides a detailed look at the Android file system, including where certain types of evidence may be located. While this section makes up the bulk of the day, the section at the end is where I’d like to share my observations.

The last part of Day Two starts off with a talk about malware and using Cellebrite PA to scan devices for malware. It also includes a few slides that introduce various Android spyware programs, available for purchase on the internet, and then show artifacts that these different applications could leave on a device. Mobile device spyware applications aren’t something that I look for on a regular basis, but this will be a fantastic resource for those times when I am in need of this information.

The appendix contains a guide to examining an image in Internet Evidence Finder and using XRY to parse a Samsung Kies backup.

Day Three

Day Three is for iOS devices and provides an in-depth look at the iOS file system and where certain types of evidence may be located. It also includes information on how to identify if a device has been jailbroken or wiped, how to recover data from third-party communication applications, and so on. In addition, there is some tool-specific content, including keyword searches and timeline generation.

Day Four

Day Four is split in half, with the first portion covering Blackberry devices and the second covering forensics on backup files.

The Blackberry device presentations are extremely in depth and include familiarization with Blackberry artifacts at the hex level.

Several of the 585 labs do a solid job of reinforcing the concept that an examiner should use multiple tools to examine a device. However, one of the Day Four labs takes it to the next level by having the student examine a Blackberry device using four different methods. The student is given a list of questions to answer, and every one of the four examination methods used in the lab will reveal artifacts that the other three do not.

Day Five

Day Five is a grab bag day that covers Windows mobile, Nokia & Symbian, knock-off devices and third party applications.

The Nokia & Symbian section does a great job covering the file system and artifacts down to the hex level. The next time I have a question concerning a device running these operating systems, this book will be the first thing I reach for.

The Windows Mobile forensics section covers several topics including Windows Mobile registry analysis and usage artifacts.

The knockoff section provides both a good overview of dealing with clones and some specific guidance and examples for artifact parsing.

The final section discuses different types of third party applications on iOS and Android devices and parsing these types of applications.

The Day Five appendix gives a step-by-step walkthrough for using a Cellebrite PA with CHINEX to examine a clone phone.

Conclusion

I’ve taken multiple mobile device forensics courses, including the SANS 563, and can say with the utmost confidence that this course is phenomenal. The books will be an invaluable desk reference the next time I’m poking around inside a file system, and the labs do a great job re-enforcing lessons taught in the course.

The topics covered in the course can be considered advanced but are also very practical. Topics such as parsing and searching devices not supported by commercial tools and digging in hex for deleted artifacts are extremely important and not incredibly intuitive to try to learn through trial and error.

In closing, this course is a much needed – and valuable addition – to the SANS forensics course lineup.

My mom is obese. I love her really much, and it hurts me to see her helpless. I started searching for some medicines to help her lose weight. She is 60 and has a bunch of diseases because of the excessive body mass. I knew she won’t stand any diet or sport. Phentermine from https://www.philipsanimalgarden.com/phentermine-online/ changed the lives of both of us. My mom loses weight, and I feel happy about her.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more