FOR585 provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course is continuously updated to keep up with the latest file formats, malware, smartphone operating systems, third-party applications, acquisition shortfalls, extraction techniques (how to get full file system or physical access), and encryption. It offers the most unique and current instruction to arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you get back to work.

Business Takeaways
▐ Understand Android and iOS artifacts that aid in investigations
▐ Understand application artifacts on iOS and Android devices
▐ Leverage smartphone usage to determine device locations when "something" occurred
▐ Gain insight into how a device is used: car connections, data syncing, hands-free, watches, etc.
▐ Reduce the potential for malware to infect mobile devices by understanding how infections occur and how to investigate malware that lands on mobile devices
▐ Gain a deep understanding of SQLite databases and how the bulk of smartphone data is stored on devices
▐ Better understand commercial tools your company is already using and utilize the free scripts the course provides to fill the gaps these tools might have
▐ Gain experience in creating SQLite queries and Python scripting for forensic examination
▐ Stay ahead of mobile technology changes and investigative trends with the SANS FOR585 Alumni Community Group

Syllabus Summary
SECTION 1: Smartphone Overview, Fundamentals of Analysis, and SQLite Forensics
SECTION 2: Android Forensics
SECTION 3: iOS Device Forensics
SECTION 4: Backups and Cloud Data, Malware and Spyware Forensics, and Detecting Evidence Destruction
SECTION 5: Third-Party Application Analysis
SECTION 6: Smartphone Forensic Capstone Exercise

FOR585: Smartphone Forensic Analysis In-Depth™
6 Day Program
36 CPEs
31+ Labs

You Will Be Able To
▐ Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
▐ Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
▐ Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
▐ Interpret file systems on smartphones and locate information that is not generally accessible to users
▐ Identify how the evidence got onto the mobile device – we'll teach you how to know whether the user created the data or whether it was AI-created or synced data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
▐ Incorporate manual decoding techniques to recover unparsed data stored on smartphones
▐ Tie a user to a smartphone on a specific date/time and at various locations
▐ Recover hidden or obfuscated communication from applications on smartphones

Who Should Attend
▐ Experienced digital forensic examiners
▐ Media exploitation analysts
▐ Information security professionals
▐ Incident response teams
▐ Law enforcement officers, federal agents, and detectives
▐ Accident reconstruction investigators
▐ IT auditors
▐ Graduates of SANS SEC575, FOR308, FOR498, FOR563, FOR500, FOR508, FOR572, FOR526, FOR610, or FOR518 who want to take their skills to the next level

NICE Framework Work Roles
▐ Cyber Crime Investigator (OPM 221)
▐ Cyber Defense Forensics Analyst (OPM 212)

CURRICULUM: DFIR & Threat Hunting
For a detailed course description, visit SANS.ORG/FOR585

WAYS TO TAKE FOR585
Live Online
In-Person
OnDemand

Heather Mahalik Barnhart, Course Author
Domenica Crognale, Course Author

GASF Advanced Smartphone Forensics
giac.org/gasf

"FOR585 course content provides extremely relevant material, guiding examiners to crucial artifacts for investigations and validation. It outlines key details for every forensic challenge."
- Quinn L., U.S. Federal Agency