FOR585 delivers advanced iOS and Android forensics focused on artifact interpretation, not just tool operation. Master location data validation, recovery of deleted records tools miss, manual decoding of unsupported applications, and determination of whether evidence was user-created or generated automatically by the operating system. Business Takeaways ▐ In-house smartphone forensic capability eliminates outsourcing delays and reduces costs ▐ Time to evidence is critical—volatile mobile data can purge within hours of seizure ▐ Open-source tools taught in class supplement or replace expensive commercial licenses ▐ Examiners who validate findings produce court-ready reports that withstand scrutiny ▐ Mobile malware analysis skills prepare incident response teams for emerging threats ▐ Staff trained on manual recovery techniques extract evidence when tools fail entirely Syllabus Summary SECTION 1: Smartphone Overview, Fundamentals of Analysis, and SQLite Forensics SECTION 2: Android Forensics SECTION 3: iOS Device Forensics SECTION 4: AI Impact on Mobile Forensics, Malware/Spyware Forensics, and Detecting Evidence Destruction SECTION 5: Third-Party Application Analysis SECTION 6: Smartphone Forensic Capstone Exercise FOR585: Smartphone Forensic Analysis In-Depth™ MAJOR UPDATE 6 Day Program 36 CPEs 22 Labs You Will Be Able To ▐ Locate critical evidence on iOS and Android and determine exactly how data got there ▐ Recover deleted, unparsed, and obfuscated mobile data that commercial tools miss ▐ Manually decode third-party application artifacts when tools provide zero support ▐ Validate location artifacts and confidently identify false positives before court ▐ Detect, isolate, decompile, and analyze mobile malware and commercial spyware apps ▐ Leverage AI assistants safely to build Python scripts and SQL queries for analysis ▐ Extract evidence from locked devices, encrypted containers, and secure messaging Who Should Attend ▐ Experienced digital forensic examiners ▐ Media exploitation analysts ▐ Information security professionals ▐ Incident response teams ▐ Law enforcement officers, federal agents, and detectives ▐ Accident reconstruction investigators ▐ IT auditors ▐ Graduates of SANS SEC575, FOR498, FOR500, FOR508, FOR528, FOR572, FOR577, FOR589, FOR610, or FOR518 who want to take their skills to the next level NICE Framework Work Roles ▐ Cyber Crime Investigator (OPM 221) ▐ Cyber Defense Forensics Analyst (OPM 212) CURRICULUM: DFIR & Threat Hunting For detailed course description, visit SANS.ORG/FOR585 WAYS TO TAKE FOR585 Live Online In-Person OnDemand Heather Barnhart Course Author Domenica Crognale Course Author GASF Advanced Smartphone Forensics giac.org/gasf “ FOR585 course content provides extremely relevant material, guiding examiners to crucial artifacts for investigations and validation. It outlines key details for every forensic challenge.” —Quinn L., U.S. Federal Agency “ This class has been amazing. I’ve learned so much in such a short amount of time. I’m ready to go back to work and use these new skills.” —Stephen W., Seminole County
