Magnet AXIOM Advanced Mobile Forensics

Nivel: avanzado.

Código: AX300.

Duración: 4 días.

What You’ll Learn

This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations.

Because AX300 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the mobile part of investigations in AX300.

Module 1

Advanced Acquisition Procedures and Techniques Using Magnet AXIOM and ACQUIRE

• Meet the instructor and other students while seeing what’s expected for the week.
• Advanced acquisition procedures and techniques such as Chip-Off, JTAG, and ISP will be discussed so that attendees can understand advanced level extractions and how they are changing for new examinations.
• Install Magnet AXIOM, associated recovery images, Magnet ACQUIRE, and other open-source tools and files that are needed for the course completion.

Module 2

Acquiring iOS Devices

• Learn about the iOS operating system and how to acquire Apple devices running iOS. Information about the software will be outlined, along with discussions on security levels and the procedures of these devices — including handset locks, TouchID, and pairing records.
• Understand how to appropriately identify specific iOS devices and versions as well as standard imaging procedures of iOS devices — including iTunes Backups and Apple File Conduit extractions.
• Advanced acquisitions involving jailbroken devices will also be discussed, and iOS backup encryption will be defined and explained throughout the recent changes to the iOS file system.
• Watch an instructor-led demonstration of extracting information using Magnet ACQUIRE and AXIOM from an iOS device and take part in a hands-on exercise using Passware to brute-force an encrypted iOS backup.

Module 3

Acquiring Android Devices

• This module focuses primarily on the Android operating system and will cover the different levels and ways to extract information from these devices.
• Because the OS is incredibly fragmented, multiple levels of extraction and explanations will be given that will teach students how to effectively identify the right acquisition procedure for each device.
• Learn how to properly research multiple factors during an acquisition to see what level of extraction can be applied.
• New security policies such as Full Disk vs. File-Based Encryption will be discussed and identified, and advanced acquisition techniques — involving passcode bypassing, recovery partition flashing, using custom recovery images, and application downgrading — will be discussed and demonstrated in instructor-led practical exercises.

Module 4

Acquiring via MTP

• The Media Transfer Protocol (MTP) is a transfer method that can be used to extract information from some iOS and Android devices (as well as other devices such as digital cameras).
• Learn what the protocol is, how it is used, and what information can be gathered using this procedure.

Module 5

iOS File System Analysis

• Learn how to identify, examine, and report on data from the iOS operating system that is both natively processed and not supported by forensic tools such as Magnet AXIOM.
• Properly understand data that is extracted from iOS devices, identify the original structure from the backup, and process information from these backups in a “friendly” file system view.
• Gain knowledge on the two main data containers such as SQLite databases and property list files as well as how to examine these files for data using built-in viewers in Magnet AXIOM Examine. Core artifacts will also be covered, such as SMS/iMessages, Call Logs, and Contacts. See how these containers are structured for manual examination and analysis. Other artifacts such as Safari web history data, property list configuration data, and more will also be covered that are outside the “standard” supported tools.
• The anatomy of third-party iOS applications will also be demonstrated, as well as how to identify and extract information from these apps when the tool does not automatically recover it.

Module 6

Android File System Analysis

• Properly identify, examine, and extract information from the Android operating system. This will include core artifacts such as SMS/RCS/MMS messages, Contacts, Call Logs, Account data and more; as well as focusing on other potentially relevant artifacts that are not automatically gathered by most forensic tools.
• Learn and understand the structure of third-party applications in both full and quick image levels, as well as learn how to extract unsupported artifacts from the commonly used container files in Android.

Module 7

Custom Artifacts

• Building on information taught over the four-day period, learn how to use AXIOM features such as Dynamic App Finder and custom artifacts to build data that has been manually recovered into fully-functioning supported Artifacts.
• Gain the ability to share this data with other examiners in the community and increase their working efficiency by being able to automatically recover data after the initial building phase.