Forensic

Mobile Forensic Junior - 5 days

Description

For several years the mobile phone has been evolving into an extension of the workstation, and it is becoming a preferred target because it sits closest to the data. The digital investigation of this type of device aims to identify traces linked to criminal activities and to detect traces of malicious actions and of compromise of the phone itself.

This training presents the main artifacts found in the Android and iOS environments and uses an open source toolkit to analyze them. Suitable analysis methodologies are presented to overcome the black-box nature of certain systems and of their pre-installed applications, which complicates the audit of the phone.

This training covers only the case where the phone's unlock secrets (PIN, passcode or pattern) are known.

  • 4 days (28 hours)

  • 2 mobile operating systems: Android & iOS

Public and prerequisites

This training is suitable for people with a background in security or Linux system administration. It is mainly aimed at IT teams that want first-level methods for investigating phones and that do not have software dedicated to this activity. More generally, it suits anyone wishing to add a mobile security component to their professional skills.

  • IT teams

  • System administrators

  • Security teams

Familiarity with offensive security concepts and good Unix knowledge are recommended to follow this training.

iPhone and Android phones are provided during the training for the hands-on exercises.

Content

Day 1

Introduction: description of the mobile investigation ecosystem, its main services and players. Presentation of the main threats, infection vectors and the latest known campaigns. Fundamentals: description of the main sources of information linked to a mobile device (SIM card, warrant return), and the specificities and problems of acquisition methods compared to classic computer forensics. Data formats used to store information and the analysis methodology common to the iOS and Android environments. iOS fundamentals (part 1): overview of the architecture and main services.

Day 2

iOS fundamentals (part 2): description of the file system and locations of interest, the security model and its impact on acquisition. Acquisition methods and specific data formats. iOS system artifacts: reviewing the activity of the whole phone for traces of execution or presence of applications.

Day 3

iOS application artifacts: presentation of native applications and third-party applications (activity analysis, specific data). Analysis of encrypted backups: acquisition and analysis methods in the absence of a complete copy of the phone. Other artifacts: alternative sources of system information, and new artifacts introduced in the latest versions of iOS. Live analysis: acquisition of live system data and network activity.

Day 4

Android fundamentals: overview of the architecture, main services and communication mechanisms. File system, locations of interest and security model. Manufacturer-specific acquisition methods. Android system artifacts: reviewing the activity of the whole phone for traces of execution or presence of applications.

Day 5

Android application artifacts: presentation of native applications (Android and manufacturer) and third-party applications (activity analysis, specific data). Live analysis: triage with ADB in the absence of a full copy of the phone. Malicious APK analysis: static and dynamic analysis methodology and tools.
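As an added illustration of the ADB live triage mentioned for Day 5 (example script written for this page, not course material or tooling from the training provider), the following POSIX shell script collects a minimal set of live artifacts from an Android phone and flags user-installed packages whose installer is not a recognised app store. It assumes USB debugging is enabled, the workstation has been authorized on the device, and `adb` is on PATH; collection only runs when `ADB_COLLECT=1`, so the parsing logic can be exercised offline on the constructed `pm list packages -f -i` sample embedded below. The package names and install paths in that sample are made up.

```shell
#!/bin/sh
# Added example (not part of the course page): first-level live triage of an
# Android phone over ADB when no full copy of the device is available.
# Assumptions: USB debugging is enabled, the workstation is authorized, and
# `adb` is on PATH. Collection only runs when ADB_COLLECT=1 so that the
# parsing logic can be exercised offline on the constructed sample below.

# Constructed sample of `adb shell pm list packages -f -i` output. Note the
# Android 11+ install path containing "==", which a naive split on the first
# "=" would mangle.
SAMPLE_PM='package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/product/app/Chrome/Chrome.apk=com.android.chrome  installer=com.android.vending
package:/data/app/~~abc==/com.example.bank-1/base.apk=com.example.bank  installer=com.android.vending
package:/data/app/~~xyz==/com.update.service-1/base.apk=com.update.service  installer=null
package:/data/app/~~def==/org.telegram.messenger-1/base.apk=org.telegram.messenger  installer=com.sec.android.app.samsungapps'

# Print "<package> <installer>" for user-installed apps (under /data/app) whose
# installer is not a recognised store. installer=null also appears for apps
# restored from a backup or installed through adb, so treat hits as leads to
# verify (APK hash, signer, permissions), not as proof of compromise.
flag_sideloaded() {
  awk '
    /^package:/ {
      rest = substr($0, 9)                    # strip "package:"
      inst = "unknown"
      i = index(rest, "  installer=")
      if (i > 0) {
        inst = substr(rest, i + 12)           # value after "  installer="
        rest = substr(rest, 1, i - 1)         # "<apk path>=<package name>"
      }
      n = split(rest, a, "=")                 # package name follows the LAST "="
      pkg = a[n]
      path = substr(rest, 1, length(rest) - length(pkg) - 1)
      store = (inst == "com.android.vending" || inst == "com.sec.android.app.samsungapps")
      if (path ~ /^\/data\/app\// && !store) print pkg, inst
    }'
}

# Collect a minimal live triage set into a case directory. Every command is a
# standard adb / toybox invocation and nothing is written to the device, but
# enabling USB debugging and authorizing the workstation does alter device
# state, so record those actions in the case notes.
collect_live() {
  dir=$1
  mkdir -p "$dir"
  adb shell getprop                 > "$dir/getprop.txt"          # model, build, security patch level
  adb shell pm list packages -f -i  > "$dir/packages.txt"         # installed apps, paths, installers
  adb shell dumpsys package         > "$dir/dumpsys_package.txt"  # permissions, install times, signers
  adb shell dumpsys accessibility   > "$dir/accessibility.txt"    # enabled accessibility services
  adb shell dpm list-owners         > "$dir/device_owners.txt"    # device admin / owner apps
  adb shell ps -A                   > "$dir/ps.txt"               # running processes
  adb logcat -d                     > "$dir/logcat.txt"           # buffered logs (volatile)
  flag_sideloaded < "$dir/packages.txt" > "$dir/sideloaded.txt"
}

if [ "${ADB_COLLECT:-0}" = "1" ]; then
  collect_live "${CASE_DIR:-./case_$(date +%Y%m%d_%H%M%S)}"
else
  # Offline demonstration on the constructed sample: prints "com.update.service null"
  printf '%s\n' "$SAMPLE_PM" | flag_sideloaded
fi
```

Run without arguments to see the parser flag `com.update.service` from the sample; run with `ADB_COLLECT=1` and an optional `CASE_DIR` against a connected, authorized device to collect the live set. The store allow-list is deliberately short and should be extended to whatever stores are legitimate for the device's vendor and region; anything flagged should then be pulled with `adb pull` and examined with the static and dynamic APK analysis covered on the same day.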