Mobile Forensics Junior - 5 days - 4800€ HT
Description
The mobile phone has been evolving for several years into an extension of the workstation and is becoming a prime target, because it sits closest to the data. The digital investigation of this type of device aims to identify traces linked to criminal activities and to detect traces of malicious actions and compromise of the mobile phone.
This training aims to present the main artifacts found in the Android and iOS environments and to use an open source toolkit to analyze them. Appropriate analysis methodologies are presented in order to overcome the black-box approach of certain systems and their pre-installed applications, which complicates the audit of the phone.
This training exclusively addresses the case where the unlocking secrets of the phone are known.
- 5 days (35 hours)
- 2 mobile operating systems: Android & iOS
Objectives
- Understand the fundamentals of mobile forensics on Android and iOS, including security models and native artifacts
- Learn techniques for acquiring and analyzing digital traces (systems, applications, network captures, encrypted backups)
- Conduct practical investigations using real-world artifacts and dynamic/static analysis of malicious APKs
Public and prerequisites
This training is suitable for people with knowledge of security or Linux system administration. It is mainly aimed at IT teams wishing to have first-level methods for investigating phones and who do not have software dedicated to this activity. More generally, it is aimed at anyone wishing to enrich their professional career with a security component in the mobile field.
- IT teams
- System administrators
- Security teams
Concepts of offensive security and good Unix knowledge are recommended to follow this training.
iPhone and Android phones are provided during the training for the hands-on exercises.
Content
Day 1
Introduction and fundamentals: objectives, getting started, and an overview of mobile forensics (information sources, main formats of interest, timestamp management). iOS fundamentals: representation of the architecture and main services, security model, file systems, and specific data formats. iOS acquisition: acquisition methods illustrated by practical exercises in full acquisition (root access to the device) and partial acquisition (restricted access) using reference tools such as libimobiledevice, mvt, and sysdiagnose generation.
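The "timestamp management" item above is one of the first practical hurdles when artifacts from several databases have to be placed on a single timeline: iOS CoreData stores seconds since 2001-01-01 (Cocoa / Mac absolute time), Android applications usually store Unix milliseconds, and Chrome or WebKit history stores microseconds since 1601-01-01. The following Python is an added example written for this page, not course material or any tool's code; the sample rows and the magnitude ranges used to guess the epoch are constructed assumptions (reliable only for values dated roughly 2010 to 2032) and the converters are labelled accordingly.

```python
"""Normalise the timestamp epochs most often met in mobile artifacts to UTC.

Added illustration for the course outline; constructed values and heuristics.
"""
from datetime import datetime, timedelta, timezone

# Reference epochs, all expressed as aware UTC datetimes.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple "Mac absolute time"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome / WebKit history

# Offsets to the Unix epoch, handy when cross-checking values by hand.
COCOA_OFFSET_S = int((COCOA_EPOCH - UNIX_EPOCH).total_seconds())    # 978307200
WEBKIT_OFFSET_S = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds())  # 11644473600

UNITS = {"s": 1, "ms": 1_000, "us": 1_000_000, "ns": 1_000_000_000}


def _scaled(epoch, value, unit):
    """Add `value` (in `unit`) to `epoch` without going through float seconds."""
    divisor = UNITS[unit]
    if isinstance(value, float) and unit == "s":
        return epoch + timedelta(seconds=value)  # Cocoa doubles carry fractions
    whole, frac = divmod(int(value), divisor)
    return epoch + timedelta(seconds=whole, microseconds=frac * 1_000_000 // divisor)


def from_unix(value, unit="s"):
    """Unix-epoch value in s/ms/us/ns (typical of Android SQLite columns)."""
    return _scaled(UNIX_EPOCH, value, unit)


def from_cocoa(value, unit="s"):
    """Seconds (or ns) since 2001-01-01, as in iOS CoreData-backed databases."""
    return _scaled(COCOA_EPOCH, value, unit)


def from_webkit(value):
    """Microseconds since 1601-01-01, as in Chrome/WebKit history databases."""
    return _scaled(WEBKIT_EPOCH, value, "us")


# Heuristic magnitude ranges (assumed, constructed): each range covers roughly
# the years 2010-2032 for that epoch/unit and none of them overlap.
HEURISTIC_RANGES = [
    ("cocoa_s",   2.8e8,  1e9,   lambda v: from_cocoa(v, "s")),
    ("unix_s",    1e9,    2e9,   lambda v: from_unix(v, "s")),
    ("unix_ms",   1e12,   2e12,  lambda v: from_unix(v, "ms")),
    ("unix_us",   1e15,   2e15,  lambda v: from_unix(v, "us")),
    ("webkit_us", 1.2e16, 1.4e16, from_webkit),
    ("cocoa_ns",  2.8e17, 1e18,  lambda v: from_cocoa(v, "ns")),
    ("unix_ns",   1e18,   2e18,  lambda v: from_unix(v, "ns")),
]


def guess_and_convert(value):
    """Return (epoch_label, utc_datetime); label 'unknown' when out of range."""
    for label, lo, hi, convert in HEURISTIC_RANGES:
        if lo <= value < hi:
            return label, convert(value)
    return "unknown", None


# Constructed sample rows standing in for what a parser would pull from
# three different artifacts on one handset (values chosen by hand).
SAMPLE_ROWS = [
    {"source": "iOS KnowledgeC ZOBJECT.ZSTARTDATE", "raw": 721692800.5},
    {"source": "Android app SQLite (milliseconds)", "raw": 1700000100000},
    {"source": "Chrome History visit_time", "raw": 13344473500000000},
]


def build_timeline(rows):
    """Convert every row and return (iso_utc, epoch_label, source) sorted by time."""
    out = []
    for row in rows:
        label, when = guess_and_convert(row["raw"])
        if when is None:
            continue  # leave unparseable values for manual review
        out.append((when.isoformat(), label, row["source"]))
    return sorted(out)


if __name__ == "__main__":
    for iso, label, source in build_timeline(SAMPLE_ROWS):
        print(f"{iso}  [{label:9}]  {source}")
```

The guessing step is only a triage aid: once the producing application is identified, the epoch should be fixed explicitly from the schema rather than inferred from magnitude, and local-time columns (some Android OEM databases) must be tagged with the device's time zone before being merged.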
Day 2
iOS system artifacts: review of the entire phone's activity to list execution traces and the presence of applications (info.plist, LSD database), analyze their activities (netusage, powerlogs, KnowledgeC, Biome) and their permissions (TCC). In-depth analysis of logs from archives using the sysdiagnose.py tool. iOS application artifacts: presentation of native and third-party applications and study of their common use cases (accounts, communications, web browsing). The practical exercises primarily rely on iLEAPP and Apollo to extract and analyze this specific data.
Day 3
Analysis methods: network capture, encrypted backup, and system diagnostics. Android fundamentals: architectures, OEMs, security model, file systems, with a detailed presentation of the ADB (Android Debug Bridge) and mvt-android tools. Android data acquisition: practical acquisition methods demonstrated through hands-on exercises covering device rooting, full data acquisition, and partial data acquisition targeting the collection of specific artifacts via ADB.
Day 4
Android System Artifacts: Review of phone activity and study of the main data formats (ABX, SQLite databases, Protobuf). Analysis of artifacts used to list applications, their permissions, and their activities, followed by a live analysis practical exercise using the data collected with MVT and ADB. Android Application Artifacts: Presentation of the classic directory structure of native and third-party applications, methods for retrieving and parsing their internal data. Study of use cases (accounts, communications, web) using ALEAPP as the central theme of the practical exercises.
Day 5
Malicious Android Applications: Mobile threat analysis and presentation of common injection methods. Static and dynamic analysis: Methodology for analyzing the structure of a suspicious APK using reverse engineering tools (apktool, mobsf, jadx) and dynamic execution within an emulator coupled with network captures. Practical exercises: Hands-on work dedicated to the manipulation and complete analysis of a known Android malware, including live analysis phases with ADB.
All the details regarding how the training is conducted are described on this page.