Achieving advanced smartphone and mobile
device forensics is a time-consuming, complex
process for many. Simply looking at a raw hex
dump, which displays the contents of a digital file
in hexadecimal code, is not enough. Investigators
must know how to manually convert everything
to a readable format through data decoding. They
need to know how each file system stores data and
how to decode it into a readable format. For investigators who are unfamiliar with a particular device,
research and development via reverse engineering
may be necessary to determine where data is stored
on that device’s file system. This process is costly
and time-consuming. Fortunately, training courses
exist that educate investigators on where to look
for data, how to verify data, and how to take raw
binary data and change it into a readable format.
The Importance of Forensic Analysis Training
The mobile device industry is evolving very quickly.
To stay current on the latest devices and the proper
techniques for acquiring and analyzing data, smartphone and mobile device forensic analysis training
courses are becoming more and more necessary.
These courses aren’t limited to law enforcement
either. Courses are available for those who work
in IT and believe corporate information may have
been compromised by an employee or those proactively looking to secure a device.
There are many training courses currently available. For example, most vendors offer vendor-specific courses for their toolkits. While these
courses are valuable, they are limited as attendees only learn how the vendor’s toolkit works.
Vendor-neutral training courses, however, teach
digital forensic examiners, law enforcement officers,
and information security professionals how
to conduct smartphone forensic analysis using the
best tools for the device. Smartphone forensic tool
vendors often support the same devices, but the
underlying capabilities for each drastically differ.
Knowing which tool is currently the best one for
the smartphone in an investigation will aid in the
entire forensic process. Vendor-neutral forensic
analysis training courses provide the necessary
insight to deal with all of these variations.
When considering training courses, advanced
investigators should look for those that offer deep
dive analysis rather than push button forensics,
which is simply pushing a button and getting all the
answers. While push button forensics can get some
of the data, deep dive analysis is necessary to recover
data that a tool misses. These courses will show how
to handle the data that is missed by the tools and
provide detailed instruction on data validation,
which is required in any investigation. Without
knowing how to handle the data, an investigator is left
with data that is nonsensical (i.e., virtually useless). Data must
be understandable for it to add value to an investigation. Deep dive analysis training courses will
provide the necessary insight to leverage all data
that is available on a smartphone.
Too often smartphone devices are overlooked as
investigators focus solely on computer hard drives.
It is important to remember the smartphone might
actually be the key to an entire investigation for
those who know where to look. As the mobile
device market continues to grow and evolve, an investigator’s task of uncovering evidence will be that
much harder. Staying current through education
and hands-on training courses will enable digital
forensic examiners, law enforcement officers, and
information security professionals to handle investigations involving even the most complex smartphones available with the confidence of knowing
no data was left behind.
Heather Mahalik is a senior digital forensics analyst
at Basis Technology and a certified instructor for the
SANS Institute. Heather has worked in digital forensics for over ten years and has performed thousands of
forensic acquisitions and examinations on hard drives,
e-mail and file servers, mobile devices, and portable
media.
Want to learn more? Heather will be presenting
Advanced Smartphone and Mobile Device
Forensics at SANS Security West 2014 in San
Diego, CA May 10-15, 2014. For more information visit www.sans.org/info/151150.