iOS Forensic Analysis MPE+ / FTK / iTunes Backup Browser
Advanced • Learning Management System (LMS)
This basic three-day course provides the knowledge and skills necessary for mobile device examiners to gain an understanding of how iOS devices store data. We will uncover the ways to capture the data from these devices and perform a forensic analysis on the data with automated tools as well as manually, so that examiners can verify the findings of the tools they are using.

This course uses a multi-tool approach to iOS forensics. We use both free and paid applications and teach the skills needed to find and process the data with the aid of specialized software tools. There is no single tool that will process every cellular device in its entirety. AccessData trains you to know where information lies on the iOS device and other locations where data may be located.

During this three-day workshop, participants will review the following:
• History of iOS
• Plists and SQLite
• iTunes including backups and iCloud
• Jailbroken devices
• SMS breakdown
• iMessage
• Call Log Breakdown
• Commercial Software Acquisitions
• Verifying your findings

The class includes multiple hands-on labs that allow students to apply what they have learned in the workshop.
Prerequisites
To obtain the maximum benefit from this class, you should meet the following requirements:
• Read and understand the English language.
• Perform basic operations on a personal computer.
• Have a basic knowledge of mobile device forensic investigations and acquisition procedures.
• Be familiar with the Microsoft Windows environment.

Class Materials and Software
You will receive the student training manual and a CD containing the training material, lab exercises and class-related information.
For a complete listing of scheduled courses, visit http://www.accessdata.com/training/calendar-and-syllabi Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Day One
Objectives
• Discuss the history of iOS
• Review Apple’s iDevices and their generations along with their capabilities
• Discuss “Jail Broken” iOS devices and their significance in mobile device forensics
• Cydia and other third-party stores
• Discuss iTunes and its importance in forensic examinations
• Discuss the different types of iTunes backups
• Challenges of encrypted backups
• Introduction to SQLite and Plists, including the different types of plists and the challenges associated with them
• Parse iTunes backup files with free and commercial tools
• Breaking down and carving for plists in hex

Day Two
Objectives
• Discuss the iOS file system and partition configuration
• Methods and challenges when extracting files from an iOS device
• Discuss Device Firmware Update (DFU) mode
• Demonstrate the use of MPE+ in extracting evidence from an iOS device
• Navigate to and locate key evidence locations within the iOS file system
• Discuss SQLite Schema and the importance of Tables to forensic examiners
• Demonstrate “flag” and other items of interest within the SQLite table structure

Day Three
Objectives
• Discuss the importance of validating automated forensic software
• Dive into the hexadecimal data contained within a SQLite database, which includes SMS, Call History, Contacts, etc.
• Locating the offsets of important data in order to conduct a proper validation
• Recognizing and locating “deleted” data contained within a SQLite database