Android Analysis Intermediate • Learning Management System (LMS)
This AccessData Android training course covers the internals of Android devices, the way the OS is designed, and the way the devices store data. We will cover how to capture these devices' data. In the end, like all other Mobile Forensics, Inc., courses, you as the examiner will be armed with the ability to perform forensic analysis both with automated tools and manually (to double-check the results of the tools).

This course uses a multiple-tool approach to mobile phone forensics. We use both free and paid applications and teach the skills needed to find and process data with the aid of specialized software tools. There is no single tool that will process every cellular device in its entirety. Mobile Forensics, Inc., trains you to know where information lies on cell phones and how to extract that information, both with and without tools, so you can obtain the maximum amount of data from mobile devices.

Prerequisites
This course is intended for forensics professionals and law enforcement personnel who must conduct mobile device examinations using multiple tools and a tested forensic process. To obtain the maximum benefit from this class, you should meet the following requirements:
Read and understand the English language.
Attend the AccessData MFI 101 Course or equivalent.
Have previous investigative experience in mobile forensic case work.
Be familiar with Android devices.
Be familiar with working in hex.
Class Materials and Software
You will receive the student training manual and a CD containing the training material, lab exercises and class-related information.
For a complete listing of scheduled courses, visit http://www.accessdata.com/training/calendar-and-syllabi Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Module 1: Class Overview
Topics
Student Introductions
Software Used in This Course:
- Android SDK and Eclipse
- MPE+ and FTK
- SQLite DB Viewer
- Command line
Lab
Set up the Android SDK and Eclipse
Ensure the ADB command is in the PATH
AVD creation
Locate and activate the various locations of USB Debugging

Course Outline

Module 2: Android Overview
Objectives
Review basic principles of the Android device and the Android operating system.
Describe how Android uses NAND to store data.
Describe the Dalvik VM in Android.
Outline the usage and installation of the Android SDK and emulator.
Discuss SD cards and emulated SD cards.

Module 3: Forensic Process
Objectives
Recommended ways to collect an Android device.
Challenges of network isolation with Android.
Gather information about specific Android devices.
Validation and reporting.

Module 4: Android SDK and Eclipse
Objectives
SDK and Eclipse installation and overview
Discuss the Android Debug Bridge
Android Virtual Devices and forensics
Discuss the purpose of USB debugging

Module 5: Android File Systems
Objectives
Outline the various file systems used by Android
Discuss the forensic challenges of YAFFS
Discuss the "other" file systems used by Android
How examiners can utilize Android temp memory
Lab
Determine the file systems used by the AVD
Determine which file systems are mounted by the Android device
List the permissions of /dev and the nodev mount options in Android

Module 6: Android Partitions
Objectives
What partitions can an examiner expect to find on an Android device?
Discuss where Android typically stores files of interest and on which partition they may be located
Discuss files of interest that may be located on an SD card
Discuss what it means to be "root"
Lab
Determine the partitions in use on an Android device
Using shell commands, list the partitions and locate files of interest
Module 7: Android Logical Acquisition
Objectives
Discuss the tools used to extract data from an Android device
Troubleshoot connectivity issues the examiner may encounter
Learn the different "modes" when connecting an Android device
Discuss ADB conflicts
Lab
Hands-on with MPE+
Demonstrate the techniques commercial software uses to extract data from an Android device
Locate and extract the logical file system using the command line

Module 8: Android Physical Acquisition
Objectives
Discuss the tools and techniques used to perform a physical extraction from an Android device
Discuss NAND vs. dd physical extractions
The recovery partition and what it means
Challenges of custom ROMs
Lab
Creating temp locations for examiner tools
Setting up busybox in a temp location
Netcat utilization
Physical extraction

Module 9: Location of SQLite Files of Interest
Objectives
Discuss where key SQLite files live in the file system
Discuss and locate column "flag" meanings
Discuss tables
Lab
Using various tools, parse SQLite database files
Locate and understand their "links" to other tables

Module 10: SQLite Hex Breakdown
Objectives
Compare and discuss parsed SQLite data with that found in hex
Discuss deleted data
Lab
Manually parse SQLite database files
Locate and examine deleted data in hex
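The Module 10 lab asks for a manual parse of SQLite files and a hex-level look at deleted data. What follows is an added worked example, not course material and not AccessData or Mobile Forensics, Inc., code: it builds a constructed three-row table modeled loosely on an SMS store, deletes one row, then reads the file header, the b-tree page header, the cell pointer array and the freeblock chain straight from the file bytes. The rowids recovered from hex are cross-checked against what SELECT returns, and the deleted message body is carved out of the freeblock SQLite left behind. The table name, rows and file name are invented; `PRAGMA secure_delete=OFF` is set explicitly because a build with secure_delete on would zero the freed cell and nothing would be recoverable.

```python
import os
import sqlite3
import struct
import tempfile

# Constructed sample rows modeled on an SMS table (not case data).
SAMPLE_ROWS = [
    (1, "+15555550100", "running late, start without me", 1),
    (2, "+15555550101", "meet at the warehouse at nine", 0),
    (3, "+15555550102", "ok see you there", 1),
]
DELETED_ID = 2
BTREE_TYPES = {2: "index interior", 5: "table interior", 10: "index leaf", 13: "table leaf"}


def build_sample_db(path):
    """Create the sample table, then delete one row with secure_delete off."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size=4096")     # fixed page size so offsets are predictable
    con.execute("PRAGMA secure_delete=OFF")  # leave freed cell bytes in place (the case under study)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT, read INTEGER)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = ?", (DELETED_ID,))
    con.commit()
    con.close()


def read_varint(data, off):
    """SQLite varint: big-endian, 7 bits per byte; a 9th byte contributes all 8 bits."""
    val = 0
    for i in range(8):
        b = data[off + i]
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:
            return val, off + i + 1
    return (val << 8) | data[off + 8], off + 9


def parse_file_header(data):
    """First 100 bytes of the file; all multi-byte fields are big-endian."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    change_counter, page_count, free_trunk, free_count = struct.unpack(">IIII", data[24:40])
    encoding = struct.unpack(">I", data[56:60])[0]  # 1 = UTF-8, 2 = UTF-16le, 3 = UTF-16be
    return {"page_size": 65536 if page_size == 1 else page_size, "page_count": page_count,
            "change_counter": change_counter, "freelist_trunk": free_trunk,
            "freelist_pages": free_count, "encoding": encoding}


def parse_btree_page(data, page_size, pgno):
    """Page header, live cell offsets, freeblock chain and unallocated gap (page-relative offsets)."""
    base = (pgno - 1) * page_size
    hdr = base + (100 if pgno == 1 else 0)   # page 1 starts with the file header
    ptype = data[hdr]
    if ptype not in BTREE_TYPES:
        return None
    first_free, ncells, content_start = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
    content_start = content_start or 65536
    ptr_array = hdr + (12 if ptype in (2, 5) else 8)   # interior pages also carry a right-child pointer
    cells = [struct.unpack(">H", data[ptr_array + 2 * i:ptr_array + 2 * i + 2])[0] for i in range(ncells)]
    freeblocks, off = [], first_free
    while off:                                          # freeblock header: 2-byte next, 2-byte size
        nxt, size = struct.unpack(">HH", data[base + off:base + off + 4])
        freeblocks.append((off, size))
        off = nxt
    return {"type": BTREE_TYPES[ptype], "cells": cells, "freeblocks": freeblocks,
            "gap": (ptr_array + 2 * ncells - base, content_start)}


def leaf_rowids(data, page_size, pgno, page):
    """Table-leaf cell = varint payload length, varint rowid, record; only the rowid is needed here."""
    base = (pgno - 1) * page_size
    ids = []
    for off in page["cells"]:
        _, p = read_varint(data, base + off)
        ids.append(read_varint(data, p)[0])
    return ids


def carve_slack(data, page_size, pgno, page):
    """Bytes no live cell points at: freeblock bodies (after their 4-byte header) plus the gap."""
    base = (pgno - 1) * page_size
    regions = [data[base + off + 4:base + off + size] for off, size in page["freeblocks"]]
    g0, g1 = page["gap"]
    return regions + [data[base + g0:base + g1]]


def analyze(path, table, needle):
    """Cross-check hex parsing of the table's root page against what the SQL engine returns."""
    data = open(path, "rb").read()
    hdr = parse_file_header(data)
    con = sqlite3.connect(path)
    rootpage = con.execute("SELECT rootpage FROM sqlite_master WHERE name = ?", (table,)).fetchone()[0]
    sql_rowids = [r[0] for r in con.execute(f"SELECT rowid FROM {table} ORDER BY rowid")]
    needle_in_sql = any(needle in str(v).encode() for row in con.execute(f"SELECT * FROM {table}") for v in row)
    con.close()
    page = parse_btree_page(data, hdr["page_size"], rootpage)   # the sample table fits on its root page
    if page is None:
        raise ValueError("root page is not a b-tree page")
    return {"header": hdr, "rootpage": rootpage, "page_type": page["type"],
            "hex_rowids": leaf_rowids(data, hdr["page_size"], rootpage, page),
            "sql_rowids": sql_rowids, "freeblocks": page["freeblocks"],
            "needle_in_slack": any(needle in r for r in carve_slack(data, hdr["page_size"], rootpage, page)),
            "needle_in_sql": needle_in_sql}


def analyze_sample():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")
        build_sample_db(path)
        return analyze(path, "sms", SAMPLE_ROWS[DELETED_ID - 1][2].encode())


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze_sample())
```

On the sample, the hex walk and SELECT agree on rowids 1 and 3, and the body of the deleted row is still readable inside the single freeblock on the table's root page, minus the four bytes SQLite overwrote with the freeblock header. A real device database needs more than this: a table larger than one page must be walked from its rootpage through interior pages, long rows spill into overflow pages, the rollback journal or WAL file can hold older copies of pages, and a build or app that enables secure_delete zeroes the freed cell so the freeblock carve recovers nothing.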