This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to leverage Magnet AXIOM and Magnet ACQUIRE to improve their mobile device investigations.
Magnet AXIOM Advanced Mobile Forensics (AX300) details the use of Magnet AXIOM’s imaging abilities, using the standard mobile device imaging methodologies as well as advanced imaging techniques like TWRP and recovery image flashing when things don’t go as expected or when you encounter locked devices.
For those occasions when even those approaches won’t work, this class also introduces the concepts of ISP, JTAG, and chip-off methodologies to gain access to the data on mobile devices. After obtaining access to the data, participants will leverage Magnet AXIOM Examine to explore the contents and leverage AXIOM’s hallmark ability to reveal a wealth of important investigative artifacts.
These modules of instruction will build the participants abilities to investigate mobile devices from: image acquisition, utilizing backups found on computer media, understanding mobile device operating systems, Plists and SQL lite databases, to locating and parsing apps that are unsupported by forensic applications through developing custom artifacts.
Because AX300 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the mobile part of investigations in AX300. Click here to find out more about AX200
OBJECTIVES OF Magnet AXIOM Advanced Mobile Forensics
- Learning advanced acquisition procedures and techniques (discussion on JTag, chip off, and ISP)
- Configuring AXIOM Process and Acquire for the acquisition and processing of mobile devices, including the Single Stage Evidence Processing capabilities of AXIOM
- Understanding of iOS by walk throughs dealing with advanced mobile acquisitions, jailbreaking and physical images, the iTunes Backup Service, Apple File Conduit, and iOS backup Encryption
- Gaining access to encrypted backups and the iOS keychain with Passware
- Obtaining the image by any means necessary using advanced mobile device acquisition techniques including Chip Off, JTAG, and ISP
- Analyzing the difference between Full Disk Encryption (FDE) and File-Based Encryption (FBE) and what that means to the examiner
- Utilizing ADB command in the command line to determine encryption employed
- Utilizing direct imaging via recovery mode as well as TWRP to obtain the images
- Understanding root exploits and gaining access via exploits
- Leveraging AXIOM’s application downgrading to obtain images including databases of apps that don't allow database backups
- Locating iTunes Backups & Pairing Records, and exploring backups, plist & org files as well as converting sha1 values
- Locating Core iOS Data for analysis and validation and understanding the anatomy of an application
- Understanding the File System layout, domains and organizational files
- Understanding what to do when unsupported apps are discovered and making sense of the raw data to create custom artifacts
- Exploring SQL databases
- Exploring Android handset locks
- Leveraging XML and Python in your Magnet AXIOM investigations to recover even more data
Training Class Schedule
|Classroom Instructor–Led||Anaheim, CA||November 27-30|
|Classroom Instructor–Led||Herndon, VA||Jan 29 – Feb 1|
|Virtual Instructor-Led||Online||Feb 5-8|
|Classroom Instructor-Led||Anaheim, CA||Mar 19-22|
|Classroom Instructor-Led||Herndon, VA||April 15-18|
|Virtual Instructor-Led||Online||April 23-26|
|Classroom Instructor-Led||Herndon, VA||May 14-17|
|Classroom Instructor-Led||Princes Risborough, UK||June 4-7|
|Virtual Instructor-Led||Online||June 11-14|
|Classroom Instructor-Led||Herndon, VA||June 18-21|
|Classroom Instructor-Led||Anaheim, CA||June 25-28|
MAGNET AXIOM ADVANCED MOBILE (AX300) MODULES
Module 1: Advanced Acquisition Procedures and Techniques Using Magnet AXIOM and ACQUIRE
Participants will be introduced to the instructor and other students as well as be presented an outline of the full class materials for the week. Advanced acquisition procedures and techniques such as Chip-Off, JTAG, and ISP will be discussed so that attendees can understand advanced level extractions and how the they are changing for new examinations. The module will conclude with students installing Magnet AXIOM, associated recovery images, Magnet ACQUIRE, and will cover other open-source tools and files that are needed for the course completion.
Module 2: Acquiring iOS Devices
This module focuses primarily on the iOS operating system and how to acquire Apple devices running iOS. Information about the software will be outlined, along with discussions on security levels and the procedures of these devices — including handset locks, TouchID, and pairing records. Learn how to appropriately identify specific iOS devices and versions as well as standard imaging procedures of iOS devices, including iTunes Backups and Apple File Conduit extractions. Advanced acquisitions involving jailbroken devices will also be discussed, and iOS backup encryption will be defined and explained throughout the recent changes to the iOS file system. This module will conclude with an instructor-led demonstration of extracting information using Magnet ACQUIRE and AXIOM from an iOS device as well as a hands-on exercise using our partner software, Passware to brute-force an encrypted iOS backup.
Module 3: Acquiring Android Devices
This module focuses primarily on the Android operating system and will cover the different levels and ways to extract information from these devices. Because the OS is incredibly fragmented, multiple levels of extraction and explanations will be given that will teach students how to effectively identify the right acquisition procedure for each device. Students will be taught how to properly research multiple factors during an acquisition to see what level of extraction can be applied. New security policies such as Full Disk vs. File-Based Encryption will be discussed and identified, and advanced acquisition techniques — involving passcode bypassing, recovery partition flashing, using custom recovery images, and application downgrading — will be discussed and demonstrated in instructor-led practical exercises.
Module 4: Acquiring via MTP
The Media Transfer Protocol (MTP) is a transfer method that can be used to extract information from some iOS and Android devices (as well as other devices such as digital cameras). This module will discuss what the protocol is, how it is used, and what information can be gathered using this procedure.
Module 5: iOS File System Analysis
Learn how to identify, examine, and report on data from the iOS operating system that is both natively processed and not supported by forensic tools such as Magnet AXIOM. This module will instruct students on how to properly understand data that is extracted from iOS devices, identify the original structure from the backup, and process information from these backups in a "friendly" file system view. Students will gain knowledge on the two main data containers such as SQLite databases and property list files as well as how to examine these files for data using built-in viewers in Magnet AXIOM Examine. This module will also cover core artifacts such as SMS/iMessages, Call Logs, and Contacts, teaching students how these containers are structured for manual examination and analysis. Other artifacts such as Safari web history data, property list configuration data, and more will also be covered that are outside the "standard" supported tools. Students will also learn the anatomy of third-party iOS applications as well as how to identify and extract information from these apps when the tool does not automatically recover it.
Module 6: Android File System Analysis
Like the previous module, this module will teach students how to properly identify, examine, and extract information from the Android operating system. This will include core artifacts such as SMS/RCS/MMS messages, Contacts, Call Logs, Account data and more; as well as focusing on other potentially relevant artifacts that are not automatically gathered by most forensic tools. Students will learn and understand the structure of third party applications in both full and quick image levels, as well as learn how to extract unsupported artifacts from the commonly used container files in Android.
Module 7: Custom Artifacts
This final module builds on information taught over the four-day period by teaching attendees how to use AXIOM features such as Dynamic App Finder and custom artifacts to build data that has been manually recovered into fully-functioning supported Artifacts. By learning to create these custom artifacts, students will gain the ability to share this data with other examiners in the community and increase their working efficiency by being able to automatically recover data after the initial building phase. Students will be taught how to create XML-based artifacts to recover data from SQLite databases as well as advanced file carvers. The custom artifacts built in class will go back with the students and can be used to easily identify new unsupported data in future examinations.