Select Page

Essential Smartphone Forensics

Our new 5-day Essential Smartphone Forensics training is designed for Digital Forensic Investigators who have had some introduction to mobile forensics and would like to delve deeper OR anyone who’s encountered a situation where the tools they use are not getting them the data they need.

This class is designed to provide an in-depth practical understanding of mobile device capabilities and components, as well as their file system and native application artifacts. Students will learn some simple repair techniques and utilize open-source tools to extract data from smartphones via hands-on exercises. Students will also learn techniques and strategies for using open-source tools to supplement and corroborate the results obtained with their mobile forensics tool(s) of choice.

From evidence handling to testimony preparation, this class aims to give examiners the knowledge and skills they need to perform detailed forensic analyses and testify with confidence to their results.

Course Details


Course Code: AT-ESSMART

Duration: 5 Days

Laptop Required: Yes

This class is open to all forensic professionals.

Course Outline

[tabby title=”Day 1″]

  • Device Types and Capabilities
  • Evidence Handling Considerations
  • Signal Blocking
  • Device Components
  • Tear-down hands-on exercises
  • Non-solder repairs
    • Screen replacement
    • Cable-connected components (buttons, etc)

[tabby title=”Day 2″]

  • OS Overview
    • Android
    • iOS
  • Extraction Types (review)
    • Logical
    • File System/Backup
    • Physical
  • Hardware/Firmware Basics
    • How to ID CPU, memory chip, etc.
    • How to ID firmware/OS version info
  • Extraction Considerations
    • Hardware/Firmware issues
    • OS-specific features
  • Advanced Android extractions
    • ADB/Command-line
    • ODIN/Custom Recovery
    • EDL

[tabby title=”Day 3″]
Artifacts and OS Structures – what is stored on the device and how can it be recovered?

  • Android
    • Stock app data
    • 3rd-party app data
    • Cloud considerations
  • iOS
    • Stock app data
    • 3rd-party app data
    • Cloud considerations

Intro to SQLite

Hands-on exercises with test device data

  • Android
  • iOS
  • Cloud data

[tabby title=”Day 4″]
Advanced Analysis (practical concepts and exercises)

  • SQLite
  • Python
  • Hash sets
  • App emulators
  • Mobile device malware
    • Resources
    • Analysis strategies

[tabby title=”Day 5″]

  • Data verification
  • Overview
  • Methods
  • Resources
  • Practical exercise
    • Preparation/Presentation of results
    • Trial prep considerations
    • Moot court practice



In this course you’ll learn about:

  • Device Hardware/Firmware/Software
  • Extraction Types
  • Simple Repairs (screen replacements, cable-connected components)
  • Android and iOS Structures and Artifacts
  • Forensic Tools and Open-Source Tools
  • Application and Malware Analysis, Including App Emulation
  • Using Python and SQLite with Forensic Tools
  • Data Verification Considerations and Methods
  • Courtroom Testimony


Laptop Requirements:

  • Windows 7
  • Windows 8.x and 10.x using these instructions
  • macOS with Bootcamp Windows 7
  • macOS with Bootcamp Windows 8.x and Win 10.x using these instructions
  • macOS alone will not work (No Virtual Machines)
  • 8GB RAM (minimum)
  • 100GB storage (minimum)
  • You must have admin rights or have the admin password for software installation.
  • NOTE: ALL Windows updates should be done prior to class

Mobile Forensics Group