Mobile Device Basics for Investigators
This class will introduce law enforcement officers and investigators to fundamental principles for addressing mobile devices with a focus on those running iOS or Android. It will also provide an overview of Cellebrite's general tools for extraction and review of data stored within those devices.
This class is designed for students who have LITTLE to NO experience handling mobile devices as evidence. The objective is to teach students forensically sound methods of dealing with mobile devices, how to resolve basic technical challenges, and how to create an effective digital report of the material pertinent to their particular investigation for prosecution.
The class will use a lecture and hands-on format demonstrating:
- Best practices for seizure of devices
- Use of Cellebrite UFED 4PC or UFED Touch (if students have them) to extract data from a device
- Use of Cellebrite Physical Analyzer to parse and review the data
- Creation of a digital report containing the data relevant to the investigation
Upon completion of this class, investigators should be able to conduct their own basic mobile device examinations using the SVRCFL Cellular Phone Kiosk (a free resource) or any department-owned Cellebrite systems (if available).
PLEASE NOTE: If your department has any of the following items, we will ask you to let us know when you sign up and to bring them with you for the class:
- UFED Touch (and associated cables, etc.)
- UFED 4PC dongle
- UFED Physical Analyzer dongle
If you bring a department UFED Touch, we will provide instruction during the class that allows you to use it so you are familiar with your own system when you return to your department. We will provide the computers that run 4PC and Physical Analyzer.
CAIR (Case Agent Investigative Review) 1-Day
CAIR is one of the tools that the Silicon Valley RCFL uses in computer forensic examinations. We believe that the case investigator is the most knowledgeable person to conduct an analysis of digital media to determine its relevance to an investigation. For example, who better to determine that a particular e-mail between two individuals is relevant?
This course provides students with the knowledge and skills necessary to effectively use CAIR to conduct a comprehensive review of digital media that has been submitted to and processed by the SVRCFL. This includes techniques to locate and examine e-mail messages, deleted files, documents, graphic files, as well as searching for key words and phrases.
Oxygen Forensics Training
Students will receive an introduction to Oxygen Forensic Detective and its many advanced features. Students will examine and analyze data from iOS and Android smart devices during the one-day event. In addition, students receive training and instruction on cloud storage, extraction techniques using Oxygen Forensic Detective, application analysis, and the built-in analytics. For additional information see the following course description and its second page.
Cellebrite Certified Mobile Examiners Course (5 days)
The Cellebrite Certified Mobile Examiners Course is designed for the intermediate or advanced investigator / digital forensic examiner. This five-day, 35-hour class combines the curriculum from the Cellebrite Certified Operator (CCO) and the Cellebrite Certified Physical Analyst (CCPA) courses, providing the participant with an intensive exposure to Cellebrite UFED, the Physical Analyzer software, and the core competencies associated with examining mobile devices using Cellebrite’s tools and methods. During the course, optional written exams and practical skill challenges are administered, and students may earn the Cellebrite Certified Operator (CCO) and the Cellebrite Certified Physical Analyst (CCPA). The cost for this course is $3,850 per student. Visit Cellebrite's Learning Center for more information regarding their various certifications. The two certifications listed above are described on two separate Learning Center pages; this page describes the Cellebrite Certified Operator (CCO) and this page describes the Cellebrite Physical Analyst (CCPA).
Image Scan Training
The Federal Bureau of Investigation’s (FBI) Computer Analysis Response Team (CART) developed the Image Scan system to help investigators locate the presence of picture files that may contain contraband on a computer. This system allows the investigator to view a variety of graphic formats during a consensual search, and protects valuable digital evidence by booting up a computer using the Linux operating system. After mounting the hard drive in a “read only” manner, Image Scan prompts the investigator to search for picture files only. During this process, the tool logs every step taken by the investigator, further documenting what occurred during the search process.
Law enforcement personnel who conduct on-site investigations for child pornography are encouraged to take the Image Scan training.
Seizing and Handling of Digital Evidence
Investigators learn how to collect and preserve digital evidence, and to integrate digital evidence into a case. Additionally, investigators are exposed to the advanced tools and techniques used by the RCFL, so they can better understand what to expect from a forensics examination. This course requires no prerequisites, but attendees should have a working knowledge of computers.
Investigators learn how to use osTriage, the live response and triage tool. The tool provides more information to investigators in a few minutes than most full forensic reports include after months of waiting. osTriage can find images, videos, passwords, encrypted files, virtual machines, archives, and P2P files fast! osTriage can also capture memory, which is becoming more and more critical.
Linux Boot CD
This course is designed for forensic professionals who will use the FBI-developed Live CD for imaging anything from thumb drives to RAID servers. Topics cover basic usage of the Linux Boot CD, imaging multiple devices simultaneously, and outputting to multiple devices simultaneously. Advanced topics include network acquisition, drive recovery, LVM and RAID.