SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
Major updates
FOR585: Smartphone Forensic Analysis In-Depth
FOR585Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Heather Barnhart & Domenica Lee Crognale
Course created by:Heather Barnhart & Domenica Lee Crognale
- GIAC Advanced Smartphone Forensics (GASF)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Essential Skill Level
Course material is for individuals with an understanding of IT or cyber security concepts
- 22 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Smartphones Have Minds of Their Own. Don't Make the Mistake of Reporting System Evidence, AI Created Date, Incorrect Locations, Smartphone Suggestions, or Application Cache as User Activity.
Featured Quote
This should be the course all cell examiners take once they are experienced with basic cell phone extraction and analysis.
Course Overview
This mobile forensics course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. FOR585 is continuously updated to keep up with the latest file formats, malware, smartphone operating systems, third-party applications, acquisition shortfalls, extraction techniques (how to get full file system or physical access) and encryption. It offers the most unique and current instruction to arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you get back to work.
What You’ll Learn
- Apply advanced smartphone forensic tools and techniques
- Understand smartphone file systems and data storage
- Identify data origins to prevent false evidence
- Recover hidden or obfuscated mobile data
- Investigate compromised smartphones and malware
- Overcome encryption and extract protected data
- Use advanced analysis methods in a simulated investigation
Business Takeaways
- Interpret Android and iOS artifacts
- Analyze device usage and connections
- Investigate and mitigate mobile malware
- Use SQLite and Python for data analysis
- Improve skills with forensic tools and resources
Meet Your Authors
- Slide 1 of 2
Heather Barnhart
FellowHeather has 20+ years of experience working with government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her case experience ranges from fraud, crimes against children, counter-terrorism, and homicide investigations.
Read more about Heather Barnhart - Slide 2 of 2
Domenica Lee Crognale
Senior InstructorDomenica has revolutionized mobile device forensics through her 15-year tenure supporting U.S. federal law enforcement and intelligence agencies and leading global training for elite units including the FBI and military special forces.
Read more about Domenica Lee Crognale
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR585: Smartphone Forensic Analysis In-Depth.
Section 1Smartphone Overview, Fundamentals of Analysis, and SQLite Forensics
This section provides an in-depth introduction to smartphone forensics, focusing on the unique file systems of iOS and Android devices and the specialized tools and techniques needed to analyze them. Students will explore smartphone components, acquisition methods, data decoding strategies, and SQLite database analysis through hands-on labs.
Topics covered
- FOR585 VM and Course Resources
- Smartphone Fundamentals and Handling
- Cellebrite and AXIOM Basics
- File Formats and SQLite Overview
- Access to Bonus Materials
Labs
- FOR585 VM Setup and Lab Integration
- Hands-on Smartphone Forensic Tools Demo
- Android and iOS Extraction with Key Tools
- SQLite Forensics: Basic and Advanced Queries
- Bonus Lab: SQLite .wal File Analysis
Section 2Android Forensics
This section focuses on advanced Android forensics, emphasizing file system structures, encryption, and data recovery from Full File System acquisitions. Students will learn to manually decode data, parse third-party applications, recover deleted artifacts, and use tools like ADB when commercial solutions fall short.
Topics covered
- Android Overview and Acquisition Tips
- Device Info and Native Applications
- Location Artifacts and Native Logs
- Fitness and Health App Analysis
- Access to Bonus Materials
Labs
- Decode and Extract Information from a Full File System
- Parse Third-Party Applications
- Decode and Interpret Device Location Data
- Large Extractions from Android Devices
- Identify Device Syncing and Cloud Activity
Section 3iOS Device Forensics
Apple iOS devices contain substantial amounts of data that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed to extract information from iOS devices and correctly interpret the data. This course section will cover extraction techniques using jailbreaks and exploits to obtain a Full File System acquisition.
Topics covered
- iOS Overview and Device Acquisition Considerations
- Basic Device Information
- Native Applications and Logs
- Location Artifacts
- Advanced Analysis
Labs
- Decode and Extract from iOS File System
- Extract information from Full File System Extraction
- Analyze and Timeline a Full File System Extraction
- Parse Third-Party Applications and Recover User Activities
- Place the User Behind the Artifact
Section 4Backups and Cloud Data, Malware and Spyware Forensics, and Detecting Evidence Destruction
This section explores forensic analysis of iOS and Android backups, cloud data extractions, and smartphone malware. Students will learn to extract, decrypt, and manually decode backup files, identify malware, and recover data from devices with deleted or hidden content. Hands-on labs focus on advanced techniques for uncovering tampered or compromised data.
Topics covered
- Backup and Cloud Considerations
- Google, iCloud, and Apple Backups
- Locked iOS Backup Files
- Malware and Spyware Forensics
- Detecting Evidence Destruction
Labs
- Decoding and Analysis of iOS 17 Encrypted Backup File
- Database Analysis on iOS Images
- Malware Detection Analysis
- Analysis of .apk Malware File
- Analysis of Damaged or Destroyed Device
Section 5Third-Party Application Analysis
Section five focuses on advanced forensic analysis of third-party applications, secure messaging platforms, and mobile browsers across iOS and Android devices. Recover deleted or hidden data missed by commercial tools using SQL queries and custom Python scripts. Learn to decode app artifacts, parse browser activity, and script forensic solutions.
Topics covered
- Third-Party Application Overview
- Geolocation and File Sharing Artifacts
- MDM and MAM
- Payment Apps, Mobile Wallets, and Messaging Applications
- Mobile Browsers, AI Applications, and Related Artifacts
Labs
- Decode Communications in Third-Party Application Files
- Analyze Third-Party Browser Activity Look for Evidence of Deletion Outside of SQLite Free Pages
- Script Query or Create Python Script to Parse Database
Section 6Smartphone Forensic Capstone Exercise
This final course day will test all that you have learned during the course. Working in small groups, students will independently analyze three smartphones and solve a cold case scenario relating to a real-world smartphone forensic investigation. You’ll decode data, form an investigation hypothesis, develop a report, and present findings.
Topics covered
- Identification and Scoping
- Forensic Examination
- Forensic Reconstruction
- Bonus Materials
Labs
- Replicate a Real-World Smartphone Forensic Investigation
- Take-Home Case Involving Different a Scenario
Things You Need To Know
Relevant Job Roles
Malware Analyst
Digital Forensics and Incident ResponseMalware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathDigital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigation (OPM 221)
NICE: InvestigationResponsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Heather BarnhartDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Domenica Crognale & Josh HickmanDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Domenica CrognaleDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Domenica CrognaleDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Domenica CrognaleDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
London, GB & Virtual (live)
Instructed by Mattia EpifaniDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Coral Gables, FL, US & Virtual (live)
Instructed by Domenica CrognaleDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Dubai, AE & Virtual (live)
Instructed by Mattia EpifaniDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes
Showing 8 of 13
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4As someone with ZERO experience/background in this subject matter, being able to go back and rewatch the videos is priceless. It's probably the best feature I have ever seen in a class.
- Slide 2 of 4This course makes me want to re-work every cell phone case I've ever done.
- Slide 3 of 4FOR585 course content provides extremely relevant material, guiding examiners to crucial artifacts for investigations and validation. It outlines key details for every forensic challenge.
- Slide 4 of 4FOR585 has been, by far, the best virtual course AND the best mobile forensics course I've ever taken.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources