Handheld Forensic Course - Level 1

Attending examiners will be taught the structure of the data associated with each type of PDA, cellular, and hybrid device. The examiners will then continue by practically applying the acquisition process for these various devices using multiple forensic tools. After acquisition has been completed, the students will exercise their analysis skills through the use of these tools both with live acquisitions as well as sample cases.

The course runs from 9:00 AM to 5:00 PM for four days. Practical examinations throughout class and a written examination on techniques at the end of this four day course go towards Paraben's PCME certification.

Handheld Forensics PDA's, Cell, Hybrid Devices

Each day of training is designed to allow the student to understand the theory behind each concept and then practically apply that knowledge.

COURSE DETAILS

Day 1

1. Introductions
   • Instructor
   • Students
   • Facility Information
2. Certifications
   • Requirements for class level
   • PCME Information
3. Other training classes offered
4. Objectives
   • Understand Fundamentals
   • Forensic Procedures
   • Practical Application
5. Device definitions
   • Which devices are considered PDA's? Cellular? Hybrids?
6. Faraday technology
   • Various Faraday solutions
7. Faraday practical
   • Practical application of Faraday technology
8. Cellular and Mobile Networks
   • Cellular layout
   • Cellular network description
   • Frequencies
   • Cellular "hand offs"
9. Network Generations
   • 1G / 2G / 2.5G / 3G / 4G
10. 10. Cellular Subsets
    • TDMA
    • CDMA
    • GSM
11. Phone identification numbers
    • MIN
    • ESN
    • IMEI
    • IMSI
    • How to decode these numbers
12. Practical
    • Practical exercise to determine cellular subsets
13. Wireless Data
    • GPRS
    • EDGE
    • EVDO
    • WiDEN
14. Legal considerations regarding mobile devices
    • Title III
    • ECPA
    • Wiretapping
    • Lawful seizure
15. First Responders
    • Guidelines
    • First responder cards
    • First responder training (Go Through Free Training Students Receive)
16. Forensic rules for cell phones
    • Seizure
    • Analysis
17. Cell phone accessories
    • Current accessories
    • Next generation accessories
18. Device Seizure
    • Overview
    • Acquisition Procedure
    • Drivers & Com Ports
    • Seizure
    • Acquisition
    • Logs
19. Practical
    • Cell phone practical
    • Instructor led practical acquisition
    • Hands on student acquisition of multiple phones
20. Cell phone file systems
    • TDMA
    • CDMA
    • GSM
    • iDEN
21. Cell phone data storage
    • Physical examination
    • Logical examination
22. Sources of cellular evidence
    • Provider data
    • Handset data
    • SIM data
23. SMS / MMS technology
    • How messages are sent
    • Changes in messaging technology
    • Recovering deleted messages
24. Recoverable phone data
    • PIM
    • Calendar
    • Audio
    • Video
    • Graphics

Day 2
SIM card evidence

1. 1. Data storage
   • File system
   • Authentication
   • Encryption
   • SIM / PUK
2. Practical
   • SIM Practicals Cell phone practicals
   • Analysis of multiple cell phone acquisitions
   • SIM card practical analysis
3. Locating cellular phones
   • Live tracking
   • Historical locating
   • Cell site analysis
   • Call Detail Records
4. Processing cellular accessories
   • External media
   • Bluetooth
   • IrDa
5. Report generation
   • Device Seizure report generation
6. Bitpim
   • Devices Supported
   • Proper use of the tool
   • Forensic issues associated with the tool
   • Presentation of the Evidence
7. Oxygen
   • Devices Supported
   • Proper use of the tool
   • Forensic issues associated with the tool
   • Presentation of the Evidence
8. MOBILedit
   • Devices Supported
   • Proper use of the tool
   • Forensic issues associated with the tool
   • Presentation of the Evidence
9. Data Pilot
   • Devices Supported
   • Proper use of the tool
   • Forensic issues associated with the tool
   • Presentation of the Evidence
10. Internet Paraben's Handheld Database
    • Testing data / How to access
    • How to test your tools (Paper)
11. Practical
    • BitPim
    • MOBILedit
    • Process through phones and use compare function in Device Seizure

Day 3
PDA's

1. PDA device basic structure
   • Manufacturers of PDA's
   • Major features of PDA's
   • Physical Device Structure
2. Operating Systems
   • Palm
   • Pocket PC
   • RIM
   • Embedded Linux
   • Symbian
3. Memory Storage
   • ROM
   • RAM
4. Desktop software
   • Palm
   • Windows CE
5. Forensic Rules (for PDA's)
   • Palm
   • Windows CE
   • Basic rules for PDA's
6. Practical
   • Practical Acquisition of PDA devices
7. Operating System Specifics
   • Palm OS
   • Memory blocks
   • Data Structure
   • Database Structure
8. Practical skills application
   • Practical involving PDA data
9. Windows CE
   • Devices
   • Evolution
   • Operating System
   • Structure
10. Memory and Data Structure
    • RAM
    • ROM
    • Program Memory
    • Storage Memory
    • Registry
    • File system types
11. Databases
    • Property Databases
    • Heap Structure
12. Practical
    • Analysis of Windows CE device
13. Quick Examination Techniques
    • Palm
    • Windows CE
    • RIM Blackberry
14. Practical acquisitions
    • Palm PDA's
    • Windows CE PDA's

Day 4
Hybrids

1. RIM Blackberry Devices
   o Features o Device and connection variations
2. RIM Blackberry Specifics
   • Connection
   • Applications
   • Synchronization
   • Data backups
   • Email
   • Data storage
   • Security techniques
3. Forensic rule for hybrid devices
   • Communications
   • Power
   • Cables
4. Blackberry Practicals
   • Practical acquisitions of hybrid devices
5. Review
   • Review of relevant material
   • Skills test
6. Certification Test Level 1