Oxygen Forensic Expert Certification

Course Description

Students will obtain a start to finish education on the use of Oxygen Forensic® Detective. The course adds to the Basic and Expert course by introducing advanced methods of Smart Device collections and data analysis. Students will examine collect and analyze data from iOS, Android, and Windows Phone smart devices. Students will work to obtain physical images, understand file system formats, storage methods and evidence locations. Students receive training and instruction on Cloud Storage and extraction techniques using Oxygen Forensic® Detective. SQLite database data is extremely important to today’s smart device examinations. Not only will students receive training on the SQLite database format and creating SQL queries, but Property Lists, recovering deleted data, write-ahead-logs, shared-memory-files and interpreting database artifacts using the SQLite Viewer and secondary tools are covered.

Course Objectives
  • Gain extensive knowledge on today’s smart devices including iOS, Android and Windows Phone.
  • Understand file system formats and data types found within major smart device operating systems.
  • Provide information to students to assist in locating, processing and recovering artifacts from the smart device file system.
  • Gain required knowledge to create advanced SQL queries to recover data from unsupported app and cache files within the smart device file system.
  • Students will gain valuable knowledge during the training that will assist in passing a certification examination
Required Student Resources

Students will receive a manual during class that will contain the class content and worksheets. Some class locations will require the student to supply their own laptop for the training.


Course Outline Day 1
Topic Covering
History and Quick Introduction CDMA/GSM
Legality
Isolation Techniques
Device Security
Different ways to connect to a mobile device Cable
Bluetooth
JTAG
Troubleshooting Drivers
Connections
ADB
Passwords iOS
AndroidBlackberry
Logical/Physical collections of Smart Devices Differences
Data Representation of both
Collecting Mobile Device Data Smart Device Collection
Basic data analysis
Backup and Import of Mobile Device Images iTunes
Android
JTAG
Other Forensic Solutions
Basic Reporting Create basic report of Smart Device Collection
Course Outline Day 2
Topic Covering
Multi-device collections iOS
Android
Cases Creating Cases, Removing Cases, Archiving Cases
Live device
Imported Images
App Data Analysis of valuable data
Key Evidence Bookmarking
Aggregated Data and Groups Contacts
Merge/Un-Merge
Analytics Social Analysis
Link Analysis
Timelines
Searching Text
Regular ExpressionsNumbers
Advanced Reporting HTML
PDFAssociated Images
Key Evidence
Course Outline Day 3
Topic Covering
Obtaining File System Data iOS
Android
Windows Phone
Types of File Systems iOS
Android
Windows Phone
Recovering Artifacts from the smart device Evidence areas
File Types
Recovery Methods
Cloud Extractions Using Cloud Extractor
Property List Data Storage
Types of Data
PLIST Breakdown
SQLite Databases Data Storage
Types of Data
SQLite Breakdown
FreePages
SQL Queries
Creating/Running

Evaluation Procedures and Grading Criteria

Students are evaluated on class participation and the final project. Passing of class will earn Attendance Certificate and access to online certification examination.

Attendance Statement

Students cannot miss more than 1 hour of class to receive a certificate of attendance. Students completing the course will be eligible to take the Oxygen Forensic® User Certification exam free of charge within 30 days of completing the course.


Course Offerings