In 2020, Magnet Forensics organized a Capture the Flag event that ran over several weeks. It was my first close encounter with mobile forensics and a very enjoyable event. I recall one question that really pushed me to explore every solution I could think of.

Cargo Hold – Which exit did the device user pass by that could have been taken for Cargo?

While I never did find the solution on my own, I learned a lot from several others who took the time to share their approach.

From that event, and several others after it, my appreciation for the information a mobile device contains grew immensely. I also developed an admiration for those who diligently keep up with the rapid changes in mobile forensics and for the breadth of their knowledge. I started with several books on mobile forensics, which helped me contribute at work to maturing our process for collecting data from iOS devices and analyzing it. Eventually I was able to justify enrolling in FOR585: Smartphone Forensic Analysis In-Depth in 2023.

FOR585 Expectations

Prior to taking the class, I was comfortable with iOS analysis of an encrypted backup and with reviewing SQLite databases. I had a limited understanding of full file system extractions and no experience with Android acquisitions. Other than in capture-the-flag events, I had not examined an Android device.

Based on the syllabus and advertised topics, I expected to accomplish the following:

  1. Improve understanding of different acquisition techniques of mobile devices, Android devices in particular.
  2. Expand my understanding of where user activity is recorded and of the applicability of each data source.
  3. Understand malware and spyware on mobile devices, as it applies to incident response.
  4. Learn about handling corporate-owned mobile devices and mobile device management.

Summary of Thoughts on FOR585

Generally, I expected to learn enough about smartphone forensics to have a solid foundation: enough to apply a handful of lessons at work and to branch into new areas of interest on my own. Following the class, and after achieving a passing score on the GASF exam, I believe the class met my expectations.

As mentioned previously, I appreciated how Heather Mahalik Barnhart and Domenica Crognale normalized the expectation that no tool will parse “all the things”. The labs curated for the course appropriately reinforced this by modeling manual analysis and the thought process that must be adopted to accomplish it. FOR585 was immensely helpful for understanding the different acquisition techniques and where each applies.

While it was not an expectation, specific examples of enterprise mobile device management configuration and the downstream impact it may have on data extraction would have been helpful to me. Taking the class did give me the confidence to further explore, and write about, a specific solution for extracting data from pair-locked iOS devices.

Onward, I’m motivated to jailbreak a test iOS device and explore how Ian Whiffin's tool, ArtEx, interacts with it live. I’ll get an Android test device eventually; the last Android phone I had was a Motorola Droid 4.

Generic GIAC Test Preparation Tips

As I’ve done previously, here are a handful of tips when preparing for this GIAC exam:

  1. After your first read through the material, review the certification objectives. This helps me categorize the information I just read (and will read again) against those objectives.
  2. Understand the exam format, including the minimum passing score. As of 2024-04-19, the minimum passing score for GASF is 69%. If you just want to pass, this might help alleviate any test anxiety you may have.
  3. Do the labs at least once. I found the bonus labs interesting.
  4. Read through the material again.
  5. Create an index.
  6. Barnhart and Crognale provide a ton of relevant and helpful supplemental material, including cheat sheets. As I practiced the labs and found interesting artifacts, I added notes to those cheat sheets. I also tabbed the cheat sheets.
  7. Practice Exam #1: I enable the option to show answers and explanations only for incorrect submissions. My goal is to seek holes in my knowledge and index. I use a digital version of the index and supplemental material for easy searching if I struggle to find a keyword. I try to take the first practice exam 10-15 days before exam day. Reflect on the feedback report.
  8. I’ll skim through the books again and spot-check whether each topic is covered in the index.
  9. Practice Exam #2: I’ll print out what I believe is a solid index in color, including any supplemental material I created. My goal is to simulate the test environment, so I disable the option to show answers and explanations for any submission. If I find more holes in my index, I’ll write them in. I try to take the second practice exam 2 days before the exam. I don’t do anything exam related the day before the exam.
  10. On the day of, before the exam, I’ll get in a brisk cardio session and go easy on the coffee.

Creating the Index

Completed FOR585 index materials.

This is an illustration of how I typically set up the books and tabs before a GIAC test. It is based on Lesley Carhart’s method, which I used when preparing for my GIAC test for FOR500. I letter each book on the front and in the bottom-right corner, and highlight the edge of the front cover, front and back. During the test, the highlighted edges help me return each book to the pile cover-up and in order. This keeps me organized during the test and avoids excess shuffling.

For previous GIAC tests, I used the corresponding SANS posters by breaking them down into manageable 8.5×11″ pages. However, the cheat sheets provided for FOR585 made that effort unnecessary.

For the tabs, I use the Post-it variety because they’re durable. The four links below are Amazon affiliate links. This means that, at zero cost to you, I may earn an affiliate commission if you click through a link and finalize a purchase:
Bottom tabs
Edge tabs
Top tabs
Staedtler pens for writing on the tabs.

Buying the Extension

I purchased my first SANS extension and it made my life a little easier.

It was a very busy summer in 2023. I signed up for FOR585 in June 2023, just as the impact of the MOVEit vulnerability became known. By the time August rolled around, I had only progressed through half of the material, with two months left. I had one conference behind me and had the fortune to attend another in September. I could absolutely have buckled down to complete and study the material in two months, but I would not have extracted as much value from the course. After extending the class (45 days) for $459 and putting in the time, it worked out.

2 responses to “Smartphone Forensic Analysis In-Depth, Re: SANS FOR585 OnDemand Experience”

  1. […] Derek EiriSmartphone Forensic Analysis In-Depth, Re: SANS FOR585 OnDemand Experience […]


  2. […] everything iOS related was review for me after completing FOR585. However, access to Corellium was an awesome opportunity to get exposure to a platform I likely […]
