Background of the course (introduction to the purpose behind the course, i.e., tracking, DFIR, pentesting, site security) and computer setup for examination
BlackLight, Oxygen Forensics, AXIOM, Physical Analyzer, and Python
Review of the forensic tools, how to export data, how to report information, how to analyze
First look at smart phone and computer databases
Performing sqlite queries to pull the information
Exporting the data to a usable format
Previous day and written quiz.
Smart phone app types, what type of data they hold and how it can be useful, with specific focus on which apps hold what information, such as timelines, searches, geolocation data, etc.
Exercise in reporting timeline and geo data to a useful format, instructor led.
Wireless in general and Cell/GSM/CDMA/LTE/WiFi/Bluetooth in particular.
of wireless signals, transmission power, antenna types, range, etc.
Addressing, vendors, trends, random MACs, BSSIDs, patterns of MAC addresses in WiFi and Bluetooth
Previous day and written quiz.
Scanning, probe requests, handshaking, disconnection, broadcast vs. non-broadcasting, etc. (basically, things to look for and what they mean)
Correlation of wireless items with real-world things, small intro to online
Types of WiFi devices and their implications and behaviours (APs, clients, game systems, smart watches, laptops, phones, tablets, IoT devices, etc.): how they act, where you will see them, and what it all means. How our suspect's device may interact with those devices and what types of traces this leaves.
How we can use those devices to geolocate other devices, build a profile of our suspect, and use that information to further an investigation.
Exercise in building a comprehensive timeline in Google Earth of device activity, locations, etc., around the time of the commission of a crime.
WiFi and BT collection/scanning tools and what they are good for: Kismet, Wigle, Acrylic, Cain, blue_hydra, RamBLE
Previous day and written quiz.
and geocoding basics.
from digital forensic tools, such as Cellebrite, Axiom, and Oxygen. Limitations and strengths. How to augment the information they already have with more data and analysis. (Some prepared Python scripts will be used here to find evidence)
that can be used, tools for plotting and tracking
Other sites to find historical locations of devices
Intel (OSINT) Augmentation of forensic data
Theory of enriching forensic data with openly-available information on the net
Exercise in finding, correlating, plotting, and reporting on different types of data using web and other open-source tools
Profile of a suspect based on the data found on the device and augmentation with OSINT techniques
Previous four days and written quiz.
Pulling it all together: review of integrating device activity, wireless activity, positional data, OSINT sources, and all other previously-shown techniques to produce a coherent report
AND PRACTICAL SHOULD TAKE 3+ HOURS)
Final Written Test: combination knowledge-based and Internet-search based
Final Practical: given a phone dump and a defined objective, time of crime, etc., produce:
Comprehensive profile of the suspect, personal info, where they live, etc.
Analysis of background patterns and behaviors, such as locations and activities
Complete yet concise timeline of relevant suspect activities around the time of
Maps and details of WHERE, WHAT, and WHEN the suspect did things
their own accounts