Recovering Evidence, Personal Data, and Corporate Assets
The iPhone and iPad have become some of the world's top mobile devices, and are increasingly being used in business, personal activities, and also crime. These devices store an enormous amount of information useful to corporate security professionals and law enforcement agencies conducting investigations. Enterprises must adequately manage sensitive data which may put their company at risk. Law enforcement agencies and freelance forensic examiners must process these devices for evidence linking its owner to crimes.
Join us as Jonathan Zdziarski, author, forensic scientist and iOS forensics expert, leads your organization's law enforcement or security professionals through the delicate process of recovering and processing evidence stored on these devices. This advanced, one-day course will guide your investigators, hands on, through imaging and electronic discovery of an iPhone, iPhone 3G, iPhone 3G[s], iPhone 4, and iPad 1 devices covering iOS and desktop trace up to and including iOS 5 firmware. Attendees will receive a special law enforcement forensics guide and access to the tools used in the field by thousands of law enforcement agencies world wide. All tools and classroom content will be provided to attendees on a USB stick so students can learn and explore hands-on. This course has undergone numerous transformations to make it continually the #1 forensics course for iOS based devices.
Join us and follow along hands-on to learn:
• What kind of evidence gets stored on iOS devices
• How to prepare an environment for iOS forensics and properly secure devices to prevent remote wipe
• Circumventing passcode protection and encrypted backups to gain access to a passcode protected device's UI
• NEW! Keychain decryption and PIN brute forcing. Learn how to obtain the device's encryption keys and decrypt passwords on the keychain, such as stored account passwords for websites and applications, including those that encrypt photos and other data. You'll also learn how to brute force the device's passcode PIN to obtain access to the device's user interface.
• NEW! Decrypting iTunes 10 encrypted backups using passwords found on the keychain.
• NEW! Raw disk decryption. Learn how to decrypt the device's raw disk, includingfiles normally found encrypted from a file system dump, such as protected email and certain application data. Scrape the HFS+ journal to potentially recover some deleted files.
• NEW! iOS application forensics. Learn how applications are organized on the device and delve into the world of electronic discovery within some of the most popular mobile applications, including Facebook, Twitter, TextNow, and other social networking applications.
• NEW! Consolidated geolocation data. Learn iOS 4's new consolidated.db and how to parse geolocation data harvested by the device. applications, TomTom, and texting applications.
• NEW! SQLite forensics and recovery of deleted database information from free records, and reconstructing timestamp and other critical record data from fragmented data
• NEW! iOS 4 and 5 data, including Spotlight SMS cache, SMS drafts, and other new types of artifacts found in newer versions of iOS.
• Using the free law enforcement tools to image iOS devices
• Interrupting the iPhone 3G "secure wipe" process
• Data recovery of an iOS user disk partition, preserving and recovering the entire raw user disk partition.
• Data recovery of an iOS user data partition decrypted, performing a quick dump of the entire live file system
• Recovering deleted voicemail, images, email, and other personal data using data carving techniques
• Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
• Electronic discovery of Google map lookups, keyboard typing cache, and other data stored on the live file system
• Extracting contact information and other data from the device's database
• Collecting desktop trace and establishing trusted relationships to owners' desktops
• Different recovery strategies based on case needs, and courtroom guidance
Using the tools and know-how provided in this workshop, you'll work hands-on to recover stored and deleted information from a device including:
• Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication.
• Screenshots preserved from the last state of an application, taken whenever the home button is pressed or an application is exited.
• Deleted images from the suspect's photo library, camera roll, and browsing cache.
• Deleted address book entries, contacts, calendar events, and other personal data.
• Exhaustive call history, beyond that displayed.
• Map tile images from the Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix.
• Browser cache and deleted browser objects, which identify the web sites a user has visited.
• Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps.
• Deleted voicemail recordings stored on the device.
• Pairing records establishing trusted relationships between the device and one or more desktop computers.
• Much more!
In addition, Jonathan will walk you through many common corporate and crime scene scenarios and describe the kind of data that will prove most useful in your investigation. A Q/A session will conclude the conference as time permits. Classroom assistants will be available to help during all classes.
This is a Mac-only course, however some Linux will be demonstrated. Be sure to bring a Mac or Linux (Linux supported for iOS 4) notebook and an iPhone or iPad if you would like to learn hands-on. Do not bring live evidence or any data that cannot be at risk from classroom mistakes. To keep everything on track, the following classroom specifications will be used:
• Mac OS X Lion (v10.7.x) on an Intel-based Mac running iTunes 10.0 - 10.5
• [Optional] An iPhone, iPhone 3G, iPhone 3G[s], iPhone 4, or iPad1 running firmware up to 5.0
Don't miss the opportunity to have your personnel trained by the leading expert in iOS forensic examination. Contact us for pricing and booking information today, as dates are limited.
Important Billing Information
If you do not have a PayPal account or would like to have your credit card billed directly, please contact us directly at firstname.lastname@example.org.
Due to the expenses involved in organizing this workshop, cancellations within 14 days of the event date are non-refundable. We will work with you, however, to place you in a different workshop that may better fit your schedule.
When & Where
Jonathan Zdziarski is considered, worldwide, to be among the foremost experts in iOS related digital forensics and security. As an iOS security expert in the field (sometimes known as the hacker "NerveGas"), Jonathan's research into the iPhone has pioneered many modern forensic methodologies used today, and has been validated by the United States' National Institute of Justice. Jonathan has extensive experience as a forensic scientist and security researcher specializing in reverse engineering, research and development, and penetration testing, and has performed a number of red-team penetration tests for financial and government sector clients. Jonathan frequently consults with law enforcement agencies on high profile cases and assists federal, state and local agencies in their forensic investigations, and has trained many federal, state and local agencies internationally. Also an author for O'Reilly Media, Jonathan has written several books related to the iPhone including iPhone Forensics, iPhone SDK Application Development, iPhone Open Application Development, and his latest book, Hacking and Securing iOS Applications.