Another airblog for you. This time coming from 40,000 feet!
Finally a new MFI on-site course! We ran this course in some private venues to seen how it went. To be honest we sorta feel like a band doing a little testing of the soon to be release album at the Roxy but hey Sterling VA is close right?
The outcome and comments of the curriculum have been outstanding so we are taking the course on the road starting October 19th in a new location for Mobile Forensics Inc, San Francisco California. The course will run for three full days.
If you have not heard about the course and want a little info on the content and difficulty level read on..
We of course have two other live courses, the MFI 101 and 202. The MFI 101 is our three day intro into automated tools course and our 202 is an advanced course dealing with topics to include: flash interpreting, carving,communication techniques, artifact hunting and interpretation to name a few.
The NEW MFI 303 course is sorta between the two in difficulty with the addition of two new flashers and interpretation of data across the port (which are the most difficult concepts) as well as using FTK to carve data not recovered by most logical cellphone software tools. This can include but is not limited to: Internet, MMS, and file metadata.
Our big sellers and most commented on in the test classes are the instruction in obtaining a full Disk Image from the Apple iPhone, parsing it for user data, then analyzing it in FTK and instruction on the Cellebrite Physical Analyzer software. Here is a little more detail on both.
APPLE DEVICE DISK IMAGES
During the course we will be utilizing both FTS iXAM as well as the soon to be released AccessData MPE+ to create a full disk image (DMG) of the Apple device or if you want just a disk image of the user partition.
What if the phone has a user lock (PIN)? Who cares when using these methods since we bypass them!
Continuing on, we then examine this extracted .dmg in FTS iXAMiner and AccessData’s FTK which can natively support .dmg files, mounting the HFSX(+) filesystem. We rip the user data from the image and then carve to our hearts content to look for deleted images, videos, text, email, voice messages and more.
We say bye bye to using the command line or running only in a MAC as was the norm before. Using the afore mentioned method was both unreliable and risky, leaving fragments and sometimes dealing with the possibility of corrupting the disk. Now any and all data, locked or not is at your fingertips with these new tools.
CELLEBRITE PHYSICAL ANALYZER
The Cellebrite Physical Pro is an add-on for the standard UFED that can add extracted data from many cellular phones that most tools cannot recover, physical memories from the phone’s flash. Using the UFED Physical Pro in the MFI 303 is briefly covered as part of the class since it is relatively easy to operate, but using the accompanying software, the UFED Physical Analyzer is covered a ton! We tear into the software and talk about every aspect from the parsed data that the software “recognizes” to doing some serious carving for data it might have missed. Because the UFED PA Software is designed for cellphones many formats like PDU, Unicode, ICCID and Numbers to name but a few are easily located even if it was not originally parsed by the UFED PA Software.
If you have a Physical Pro and Physical Analyzer software it is worth just coming for this day as we really get into some cool features not covered in any course.
Yes that is ALL that is in the class, I say with a smile. All MFI students know I pack about three weeks into a week class so there is no shortage of information in this three day class either.
I am really proud of this new offering from MFI and think the content is relevant, current and most of all really COOL. I really hope you can make it.
I am out for now! Back to the in-flight movie…..