Mobile forensics relates to the recovery of digital information from mobile devices during an investigation process. These days, as mobile phones are widely used to store and transmit personal and corporate information, and especially for mobile transactions, there is a growing need for forensics investigators specializing in smartphones. This course covers the fundamentals of mobile platforms, explaining how data is stored on them and how it can be extracted, and guiding participants through the technical challenges of smartphone forensics, both on Android and iOS. Graduates of this course will have a solid base in investigating mobile devices and using various tools to do so.

The course targets participants with or without forensics background who want to specialize in the niche of mobile forensics. Primarily:

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • Cyber forensics investigators
  • Private detectives

Basic familiarity with using smartphone devices.


40 Hours

Cyber Security


Certificate: No

Price: contact us for more details

Leave your details

Course Outline


  • Understanding Android and iOS platforms and how data is stored on them.
  • Learning to extract data from smartphones using recent tools and techniques.
  • Exercising different methods of data extraction with various freely available tools.
  • Understanding the challenges and obstacles when investigating smartphones and learning how to overcome them.

    Course Outline

    Module 1: Introduction to Smartphones – 4 hours

    The first module will expose participants to various processes in the world of smartphone forensics. Students will practice relevant tools and understand how the SIM and SD cards work, and acquire the fundamental principles that will guide them through the course.

    • Forensic acquisition of smartphones
    • Overview of mobile forensics tools
      • Santoku Linux
      • Android brute force encryption
      • Drozer
    • JTAG forensics
    • Smartphone components
      • SIM card overview
      • SD card examination


    Module 2: Mobile Device Forensics – 4 hours

    This module will cover processes of data extraction, and help students understand where the data is stored and hidden and introduce the relevant mobile forensics technologies in the market.

    • The forensics process
      • Acquisition – retrieval of material from a device
      • Examination and analysis
    • Cellular network technologies
      • Elements of a cellular wireless network
      • Code Division Multiple Access (CDMA)
      • Components of cellular network architecture

    Module 3: Android Forensics – 16 hours

    During this module, participants will enter the world of Android and familiarize themselves with the operating system. They will learn how to extract hidden and revealed data, perform malware injection into “innocent” applications and begin the forensic process using known frameworks.

    • Principals of Android devices
    • Collecting information from Android devices
      • SMS/MMS
      • Calls, contacts, and calendar
      • E-mail and web browsing
      • Location information
      • Third-party applications
    • Android file system
      • Defining data structure layout
        • Physical
        • File system
        • Logical
      • Data storage formats
      • Parsing and carving data
      • Physical and logical keyword searches
    • Android SDK – main android framework
    • JSON
    • Signed APK trojans and exploits
      • Spade
      • FatRat



    Module 4: iOS Forensics – 16 hours

    This module will take the students into the forensics perspective of iOS devices, that present many useful artifacts during the investigation. Students will study well-defined procedures to extract and analyze data from iOS devices, such as iPhone and iPad, and focus on extracting logical and physical data, analyzing iOS file system and storage, reading data from backups and more.

    • First steps of iOS forensics
      • Preservation
        • Isolation from the network
        • Chain of custody
        • Hashing
      • Acquisition
        • Physical
        • File system
        • Logical
      • iOS Structure
        • iOS devices
        • iOS HFS + file system
        • System partition
        • Data partition
        • SQLite databases
      • iOS device acquisition
        • Phone identification
        • Operating modes
          • Normal
          • Recovery
        • Breaking passcodes
        • Acquistion
          • Direct
          • Logical
          • Physical
        • iOS Analysis
          • Data structure and artifacts
            • Default applications
            • Popular applications
            • File carving
          • Analysis tools
        • iOS backup
          • iTunes backup acquisition
          • Unencrypted backup
          • Encrypted backup
          • iCloud backup