
AX300 Advanced Mobile Forensics Microlearning

Magnet Axiom Advanced Mobile Forensics (AX300 Microlearning) details the use of Magnet Axiom’s advanced mobile analysis capabilities. Students will learn advanced analysis techniques and leverage Magnet Axiom Examine to become proficient in investigating advanced aspects of full file system extractions of both iOS and Android devices.

Description

Magnet Axiom Advanced Mobile Examinations (AX300) is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations.

This course details the use of Magnet Axiom’s advanced mobile analysis capabilities. Students will learn advanced analysis techniques and leverage Magnet Axiom Examine to become proficient in investigating advanced aspects of full file system extractions of both iOS and Android devices. These lessons will build the participants’ ability to understand more advanced concepts of iOS and Android, such as advanced media analysis, pattern of life artifacts (including Biomes), third-party application analysis and social media platforms. This will all be conducted using analysis of multiple different file types including system logs, Plist files and SQLite databases.

Microlearning is designed to be consumable in very short lessons for those who are on the go and have little time to dedicate hours or days to learning. Single-lesson units are the core of this learning modality.

What to expect

Micro lessons

Course introduction and scenario – Welcome to the course! In this topic, we will discuss the current landscape of mobile device forensics. We will cover file storage types and detail the course scenario that underpins the rest of the topics.

Understanding the file system structure & acquisition of the iOS file system – See how the iOS file system is structured while discussing traditional acquisition methods of the file system.

Identifying previous device wipes – Very few items persist on an iOS device after a factory reset. Discover how you can identify previous iOS device resets.

Apple Directory Services Identifier – Unique identifiers are key; discover the use cases of Apple’s DSID.

Apple advanced data protection for iCloud – Apple has continued to release enhanced privacy and security features, one of the latest being Apple advanced data protection for iCloud. Learn how this feature could impact your data returns.

FindMy artifacts – Apple's FindMy network empowers users to track their devices and items in the event of loss or theft. Students will discover what artifacts are derived from the FindMy data on an iOS device.

Apple CarPlay – The iPhone is now an extension of vehicle infotainment systems in supported vehicles. Discover what artifacts can be recovered surrounding CarPlay.

Apple Health – iOS devices have become a treasure trove of health-related data. From steps, workouts and heart rate, Apple Health can provide an additional layer of insight towards any investigation. Students will learn what artifacts are derived from Apple Health and the SQLite databases storing the data.

Snapshots & device wallpapers – Applications sent to the background as part of iOS’s multitasking operation are another data point for iOS examinations, and the device wallpaper could be within your investigative scope. Students will learn about the origin of these artifacts and how they’re stored and presented within AXIOM.

Photos media information – Photos on an iOS device can take on additional attributes, such as hidden, favorites, placed in an album, or imported by third-party applications. In this topic, see how an iOS device is handling this data within the Photos.sqlite database and how this comes together in an artifact.

iCloud Shared Photo Library – Alongside Photos media information, media on an iOS device could be within the iCloud Photo Library ecosystem where media can be synced between devices, primarily stored within iCloud. Discover how to identify iCloud Shared Photo Library media.

WebKit browser web history – WebKit is a browser engine created by Apple. While it powers other browsers, it serves a unique function within iOS devices with in-app browsing. Learn more about the WebKit browser web history artifact.

iCloud Private Relay – Apple has recently introduced iCloud+, and with it comes a variety of features available only to subscribers. This includes what is essentially a VPN within the Safari browser. Students will learn about iCloud Private Relay, its functionality, and potential impacts on investigations.

KnowledgeC – Prior to iOS 16, KnowledgeC data, which was primarily stored within a database, was the go-to area for discovering rich pattern of life data about an iOS device. KnowledgeC is still utilized, which is explored in this topic.

Biomes – From iOS 16 and onward, the majority of the pattern-of-life data stored in KnowledgeC has migrated to Biomes, which has enabled even more artifacts than previously known with KnowledgeC. In this topic, students will explore these artifacts and the new SEGB files storing this data.

Biomes continued – This topic continues the in-depth discussion of pattern-of-life data stored within Biomes on iOS 16 devices and newer.

AirDrop – Within the Apple ecosystem, devices are also able to create an ad-hoc network for file and media sharing called AirDrop. Students will discover the functionality and parameters around AirDrop and the artifacts within Axiom.

PowerLog – iOS devices track battery usage across the device, including which applications and device components are using the battery, along with total amounts of data being transmitted or received. In this topic, students will explore PowerLog artifacts and the data therein.

Third-party application analysis (installed apps & permissions) – Being able to recognize characteristics of third-party applications is critical when evaluating applications. Establishing characteristics of these applications such as identifiers and permissions will be discussed.

Third-party application analysis (finding the data) – Once you’ve built a profile around an application’s characteristics, being able to identify where the application data is stored within the file system helps with manual examination of the data should it be deemed necessary. Students will explore how to manually examine applications from the file system in this topic.

iOS Files app – Since iOS 13, the iOS Files app has been present, enabling users to store files locally on their iOS device, in iCloud Drive, or through third-party cloud storage providers. The iOS Files app will be discussed along with its usage.

iCloud Drive – iCloud Drive allows users to store content in the cloud. This topic will explore the differences in iCloud Drive storage, such as files stored in iCloud but not available on the local device.

Common iOS applications & LinkedIn – In this module, students will learn about popular iOS applications expected during examinations. This topic will also cover the first communication/social networking artifacts of interest in our scenario, LinkedIn.

Discord – With a wide user base, Discord is a popular communication application for millions of users. Students will discover how AXIOM handles iOS Discord artifacts.

Telegram – Telegram, with an international appeal, has maintained a large user base allowing direct and group communication between users. How Axiom handles these artifacts will be covered.

WhatsApp – As one of the world’s most popular chat applications, owned by Meta, WhatsApp, with its native end-to-end encryption, has remained consistent as a top messaging application. Students will discover how WhatsApp artifacts are handled within Axiom and how they’re stored within the file system.

Snapchat – Students will discover the functionality of the Snapchat application and how Axiom handles artifacts derived from the application.

Acquisition of the Android file system – In this first topic of Android, students will discuss the acquisition of the Android file system and the parameters that must be met in order to accomplish an acquisition.

Understanding the full file system structure – During this topic, students will explore the file system structure of the Android operating system and the particular directories of interest while examining Android devices.

Android users & secure folder – Android enables devices to have multiple users with separate applications and user preferences. Additionally, the Secure Folder functionality of Samsung devices allows users to further encrypt their data in isolated segments of the file system. This topic will discuss how these attributes are displayed in Axiom and considerations around them.

Previous device wipes & device information – Being able to determine when an Android device was previously factory reset or set up empowers the examiner with time-focused data to place into a timeline of interest. Discover the artifacts around reset and activation times.

Android device information – This topic discusses the general Android device information including identifiers, advertising ID, timezone information, and more.

Connected devices – Bluetooth devices such as vehicles and wearables can provide additional datapoints for an investigation.

Accounts information – Android devices can maintain account information should the application be given adequate permissions by the developer. See the difference between credential and device encrypted accounts information.

Samsung device health services – Unique to Samsung devices, Samsung has an application that purely tracks battery usage, CPU usage, and network usage. How this data can be attributed to particular applications and their usage will be discussed.

Gallery and media files – Exploration of the DCIM directory is a common starting point for media files that exist on an Android device. This data, along with Motion Photos and a comparison to how applications can freely store data within this directory, will be demonstrated.

Web-related (Chrome) – Web browsers have fairly similar functionality but may vary in particular features based on the development of the browser. Considering that many browsers share the Chromium image, we will start by exploring Chrome-related web artifacts on an Android device.

Web-related (Samsung browser & Brave) – Two additional web browsers will be explored in this topic, and the similarities between them. Web browsing looks different on Android, as devices will have different default browsers depending on the manufacturer and Android OS version. This topic will discuss the similarities and differences between web browsers.

Gmail – Developed by Google, Gmail continues to be one of the most popular email services globally, especially on Android devices where Gmail is default. This topic will cover artifacts derived from Gmail and the way they are stored within the File System Explorer.

Messaging on Android – SMS and MMS messaging on Android is much different in comparison to iOS, where the user may have multiple applications that will handle SMS/MMS messaging over the lifespan of the device. RCS messaging and the mmssms.db database will be discussed in this topic and how the Android device is storing messaging data not only in the databases of the applications, but also stored separately by the device itself.

Other files of importance & application activity – When applications are sent to the background, image snapshots are created and recoverable within Axiom. This, and other directories of importance from the Android file system, will be discussed.

Google Play Store & Installed Applications – Being able to identify installed applications on an Android device and how they were downloaded is often the first step in examining both first- and third-party applications. In this topic, students will explore the Installed Applications artifact and Google Play Store-related artifacts, including searches within Google Play, Google Play installations, and how to identify applications installed from alternative sources.

App permissions and folder structure – Building a “profile” around characteristics of third-party applications including app permissions is critical to establish whether or not you must manually examine the app’s data from the file system.

Google Files application – Similar to the previously discussed iOS Files application, the Google Files application offers users the ability to manage files on their device with the inclusion of additional features such as “Clean Up Junk” and “Nearby Share”, which is similar to AirDrop. The Google Files application has to be examined similarly to an unsupported third-party application, which will be discussed in this topic.

Intro to third-party apps, Facebook Messenger, and Instagram – Common third-party Android applications will be discussed in this topic and how Magnet Axiom presents the data therein, starting with two Meta-owned applications: Facebook Messenger and Instagram.

WhatsApp – Discover how Magnet AXIOM organizes WhatsApp messages, group chats, and account information.

Signal & Android location information – See how Magnet Axiom handles Signal-related artifacts and Android location information.

Cloud service providers – Certain cloud providers could have additional features not present on other platforms. While Mega is an end-to-end encrypted cloud provider, the service also maintains Mega chat, which will be explored.

Similar courses

AX100 Forensic Fundamentals

Forensic Fundamentals (AX100) is a beginner-level course, designed for participants who are unfamiliar with the principles of digital forensics. Magnet Forensics Training is hosted in a variety of time zones. Prior to registration, please confirm the time zone for the class you wish to register in. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

GK200 Graykey Examinations

This course is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS examinations and the use of the Magnet Graykey device. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX250 Axiom Advanced Computer Forensics

This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on advanced forensics and improve their computer investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX300 Axiom Advanced Mobile Forensics

This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX200 Axiom Examination

Magnet Axiom Examinations (AX200) is ideal for those who require intermediate-level training with a digital investigation platform that covers cases involving smartphones, tablets, computers, and cloud data in a single collaborative interface. This course is the perfect entry point for examiners who are new to Axiom. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX310 Axiom Incident Response Examinations

AX310 is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base on advanced forensics and incident response techniques and want to improve computer investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX320 Axiom Internet & Cloud Investigations

This course is an intermediate-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base into cloud-based and social media forensics. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX350 Axiom macOS Examinations

This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on macOS and the forensic analysis of devices using the APFS file system and AXIOM. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX250 Axiom Advanced Computer Forensics Online Self Paced

This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on advanced forensics and improve their computer investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX220 Axiom iOS Filesystem Analysis

This course is an intermediate-level two-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS file system examinations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX100 Forensic Fundamentals Online Self Paced

Forensic Fundamentals (AX100) is a beginner-level course, designed for participants who are unfamiliar with the principles of digital forensics. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

DV200 Witness Digital Video Investigations

Digital Video Investigations with Magnet Witness (DV200) is a beginner-level course, designed for participants who are not yet familiar with the concepts of the recovery and analysis of digital video files from commercially available digital video recorders.

Axiom to Axiom Cyber Transition

Magnet Axiom to Cyber Transitions is ideal for those who are looking to continue their education and transition into the unique features of Axiom Cyber after taking the Axiom Examinations (AX200) course.

AX200 Axiom Examination Microlearning

Magnet Axiom Examination (AX200 Microlearning) is ideal for those who are relatively new to forensics and want to learn how to utilize Axiom to get the most out of the forensic platform. Axiom is a platform that covers cases involving mobile device, computer, and cloud data in a single collaborative interface. Students will learn the workflows of how to interrogate and investigate devices containing digital media.

AX150 Core Mobile Acquisition & Analysis

Core Mobile Acquisition and Analysis (AX150) is a beginner level course, designed for participants who are unfamiliar with the principles of mobile forensics. The course focuses on iOS and Android devices from the point of collection to the point of analysis whilst exploring Magnet Axiom and Magnet tools such as Magnet Acquire, the Magnet Custom Artifact Generator (MCAG) and Magnet Axiom Dynamic App Finder.

GE200 Griffeye Examinations

The Magnet Griffeye Examinations Course is a 3-day training course designed for students who have attended the Magnet Griffeye Lite online course or have already attained proficiency in Magnet Griffeye Advanced. The course is designed to equip you with the necessary skills and tools to handle media files effectively during a criminal investigation, thereby maximizing the productivity of the tool.

DV200 DVR Examiner Digital Video Investigations

Digital Video Investigations with DVR Examiner (DV200) is a beginner-level course, designed for participants who are not yet familiar with the concepts of the recovery and analysis of digital video files from commercially available digital video recorders.

