Android for Analysts

Duration:

5 days

Audience:

This class is strictly ONLY available to Government Agencies and Law Enforcement Personnel.

Course Description:

Android for Analysts is designed to help operators extract and analyze data after an Android device has been exploited. The class focuses on learning as much as possible about the user from their device, including information from the applications installed on it. Analysis of how Android versions affect what can be learned is also discussed. Open source tools such as Android Debug Bridge (ADB), Autopsy and Andriller are discussed and used in this course.

Course Outline:

Android Architecture

  • Hardware Architecture
  • OS Architecture
    • Multiple versions are covered, with emphasis on 5.0 (Lollipop) through 9.0 (Pie), since these are the most common.
    • Emphasis on differences between versions
    • How versions affect the security of the phone (passcodes, encryption, etc.)
    • Details of Android encryption
    • Methods to attempt to subvert the encryption on an Android device
  • Application Structure
    • How are apps structured?
    • What data do they store?
    • Where and how do they store it?

Android Forensics

  • What can be extracted
    • Contacts
    • Messages
    • App data
    • History
    • GPS data
  • Open source extraction
    • Deep dive with ADB (Android Debug Bridge)
    • Students will finish with a deep knowledge of ADB
  • Lots of hands-on labs extracting all data from an Android device
  • Hands-on imaging of an Android device with dd
    • Using Autopsy and Andriller (open source) to analyze the image
  • Complete analysis of multiple Android phones using these tools