• Home

  • Documents

  • Evaluating Mobile Forensics Training White Paper Final
9
 Evaluating Mobile Forensics Training & Certi cation Programs: 5 Questions to Ask

Evaluating Mobile Forensics Training White Paper Final

Embed Size (px)

DESCRIPTION

mobile forensics

Citation preview

  • Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask

  • Table of ContentsHow to Evaluate Mobile Forensics Training...............................................3

    1. Does the vendor ground you in forensic best practices as well as its tool?.......4

    2. Does the vendor offer training and certification for every investigative level?...5

    3. Is it the right course for the investigations you perform?.............................6

    4. Do the delivery models provide you with the flexibility you need?.................7

    5. Are the trainers experienced and proficient professionals?.........................8

    Maximize value by choosing the right training vendor...................................9

    Page 2

  • Whether you're new to mobile device forensics, or looking to take your skills to the next level, the amount of available mobile forensics training available can be overwhelming. You might be tempted to sign up for the cheapest course, or the course closest to you.

    However, cheap or close mean little if the training doesnt prepare you to effectively obtain, use, and testify about mobile device evidence. Good training and certification programs can remove many of these unknowns. From showing you how to get the most out of your mobile forensics hardware and software, to preparing you to testify in court, training should prepare you for a full range of responsibil-ities as a first responder, mobile data analyst, and/or forensic specialist. Here are some criteria to use in your evaluations.

    Does the vendor ground you in forensic best practices as well as its tool?

    Does the vendor offer training and certification for every investigative level?

    Is it the right course for the investigations you perform?

    Do the delivery models provide you with the flexibility you need?

    Are the trainers experienced and proficient professionals?

    1

    2

    3

    4

    5

    How to Evaluate Mobile Forensics Training

    Page 3

  • When researching training, you may encounter professionals who believe that the only good training is vendor-neutral training. Their argument: vendor-neutral training focuses on the forensic process across a spectrum of tools, rather than relying on one tool to com-plete examinations.

    Vendor-neutral training can improve your overall expertise, and may even provide a package of tools to take back to your office. It can help supplement your process in that it presents a range of options you can use to validate your evidentiary findings. In higher educa-tion, it can also serve as a foundation for research and development work.

    However, its important to note that courts value examiners who are certified and adept at using specific tools. Because vendor-neutral training likely cannot go as in depth on each tool as a certification course, it cannot show what's possible to achieve in your investiga-tions through extensive use of a single tool's built-in features.

    Therefore, look for a third option: the vendor that builds its curriculum on a foundation of forensic process. This curriculum builds in third-party tools as part of a broader approach to best practices, including the validation of the vendors own tool results.

    This approach ensures that not only will the training prepare you to testify in detail about your use of the vendors tool; it will also prepare you to discuss your use of the tool as part of an objective forensic methodology.

    1 Does the vendor ground you in forensic best practices as well as its tool?

    Page 4

  • Does the vendor offer training and certification for every investigative level?

    Ideally, trainers offer basic, intermediate, and advanced courses for every level of investigative expertise. These should build on one another so that your skills improve with each level. They can be offered by level, or bundled into an entire week's worth of training.

    If you're brand-new to mobile forensics, look for a course that includes fundamentals, such as the difference between a logical and physical exam, what you can get from a SIM card vs. in-built memory, etc. This type of course should give you the basics of mobile device technology, and foren-sic process from seizure through extraction to validation.

    A course that teaches logical extraction should go into more detail on extraction and analysis processes than a basic course does. It should explore logical data analysis methods, focusing on analytics that can help you make immediate use of data.

    Are certications important?Certification in the use of a tool can be critical to your potential status as an expert witness, and even to your testimony as a fact witness. It should help you successfully meet an admissibility challenge in court, as well as withstand cross-examination about your process and the tools you used.

    Certification can also help employers' decision-making about whether to hire or promote you. The examiner who carries a meaningful, industry-recognized certification means that s/he has demon-strated a level of proficiency and dedication to his or her work, and is prepared not only to meet the demands of forensic analysis, but also to testify about it if called.

    The ideal certification has both written and practical components, and is offered on a refresher basis to help you keep your skills up to date. No more than two years should pass before you refresh your certification training, to account for the dynamic nature of the cellular market.

    2

    The more complicated the

    forensic process, the longer the class should be. That shouldnt put you

    off, however. Longer classes give you more opportunity to understand the subjects and to interact with experienced instructors as you

    seek to build your understanding. This will also put you in a better position to apply what

    youve learned immediately upon returning to work, no matter what your skill level

    is or what your certification is for.

    Page 5

    Investigators who want and need to take the next step from basic to advanced forensic examination skills should look for courses that build on the foundation of their existing knowl-edge. This kind of instruction should include processes like data carving, a wider variety of search and filtering tech-niques, and device-specific challenges.

  • Certification in the use

    of a tool can be important to your

    potential status as an expert witness. It

    should help you successfully meet an

    admissibility challenge in court, as well as

    withstand cross-examination about your

    process and the tools you used. It may also

    help employers' decision-making about

    whether to hire or promote you.

    Is it the right course for the investigations you perform?

    Be sure the curriculum at each level meets your requirements for the work you or your employees will be performing.

    First responders and investigators need the skills to obtain evidence that is both actionable, and legally defensible. This is because in many cases, logical dataundeleted low hanging fruit and/or evidence of a nonfelony offensemay be enough to build a case. When it provides insights into a subjects patterns of life, including frequent contacts and communications, it may also have immediate intelligence value.

    Because in these cases, speed is as important as accuracy, the course geared for these needs should cover search and seizure procedures, as well as evidence handling, analysis, and documen-tation processes that can be applied on the scene and/or back at the office. This type of course should also help investigators collaborate more closely with lab examiners when they need to esca-late evidence gathering and analysis.

    Investigators whose primary job is to focus on mobile device and other forensic examinations need coursework in learning how to do deeper extractions. This is relevant in cases where logical extrac-

    tion data is circumstantial or unavailable, and it becomes necessary to obtain via file system or physical extraction.

    3

    Page 6

    Finally, supervisors, prosecutors, and others who are not directly involved in evidence collection, but supervise those who

    are, should attend a primer course that covers mobile forensics fundamentals. Topics in this course cover basic extraction and analysis capabilities, what search and seizure entails on a mobile device, and evidence handling.

    Because these methods can include a wide variety of com-plex tools and techniques, including data carving, multi-ple search tools, malware scanning, or other traditional-ly forensic methods, coursework should cover both automated and manual decoding, analysis, and valida-tion techniques, with an emphasis on preparing examin-

    ers to testify about their work in court.

  • Basic, intermediate,

    and advanced level courses

    should build on one another so

    that your skills improve with each

    level. They can be offered by

    level, or bundled into an entire

    week's worth of training.

    The

    ideal certification has

    both written and practical

    components, and is offered on a

    refresher basis to help you keep your

    skills up to date. No more than two years

    should pass before you refresh your

    certification training, to account for

    the dynamic nature of the

    cellular market.

    Do the delivery models provide you with the flexibility you need?

    Look for a curriculum that can be presented in a variety of delivery models, that gives you the flexibili-ty you need to address your specific professional development requirements. Although some cours-es may be offered to personnel in a single organization, many are set up to allow investigators to network with one another.

    In-person training is ideal when you are located nearby convenient training facilities, and your schedule allows. It may also be offered at conferences you plan to attend. If your organization has the space, you may be able to save some money by hosting courses.

    Online instructor-led training combines classroom interaction with the convenience of internet-based study, when your sched-ule doesnt fit a planned class training in your area or you are located too remotely from classroom training facilities.

    Self-paced online training is best for professionals with tight schedules.

    Either way, online training should allow for hands-on expertise via interactive tutorials, and should facilitate timely contact with instructors should you have questions or need help.

    In addition, training manuals should be available for you to refer back to after your coursework is complete.

    4

    Page 7

    Is the class length optimal for learning?The more complicated the forensic process, the longer the class should be. That shouldnt put you off, however. Longer classes give you more opportunity to understand the subjects and to interact with instructors as you seek to build your understanding. This will also put you in a better position to

    apply what youve learned immediately upon returning to work, no matter what your skill level is or what your certification is for.

    Core fundamentals typically can be covered in just eight hours (one day), but certification classes on logical and physical extrac-tion and analysis should each take longer: two to three days (16 to 24 hours), respectively.

  • Are the trainers experienced and proficient professionals?

    Whether beginner, intermediate, or advanced, mobile forensics students should seek out trainers who:

    Understand the forensic process and can answer questions about the material they present

    Have deep experience with digital forensic examinations, lab, field, and court procedures

    Train students toward professional goals, not the training organizations goals

    Are committed to student learning, to the extent that they remain accessible throughout the duration of the course and beyond

    Have an understanding of adult education and how to read their audience

    Create curriculum that presents logical, step-by-step instruction that is easy to follow

    5

    Page 8

    How do you find out whether courses and instructors meet these criteria? Ask. Listservs for HTCIA, IACIS, HTCC, and other groups; forums such as Forensic Focus, phone-forensics.com, and others; and even Twitter all serve as communities you can ask for recommendations. You can also call upon investigators who work at forensic labs in your own region, along with those you may meet at confer-ences and other events. Be sure to research the trainers teaching the courses, and ask what other students thought of them as well as their material.

  • Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry with dedicated opera-

    tions in the United States, Germany, Singapore, and Brazil. A world leader and authority in mobile data technology, Cellebrite

    established its mobile forensics division in 2007, introducing a new line of products targeted to the law enforcement sector. Using

    advanced extraction methods and analysis techniques, Cellebrites Universal Forensic Extraction Device (UFED) is able to extract and

    analyze data from thousands of mobile devices, including feature phones, smartphones and GPS devices. Cellebrites UFED is the tool

    of choice for thousands of forensic specialists in law enforcement, military, intelligence, security, government and private sector organi-

    zations in more than 100 countries.

    Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).

    Cellebrite: Delivering Mobile Expertise

    Maximize value by choosing the right training vendor

    When time and funding are scarce, you need training that will help you maximize your return on investment. This return includes the confidence you need to collect and analyze accurate digital evidence, and the authority you need to testify about your process. Whether you are seeking to get started with mobile forensics, or youre trying to take the next step to become an expert in mobile forensics, look for training vendors who can give you the solid foundation you need in forensic process, the certification you need for your level of responsibility, and the flexibility to complete the curriculum in the time and place that works best for you.

    Cellebrite's New Standardized Forensic Training and CertificationOpen to all user levels, from beginners to advanced, Cellebrite certification training provides hands-on experience with Cellebrite

    products and applications, delivering the tools and knowledge required for evidence collection from mobile phones and portable

    GPS devices, data analysis, searching, and reporting. Upon completion of a course, each participant receives a certificate, making

    them eligible to move to the next stage in the curriculum.

    Upon successful completion of the core curriculum, students have the opportunity to enter an extensive capstone certification

    process known as Cellebrite Certified Mobile Examiner (CCME). This capstone examination, which includes both knowledge and

    practical content, tests the student's knowledge in all of the domains offered in Cellebrite's forensic core curriculum. Students must

    demonstrate proficiency with Cellebrite's tools and methodology at a level that signifies competency as a Cellebrite Certified Mobile

    Examiner.

    Page 9


Computer Hacking Forensic Investigator - ITpreneurspages.itpreneurs.com/ec-council/gisec-2016/docs/CHFI v8 Course... · Module 02: Computer Forensics ... Securing and Evaluating Electronic

Computer Hacking Forensic Investigator - ITpreneurspages.itpreneurs.com/ec-council/gisec-2016/docs/CHFI v8 Course... · Module 02: Computer Forensics ... Securing and Evaluating Electronic

Documents
PerkinElmer white paper evaluating XRpad flat panel detectors for security applications

PerkinElmer white paper evaluating XRpad flat panel detectors for security applications

Technology
White Paper: Evaluating MLC vs TLC vs V-NANDingrammicrosystemarchitechs.com/wp...MLC-vs-TLC-vs... · White Paper: Evaluating MLC vs TLC vs V-NAND Choosing the Right SSD for Enterprise

White Paper: Evaluating MLC vs TLC vs V-NANDingrammicrosystemarchitechs.com/wp...MLC-vs-TLC-vs... · White Paper: Evaluating MLC vs TLC vs V-NAND Choosing the Right SSD for Enterprise

Documents
COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

Documents
COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

Documents
Network Forensics: How to Optimize Your Digital …Network Forensics: How to Optimize Your Digital Investigation WHITE PAPER 3 Introduction In the last twelve months, 90 percent of

Network Forensics: How to Optimize Your Digital …Network Forensics: How to Optimize Your Digital Investigation WHITE PAPER 3 Introduction In the last twelve months, 90 percent of

Documents
Evaluating OpenFace: an open-source automatic facial ... · ORIGINAL ARTICLE Evaluating OpenFace: an open-source automatic facial comparison algorithm for forensics Angeliki Fydanaki

Evaluating OpenFace: an open-source automatic facial ... · ORIGINAL ARTICLE Evaluating OpenFace: an open-source automatic facial comparison algorithm for forensics Angeliki Fydanaki

Documents
Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Documents
computer forensics-evaluating tools_Chapter7

computer forensics-evaluating tools_Chapter7

Documents
Forensics · Disk Forensics Mobile Forensics E-mail investigations Questioned document Cryptography, examination Steganography Live Forensics and Network Forensics Audio/video authentication

Forensics · Disk Forensics Mobile Forensics E-mail investigations Questioned document Cryptography, examination Steganography Live Forensics and Network Forensics Audio/video authentication

Documents
Evaluating White Spruce Decline and Mortality in the … · EVALUATING WHITE SPRUCE DECLINE AND MORTALITY ... What is the extent of white spruce decline and mortality in ... Inonotus

Evaluating White Spruce Decline and Mortality in the … · EVALUATING WHITE SPRUCE DECLINE AND MORTALITY ... What is the extent of white spruce decline and mortality in ... Inonotus

Documents
Evaluating Telecommunications Options for Power Distribution …/media/files/insightsnews/... ·  · 2016-04-25EVALUATING TELECOMMUNICATIONS OPTIONS FOR POWER ... WHITE PAPER EVALUATING

Evaluating Telecommunications Options for Power Distribution …/media/files/insightsnews/... ·  · 2016-04-25EVALUATING TELECOMMUNICATIONS OPTIONS FOR POWER ... WHITE PAPER EVALUATING

Documents
Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Documents
Evaluating the Taxonomic Status of the Great White Heron

Evaluating the Taxonomic Status of the Great White Heron

Documents
SQL SERVER Anti-Forensics - Black Hat · • Anti-Forensics techniques help to make forensics investigations difficult • Anti-Forensics can be a never ending game • Forensics

SQL SERVER Anti-Forensics - Black Hat · • Anti-Forensics techniques help to make forensics investigations difficult • Anti-Forensics can be a never ending game • Forensics

Documents
Development of a Forensics Based Approach to Evaluating

Development of a Forensics Based Approach to Evaluating

Documents
Cloud Storage Forensics - SANS Computer Forensics

Cloud Storage Forensics - SANS Computer Forensics

Documents
NUCLEAR FORENSICS INTERNATIONAL TECHNICAL WORKING … · evaluating and expressing uncertainty in measurements, ... represents a separate interdiction, seizure, and analysis of HEU

NUCLEAR FORENSICS INTERNATIONAL TECHNICAL WORKING … · evaluating and expressing uncertainty in measurements, ... represents a separate interdiction, seizure, and analysis of HEU

Documents
Windows 8 Forensics & Anti Forensics

Windows 8 Forensics & Anti Forensics

Technology
CSN08101 Digital Forensics · According to many professionals, Computer Forensics is a four (4) step process: Evaluation Evaluating the information/data recovered to determine if

CSN08101 Digital Forensics · According to many professionals, Computer Forensics is a four (4) step process: Evaluation Evaluating the information/data recovered to determine if

Documents
Is Mobile Device Forensics Really Forensics?

Is Mobile Device Forensics Really Forensics?

Documents
Evaluating Effects White - dugi-doc.udg.edu

Evaluating Effects White - dugi-doc.udg.edu

Documents
SAP Forensics Detecting White Collar Cyber-crime

SAP Forensics Detecting White Collar Cyber-crime

Technology
Turnitin White Paper Evaluating Sources

Turnitin White Paper Evaluating Sources

Documents
AirPatrol White Paper: Evaluating Wireless Threat Management Solutions

AirPatrol White Paper: Evaluating Wireless Threat Management Solutions

Documents
Alice V. White - Evolve Forensics · Curriculum Vitae of Alice V. White Updated: 08/2018 1 Alice V. White Education Bachelor of Science, Biology University of Alaska, Anchorage August

Alice V. White - Evolve Forensics · Curriculum Vitae of Alice V. White Updated: 08/2018 1 Alice V. White Education Bachelor of Science, Biology University of Alaska, Anchorage August

Documents
Computer Forensics White Paper

Computer Forensics White Paper

Documents
SHOTS 2008 Advisor: Dr. Dinitra White Forensics Lab Tierra Simmons Arielle Thomas

SHOTS 2008 Advisor: Dr. Dinitra White Forensics Lab Tierra Simmons Arielle Thomas

Documents
iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

Documents
Evaluating a Ryan White Quality Management Program using quantitative and qualitative methods

Evaluating a Ryan White Quality Management Program using quantitative and qualitative methods

Documents