
Beyond the Tool: Advanced Mobile Artifact Analysis and Anti-Forensics for iOS and Android

live online
price $3,500
Islam
Advanced
5 Days
Mobile Forensics
Sun 6 Dec - Thu 10 Dec


Online, Available in English

Topics:

  • Android Architecture and Acquisition
  • SIM Card Forensics: Structure, Acquisition, and Android Integration
  • Android Core Artifact Analysis
  • iOS Architecture, Acquisition, and SIM/eSIM Forensics
  • iOS Core Artifact Analysis
  • Social Media and Encrypted Communications
  • Anti-Forensics Identification and Remnant Recovery
  • Mobile Memory Acquisition and Analysis
  • Capstone Investigation


Overview

Mobile devices generate more forensically relevant evidence than any other artifact class in modern investigations — and are simultaneously the most poorly examined. The problem is not access. It is understanding. The dominant training model produces practitioners who know how to operate commercial tools. When those tools fail, misparse, or simply have not caught up to a given artifact, the investigation stops. This course is built on a different premise: investigators who understand what data exists, where it lives, and why it looks the way it does will outwork any tool-dependent practitioner in every scenario that matters.
 

Over five intensive days, participants work through Android and iOS forensics at the artifact level — filesystem internals, SIM card structures, application database schemas, and the forensic signatures that persist across both platforms and survive deliberate attempts at destruction. Coverage spans SIM card forensics, third-party application analysis across social media, encrypted communications, and financial applications, with a dedicated module on anti-forensics techniques and mobile memory acquisition. Custom scripting is introduced where tools fall short — as a targeted capability for specific investigative scenarios, not a thread running through every session.


The course concludes with a full capstone investigation — a constructed case scenario that demands synthesis under realistic conditions, built by someone whose professional background includes designing forensic problems that experienced practitioners consistently get wrong. Attendees will be tested, not just taught.

 

By the end of this course, the participant will be able to:

  • Perform deep filesystem analysis on Android (ext4, F2FS) and iOS (APFS) without dependency on commercial tooling, understanding storage structures, journaling behavior, and the forensic implications of each.
  • Evaluate acquisition types — logical, file system, physical, chip-off — against specific investigative requirements, and identify precisely what evidence each type can and cannot yield.
  • Acquire and interpret SIM card artifacts at the Elementary File level, including deleted SMS recovery and network location history reconstruction, and correlate SIM-resident data with device-resident artifacts to surface discrepancies indicative of SIM swap, cloning, or identity fraud.
  • Extract and manually interpret core platform artifacts on both Android and iOS at the schema and binary level, including messaging databases, call records, location data, and browser artifacts.
  • Conduct targeted forensic examination of third-party applications across social media, encrypted communications, and financial platforms — including artifact structures not documented by vendors.
  • Reconstruct behavioral timelines and communication patterns by correlating raw artifact data across SIM records, device artifacts, and multiple application databases.
  • Identify anti-forensics techniques deployed at the user and application level — secure deletion, encryption, artifact suppression, and factory reset behavior — and recover remnant artifacts that survive them.
  • Acquire and parse mobile memory dumps on Android and iOS, extracting volatile artifacts unavailable through any disk-based acquisition method.
  • Develop purpose-built Python scripts for targeted artifact extraction, database parsing, and timeline construction tailored to specific investigative requirements.