
Android Analysis

Intermediate Learning Management System (LMS)

This AccessData Android training course covers the internals of Android devices, the way the OS is designed,
and the way that the devices store data. We will uncover the way to capture these devices' data. In the end, as in all
other Mobile Forensics, Inc., courses, you as the examiner will be armed with the ability to perform forensic
analysis both with automated tools and manually (to double-check the results of the tools).

This course uses a multiple-tool approach to mobile phone forensics. We use both free and paid applications and
teach the skills needed to find and process data with the aid of specialized software tools. There is no single tool
that will process every cellular device in its entirety. Mobile Forensics, Inc., trains you to know where information
lies on cell phones and how to extract that information, both with and without tools, so you can obtain the
maximum amount of data from mobile devices.

Prerequisites
This course is intended for forensics professionals and law enforcement personnel who must conduct mobile
device examinations utilizing multiple tools and a tested forensic process. To obtain the maximum benefit from this
class, you should meet the following requirements:

Read and understand the English language.

Attend the AccessData MFI 101 Course or equivalent.

Have previous investigative experience in mobile forensic case work.

Be familiar with Android devices.

Be familiar with working in hex.

Class Materials and Software


You will receive the student training manual and CD containing the training material, lab exercises and class-related information.


For a complete listing of scheduled courses, visit http://www.accessdata.com/training/calendar-and-syllabi


Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network
Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of
their respective owners.

Course Outline

Module 1: Class Overview

Topics
Student Introductions
Software Used in This Course:
  Android SDK and Eclipse
  MPE+
  FTK
  SQLite DB Viewer
  Command line

Lab
Set up the Android SDK and Eclipse
Ensure the ADB command is in the PATH
AVD creation
Locate and activate the various locations of USB Debugging

Module 2: Android Overview

Objectives
Review basic principles of the Android device and the Android operating system.
Describe how Android uses NAND to store data.
Describe the Dalvik VM in Android.
Outline the usage and installation of the Android SDK and emulator.
Discuss SD cards and Emulated SD cards

Module 3: Forensic Process

Objectives
Recommended ways to collect an Android device.
Challenges of network isolation with Android.
Gather information about specific Android devices.
Validation and Reporting.

Module 4: Android SDK and Eclipse

Objectives
SDK and Eclipse installation and overview
Discuss the Android Debug Bridge
Android Virtual Devices and forensics
Discuss the purpose of the USB debugging

Module 5: Android File Systems

Objectives
Outline the various file systems used by Android
Discuss the forensic challenges of YAFFS
Discuss the other file systems used by Android
How can examiners utilize the Android temp memory?

Lab
Determine the file systems used by the AVD
Determine which file systems are mounted by the Android device
List the permissions of the /dev and /nodev mounted in Android

Module 6: Android Partitions

Objectives
What partitions can an examiner expect to find on an Android device?
Discuss where Android typically stores files of interest and what partition they may be located on
Discuss files of interest that may be located on a SD card
Discuss what it means to be root.

Lab
Determine the partitions in use on an Android device
Using shell commands, list the partitions and locate files of interest


Module 7: Android Logical Acquisition

Objectives
Discuss the tools to extract data from an Android device
Troubleshoot connectivity issues the examiner may encounter
Learn the different modes when connecting an Android device
Discuss ADB conflicts

Lab
Hands on with MPE+
Demonstrate the techniques commercial software uses to extract data from an Android device
Locate and extract the logical filesystem utilizing the command line

Module 8: Android Physical Acquisition

Objectives
Discuss the tools and techniques used to extract physically from an Android device
Discuss NAND v DD physical extractions
The recovery partition and what does it mean?
Challenges of custom ROMs

Lab
Creating temp locations for examiner tools
Setting up busybox in a temp location
Netcat utilization
Physical Extraction

Module 9: Location of SQLite files of interest

Objectives
Discuss where key SQLite files live in the file system
Discuss and locate column flag meanings
Discuss tables

Lab
Using various tools, parse SQLite database files
Locate and understand their links to other tables

Module 10: SQLite hex breakdown

Objectives
Compare and discuss parsed SQLite data with that found in hex
Discuss deleted data

Lab
Manually parse SQLite database files.
Locate and examine deleted data in hex.
