
Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask

Table of Contents
How to Evaluate Mobile Forensics Training
1. Does the vendor ground you in forensic best practices as well as its tool?
2. Does the vendor offer training and certification for every investigative level?
3. Is it the right course for the investigations you perform?
4. Do the delivery models provide you with the flexibility you need?
5. Are the trainers experienced and proficient professionals?
Maximize value by choosing the right training vendor


How to Evaluate Mobile Forensics Training


Whether you're new to mobile device forensics, or looking to take your skills to the next level, the
amount of mobile forensics training available can be overwhelming. You might be tempted
to sign up for the cheapest course, or the course closest to you.
However, cheap or close mean little if the training doesn't prepare you to effectively obtain, use, and
testify about mobile device evidence. Good training and certification programs can remove many of
these unknowns. From showing you how to get the most out of your mobile forensics hardware and
software, to preparing you to testify in court, training should prepare you for a full range of responsibilities as a first responder, mobile data analyst, and/or forensic specialist. Here are some criteria to use
in your evaluations.

Does the vendor ground you in forensic best practices as well as its tool?

Does the vendor offer training and certification for every investigative level?

Is it the right course for the investigations you perform?

Do the delivery models provide you with the flexibility you need?

Are the trainers experienced and proficient professionals?


1. Does the vendor ground you in forensic best practices as well as its tool?

When researching training, you may encounter professionals who
believe that the only good training is vendor-neutral training. Their
argument: vendor-neutral training focuses on the forensic process
across a spectrum of tools, rather than relying on one tool to complete examinations.
Vendor-neutral training can improve your overall expertise, and may
even provide a package of tools to take back to your office. It can
help supplement your process in that it presents a range of options
you can use to validate your evidentiary findings. In higher education, it can also serve as a foundation for research and development
work.
However, it's important to note that courts value examiners who are
certified and adept at using specific tools. Because vendor-neutral
training likely cannot go as in depth on each tool as a certification
course, it cannot show what's possible to achieve in your investigations through extensive use of a single tool's built-in features.
Therefore, look for a third option: the vendor that builds its curriculum
on a foundation of forensic process. This curriculum builds in
third-party tools as part of a broader approach to best practices,
including the validation of the vendor's own tool results.
This approach ensures that not only will the training prepare you to
testify in detail about your use of the vendor's tool; it will also prepare
you to discuss your use of the tool as part of an objective forensic
methodology.


2. Does the vendor offer training and certification for every investigative level?

Ideally, trainers offer basic, intermediate, and advanced courses for every level of investigative
expertise. These should build on one another so that your skills improve with each level. They can
be offered by level, or bundled into an entire week's worth of training.
If you're brand-new to mobile forensics, look for a course that includes fundamentals, such as the
difference between a logical and physical exam, what you can get from a SIM card vs. in-built
memory, etc. This type of course should give you the basics of mobile device technology, and forensic process from seizure through extraction to validation.
A course that teaches logical extraction should go into more detail on extraction and analysis
processes than a basic course does. It should explore logical data analysis methods, focusing on
analytics that can help you make immediate use of data.
Investigators who want and need to take the next step from basic to advanced forensic examination skills should look for courses that build on the foundation of their existing knowledge. This kind of instruction should include processes like data carving, a wider variety of search and filtering techniques, and device-specific challenges.

The more complicated the forensic process, the longer the class should be. That shouldn't put you off, however. Longer classes give you more opportunity to understand the subjects and to interact with experienced instructors as you seek to build your understanding. This will also put you in a better position to apply what you've learned immediately upon returning to work, no matter what your skill level is or what your certification is for.

Are certifications important?

Certification in the use of a tool can be critical to your potential status as an expert witness, and even to your testimony as a fact witness. It should help you successfully meet an admissibility challenge
in court, as well as withstand cross-examination about your process and the tools you used.
Certification can also help employers' decision-making about whether to hire or promote you. An
examiner who carries a meaningful, industry-recognized certification has demonstrated a level of proficiency and dedication to his or her work, and is prepared not only to meet the
demands of forensic analysis, but also to testify about it if called.
The ideal certification has both written and practical components, and is offered on a refresher basis
to help you keep your skills up to date. No more than two years should pass before you refresh your
certification training, to account for the dynamic nature of the cellular market.

3. Is it the right course for the investigations you perform?

Be sure the curriculum at each level meets your requirements for the work you or your employees
will be performing.
First responders and investigators need the skills to obtain evidence that is both actionable and
legally defensible. This is because in many cases, logical data (undeleted "low-hanging fruit"
and/or evidence of a nonfelony offense) may be enough to build a case. When it provides insights
into a subject's patterns of life, including frequent contacts and communications, it may also have
immediate intelligence value.
Because in these cases, speed is as important as accuracy, the course geared for these needs
should cover search and seizure procedures, as well as evidence handling, analysis, and documentation processes that can be applied on the scene and/or back at the office. This type of course
should also help investigators collaborate more closely with lab examiners when they need to escalate evidence gathering and analysis.
Investigators whose primary job is to focus on mobile device and other forensic examinations need
coursework in learning how to do deeper extractions. This is relevant in cases where logical extraction data is circumstantial or unavailable, and it becomes necessary
to obtain data via file system or physical extraction. Because these methods can include a wide variety of complex tools and techniques, including data carving, multiple search tools, malware scanning, or other traditionally forensic methods, coursework should cover both
automated and manual decoding, analysis, and validation techniques, with an emphasis on preparing examiners to testify about their work in court.

Finally, supervisors, prosecutors, and others who are not directly involved in evidence collection, but supervise those who
are, should attend a primer course that covers mobile forensics fundamentals. Topics in this course
cover basic extraction and analysis capabilities, what search and seizure entails on a mobile
device, and evidence handling.

Certification in the use of a tool can be important to your potential status as an expert witness. It should help you successfully meet an admissibility challenge in court, as well as withstand cross-examination about your process and the tools you used. It may also help employers' decision-making about whether to hire or promote you.


4. Do the delivery models provide you with the flexibility you need?

Look for a curriculum that can be presented in a variety of delivery models and that gives you the flexibility you need to address your specific professional development requirements. Although some courses may be offered to personnel in a single organization, many are set up to allow investigators to
network with one another.
In-person training is ideal when you are located near convenient training facilities, and your
schedule allows. It may also be offered at conferences you plan to attend. If your organization has the space, you may be able to save some money by hosting courses.

Online instructor-led training combines classroom interaction with the convenience of internet-based study, when your schedule doesn't fit a planned class training in your area or you are
located too remotely from classroom training facilities.

Self-paced online training is best for professionals with tight
schedules.

Either way, online training should allow for hands-on expertise via interactive tutorials, and
should facilitate timely contact with instructors should you have questions or need help.
In addition, training manuals should be available for you to refer back to after your coursework is
complete.

Is the class length optimal for learning?


The more complicated the forensic process, the longer the class should be. That shouldn't put you
off, however. Longer classes give you more opportunity to understand the subjects and to interact
with instructors as you seek to build your understanding. This will also put you in a better position to
apply what you've learned immediately upon returning to work, no matter
what your skill level is or what your certification is for.

Core fundamentals typically can be covered in just eight hours
(one day), but certification classes on logical and physical extraction and analysis should each take longer: two to three days (16 to
24 hours), respectively.

Basic, intermediate, and advanced level courses should build on one another so
that your skills improve with each level. They can be offered by
level, or bundled into an entire week's worth of training.



5. Are the trainers experienced and proficient professionals?

Whether beginner, intermediate, or advanced, mobile forensics students should seek out trainers
who:
- Understand the forensic process and can answer questions about the material they present
- Have deep experience with digital forensic examinations, lab, field, and court procedures
- Train students toward professional goals, not the training organization's goals
- Are committed to student learning, to the extent that they remain accessible throughout the duration of the course and beyond
- Have an understanding of adult education and how to read their audience
- Create curriculum that presents logical, step-by-step instruction that is easy to follow
How do you find out whether courses and instructors meet these criteria? Ask. Listservs for HTCIA,
IACIS, HTCC, and other groups; forums such as Forensic Focus, phone-forensics.com, and others;
and even Twitter all serve as communities you can ask for recommendations. You can also call upon
investigators who work at forensic labs in your own region, along with those you may meet at conferences and other events. Be sure to research the trainers teaching the courses, and ask what other
students thought of them as well as their material.


Maximize value by choosing the right training vendor


When time and funding are scarce, you need training that will help you maximize your return on
investment. This return includes the confidence you need to collect and analyze accurate digital
evidence, and the authority you need to testify about your process. Whether you are seeking to get
started with mobile forensics, or you're trying to take the next step to become an expert in mobile
forensics, look for training vendors who can give you the solid foundation you need in forensic
process, the certification you need for your level of responsibility, and the flexibility to complete the
curriculum in the time and place that works best for you.

Cellebrite's New Standardized Forensic Training and Certification


Open to all user levels, from beginners to advanced, Cellebrite certification training provides hands-on experience with Cellebrite
products and applications, delivering the tools and knowledge required for evidence collection from mobile phones and portable
GPS devices, data analysis, searching, and reporting. Upon completion of a course, each participant receives a certificate, making
them eligible to move to the next stage in the curriculum.
Upon successful completion of the core curriculum, students have the opportunity to enter an extensive capstone certification
process known as Cellebrite Certified Mobile Examiner (CCME). This capstone examination, which includes both knowledge and
practical content, tests the student's knowledge in all of the domains offered in Cellebrite's forensic core curriculum. Students must
demonstrate proficiency with Cellebrite's tools and methodology at a level that signifies competency as a Cellebrite Certified Mobile
Examiner.

Cellebrite: Delivering Mobile Expertise


Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry with dedicated operations in the United States, Germany, Singapore, and Brazil. A world leader and authority in mobile data technology, Cellebrite
established its mobile forensics division in 2007, introducing a new line of products targeted to the law enforcement sector. Using
advanced extraction methods and analysis techniques, Cellebrite's Universal Forensic Extraction Device (UFED) is able to extract and
analyze data from thousands of mobile devices, including feature phones, smartphones and GPS devices. Cellebrite's UFED is the tool
of choice for thousands of forensic specialists in law enforcement, military, intelligence, security, government and private sector organizations in more than 100 countries.
Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).
