Digital Forensic Investigators need to understand the inner working of mobile devices and how they store data in order to extract and interpret the information they contain. The second day of the course covers mobile device operation and data storage, and forensic examination of SIM cards. This day begins with a review of operating systems and file systems on common devices, including Windows Mobile and Blackberry. Devices will be provided in class for you to work with. We build on this foundational knowledge of the different ways that information is arranged and protected on mobile devices by closely examining logical storage objects they contain, including user created data (e.g., call logs, SMS/MMS/e-mail messages, calendars, address books) and system files (e.g., Registry). We delve into the storage structure of SIM/USIM cards as defined in GSM11.11 and TS51.011, dealing with PIN protection, and creating a safe SIM for forensic examination purposes.

During hands-on exercises on day 2, you will use manufacturer and developer tools to gain a deeper understanding of mobile device internals. Furthermore, you will acquire and examine the contents of SIM cards to get practical, hands-on experience and better understand how they store data, how to decode the data, the types of information they contain, and how that information can be useful in an investigation.