Mobile Device Forensics and Artifact Analysis
RCCE students will learn how to collect, preserve, and analyze mobile device evidence from Android and iOS systems for investigative, incident response, and legal purposes. RCCE students will learn to identify valuable artifacts, interpret application data stores, reconstruct timelines, recover communication evidence, understand acquisition constraints, and document findings in defensible investigative reports. The course covers practical scenarios ranging from acquisition planning to artifact parsing, timeline building, and reporting. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Mobile Device Forensics and Artifact Analysis
- Execute hands-on tasks for mobile device forensics
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Execute hands-on tasks for who this is for — covering Mobile evidence acquisition, DFIR analysts & examiners.
- Execute hands-on tasks for mobile forensics fundamentals
- Execute hands-on tasks for core principles
- Execute hands-on tasks for key challenges — covering Preserve evidence integrity at all times.
- Execute hands-on tasks for admissibility standards — covering Daubert standard for methodology.
- Explain Mobile Device Architecture Overview fundamentals
- Design a scalable privilege management architecture with policy and enforcement, including Linux kernel with HAL layer, and XNU hybrid kernel (Mach + BSD).
- Execute hands-on tasks for android file system deep dive
- Execute hands-on tasks for key forensic insight — covering The /data/data/ partition contains per-app private storage with SQLite DBs, SharedPreferences XML, and cache files.
| Module | Topic |
| --- | --- |
| Module 01 | Mobile Device Forensics |
| Module 02 | Course Overview |
| Module 03 | What You Will Learn |
| Module 04 | Who This Is For |
| Module 05 | Mobile Forensics Fundamentals |
| Module 06 | Core Principles |
| Module 07 | Key Challenges |
| Module 08 | Admissibility Standards |
| Module 09 | Mobile Device Architecture Overview |
| Module 10 | Android Architecture |
| Module 11 | Android File System Deep Dive |
| Module 12 | Key Forensic Insight |
| Module 13 | iOS File System Deep Dive |
| Module 14 | APFS Encryption & Data Protection |
All hands-on labs run on Rocheston Rose X OS. Students practice mobile device forensics and artifact analysis by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for mobile device forensics
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for what you will learn
- Lab 4: Execute hands-on tasks for who this is for
- Lab 5: Execute hands-on tasks for mobile forensics fundamentals
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Mobile Device Forensics and Artifact Analysis, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI