Mobile Device Security and Data Protection

Mobile devices have become almost universally accessible, deeply entangled with our personal lives and part of our personal space. As a result, these devices, which now support a wide range of use cases, may often host personal, or otherwise sensitive, information. Such information is protected by complex security architectures that are difficult to fully grasp, making it increasingly difficult for digital forensics experts to understand what is required to access the unprotected information.

The goal of this training is to educate the participants on the fundamental low-level security features used by modern security architectures of mobile devices. At the end of the training, the participants will understand how mobile devices are able to boot securely, are secured at runtime and assure the confidentiality of the sensitive information. Moreover, they will understand, as well as experience, the impact of: the mobile device state (e.g., BFU and AFU), usage of a Secure Element (SE), vulnerabilities in low-level code (e.g., ROM, Bootloader and TEE), the availability of signed recovery mode loaders (e.g., EDL) and the usage of a custom operating system (e.g., GrapheneOS).

The participants will analyse commercial off-the-shelf (COTS) mobile devices with Android. Although these mobile devices run Android and serve similar purposes, their low-level security architectures differ significantly, which makes it interesting to analyse solutions from different manufacturers.

The exercises are designed to provide a hands-on learning experience, during which the participants will use various tooling, study source code and perform reverse engineering. Even though it is not mandatory, we assume that the participants have already familiarized themselves with some of these types of activities on less complex devices.

The training aims to provide the foundational knowledge required to understand how information is protected on mobile devices. It does not focus on actually identifying or exploiting the type of vulnerabilities that are required to access the information. Nonetheless, the exercises position the participants in a context (i.e., reverse engineering), where vulnerabilities may be found.

Please contact us for more information!


Additional Info

Audience

This training is intended for:

  • Digital Police investigators
  • Forensic investigators in law-enforcement agencies
  • Security Analysts, Researchers & Enthusiasts

Level

The level of this training is Intermediate.

Our experienced trainers, as well as the detailed instructions, will guide participants of all skill levels throughout the training. This includes participants with or without reverse engineering experience.

Learning objectives

The learning objectives of this training are:

  • Understand the security architecture of mobile devices
  • Understand what is required to decrypt encrypted data stored on mobile devices

Agenda

The topics are covered by hands-on exercises (75%) and presentations (25%), which provide context and the required information. During the hands-on exercises, the participants may, for example, perform a physical activity, analyse a document, use a specific hardware or software tool, review source code or perform reverse engineering.

Most of the exercises are performed on commercial off-the-shelf (COTS) mobile devices with Android. This allows the participants to get familiar with real-world security architectures that make use of the underlying hardware platform (i.e., System-on-Chip).

The list of topics shown below provides an overview of what will be discussed during the training. The topics may be scheduled in a different order during the actual training.

  • Hardware Security
    • Booting
    • Memories (e.g., ROM, SRAM and OTP)
    • Secure Boot
    • Recovery Modes (e.g., Emergency Download Mode and Download Mode)
    • Hardware modules / IP
  • Android Security
    • Verified Boot
    • Sandboxing (SELinux)
    • Authentication (Gatekeeper)
    • Keystore (Keymaster)
    • Encryption (FBE / FDE)
    • StrongBox (eSE / iSE)
    • Device states (BFU / AFU)
    • Custom OSes (e.g., GrapheneOS)
  • Trusted Execution Environment (TEE)
    • Secure Monitor (EL3)
    • Operating System (S-EL1)
    • Trusted Application (S-EL0)

Exercise examples

  • Analyzing the internals of a mobile device
  • Booting mobile devices in different modes
  • Using Bootloader mode (e.g., using fastboot)
  • Using Recovery mode (e.g., mtkclient)
  • Analyzing flash dumps using typical tooling (e.g., unblob)
  • Analyzing the key components of a mobile device (e.g., ROM, bootloader and TEE)
  • Communicating with the TEE from Linux
  • Analyzing Kernel-level security features (e.g., DM-Verity, SELinux)
  • Brute-forcing credentials (and decryption keys)
  • Identifying how forensic tooling is able to access information

This training aims to provide the foundational knowledge required to understand how information is protected on mobile devices. It does not focus on actually identifying or exploiting the type of vulnerabilities that are required to access the decrypted information.

What students need to know

This training requires the students to be familiar with:

  • Linux command line tools
  • programming (Python, C)
  • cryptography (AES, RSA)
  • reverse engineering (ARM)

Note that the above requirements are not a must: the training is set up in such a fashion that participants with any skill level or background are able to reach the training's objectives and complete (most of) the exercises.

What students need to bring

The students of this training are expected to bring a modern laptop or workstation:

  • with sufficient memory (~16 GB)
  • with at least four (2) available USB-A ports
    • Raelize will have extra USB hubs available during the training (USB-C / USB-A)
  • installed with a modern browser (i.e., Google Chrome)
  • installed with VMware Player/Workstation (or VirtualBox)

Important: the required tooling is only tested on x86-64-based systems and it's NOT thoroughly tested on Apple's ARM-based systems (e.g., M1, M2 or M3).


Host Raelize
Type Online
Date Jan 5-8, 2026
Location Remote
Language English
Price 3,000 EUR
Time 8:00-12:00 (MST) / 16:00-20:00 (CET)

Email us to register!

Host NFI
Type Classroom
Date Apr 7-10, 2026
Location Netherlands
Language English
Price 4,250 EUR
Time 9:00-17:00 (CEST)

Contact Us

Contact Details

Feel free to contact us, we will be happy to listen and support.

Meeuwenlaan 20, 3055 CL, Rotterdam, The Netherlands
Email: info@raelize.com
VAT: NL861445934B01
KVK: 78549477