This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
GASF
The GASF certification trains forensic examiners in advanced acquisition, analysis, and reporting of iOS and Android smartphones, covering file systems, app data, cloud storage, and email evidence.
Who Should Take This
Digital forensic analysts with at least two years of experience who regularly investigate mobile devices should pursue GASF. It equips them to master deep-level iOS and Android acquisition techniques, decode complex application data, and interpret cloud-based evidence, advancing their capability to deliver rigorous, court-ready findings.
What's Covered
1. Mobile Device Fundamentals and File Systems
2. iOS Forensic Analysis
3. Android Forensic Analysis
4. Application Data Forensics
5. Cloud Storage and Email Application Forensics
6. Advanced Acquisition Techniques
7. Mobile Malware and Security Analysis
8. Forensic Reporting and Legal Considerations
What's Included in AccelaStudy® AI
Course Outline
60 learning goals
1. Mobile Device Fundamentals and File Systems (2 topics)
Mobile operating system architecture
- Describe iOS architecture including the Secure Enclave, Data Protection classes, APFS file system structure, app sandbox model, and keychain storage mechanisms relevant to forensic data extraction and analysis.
- Describe Android architecture including the Linux kernel layer, HAL, ART runtime, app sandbox (UID isolation), full-disk versus file-based encryption, and the Android Keystore system relevant to forensic acquisition constraints.
- Compare iOS and Android security models including encryption implementations, bootloader lock states, biometric authentication, and device management profiles to assess forensic acquisition feasibility for each platform and version.
Mobile file systems and data storage
- Describe mobile SQLite database structure including tables, schemas, WAL (Write-Ahead Log) journals, freelist pages, and unallocated space that contain forensically recoverable deleted records and historical data.
- Implement SQLite forensic analysis using sqlite3 command-line tools, DB Browser, and specialized forensic parsers to recover deleted records from WAL files, freelist pages, and unallocated database space across iOS and Android applications.
- Implement property list (plist) and protobuf data parsing for iOS artifacts including binary plist decoding, NSKeyedArchiver deserialization, and protocol buffer schema reconstruction for application preference and state data extraction.
- Analyze mobile file system timestamps, inode metadata, and directory structures to establish file creation, modification, and access timelines across APFS (iOS) and ext4/F2FS (Android) partitions for activity reconstruction.
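As an added example for the two SQLite goals above (this is not course material or code from any forensic tool), the following Python script reads the database file header, walks the freelist trunk and leaf pages, and carves printable strings from freed pages and from the unallocated space and freeblocks of live table-leaf pages. The messages database is constructed inline and `secure_delete` is switched off explicitly so the deleted bytes survive regardless of how the local SQLite library was compiled; all function and column names are this example's own.

```python
"""Recover deleted-record remnants from a SQLite database file by walking the
freelist and carving the unallocated regions and freeblocks of table-leaf pages.
Added example with a constructed messages database; not a real forensic image."""
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")   # runs of 8+ printable ASCII bytes


def read_header(data: bytes) -> dict:
    """Parse the fields of the 100-byte SQLite file header this carver needs."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                        # the value 1 encodes 65536
        page_size = 65536
    first_trunk, free_count = struct.unpack(">II", data[32:40])
    return {"page_size": page_size, "first_trunk": first_trunk,
            "free_count": free_count}


def page(data: bytes, page_size: int, pgno: int) -> bytes:
    """Return page number pgno (SQLite numbers pages from 1)."""
    return data[(pgno - 1) * page_size: pgno * page_size]


def freelist_pages(data: bytes, hdr: dict):
    """Yield (pgno, bytes_to_skip) for every trunk and leaf page on the freelist.
    A trunk page holds a 4-byte next-trunk pointer, a 4-byte leaf count and the
    leaf page numbers; everything after that is stale content worth carving."""
    trunk, seen = hdr["first_trunk"], set()
    while trunk and trunk not in seen:        # guard against a corrupted cycle
        seen.add(trunk)
        p = page(data, hdr["page_size"], trunk)
        next_trunk, n_leaves = struct.unpack(">II", p[:8])
        yield trunk, 8 + 4 * n_leaves
        for i in range(n_leaves):
            yield struct.unpack(">I", p[8 + 4 * i: 12 + 4 * i])[0], 0
        trunk = next_trunk


def leaf_slack(p: bytes, pgno: int) -> bytes:
    """Return the bytes of a table-leaf page that belong to no live cell: the
    unallocated gap after the cell-pointer array plus every freeblock."""
    off = 100 if pgno == 1 else 0             # page 1 starts with the file header
    if p[off] != 0x0D:                        # 0x0D marks a B-tree table leaf
        return b""
    fb, n_cells, content_start = struct.unpack(">HHH", p[off + 1: off + 7])
    content_start = content_start or 65536
    slack = p[off + 8 + 2 * n_cells: content_start]
    seen = set()
    while fb and fb not in seen:              # freeblock list: (next, size) pairs
        seen.add(fb)
        nxt, size = struct.unpack(">HH", p[fb: fb + 4])
        slack += p[fb + 4: fb + size]
        fb = nxt
    return slack


def carve(data: bytes) -> dict:
    """Carve printable strings from freelist pages and from live-page slack."""
    hdr = read_header(data)
    out = {"freelist": set(), "slack": set(), "free_count": hdr["free_count"]}
    freelisted = set()
    for pgno, skip in freelist_pages(data, hdr):
        freelisted.add(pgno)
        for m in PRINTABLE.finditer(page(data, hdr["page_size"], pgno)[skip:]):
            out["freelist"].add(m.group().decode())
    for pgno in range(1, len(data) // hdr["page_size"] + 1):
        if pgno not in freelisted:
            raw = leaf_slack(page(data, hdr["page_size"], pgno), pgno)
            for m in PRINTABLE.finditer(raw):
                out["slack"].add(m.group().decode())
    return out


def build_demo_db(path: str) -> None:
    """Constructed sample: 60 messages, all but the first five deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")   # leave deleted bytes in place
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [(f"MSG{i:04d} " + "x" * 900,) for i in range(1, 61)])
    con.commit()
    con.execute("DELETE FROM messages WHERE id > 5")
    con.commit()
    con.close()


def demo() -> dict:
    """Build the sample database, then compare live rows with carved remnants."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_demo_db(path)
        con = sqlite3.connect(path)
        live = [r[0] for r in con.execute(
            "SELECT substr(body, 1, 7) FROM messages ORDER BY id")]
        con.close()
        with open(path, "rb") as f:
            found = carve(f.read())
    ids = set()
    for s in found["freelist"] | found["slack"]:
        ids.update(re.findall(r"MSG\d{4}", s))
    return {"live": live, "deleted_recovered": sorted(ids - set(live)),
            "freelist_pages": found["free_count"]}


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: if the database is in WAL mode, the `-wal` file holds the newest versions of modified pages until a checkpoint, so it must be preserved alongside the main file and examined as well, and `PRAGMA freelist_count` on a working copy is a quick way to confirm that freed pages exist before carving.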
2. iOS Forensic Analysis (4 topics)
iOS acquisition methods
- Identify iOS acquisition types including iTunes/Finder backup (logical), libimobiledevice-based file system extraction, checkm8 exploit-based full file system acquisition, and GrayKey/Cellebrite advanced acquisition capabilities and their forensic coverage differences.
- Implement iOS logical acquisition using libimobiledevice tools (idevicebackup2, ideviceinfo, idevicecrashreport) to perform backup extraction, device information collection, and crash log retrieval for forensic examination.
- Implement iOS backup parsing using iLEAPP and other forensic frameworks to decode Manifest.db, extract application data from backup domains, decrypt encrypted backups with known passwords, and organize artifacts by application and data type.
- Evaluate iOS acquisition strategy by assessing device model, iOS version, lock state, and available exploits to determine the optimal acquisition method that maximizes forensic data recovery while maintaining evidence integrity.
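The NSKeyedArchiver deserialization named under "Mobile file systems and data storage" and the Manifest.db decoding named above share one technique: resolving the `$objects` table and its UID references in a keyed archive plist. The following Python decoder is an added example (not course material and not iLEAPP's code); the archive it decodes is constructed inline with `plistlib` and the class handling covers the common Foundation container classes, returning a labelled dictionary for anything it does not recognise rather than silently dropping it.

```python
"""Decode an NSKeyedArchiver plist into plain Python objects by resolving the
$objects table and its UID references. Added example with a constructed archive;
not code from the course or from any forensic tool."""
import plistlib
from plistlib import UID


def unarchive(archive: dict):
    """Resolve $top.root of an NSKeyedArchiver plist into native Python values."""
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = archive["$objects"]
    cache = {}                                # UID index -> decoded value

    def classname(obj):
        cls = obj.get("$class")
        return objects[cls.data]["$classname"] if isinstance(cls, UID) else None

    def resolve(value, depth=0):
        if depth > 64:                        # malformed or cyclic archives
            raise ValueError("reference chain too deep")
        if isinstance(value, UID):
            idx = value.data
            if idx in cache:
                return cache[idx]
            obj = objects[idx]
            if obj == "$null":                # index 0 is always the null object
                return None
            cache[idx] = resolve(obj, depth + 1)
            return cache[idx]
        if isinstance(value, dict) and "$class" in value:
            name = classname(value)
            if name in ("NSDictionary", "NSMutableDictionary"):
                keys = [resolve(k, depth + 1) for k in value["NS.keys"]]
                vals = [resolve(v, depth + 1) for v in value["NS.objects"]]
                return dict(zip(keys, vals))
            if name in ("NSArray", "NSMutableArray", "NSSet", "NSMutableSet"):
                return [resolve(v, depth + 1) for v in value["NS.objects"]]
            if name in ("NSString", "NSMutableString"):
                return value["NS.string"]
            if name in ("NSData", "NSMutableData"):
                return bytes(value["NS.data"])
            if name == "NSDate":
                return value["NS.time"]       # seconds since 2001-01-01 (Cocoa epoch)
            # Unknown class: keep the class name so the analyst sees what was skipped.
            rest = {k: resolve(v, depth + 1) for k, v in value.items() if k != "$class"}
            return {"$unhandled": name, **rest}
        if isinstance(value, list):
            return [resolve(v, depth + 1) for v in value]
        if isinstance(value, dict):
            return {k: resolve(v, depth + 1) for k, v in value.items()}
        return value                          # str, int, float, bool, bytes

    return resolve(archive["$top"]["root"])


def build_sample_archive() -> bytes:
    """Constructed keyed archive: a dictionary with a string, an array, an
    integer and a null reference, laid out the way NSKeyedArchiver stores it."""
    objects = [
        "$null",                                                          # 0
        {"$class": UID(6), "NS.keys": [UID(2), UID(3), UID(4), UID(12)],  # 1 root
         "NS.objects": [UID(5), UID(7), UID(9), UID(0)]},
        "path", "tags", "size",                                           # 2-4
        "Library/SMS/sms.db",                                             # 5
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},  # 6
        {"$class": UID(8), "NS.objects": [UID(10), UID(11)]},             # 7 array
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},   # 8
        2048,                                                             # 9
        "chat", "attachment",                                             # 10-11
        "target",                                                         # 12
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def decode(blob: bytes):
    """Parse a binary plist blob (as stored in a database column) and unarchive it."""
    return unarchive(plistlib.loads(blob))


if __name__ == "__main__":
    print(decode(build_sample_archive()))
```

The depth guard matters on real evidence: a damaged or deliberately crafted blob can contain a UID that points back to itself, and a decoder without the guard would recurse until the interpreter aborts.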
iOS native artifact analysis
- Identify key iOS native forensic artifacts including SMS/iMessage databases (sms.db), call history (CallHistory.storedata), Safari browsing data, Photos metadata (Photos.sqlite), and location caches (routined, significant locations) with their file paths and structures.
- Implement iOS communication artifact extraction by parsing sms.db for iMessage and SMS conversations, decoding attachment references, recovering deleted messages from WAL journals, and correlating with contact database entries.
- Implement iOS location artifact analysis by extracting and mapping location data from routined cache, significant locations, CoreLocation databases, Photo EXIF metadata, and WiFi/cell tower logs to reconstruct device movement patterns.
- Implement iOS keychain analysis to extract stored passwords, authentication tokens, WiFi credentials, VPN configurations, and application secrets from keychain-2.db using keychain decryption tools appropriate to the acquisition type obtained.
- Analyze iOS ScreenTime and Health data to determine device usage patterns, application usage duration, notification history, step counts, heart rate data, and workout routes that provide circumstantial evidence of user activity and location.
iOS browser and web activity forensics
- Identify iOS browser forensic artifacts including Safari History.db, Safari bookmarks, WebKit local storage, cookie databases, and third-party browser data (Chrome, Firefox) with their file system paths and SQLite schema structures.
- Implement Safari browsing history extraction by parsing History.db, recovering deleted history entries from WAL journals, extracting cached web content, and decoding web application local storage for forensic web activity reconstruction.
- Analyze iOS browser artifacts to reconstruct user web activity timelines, identify visited URLs correlated with investigation-relevant events, and determine whether web-based data exfiltration or unauthorized account access occurred.
iCloud and Apple ecosystem artifacts
- Describe iCloud data synchronization including iCloud Backup, iCloud Drive, CloudKit-based app data, iMessage in the Cloud, iCloud Keychain, and Find My device data and how each synchronization path creates forensic artifacts on device and in cloud storage.
- Implement iCloud artifact recovery from device-side caches and synchronized databases to reconstruct data that may have been deleted from the device but persists in cloud synchronization state files and local CloudKit containers.
- Evaluate the forensic completeness of iCloud-sourced data versus device-resident data, identify gaps in cloud-only acquisition, and assess how Apple privacy features (Advanced Data Protection, Private Relay) affect cloud evidence availability.
3. Android Forensic Analysis (4 topics)
Android acquisition methods
- Identify Android acquisition methods including ADB backup, ADB pull with root access, custom recovery (TWRP) imaging, bootloader-based extraction, EDL (Emergency Download) mode access, and the forensic coverage differences between each technique.
- Implement Android logical acquisition using ADB (Android Debug Bridge) to extract installed package lists, application data directories, system logs (logcat), device properties (build.prop), and user media from accessible storage partitions.
- Implement Android physical acquisition using custom recovery installation, dd-based partition imaging, and manufacturer-specific download modes (Samsung Odin, Qualcomm EDL) to obtain full partition images for comprehensive forensic analysis.
- Evaluate Android acquisition feasibility by assessing device manufacturer, chipset vendor, bootloader lock state, encryption status, Android version, and security patch level to select the optimal extraction approach for maximum data recovery.
Android native artifact analysis
- Identify key Android forensic artifacts including SMS/MMS databases (mmssms.db), call logs (contacts2.db/calllog.db), Chrome browsing data, media store databases, and WiFi connection history with their standard file paths across Android versions.
- Implement Android communication artifact parsing to extract SMS/MMS conversations, call history with duration and type, and voicemail data from system provider databases, including recovery of deleted records from SQLite journal files.
- Implement Android location artifact extraction from Google Maps history, location_cache.db, WiFi MAC address logs, cell tower connection records, and sensor data to reconstruct device location timelines and movement patterns.
- Implement Android APK analysis to determine installed application capabilities by examining AndroidManifest.xml permissions, activity declarations, service registrations, and broadcast receivers to identify suspicious or malicious application behavior.
- Analyze Android artifact data using ALEAPP automated parser framework to correlate multiple artifact sources, generate comprehensive reports, and identify patterns of user activity across installed applications and system databases.
Android browser and web activity forensics
- Identify Android browser forensic artifacts including Chrome History, Login Data, Cookies, Web Data, and cached content databases, as well as WebView data stored within individual application sandboxes across Android versions.
- Implement Android Chrome browser forensic extraction by parsing History, Login Data (saved passwords), autofill databases, download records, and cached page content to reconstruct browsing sessions and credential usage.
- Analyze Android browser artifacts to reconstruct user web activity, identify credential reuse patterns across websites, correlate browsing timestamps with device usage events, and detect evidence of phishing or social engineering victimization.
Google account and cloud synchronization artifacts
- Describe Google account synchronization mechanisms including Google Takeout data, Google Dashboard activity, Chrome sync data, Google Photos cloud backup, and Google Drive cached files that create forensic artifacts on Android devices.
- Implement Google account artifact extraction from device-side caches including sync adapter databases, Google Play Services data, Firebase analytics, and cached cloud content to recover data synchronized across the user's Google ecosystem.
- Compare device-resident versus cloud-sourced Android evidence to identify data discrepancies, assess the completeness of logical-only acquisitions, and determine whether deleted device data persists in Google cloud synchronization caches.
4. Application Data Forensics (3 topics)
Messaging application forensics
- Describe data storage patterns for major messaging applications including WhatsApp (msgstore.db, encrypted backups), Signal (signal.db, sealed sender), Telegram (cache4.db), and Facebook Messenger, identifying platform-specific encryption and retention behaviors.
- Implement WhatsApp forensic analysis by parsing msgstore.db (Android) and ChatStorage.sqlite (iOS), extracting message content with media references, recovering deleted messages, and decrypting local encrypted backups using extracted keys.
- Implement encrypted messaging artifact recovery for Signal and Telegram by extracting available metadata, attachment files, draft messages, contact lists, and session state data despite end-to-end encryption limiting message content availability.
- Analyze messaging application artifacts across platforms to reconstruct conversation timelines, identify communication networks between subjects, and assess the completeness of recovered messaging data considering app-specific encryption and deletion behaviors.
Social media and web application forensics
- Identify forensic artifacts from social media applications including Facebook, Instagram, Snapchat, TikTok, and Twitter/X, describing database locations, cached media, ephemeral content remnants, and account session tokens on iOS and Android.
- Implement Snapchat artifact extraction including recovering cached snaps, chat messages from content_manager database, friend lists, location data (Snap Map), and memories from both iOS and Android file system locations.
- Analyze social media application data to reconstruct user interactions, identify uploaded and viewed content, extract geolocation tags from shared media, and correlate social media activity with device usage timelines and communication patterns.
Location and navigation app forensics
- Describe location data sources within mobile applications including Google Maps Timeline, Apple Maps search history, ride-sharing app records (Uber, Lyft), fitness tracking data (Strava, Garmin), and navigation app route histories.
- Implement cross-application location correlation by aggregating GPS coordinates from photos, navigation apps, fitness trackers, and social media check-ins to create comprehensive location timelines on a geographic visualization platform.
- Evaluate location evidence accuracy and reliability by assessing GPS precision, WiFi-based positioning limitations, cell tower triangulation accuracy, and timestamp synchronization across location data sources to determine evidentiary weight.
5. Cloud Storage and Email Application Forensics (1 topic)
Cloud storage application artifacts
- Identify forensic artifacts from cloud storage applications including Dropbox (filecache.dbx, config.dbx), Google Drive (snapshot.db, cloud_graph.db), and OneDrive (SyncDiagnostics.log, settings.dat) on iOS and Android devices.
- Implement cloud storage artifact extraction to recover cached file metadata, synchronization timestamps, recently accessed documents, shared file links, and account information from mobile cloud storage application databases.
6. Advanced Acquisition Techniques (2 topics)
Hardware-based acquisition
- Describe chip-off acquisition methodology including eMMC/UFS chip desoldering, BGA reballing, chip reader selection, and raw flash image interpretation for mobile devices where software-based acquisition methods are unavailable.
- Describe JTAG and ISP (In-System Programming) acquisition techniques including test point identification, boundary scan procedures, and direct memory access methods for extracting flash storage contents without chip removal.
- Assess hardware acquisition feasibility by evaluating device damage state, encryption implementation, chip type compatibility, and available test points to determine whether chip-off, JTAG, or ISP methods can yield usable forensic data.
Encrypted device handling
- Describe mobile device encryption schemes including iOS Data Protection (hardware UID key wrapping, class keys), Android full-disk encryption (FDE), and Android file-based encryption (FBE) with credential-encrypted and device-encrypted storage classes.
- Implement encrypted device triage to determine encryption state, identify before-first-unlock versus after-first-unlock data availability, and apply available decryption methods based on device state, passcode availability, and acquisition type.
- Evaluate encryption impact on forensic evidence recovery by determining which data categories remain accessible in BFU (Before First Unlock) state, assessing brute-force feasibility based on passcode complexity, and identifying alternative evidence sources.
7. Mobile Malware and Security Analysis (1 topic)
Mobile malware identification
- Identify mobile malware categories including spyware, stalkerware, mobile banking trojans, ransomware, and mobile RATs, describing their typical indicators on iOS and Android including suspicious permissions, background services, and data exfiltration patterns.
- Implement mobile malware triage by analyzing installed application permissions, identifying sideloaded APKs or enterprise profiles, examining device management configurations, and detecting known malware indicators in file system artifacts.
- Analyze mobile device compromise indicators to determine malware capabilities, assess data exposure scope, identify command-and-control communication channels, and evaluate whether device integrity can be restored or requires full device replacement.
8. Forensic Reporting and Legal Considerations (1 topic)
Mobile forensic reporting
- Implement comprehensive mobile forensic reports documenting acquisition method, device information, parsed artifact findings, timeline analysis, and evidence integrity verification with proper hash documentation and chain-of-custody records.
- Evaluate the evidentiary weight of mobile forensic findings by assessing acquisition completeness, data integrity, timestamp reliability, and potential for anti-forensic manipulation to support or challenge conclusions in legal proceedings.
Scope
Included Topics
- All domains covered by the GIAC Advanced Smartphone Forensics (GASF) certification aligned with SANS FOR585: Smartphone Forensic Analysis In-Depth.
- Mobile device file systems and data storage including iOS APFS/HFS+, Android ext4/F2FS, SQLite database structures, property list (plist) files, and protobuf data formats used by mobile applications.
- iOS forensic analysis including logical and file system acquisition, keychain extraction, SQLite database parsing (SMS, call logs, Safari, Photos), plist analysis, iCloud artifact recovery, and Health/ScreenTime data interpretation.
- Android forensic analysis including ADB-based acquisition, APK analysis, file system artifact extraction, application sandbox data, Google account synchronization artifacts, and Android-specific databases (contacts2.db, mmssms.db, telephony.db).
- Application data analysis for messaging apps (WhatsApp, Signal, Telegram, iMessage), social media (Facebook, Instagram, Snapchat), location services (Google Maps, Apple Maps timeline), email clients, and cloud storage applications.
- Advanced acquisition methods including chip-off techniques, JTAG/ISP (In-System Programming) acquisition, bootloader exploitation, logical versus physical versus file system acquisition tradeoffs, and encrypted device handling.
- Mobile malware analysis including identification of spyware, stalkerware, mobile RATs, and malicious application indicators through file system artifacts, network traffic analysis, and permission abuse detection.
Not Covered
- Desktop and server forensics including Windows registry analysis, memory forensics, and enterprise incident response covered by GCFA certification.
- Network forensics and packet capture analysis covered by GNFA certification.
- Mobile application development practices and programming language specifics not relevant to forensic artifact interpretation.
- Carrier-level cellular network forensics including cell tower triangulation and lawful intercept systems requiring telecom provider cooperation.
- Hardware-level chip reverse engineering beyond practical chip-off and JTAG acquisition techniques.
Official Exam Page
Learn more at GIAC Certifications
GASF is coming soon
Adaptive learning that maps your knowledge and closes your gaps.
Create Free Account to Be Notified