I joined Metadata Forensics in July of 2024. My primary field of expertise is digital media, which encompasses audio, video, and image data. These are the disciplines which I’ve had the most formal education and training in, but I’ve had a great deal of practical, hands-on experience performing mobile phone extractions and analysis. Much of my initial Cellebrite UFED and PA knowledge came from helpful co-workers and by simply imaging and analyzing my own phones to familiarize myself with the user interface. I would estimate that in my casework I’ve worked on well over a hundred phones of numerous makes and models, and I was curious how much information I had gleaned independently compared to what would be taught in the Cellebrite CCO and CCPA courses.
The CCO course really is a 2-day introductory-level class which goes over the very basics of forensic examinations including evidence handling, forensic terminologies, device identification, chain of custody, and acquisition procedures. It does get a little more complex when the course gets into cellular topics like IMEI, MSISDN, ICCID, MEID, etc., but the rest really is an introduction to simply using the software and allowing it to do what it does best. Something I did learn about was www.phonescoop.com, which is an excellent database of mobile phone details and a great resource for information.
The CCPA course is a 3-day intermediate course which primarily covers the usage of Physical Analyzer to open images or data packets, perform forensic analysis, search for specific data, tag evidence, and create forensic reports. I felt this course was a big step up in terms of complexity and more advanced analysis methods, and again I was curious how the knowledge I’ve gained from my own practical experience using these tools would compare with the information being covered in the course syllabus. This course provided me with a better understanding of topics that I was foundationally aware of but didn’t quite have a full grasp of yet. Rooting, jailbreaking, data coding schemas and conversions, and SQLite databases were better explained for me, along with the data carving and advanced sorting features within PA. I was also introduced to other data points that would be of use during investigations involving location data and message attachments. In the end I felt I had learned a great deal, but that my hands-on learning was also extremely valuable and headed in the right direction.
Both courses had some slight flaws in the content, with data in the provided extractions not matching the module examples, such as email addresses, hit counts or phone models, and in a couple of cases the final exam question did not match as well. Aside from an obsessive wish to get every question correct, these were not an issue, and the learning process wasn’t hindered by this. I felt both courses were thoughtfully laid out and the presentation quality was extremely high. I believe in my case both courses were successful in filling in foundational gaps as well as providing additional, advanced knowledge, and completing them will result in my being a better and more thorough examiner.
