Date and Time:
Tuesday, March 19, 08:45 – 10:45

This workshop is provided only face-to-face.


Performing (live) SOCMINT operations has many digital forensic challenges when using for instance Android apps like WhatsApp, Telegram or Snapchat in under cover work. The apps support disappearing or self-destructing messages and stories, and prevent easy downloading of files or screen capturing. Other apps like Signal do not only encrypt communications, but also most files on the device making capturing the contents difficult. And finally, most social media app communication is through servers, making it hard to determine the location or for instance IP address of another user. The workshop is an interactive session with hands-on tasks for the participants. After a brief explanation and demonstration per topic, the participants are challenged to capture and parse the data from the various apps as well. Using various scripts and third-party tools like Frida the participants will be able to investigate and perform live capture of data on Android mobile devices.

Preparation Details:

For hands-on participation the following is required from the participants: 1) Laptop with Linux distribution (e.g. Ubuntu Desktop), Android Debug Bridge (ADB) and Frida tools. 2) Rooted Android mobile device (for instance via Magisk) with an active (pre-paid) SIM card for app registration. Either pre-installed or installed during the workshop: Signal Private Messenger, WhatsApp, Snapchat and Telegram. 3) USB cable to connect the rooted Android mobile device with the laptop. Other software links may be made available during the workshop.

Workshop organiser:

Rens de Wolf (Volto Labs, The Netherlands)

Rens has a Master of Science degree in Computer Science from the Delft University of Technology and holds the CISSP, CISA, and CISM certifications. He has over 20 years of international experience in the field of cyber security and digital forensics investigations in both corporate and government environments. Currently, he is co-founder at Volto Labs (previously Tracks Inspector) and involved with Cyber HUMINT/SOCMINT innovations and software development. He was in the lead for the well-known Sweetie 2.0 project and is currently involved with the Cyber Agent Technology (CAT) solution for law enforcement.