Analysis explores the data acquired from the device during extraction. This can take days or weeks depending on the nature of the investigation, the amount of data, whether specialized data carving is needed, and the data’s relevance to the case.
Analyzing logical data may involve a review of not just content, but also usage patterns: whom the phone’s owner contacted most often, how they communicated with those people, activity at certain times of day or days of the week. Logical data analysis can also verify what a subject told you s/he saw on the device.
Analyzing physical or file system data is much more detailed. Not only can it corroborate statements and reveal usage patterns; it can also carve deleted image fragments, scan for malware, reconstruct deleted SMS, and support other advanced capabilities. Needless to say, this takes more time than logical data analysis.
Validation determines whether the extracted data is complete and accurate. This is an important step. Mobile forensic tools aren't perfect, and while some are better than others, any of them can misreport the data. The report can be incomplete, might conflict (either with the subject's statement or with the data viewed on the screen), or be plain wrong.
A good forensic examiner might use one or more additional tools, or simple manual methods, to verify the initial report. As you might have guessed from reading the paragraph about extraction, this can take additional time. However, validation is well worth the effort if it means being able to withstand cross-examination.
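One way to do the cross-tool check described above, as an added example that is not from this article: parse the SMS exports of two tools for the same device, normalize phone numbers so formatting differences don't look like conflicts, and list the records only one tool reported so they can be verified manually against the device. The XML schema and sample records are constructed for the example and are not any vendor's real format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample exports in an assumed schema; not a real tool's output.
TOOL_A = """<sms_export>
  <sms number="+1 (555) 010-0001" date="2023-04-02T14:05:00" direction="in" body="meet at 6"/>
  <sms number="+15550100001" date="2023-04-02T14:07:30" direction="out" body="ok"/>
  <sms number="+15550100002" date="2023-04-03T09:00:00" direction="in" body="call me"/>
</sms_export>"""
TOOL_B = """<sms_export>
  <sms number="15550100001" date="2023-04-02T14:05:00" direction="in" body="meet at 6"/>
  <sms number="15550100001" date="2023-04-02T14:07:30" direction="out" body="ok"/>
  <sms number="15550100003" date="2023-04-03T11:30:00" direction="in" body="where r u"/>
</sms_export>"""


def normalize_number(raw):
    """Keep digits only and drop a leading US country code so the same contact
    written differently by two tools compares equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        return digits[1:]
    return digits


def load_records(xml_text):
    """Parse one tool's export into a set of (number, timestamp, direction, body) tuples."""
    root = ET.fromstring(xml_text)
    return {
        (normalize_number(e.get("number")), e.get("date"), e.get("direction"), e.get("body").strip())
        for e in root.iter("sms")
    }


def cross_validate(xml_a, xml_b):
    """Return records both tools agree on and records seen by only one tool.
    Anything in only_a or only_b needs manual checking against the device."""
    a, b = load_records(xml_a), load_records(xml_b)
    return {"agreed": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


if __name__ == "__main__":
    for label, rows in cross_validate(TOOL_A, TOOL_B).items():
        print(f"{label}: {len(rows)}")
        for row in rows:
            print("   ", row)
```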
How to focus your request for data
Know what you need and communicate this to the forensic examiner, in person or over the phone if possible:
- Is this a suspect's, victim's or witness's device? How does the person use the phone in a way that suggests it may contain evidence?
- What types of evidentiary data are you looking for, for instance photos posted to social media, or call logs versus SMS?
- Do you need intelligence about their contacts and movements, or evidence that may need to be presented at trial?
- Are there one or more specific time periods, or specific calls, messages or images you need?
- Is the charge a misdemeanor or a felony?
- What report format (PDF, HTML, XML or other formats) do you need the data in? This may be especially relevant if you or another investigator plan to plug the extracted data into some other tool, such as link analysis software.
It can also help to create a list of keywords—words that are related to your case. Keywords can be helpful in homicide, suicide, narcotics, human trafficking, missing-persons, and a variety of other cases. List key people’s names, drug brand and generic names, potential internet search terms, location names, and so on. Be sure to include misspellings.
Finally, property tags are as essential for mobile devices as they are for any other piece of evidence, and especially important when you seize multiple devices from a scene. They help forensic examiners track devices both during examination and within their reports. However, don't affix a property tag to a device's screen or keyboard, as this interferes with the forensic exam itself.
Mobile forensics is not a push-button operation. It often takes considerable time and patience, especially as more people store ever more data on their mobile devices. Understanding what’s involved in the process, what kinds of data you need to make your case, and how to communicate with your forensics examiners and prosecutors will improve your chances of getting the mobile evidence you need, when you need it.