Ok, so we left off talking about the examiner's process and now we are going to move on to the actual processing of the device itself. I will talk generically about some key points I like to cover in my courses.
First though, let me thank all those that responded both on the record, either in their own blog or post and those emails that I received asking questions, offering comments and suggestions. Truly, we are all in this together and that is the only way we can grow.
Location of Key Files
Do your tools actually tell you where the data resided on the device? Or do you just assume the question will never arise? If you are asked, will you simply respond, “from the phone, sir”? I would say the follow-up question would be, “Ok, but where in the phone, officer, like the shared folder or the cam folder?” Should this matter? Simply think of computer forensics and the location of images in relation to the “temporary internet” folder or the “my pictures” folder. There is a tremendous difference in computer forensics, so shouldn't it be of importance in cellphone forensics? Of course there are always exceptions, but are you looking?
Location of Artifacts
What tools extract internet history? A few, but for the most part tools only extract from smartphone-type devices like the iPhone, Windows Mobile, Android OS, Palm and others. How about the vx8500 from Verizon? Can I connect to the Internet with this device? Can I run a chat application? Again, these artifacts are easily recovered from the filesystems of these devices with a simple filesystem extraction followed by a simple string search.
Overkill, you might say? Not so, when I recover the URL showing access to a website where the user checked on a stolen firearm they posted on craigslist, or the access to a victim's webmail they stalked, or possibly a Google Maps search for a burglary location. These are all real examples of data I personally have located when conducting a “standard” thorough cellphone examination.
These are only a few examples of cellphone artifacts.
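The "filesystem extraction, then string search" step above, and the earlier point about knowing where on the device an artifact resided, are easy to show in code. The script below is an added example written for this post, not a tool from the author or any vendor. It assumes the filesystem extraction has already produced a set of files, represented here as a constructed dict of path to raw bytes (the `/brew/...` paths and their contents are made up for the demo, not data from a real handset). It pulls printable runs in both 8-bit and UTF-16LE form (the latter is what a plain ASCII `strings` pass would miss on a Windows Mobile or similar handset), looks for URLs and e-mail addresses in each run, and reports every hit with the file path and byte offset it came from, so the answer to "where in the phone?" is recorded alongside the artifact.

```python
import re
from dataclasses import dataclass

# Constructed sample "filesystem extraction": path -> raw file bytes.
# Stands in for the files pulled off a handset; not real phone data.
SAMPLE_FS = {
    "/brew/mod/browser/cache/00001.dat":
        b"\x00\x00GET http://maps.example.test/search?q=123+Main+St HTTP/1.1\x00\x00",
    # Chat log stored as UTF-16LE, as many Windows-based handsets do.
    "/brew/mod/chat/log.bin":
        "user@webmail.example.test".encode("utf-16-le") + b"\x00\x00",
    # A JPEG header with no interesting strings, to show a clean file.
    "/brew/shared/pic001.jpg":
        b"\xff\xd8\xff\xe0JFIF\x00" + b"\x00" * 32,
}

# Printable runs of at least 4 characters, 8-bit and UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Artifact patterns applied to each decoded run.
PATTERNS = {
    "url": re.compile(r"(?:https?://|www\.)[\w.~:/?#\[\]@!$&'()*+,;=%-]+"),
    "email": re.compile(r"[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}"),
}


@dataclass
class Hit:
    path: str       # file the artifact was found in
    offset: int     # byte offset of the artifact inside that file
    encoding: str   # "ascii" or "utf-16-le"
    kind: str       # "url" or "email"
    value: str


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for each printable run, like `strings`."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(data):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def find_artifacts(fs: dict) -> list:
    """Search every file for URL/e-mail artifacts, keeping path and offset."""
    hits = []
    for path, data in fs.items():
        for run_off, enc, text in extract_strings(data):
            width = 2 if enc == "utf-16-le" else 1   # bytes per character
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(text):
                    hits.append(Hit(path, run_off + width * m.start(),
                                    enc, kind, m.group()))
    hits.sort(key=lambda h: (h.path, h.offset))
    return hits


def report(hits: list) -> list:
    """One report line per hit: where it was, how it was encoded, what it is."""
    return [f"{h.path} @ 0x{h.offset:x} ({h.encoding}) {h.kind}: {h.value}"
            for h in hits]


if __name__ == "__main__":
    for line in report(find_artifacts(SAMPLE_FS)):
        print(line)
```

On the constructed sample this yields two hits: the map search URL at offset 6 of the browser cache file, and the webmail address at offset 0 of the UTF-16LE chat log, which an 8-bit-only search would not have surfaced. On a real extraction, replace `SAMPLE_FS` with a walk over the exported directory tree and keep the path/offset pair with every artifact you put in the report.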
Don't forget dates and times, which are severely lacking in the recovery by most tools. This is a huge reason we cover locating and recovering dates and times in the filesystem in our courses. That, of course, will be another blog. Until then...
What do you think you might have missed?