The Paradigm Shift

There is a shift in the force. Using a statement that most still understand, no matter what age group you might come from. This Paradigm Shift comes in the form of digital forensics, specifically mobile device forensics. Said simply enough, people want more. Examiners are tired with the push button approach and are wanting more, an ability to customize, the ability to control the examination, to control the bleeding edge of applications in mobile devices, and to have the power to uncover the smoking gun without first falling into the rabbit hole.

Automation is not a bad thing; it allows for repetitive tasks, training level fluctuations, time commitment and sometimes instantaneous results. On the other hand automated tools, without the ability of allowing the practitioner to control the examination, are tools that guess at what might be important to a specific examination, application and vector. As we all know, predicting the course of your examination is like predicting what your teenager might say to you when you ask them about their day. So pure automation that comes with mobile forensic tools is like guessing what you want to see, what application might be important to your investigation or what your examination should look like. Without giving the ability to conform to the task at hand you are relegated to subscribing to what a company believes is important to your investigation from their own research. So if their research does not show a mobile application is not in the top 10 from their polling of their “people in the know” good luck in handling that case with that tool.

As indicated in the title the times are changing. In my many conversations with actual examiners they are fed up with tools that only a give what the company believes is the needed information without allowing for a deep dive analysis. So, they are moving to tools that allow them to dive into the data, support any contingency and build support for themselves. Tools like AccessData’s MPE+ allow for all these contingencies because it is built by forensic examiners, by software developers that understand the need to give the power to the examiner and not guess as to what should be important.

Technology changes at a break neck pace and your examination today might involve a zero day application supported by no automated mobile forensic solutions. If that is the case, look for a tool that will allow you to adjust to these contingencies and allow you to take control of your investigation.

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department

This entry was posted in Information and tagged , , , , , , , . Bookmark the permalink.