Examination and analysis
This is the ultimate step in the investigation, which aims to uncover data that is present on the device. Examination is done by applying well-tested and scientific methods to conclusively establish the results. The analysis phase is focused on separating relevant data from the rest and to probe data which is of value to the underlying case. The examination process starts with a copy of the evidence acquired using some of the techniques described above, which will be covered in detail in the next chapters. Examination and analysis using third-party tools is generally performed by importing the device's memory dump into a mobile forensics tool which will automatically retrieve the results. Understanding the case is also crucial to perform a targeted analysis of the data. For example, a case about child pornography may require focusing on all of the images present on the device rather than looking at other artifacts.
It is important that the examiner has fair knowledge of how the forensic tools which are used for examination work. Proficient use of the features and options available in the tool will drastically speed up the examination process. Sometimes, due to programming flaws in the software, the tool may not be able to recognize or convert bits into a format comprehensible by the examiner. Hence, it is crucial that the examiner has the necessary skills to identify such situations and use alternate tools or software to construct the results. In some cases, the individual may purposefully tamper with the device information or may delete/hide some of the crucial data. Forensic analysts should understand the limitations of the tool and sometimes compensate for them to achieve the best possible results. To analyze the extracted data, the US Department of Justice has published the following suggestions (referenced directly from: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf) in the publication Forensic Examination of Digital Evidence - A Guide for Law Enforcement:
- Ownership and possession: Identify the individuals who created, modified, or accessed a file, and the ownership and possession of questioned data by placing the subject with the device at a particular time and date, locating files of interest in non-default locations, recovering passwords that indicate possession, and identifying contents of files that are specific to a user.
- Application and file analysis: Identify information relevant to the investigation by examining file content, correlating files to installed applications, identifying relationships between files (for example, email files to email attachments), determining the significance of unknown file types, examining system configuration settings, and examining file metadata (for example, documents containing authorship identification).
- Timeframe analysis: Determine when events occurred on the system to associate usage with an individual by reviewing any logs present and the date-/timestamps in the filesystem, such as the last modified time. Besides call logs, the date/time and content of messages and email can prove useful. Such data can also be corroborated with billing and subscriber records kept by the service provider.
- Data hiding analysis: Detect and recover hidden data that may indicate knowledge, ownership, or intent by correlating file headers to file extensions to show intentional obfuscation; gaining access to password-protected, encrypted, and compressed files; and gaining access to steganographic information detected in images.