Practical Mobile Forensics(Third Edition)
上QQ阅读APP看书,第一时间看更新

Documenting the evidence and changes

Whenever possible, a record of all visible data should be created. It is recommended to photograph the mobile device along with any of the other media found, such as cables, peripherals, and so on. This will be helpful in case questions arise later on about the environment. Do not touch or lay hands on the mobile device when photographing it. Ensure that you document all the methods and tools that are used to collect and extract the evidence. Detail your notes so that another examiner can reproduce them. Your work must be reproducible; if not, a judge may rule it inadmissible. It's important to document the entire recovery process, including all the changes made during the acquisition and examination. For example, if the forensic tool used for the data extraction sliced up the disk image to store it, this must be documented. All changes to the mobile device, including power cycling and syncing, should be documented in your case notes.