How to Detect Unparsed Applications in Cellebrite Physical Analyzer – Part 2
- How do you know if you found everything that exists on a mobile device?
- When do you throw in the towel and say, “I found everything I could?”
- What determines this for you? Is it a time constraint due to a pending court hearing?
- Are billable hours only allotting so much time?
If you work in the consulting world, you may consider yourself lucky that time is controlling your level of effort.
Think about it: with all the time in the world to work a case, when can you stop? What if you didn’t find what you thought would be there? This is where you need to ensure you are relying on a tool you can trust, and that all data is present for your examination. Cellebrite Physical Analyzer (PA) is my most trusted tool for mobile forensics. I have been trained on how to leverage the built-in support to start my investigation.
Key features, like installed applications, parsed user accounts, plug-ins (such as fuzzy model or the app genie), and timeline, will help you along the way. You still need a platform that lets you dig deeper, and PA does just that.
Stay tuned in this series to learn more from Heather Mahalik as she dives into the file system and shows tricks for uncovering artifacts that may be hiding there.
In my previous blog in this series, we looked at “installed applications.” Here in Part 2, we’re going to try and determine if we got every artifact that exists on the mobile devices in our example.
This is one of the hardest things to do in mobile forensics and one of the biggest gut-checks you’ll need to take as an examiner. When someone says to me, “Heather, are you sure you found everything?” it’s always difficult for me to say with 100-percent certainty, “Yes, I did.” Sometimes billable hours are the stopping point and, honestly, if that’s all you’re up against, you’ll be lucky.
When I worked as an independent contractor on billable hours, I would always state in my reports that, “Due to the time constraints, I was able to verify ‘X, Y, and Z.’” My inference was that if a client also wanted items A, B, and C, guess what? It’s going to cost a little bit more money.
If you are working a case where you can work it until it’s solved, that’s where the heartache begins. You wonder if your tools and your own skills are reliable enough to say that you found everything. If you have any doubts, I recommend that you go back and start with the basics.
Go to the “Installed Applications” drop-down (below) and see if there’s an application listed there that your tools are not parsing.
From there, dive into user accounts (below). Do you see a user account for an application where nothing is being parsed?
Is this giving you any better clues as to something else that might exist on this device? If you’ve exhausted this search, then ask yourself the following:
- Have you done all your keyword searching?
- Have you gone into your file system and looked in each of the files to see if there are any plists on an iPhone or any preference files on an Android?
- Have you looked at databases that track installed applications?
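As an added example (not from this post or from Cellebrite), the cross-check above can be scripted: compare the installed-app list, read here from a constructed SQLite table standing in for a device's app-tracking database, against the set of apps a tool actually parsed and the user accounts it recovered, and report the gaps. The table layout, package names and accounts are all constructed and do not reflect Physical Analyzer's own data formats.

```python
import sqlite3

# Constructed sample data: installed packages, the apps the tool parsed,
# and the user accounts it recovered. Not a real device or PA schema.
INSTALLED_APPS = [
    ("com.example.browser", "Browser", "9.1"),
    ("com.example.chat", "SecretChat", "2.4.1"),
    ("com.example.notes", "Notes", "1.0"),
    ("com.example.vault", "PhotoVault", "3.2"),
]
PARSED_APPS = {"com.example.notes", "com.example.browser"}
USER_ACCOUNTS = [
    ("com.example.chat", "user@example.net"),
    ("com.example.browser", "user@example.net"),
    ("com.example.old", "legacy@example.net"),  # app no longer installed
]


def load_installed():
    """Read installed packages from a constructed in-memory app-tracking table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages(id TEXT PRIMARY KEY, name TEXT, version TEXT)")
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", INSTALLED_APPS)
    return conn.execute("SELECT id, name, version FROM packages ORDER BY id").fetchall()


def find_unparsed(installed, parsed, accounts):
    """Return (gaps, orphans): installed apps with no parsed data, flagged with
    any recovered account, and accounts whose app is neither installed nor parsed."""
    accounts_by_app = {}
    for app_id, login in accounts:
        accounts_by_app.setdefault(app_id, []).append(login)
    installed_ids = {app_id for app_id, _, _ in installed}
    gaps = [{"id": app_id, "name": name, "version": version,
             "accounts": accounts_by_app.get(app_id, [])}
            for app_id, name, version in installed if app_id not in parsed]
    orphans = sorted({a for a, _ in accounts if a not in parsed and a not in installed_ids})
    return gaps, orphans


def run_check():
    """Run the full cross-check over the constructed data."""
    return find_unparsed(load_installed(), PARSED_APPS, USER_ACCOUNTS)


if __name__ == "__main__":
    gaps, orphans = run_check()
    for g in gaps:
        flag = " (user account present)" if g["accounts"] else ""
        print(f"{g['id']} {g['name']} {g['version']}: not parsed{flag}")
    print("accounts with no installed app and no parsed data:", orphans)
```

Every app reported with an account present, and every orphan account, is a lead to follow into the file system, keyword search or the app-tracking databases rather than a finding in itself.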
At this point, you may be able to say with certainty, based upon your experience, that there is nothing hiding from you. However, in this example there is something hiding from you, and I’m going to show you that in Part 3 of this series.