Special Guest: Scott Koenig – State Law Enforcement Officer Las Vegas Nevada

In this episode, we will be discussing the paper: 6 Steps to Successful Mobile Validation. Scott Koenig, one of the thirteen co-authors of the paper will reveal how to apply the topics discussed in the paper specifically using community resources, verification, and validation.

Scott is a state law enforcement officer in Las Vegas, Nevada and will talk about each of the six steps covered in the original paper.

Step 1: Determine All Possible Data Collection Methods For Your Search Authority

  • Research handset and data collection methods for the device. Use Google groups, the DFIR community, release notes, etc.
  • Obtain data collections and validate software whenever possible
  • Use more than one tool or method to collect data

Step 2 – Process the Data in More Than One Tool

  • Update your tools and validate your software downloads
  • Compare your results across more than one tool
  • Learn the intricacies of your tools

Step 3 – Deep Dive Forensics: Where the Push Button Stops and Forensic Examinations Begin

  • Ensure the artifacts make sense
  • Compare to the source device
  • Leverage community tools and scripts
  • Create sample files and take time to research

Step 4: Validation

  • Follow the source file for the artifact
  • Examine databases, plists, and other files in native viewer
  • Reach out to the DFIR community and vendor support to get your questions answered

Step 5: Reporting and Sharing Your Findings

  • Highlight evidence relevant to the investigation
  • Explain your findings
  • Provide opinions only when required or legally permitted
  • Share findings within your organization or DFIR community via blog or whitepaper

Step 6: Education

  • Continue your education and stay as current as possible with training, remaining up-to-date with case law, follow researchers on social media, etc.

Listen to the full episode to hear of various scenarios of how this works in real life and to learn more about mobile validation.

Share this post