Figure 7 illustrates an example of an on-site decision tree that may be used as a general guideline for organizations and agencies. This provides a starting point intended for customization allowing alignment with existing policies and procedures. The following list describes some of the actions and decision points contained within the tree.
- Unlocked/Undamaged – Is the device in an unlocked state and functional permitting a manual or logical data extraction?
- Urgent – Do circumstances exist such that data extraction is required on-site?
- Lab less than 2 hours away – Can the mobile device be transported to a forensics laboratory in less than 2 hours?
- Tool/Training – Is the device supported by the tool, and has the examiner received proper training?
- Contact Expert – The on-site examiner should contact an expert for additional assistance and guidance.
- Battery More than 50% – Does the device show that it has more than 50% remaining battery power?
- Need More Data – After the extraction is successful and the examiner has reviewed the results, is additional information or analysis required?
![]()
Post your comment on this topic.