Once a copy of the acquisition results is available, the next steps involve searching the data, identifying evidence, creating bookmarks, and developing the contents of a final report. Knowledge and experience with the tools used for examination are extremely valuable since using a forensic tool’s available features and capabilities can greatly speed the examination process.
It is important to note that forensic tools can contain some degree of error in their operation. For example, the implementation of the tool may have a programming error; the specification of a file structure used by the tool to translate bits into data comprehensible by the examiner may be inaccurate or out of date; or the file structure generated by another program as input may be incorrect, causing the tool to function improperly. Experiments conducted with mobile device forensic tools indicate a prevalence of errors in formatting and displaying data. Therefore, having a high degree of trust and understanding of the tool’s ability to perform its function properly is essential. The Computer Forensics Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) produces specification, test methods, and test reports that provide a foundation for toolmakers to improve tools, users to make informed choices, and provide interested parties with an overview of any anomalies found. CFTT has spent several years researching and testing forensic tools capable of acquiring data from the internal memory of mobile devices and Subscriber Identity Modules (SIMs).
A knowledgeable individual may tamper with device information, such as purposefully modifying a file extension to foil the workings of a tool, altering the date/time of the mobile device to falsify timestamps associated with logged activities, creating false transactions in the memory of the mobile device or its UICC or utilizing a wiping tool to remove or eliminate data from memory. Seasoned experience with a tool provides an understanding of its limitations, allowing an examiner to compensate for them and minimize errors to achieve the best possible results.
To uncover evidence, specialists should gain the suspect’s background, offense and determine a set of terms for the examination. Search expressions should be developed systematically, such as using contact names that may be relevant. By proceeding systematically, the specialist creates a profile for potential leads that may unveil valuable findings. Forensic Examination of Digital Evidence – A Guide for Law Enforcement, produced by the U.S. Department of Justice, offers the following suggestions for the analysis of extracted data:
- Ownership and possession – Identify the individuals who created, modified, or accessed a file and the ownership and possession of questioned data by placing the subject with the device at a particular time and date, locating files of interest in non-default locations, recovering passwords that indicate possession or ownership, and identifying contents of files that are specific to a user.
- Application and file analysis – Identity information relevant to the investigation by examining file content, correlating files to installed applications, identifying relationships between files (e.g., e-mail files to e-mail attachments), determining the significance of unknown file types, examining system configuration settings, and examining file metadata (e.g., documents containing authorship identification).
- Timeframe analysis – Determine when events occurred on the system to associate usage with an individual by reviewing any logs present and the date/time stamps in the file system, such as the last modified time. Besides call logs, the date/time and content of messages and e-mail can prove useful. Corroborate such data with billing and subscriber records kept by the service provider.
- Data hiding analysis – Detect and recover hidden data that may indicate knowledge, ownership, or intent by correlating file headers to file extensions to show intentional obfuscation; gaining access to password-protected, encrypted, and compressed files; gaining access to steganographic information detected in images, and gaining access to reserved areas of data storage outside the normal file system.
The tool’s capabilities and the richness of its features, versus the operating system and type of device under examination, determines what information can be recovered, identified, and reported and the amount of effort needed. The search engine plays a significant role in discovering information used to create bookmarks and final reporting. For example, some tools are used to search for textual evidence to identify and categorize files based on file extension, where others use a file signature database. The latter feature is preferable since it eliminates the possibility of missing data because of an inconsistent file name extension (e.g., eliminating a text file whose extension was changed to a graphics or image file). Similarly, the ability for the tool to find and gather images automatically into a common graphics library for examination is extremely useful.
Searching data for information on incriminating or exculpatory evidence takes patience and can be time-consuming. Some tools have a simple search engine that matches an input text string exactly, allowing only for elementary searches to be performed. Other tools incorporate more intelligent and feature-rich search engines, allowing for generalized regular expression patterns (grep) type searches, including wildcard matches, filtering files by extension, directory, and batch scripts that search for specific types of content (e.g., e-mail addresses, URLs). The greater the tool’s capabilities, the more the forensic examiner benefits from the experience and the tool’s knowledge.