The examination process uncovers digital evidence, including evidence that may be hidden or obscured. The results are obtained by applying established, scientifically based methods and should fully describe the content and state of the data, including its source and potential significance. Data reduction, which separates relevant from irrelevant information, occurs once the data is exposed. The analysis process differs from examination in that it looks at the results of the examination for their direct significance and probative value to the case. An examination is a technical process that is the province of a forensic specialist. However, an analysis may be done by roles other than specialists, such as an investigator or the forensic examiner.
The examination process begins with a copy of the evidence acquired from the mobile device. Fortunately, compared with a classical examination of personal computers or network servers, the amount of acquired data to examine is much smaller with mobile devices. Because of the prevalence of proprietary case file formats, the forensic toolkit used for the acquisition is typically also used for examination and analysis. While interoperability among the acquisition and examination facilities of different tools is possible, only a few tools support this feature. Examination and analysis using third-party tools are generally accomplished by importing a generated mobile device memory dump into a mobile forensics tool that supports third-party mobile device images.
The forensic examiner will need information about the case and the parties involved as a starting point for finding potential evidence. Conducting the examination is a partnership between the forensic analyst or examiner and the investigator. The investigator provides insight into the types of information sought, while the forensic examiner provides the means to find relevant information on the system.
The understanding gained by studying the case should provide ideas about the type of data to target and specific keywords or phrases to use when searching the acquired data. Depending on the type of case, the strategy varies. For example, a case about child pornography may begin with browsing all of the graphic images on the system. In contrast, a case about an Internet-related offense might begin with browsing all Internet history files.
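The keyword search described above can be illustrated with the following added example, which is not part of the original text: it searches a raw memory dump for case keywords, case-insensitively and in more than one text encoding, and reports the byte offset and surrounding bytes of each hit. The sample image, the keyword, and the choice of UTF-8 and UTF-16LE as the encodings to try are assumptions made for the example.

```python
import re

# Assumption: text in the dump is stored as UTF-8 or UTF-16LE.
ENCODINGS = ("utf-8", "utf-16-le")

# Constructed sample standing in for an imported memory dump.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"sms: meet at Harbor Street 9pm"
    + b"\xff" * 20
    + "contact: HARBOR street depot".encode("utf-16-le")
    + b"\x00" * 16
)

def keyword_patterns(keyword):
    """Yield (encoding, regex) pairs matching the keyword in any letter case."""
    for enc in ENCODINGS:
        parts = []
        for ch in keyword:
            # Accept the lower- and upper-case byte form of each character.
            variants = sorted({ch.lower().encode(enc), ch.upper().encode(enc)})
            parts.append(b"(?:" + b"|".join(re.escape(v) for v in variants) + b")")
        yield enc, re.compile(b"".join(parts))

def search_image(image, keywords, context=16):
    """Return hits sorted by byte offset, each with surrounding raw bytes."""
    hits = []
    for kw in keywords:
        for enc, pattern in keyword_patterns(kw):
            for m in pattern.finditer(image):
                lo = max(0, m.start() - context)
                hi = min(len(image), m.end() + context)
                hits.append({"keyword": kw, "encoding": enc,
                             "offset": m.start(), "context": image[lo:hi]})
    return sorted(hits, key=lambda h: h["offset"])

if __name__ == "__main__":
    for hit in search_image(SAMPLE_IMAGE, ["harbor street"]):
        print(f'{hit["offset"]:#06x} {hit["encoding"]:<9} '
              f'{hit["keyword"]!r} {hit["context"]!r}')
```

A search that tried only one encoding would miss the second hit in this sample, which is why each keyword is compiled once per encoding.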