The actual test cases selected depend on the tool features supported for a particular mobile device. For example, a tablet would not usually have call logs, but a phone would. A given phone might or might not have a UICC. A given tool may not support particular image file acquisition types, or may support no acquisitions at all and provide only analysis capabilities for mobile device images.
Tools tested are expected to report supported data elements to the user within the GUI. The user should not have to search manually for data artifacts within a hex view.
If a mobile device forensic tool supports selective logical acquisition, then run the three variations ONE, SUBSET, and SELECTED. A challenge of selected acquisition is the large number of possible combinations that could be tested. As a compromise between running a large number of different combinations and expending a reasonable amount of time, use three selection set variations (ONE, SUBSET, and SELECTED) for each device tested, but use a different selection set for each device. The selection sets for each variation are as follows:
- Variation SELECTED: Select all supported data items. Do this for each device tested.
- Variation ONE: Select just one supported data item. Select a different data item for each device tested. If there are more devices than data items, then repeat selected data items.
- Variation SUBSET: Select a subset of supported data items. Use a different one of the following patterns for each device; the expectation is to select about a third to a half of the data items for each tested device. If there are more devices than patterns, repeat patterns already used, using all the patterns approximately an equal number of times:
  - Mentally number the supported data items: 1, 2, 3, … select the odd-numbered items.
  - Mentally number the supported data items: 1, 2, 3, … select the even-numbered items.
  - Mentally number the supported data items: 1, 2, 3, … select every third item starting with item 2.
  - Select the first half of the supported items.
  - Select the last half of the supported items.
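The selection procedure above can be planned ahead of a test run. The following Python sketch is an added example, not part of the original specification: the device names and data item lists are constructed, and the rounding of "half" for odd counts and the single-item fallback for an empty SUBSET are assumptions.

```python
from collections import Counter
from typing import Callable, Dict, List

# The five SUBSET patterns in the order listed above (items numbered from 1).
PATTERNS: List[Callable[[List[str]], List[str]]] = [
    lambda items: items[0::2],                            # odd-numbered items
    lambda items: items[1::2],                            # even-numbered items
    lambda items: items[1::3],                            # every third, from item 2
    lambda items: items[: len(items) // 2],               # first half (rounded down)
    lambda items: items[len(items) - len(items) // 2 :],  # last half (rounded down)
]

def plan_selections(devices: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return the ONE, SUBSET and SELECTED selection sets for each device."""
    used = Counter()  # how often each data item was already picked for ONE
    plan = {}
    for index, (device, items) in enumerate(devices.items()):
        if not items:
            raise ValueError(f"{device}: no supported data items")
        # ONE: least-used item this device supports, so items repeat only
        # once every supported item has been used (ties follow list order).
        one = min(items, key=lambda item: used[item])
        used[one] += 1
        # SUBSET: rotate through the patterns so each is used about equally.
        # Assumption: if a pattern selects nothing (very short list), use item 1.
        subset = PATTERNS[index % len(PATTERNS)](items) or items[:1]
        plan[device] = {"ONE": [one], "SUBSET": subset, "SELECTED": list(items)}
    return plan

# Constructed sample input: supported data items per device under test.
SAMPLE_DEVICES = {
    "phone-A": ["contacts", "call logs", "SMS", "MMS", "calendar", "pictures"],
    "tablet-B": ["contacts", "calendar", "pictures", "video"],
    "phone-C": ["contacts", "call logs", "SMS"],
}

if __name__ == "__main__":
    for device, sets in plan_selections(SAMPLE_DEVICES).items():
        for variation, selected in sets.items():
            print(f"{device:9} {variation:9} {', '.join(selected)}")
```
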
MDT-01. Disruption notification.
This test case only applies to acquisition types supported by the tool. Begin an acquisition, wait a suitable time interval, and then disrupt the connection to the mobile device. There can be case variations for each acquisition type:
▪ MDT-01-LOG for logical acquisition
▪ MDT-01-ONE for the selective acquisition of one data item
▪ MDT-01-SUBSET for the selected acquisition of a subset of data items
▪ MDT-01-SELECTED for the selected acquisition of all supported data items
▪ MDT-01-FILE for file system acquisition
▪ MDT-01-PHY for physical acquisition