Test Assertions:

▪MDT-AO-06 The user is notified if an acquisition is disrupted.

MDT-02. Create an image file.

Acquire data from a mobile device. This test case only applies to acquisition types supported by the tool. If the tool supports selective logical acquisition, run all three selective acquisition variations (ONE, SUBSET, and SELECTED). There can be case variations for the different acquisition types:

MDT-02-LOG for logical acquisition
MDT-02-ONE for the selective acquisition of one data item
MDT-02-SUBSET for the selected acquisition of a subset of data items
MDT-02-SELECTED for the selected acquisition of all supported data items
MDT-02-FILE for file system acquisition
MDT-02-PHY for physical acquisition

Test Assertions (only one of the first 4 applies depending on the variation):

▪MDT-AO-01 An image file is created of physical memory. (PHY)
▪MDT-AO-02 An image file is created containing supported memory artifacts. (LOG)
▪MDT-AO-03 An image file is created containing selected artifacts. (ONE, SUBSET and SELECTED)
▪MDT-AO-04 An image file is created of the device file system. (FILE)
▪MDT-AO-05 The user is notified if the tool fails to establish a connection or acquire data from a connected mobile device.

MDT-03. View artifacts from an image file.

View data acquired from a mobile device to an image file. Open an image file and try to view the expected data items present. There can be case variations for the different acquisition methods used to create the image file:

MDT-03-LOG for logical acquisition
MDT-03-ONE for the selective acquisition of one data item
MDT-03-SUBSET for the selected acquisition of a subset of data items
MDT-03-SELECTED for the selected acquisition of all supported data items
MDT-03-FILE for file system acquisition
MDT-03-PHY for physical boot loader acquisition
MDT-03-JTAG for JTAG acquisition (acquired via separate hardware device)
MDT-03-CHIP for Chip-off acquisition (acquired via separate hardware device)

Test assertions:

▪MDT-CA-01 The tool presents all subscriber and equipment information available from an image file.
▪MDT-CA-02 The tool presents all PIM (address book, calendar & notes) data available from an image file.
▪MDT-CA-03 The tool presents all call data (call type (incoming, outgoing, missed), date-time stamps, duration) available from an image file.
▪MDT-CA-04 The tool presents all message (SMS, MMS & instant messages) data available from an image file.
▪MDT-CA-05 The tool presents all stand-alone (audio, documents, graphic & video) files available from an image file.
▪MDT-CA-06 The tool presents all browsing (history & bookmarks) data available from an image file.
▪MDT-CA-07 The tool presents all email data available from an image file.
▪MDT-CA-08 The tool presents all social media application data available from an image file.
▪MDT-CA-10 Presented text is rendered with the correct character glyphs.
▪MDT-AO-20 If an image file contains recoverable deleted data artifacts and the tool supports data recovery, the tool presents the recovered deleted items.
▪MDT-CA-11 The tool does not modify an image file.

MDT-04. Detect change to an image file.

Make a change to an image file, then open the image file. There can be case variations for the different acquisition types:

MDT-04-LOG for logical acquisition
MDT-04-ONE for the selective acquisition of one data item
MDT-04-SUBSET for the selected acquisition of a subset of data items
MDT-04-SELECTED for the selected acquisition of all supported data items
MDT-04-FILE for file system acquisition

Test assertions:

▪MDT-CA-12 If an image file is modified, the tool notifies the user that a change has been made to the image file.

MDT-05. Unlock a UICC.

Connect to a locked UICC and attempt to unlock the UICC. There are two variations:

MDT-05-PIN Unlock with a PIN code a locked UICC.
MDT-05-PUK Unlock with a PUK code a UICC with the maximum number of failed PIN attempts.

Test Assertions for MDT-05-PIN:

▪MDT-AO-07 A mobile device forensic tool provides a count of remaining authentication attempts for a locked UICC acquisition if an incorrect PIN is entered.
▪MDT-AO-08 A mobile device forensic tool unlocks a locked UICC if the correct PIN code is given to the tool.

Test Assertions for MDT-05-PUK:

▪MDT-AO-09 A mobile device forensic tool provides the examiner with a count of remaining authentication attempts for a locked UICC acquisition if an incorrect PUK code is entered.
▪MDT-AO-10 A mobile device forensic tool unlocks a locked UICC that has been given the maximum number of incorrect PIN codes if the correct PUK code is given to the tool.

MDT-06. Create a UICC image file.

Create an image file of an unlocked UICC.

Test assertion:

▪MDT-AO-11 An image file is created containing supported UICC artifacts.

MDT-07. View artifacts from the UICC image file.

View acquired artifacts from a UICC.

Test Assertions:

▪MDT-AO-12 A mobile device forensic tool presents Service Provider Name (SPN) from a UICC image file.
▪MDT-AO-13 A mobile device forensic tool presents Integrated Circuit Card Identifier (ICCID) from a UICC image file.
▪MDT-AO-14 A mobile device forensic tool presents International Mobile Subscriber Identity (IMSI) from a UICC image file.
▪MDT-AO-15 A mobile device forensic tool presents Mobile Subscriber International ISDN Number (MSISDN) from a UICC image file.
▪MDT-AO-16 A mobile device forensic tool presents Abbreviated Dialing Numbers (ADNs) from a UICC image file.
▪MDT-AO-17 A mobile device forensic tool presents Last Numbers Dialed (LND) from a UICC image file.
▪MDT-AO-18 A mobile device forensic tool presents Text messages (SMS) from a UICC image file.
▪MDT-AO-19 A mobile device forensic tool presents Location (LOCI, GPRSLOCI) from a UICC image file.
▪MDT-AO-20 If an image file contains recoverable deleted data artifacts and the tool supports data recovery, the tool presents the recovered deleted items.
▪MDT-CA-11 The tool does not modify an image file.

MDT-08. View active table data within an SQLite database.

View acquired artifacts within the embedded SQLite viewer.

Test Assertions:

▪MDT-AO-21 The tool shall display numeric values (e.g., integer and floating-point values).
▪MDT-AO-22 The tool shall display integer time values as a conventional human-readable date and time.
▪MDT-AO-23 The tool shall render text for Text fields, table names, and column names encoded in UTF-8, UTF-16BE, and UTF-16LE.
▪MDT-AO-24 The tool shall decode and display base64 encoded text.
▪MDT-AO-25 The tool shall display graphic image data recorded as a BLOB in the database.
▪MDT-AO-26 The tool shall decode data recorded as a BLOB in the database.
▪MDT-AO-27 The tool shall have the ability to display SQLite BLOB data.

▪MDT-AO-28 The tool shall report all currently active data when WAL mode is in use.
▪MDT-AO-29 The tool shall report all currently active data when journal mode is in use.
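
A reference fixture for several of the MDT-08 assertions (integer time, UTF-16LE text, base64 text, BLOB data and WAL mode), as an added example that is not part of the original specification: it builds a WAL-mode SQLite database whose rows exist only in the `-wal` file, then reads one copy without that file and one with it, giving the ground truth a viewer under test should match. The table name `msgs`, its columns and all sample values are constructed for illustration.

```python
import base64, os, shutil, sqlite3, tempfile
from datetime import datetime, timezone

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # constructed BLOB: PNG signature only, not a full image

def build_fixture(workdir):
    """Create a WAL-mode, UTF-16LE database whose rows exist only in the -wal file."""
    path = os.path.join(workdir, "fixture.db")
    con = sqlite3.connect(path, isolation_level=None)   # autocommit
    con.execute("PRAGMA encoding = 'UTF-16le'")         # must precede table creation
    con.execute("PRAGMA journal_mode = WAL")
    con.execute("PRAGMA wal_autocheckpoint = 0")        # keep later writes in the WAL
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, sent INTEGER, "
                "ratio REAL, body TEXT, b64 TEXT, att BLOB)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # schema now in main file
    rows = [(1700000000, 0.5, "héllo ✓", base64.b64encode(b"secret note").decode(), PNG_MAGIC),
            (1700003600, 2.25, "日本語", base64.b64encode(b"second").decode(), b"\x00\x01")]
    con.executemany("INSERT INTO msgs(sent, ratio, body, b64, att) VALUES (?,?,?,?,?)", rows)
    return con, path  # caller keeps con open so the WAL is not checkpointed on close

def read_rows(db_path):
    """Ground truth a viewer should present: decoded time, text, base64 and BLOB."""
    con = sqlite3.connect(db_path)
    try:
        return [(datetime.fromtimestamp(sent, timezone.utc).isoformat(), ratio, body,
                 base64.b64decode(b64).decode(), bytes(att))
                for sent, ratio, body, b64, att in
                con.execute("SELECT sent, ratio, body, b64, att FROM msgs ORDER BY id")]
    finally:
        con.close()

def compare_copies():
    """Copy the fixture with and without its -wal file and read each copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bare, full = (os.path.join(tmp, d) for d in ("src", "bare", "full"))
        for d in (src, bare, full):
            os.mkdir(d)
        con, path = build_fixture(src)
        shutil.copy(path, bare)                 # main database file only
        shutil.copy(path, full)
        shutil.copy(path + "-wal", full)        # main database file plus its WAL
        con.close()
        return (read_rows(os.path.join(bare, "fixture.db")),
                read_rows(os.path.join(full, "fixture.db")))

if __name__ == "__main__":
    bare, full = compare_copies()
    print(len(bare), "rows without the WAL;", len(full), "rows with it")
```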

MDT-09. Execute SQLite commands stored within the image file.

Run and save SQLite commands.

Test Assertions:

▪MDT-AO-30 If an image file contains recoverable deleted data artifacts and the tool supports data recovery, the tool presents the recovered deleted items.
▪MDT-AO-31 The tool shall have the capability to save SQLite commands for later recall.
