The identification phase
The forensic examiner should identify the following details for every examination of a
mobile device:
• The legal authority
• The goals of the examination
• The make, model, and identifying information for the device
• Removable and external data storage
• Other sources of potential evidence
We will discuss each of them in the following sections.
The legal authority
It is important for the forensic examiner to determine and document what legal authority
exists for the acquisition and examination of the device as well as any limitations placed on
the media prior to the examination of the device.
The goals of the examination
The examiner will identify how in-depth the examination needs to be based upon the data
requested. The goal of the examination makes a significant difference in selecting the tools
and techniques used to examine the phone, and a clearly defined goal increases the
efficiency of the examination process.
The make, model, and identifying information for the device
As part of the examination, identifying the make and model of the phone assists in
determining what tools would work with the phone.
Removable and external data storage
Many mobile phones provide an option to extend the memory with removable storage
devices, such as the TransFlash microSD memory expansion card. When such a card is
found in a mobile phone that is submitted for examination, the card should be removed
and processed using traditional digital forensic techniques. It is wise to also acquire
the card while it is in the mobile device, to ensure that data stored on both the handset
memory and the card are linked for easier analysis. This will be discussed in detail in
upcoming chapters.