Information Technology Reference
In-Depth Information
The verification phase
After processing the phone, the examiner needs to verify the accuracy of the data extracted
from the phone to ensure that data is not modified. The verification of the extracted data
can be accomplished in several ways.
Comparing extracted data to the handset data
Check if the data extracted from the device matches the data displayed by the device. The
data extracted can be compared to the device itself or a logical report, whichever is pre-
ferred. Remember, handling the original device may make changes to the only eviden-
ce—the device itself.
Using multiple tools and comparing the results
To ensure accuracy, use multiple tools to extract the data and compare results.
Using hash values
All image files should be hashed after acquisition to ensure data remains unchanged. If file
system extraction is supported, the examiner extracts the file system and then computes
hashes for the extracted files. Later, any individually extracted file hash is calculated and
checked against the original value to verify the integrity of it. Any discrepancy in a hash
value must be explainable (for example, if the device was powered on and then acquired
again, thus the hash values are different).
