
Data acquisition

5 Posts
4 Users
0 Reactions
915 Views
 meso
(@meso)
Active Member
Joined: 12 years ago
Posts: 10
Topic starter  

I want to preface this post by saying that I'm relatively new to mobile forensics. I work in law enforcement and due to budget constraints I divide my time between "regular" detective duties and being the "tech guy" for our department. I'm slowly trying to build a lab, but for now the primary tool I'm using is Oxygen Forensic Suite Analyst.

My first question is a general one: how can I know that the data I get in an extraction is everything that was on the device? For example, I recently acquired an image from a ZTE Z667G with prior knowledge that there were messages between 2 subjects using Facebook Messenger. The device was not able to be rooted with Oxygen's root exploit, so I used the Android backup method. When I began to analyze the data, I noted that Facebook Messenger was not in the listed applications; also, none of the database files for that app were acquired. Had I not been told about the messages by the detective working that case, that data would have likely been missed. Without going through the device manually, how can I know for sure that what I'm getting is everything that is there?

My second question is, are there any free/low cost mobile forensic tools out there that I could add to my inventory?

Any answers or advice are very welcomed by this novice.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

http://www.forensicfocus.com/Forums/viewtopic/p=6577720/#6577720
http://www.deftlinux.net/

jaclaz


(@dcs1094)
Estimable Member
Joined: 12 years ago
Posts: 146
 

My first question is a general one: how can I know that the data I get in an extraction is everything that was on the device? Had I not been told about the messages by the detective working that case, that data would have likely been missed. Without going through the device manually, how can I know for sure that what I'm getting is everything that is there?

Verification - ensure "no stone is left unturned", as I discussed in a case study here. Certain apps, including but not limited to FB Messenger which you mentioned, are starting to exempt themselves from your typical logical 'backup' extraction; therefore you will have to start looking at options to acquire a physical image of the flash memory to subsequently extract the relevant data files.

My second question is, are there any free/low cost mobile forensic tools out there that I could add to my inventory?

As you are LE, I believe you qualify for a free 6-month license for one tool I recommend, Andriller. Even though mostly Android based, it has some great features to it and is straightforward to use; it also shouldn't harm your budget too much for a license later on.

Also take a look at Forensic Control, they have a collection of free software listed on their site.


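The verification step described in the reply above, as an added example that is not code from any post in this thread: a script that lists installed packages which have no data at all in an `adb backup` style .ab file, so an app that exempts itself from logical backup (as FB Messenger is described doing here) is flagged instead of silently going missing. It assumes the backup is unencrypted and that the examiner also captured the output of `adb shell pm list packages`; the .ab file and package list below are constructed in memory so the script runs offline.

```python
# Added example (not from the thread): cross-check an Android backup (.ab) against the device package list.
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"

def build_sample_ab(packages):
    """Constructed unencrypted, zlib-compressed .ab with one db file per package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for pkg in packages:
            data = b"SQLite format 3\x00"  # placeholder db content
            info = tarfile.TarInfo(name=f"apps/{pkg}/db/{pkg}.db")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # Header lines: magic, format version, compressed flag, encryption algorithm.
    return AB_MAGIC + b"4\n1\nnone\n" + zlib.compress(buf.getvalue())

def packages_in_backup(ab_bytes):
    """Set of package names that actually have files under apps/<pkg>/ in the tar."""
    if not ab_bytes.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    header_end = 0
    for _ in range(4):  # four newline-terminated header lines precede the payload
        header_end = ab_bytes.index(b"\n", header_end) + 1
    _ver, compressed, encryption = ab_bytes[len(AB_MAGIC):header_end].split(b"\n")[:3]
    if encryption != b"none":
        raise ValueError("encrypted backup, decrypt before parsing")
    payload = ab_bytes[header_end:]
    if compressed == b"1":
        payload = zlib.decompress(payload)
    found = set()
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for parts in (name.split("/") for name in tar.getnames()):
            if parts[0] == "apps" and len(parts) > 1:
                found.add(parts[1])
    return found

def parse_pm_list(pm_output):
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip() for line in pm_output.splitlines()
            if line.startswith("package:")}

def missing_from_backup(pm_output, ab_bytes):
    """Installed packages with no data in the backup: verify those by other means."""
    return sorted(parse_pm_list(pm_output) - packages_in_backup(ab_bytes))

# Constructed sample: three installed packages, only two of them present in the backup.
SAMPLE_PM = "package:com.android.mms\npackage:com.facebook.orca\npackage:com.zte.notes\n"
SAMPLE_AB = build_sample_ab(["com.android.mms", "com.zte.notes"])
```

Every package reported by `missing_from_backup` needs another acquisition route (physical image, or manual review on the device) before the extraction can be called complete.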
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

The tool is only one aspect, meso.

Knowing the memory available and the areas where data may be stored is another aspect you may wish to consider as a planned exercise before commencing examination of the target DUT (device under test). As a simple exercise, consider:

a) Handset memory
b) (U)SIM memory
c) SD card memory

Query: the examiner is interested to know the memory available in, e.g., a Samsung Galaxy S6 edge (GSM)?

One popular website used by mobile phone examiners is Phonescoop:

http://www.phonescoop.com/phones/phone.php?p=4716

The site identifies the following:

Memory
32 GB internal storage, raw hardware
23 GB internal storage, available to user
3 GB RAM
also available in 64 and 128 GB versions

SIM card size
Nano (4FF)

Is there any info that identifies whether an SD card may be used? Check for yourself at the link above.

You have referred to the ZTE Z667G. Would this be the correct model at Phonescoop?

http://www.phonescoop.com/phones/phone.php?p=4450

However, a Z667G user manual suggests a different name:

http://wontek.com/static-img/phones/ZTE-Flame-Z667G.pdf

and another website identifies the Z667G under a different name:

http://androidface.com/forums/topic/zte-whirl-2-zte-z667g/

Could that suggest variances between the different model names??

As the examiner, can you verify or validate the accuracy of the Phonescoop details elsewhere?
e.g. are there any other websites that may provide details? There are many, so here is another link:

http://specdevice.com/showspec.php?id=a7b9-7cb0-ec56-3c90041b97dc

Finally, what does the ZTE manufacturer website state about the ZTE Z667G?

There are a range of tools out there, each to assist the examiner to extract and harvest data; but be mindful: a tool may provide answers, but a tool should not determine the questions and, by extension, think for you.


 meso
(@meso)
Active Member
Joined: 12 years ago
Posts: 10
Topic starter  

Thank you all.

