Matthew Plascencia, Digital Forensic Investigator, Exhibit A Cyber

Matthew Plascencia is a Digital Forensic Investigator at Exhibit A Cyber and a recent graduate of Cal Poly Pomona, where he led mobile forensics research through the Forensics and Security Technology (FAST) team. His work has focused on iOS and Android investigations, forensic imaging, and building CTF challenges for the DFIR community. Beyond casework, Matthew shares practical insights through his Substack and YouTube channel, where he breaks down mobile artifacts, tools, and workflows for investigators.

How did you get started in digital forensics, and what is your role at Exhibit A Cyber?

My first experience with digital forensics goes back to data recovery over a decade ago. I didn’t know at the time that data recovery and digital forensics were related, but I had to recover the data of some of my old phones because they had shattered screens. I was able to pull most of what I needed and all of the essential parts that I couldn’t go without.

Fast forward to 2021: I was in my last year of undergraduate university and attending virtual meetings at my club, Forensics and Security Technology (FAST) at Cal Poly Pomona, and they mentioned the data recovery aspect of digital forensics at one of the meetings. I took notice.

Although I was more into penetration testing back then, and thought I would focus myself into that, I kept myself open to digital forensics.

FAST’s digital forensics team was alive and well throughout the time I was there and many of their talks piqued my interest. From attending their meetings, the thing that consistently piqued my interest is how the leads of the teams always mentioned we were doing what we’re doing not just for the sake of it, but for the sake of (as Magnet Forensics’ slogan says) protecting the innocent. This, if I had no other choice, was what started my momentum.




My true start, which was the first form of what I am today, came in the Fall semester of 2023, when I led FAST’s digital forensics team in creating a CTF for 2024’s So Cal Linux Expo. There, I learned and taught the structure of iPhone backups to the team and myself, so that we all could create CTF challenges for the attendees of SCaLE. The CTF we put on went on to be a success, and that was the spark that lit the fire of me doubling down on digital forensics!

These days, I try to make my forensics skills broad so that I can stay current and employable. Despite making my presence as a general digital forensics practitioner, I want to continually research mobile forensics, specifically Apple devices, because I see that being the most important part of the future. Here in America, most of the people that I know have iPhones, and I’m sure most of the criminals do too, so that is why it’s important to be familiar with Apple forensics.

I’m proud that my interest and continued work in the field has led me to secure a job at Exhibit A Cyber as a forensic analyst. It is still early on in my career, but I’ve already taken on a variety of cases. Doing field work with clients that need data recovery and other services is one of my favorite parts since I enjoy meeting our diverse clients. I also have a deep interest in the comprehensive forensic analysis that we do at Exhibit A, because it allows me to sharpen my skills with all the platforms that are popular among people and build a repertoire of real-world forensic knowledge.

What tools do you find most useful for mobile forensics, and why?

I break the forensic analysis process down into two distinct phases: acquisition and analysis. Here are some tools that I recommend to people.

ACQUISITION:

I’ve used both free and paid tools to acquire data from phones and computers. When it comes to phones, my favorite tools are Magnet Acquire and UFADE by Christian Peter. My favorite thing about them is that they are both free and are very feature packed. Acquiring UFADE is the easier of the two: you just find the GitHub repo and download it from there. For Acquire, you’d have to call Magnet Customer Service and request it from them. Once you have them, you can do similar things.


To use them, you just plug your phone into the computer, and they will automatically detect it. UFADE only works with iPhones and Acquire works with both major types (iPhone and Android). Both apps are user friendly and allow the user to make full or partial backups of phones in a few clicks. UFADE can also pull detailed logs from the phones. These software options are both great starts to the forensic process.

ANALYSIS:

Beyond the paid suites like Magnet and Belkasoft (which I do enjoy using), I enjoy the LEAPPs, Lionel Notari’s Unified logs tool, and a slew of other free tools for aiding me in my investigations when my knowledge of what I’m looking at needs an extension.

The LEAPPs (iLEAPP and ALEAPP) are both live, open-source DFIR projects managed by Alexis Brignoni and Kevin Pagano, among others. Since they have nice-sized teams working on them, they are constantly receiving updates and occasionally receive new features. These days, they are very capable of finding important information that can be found in the phones. You should check them out if you didn’t know about them already.

There are not many aspects to Lionel Notari’s Apple Unified Log acquisition and parsing tool. It extracts and analyzes the Unified logs as the name implies. What I like most about it is that a user can filter through the logs with different keywords they want to see. That is very helpful, seeing as how Apple Unified logs are very large, often containing several million lines for even short bursts.

What makes iOS and Android investigations so challenging, especially for beginners?

Assuming this beginner has no experience with mobile or just has experience with Windows forensics, mobile forensics will be challenging for its new artifacts and foreign file structure. It is important to first talk about the file system of Windows and other non-iOS/Android operating systems.

The Windows file system is structured in folders that start with drives and drive letters. The lack of drive letters and a common Windows file structure will confuse the novice. It may be unclear where key artifacts are. For instance, Windows may put a program executable in a folder under C:\Program Files, while an iPhone has a way more complicated structure. iOS may have something like /Users/macatio/Forensics/images/private/var/mobile/Containers/Data/Application/01CC730D-158D-4BE7-BABA-DCF4407D0146, which is a whole lot more complicated than a Windows application path. A similar thing is true for Android; this time it’s more similar to a *nix pathname, an easier thing to read than an Apple app path name.

Beyond the paths, something that still manages to make me roll my eyes, even as a more advanced practitioner, is the different places where the evidence can be stored. For example, on an iPhone, some artifacts of execution can be stored in more than one place. One such place for some evidence of execution artifacts is a log called the Apple Unified Log. If you get the full file system, the same evidence of execution artifact can also be held in two places: the Biome or the knowledgeC.db database. The confusing part of this is that sometimes the artifact exists on the Unified Logs but doesn’t in the Biome or the knowledgeC.db. This deletion can happen because the tables in the database got too big and lost it or the phone only writes that information to the Unified Logs.

On the Android side, the operating system stores its files in a way that is sometimes not as descriptive and easy to follow as iOS. Case in point, the many log files can be under paths that you would never expect. Even if you know where an app lives, the data you want about it may not be in a place you expect. To add to this, some of your data may be imprisoned in a proprietary database type called LevelDB that regular database tools cannot effectively parse. That means you know what tools can and cannot parse all databases on Android.
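One way to take the sting out of the opaque UUID container paths described in the answer above, added here as an example and not part of the interview: on a full file system extraction, each data container directory carries a hidden binary plist whose MCMMetadataIdentifier key names the owning app, so a short script can turn the UUIDs into bundle identifiers an examiner can search by. The extraction layout and bundle identifiers below are constructed for the demo.

```python
"""Map iOS app-container UUIDs to bundle identifiers (added example)."""
import os
import plistlib
import tempfile

# Hidden metadata plist present in each app data container.
META = ".com.apple.mobile_container_manager.metadata.plist"
APP_DIR = os.path.join("private", "var", "mobile", "Containers", "Data", "Application")


def map_app_containers(extraction_root):
    """Return {uuid: bundle_id} for every data container under the extraction.
    Containers whose plist is missing or unreadable map to None, so the gap
    stays visible instead of being silently dropped."""
    result = {}
    base = os.path.join(extraction_root, APP_DIR)
    if not os.path.isdir(base):
        return result
    for uuid in sorted(os.listdir(base)):
        path = os.path.join(base, uuid, META)
        try:
            with open(path, "rb") as fh:  # plistlib handles binary plists
                result[uuid] = plistlib.load(fh).get("MCMMetadataIdentifier")
        except (OSError, plistlib.InvalidFileException):
            result[uuid] = None
    return result


def find_containers(mapping, bundle_id):
    """Reverse lookup: which UUID directories belong to a given bundle id."""
    return [u for u, b in mapping.items() if b == bundle_id]


def build_sample_extraction():
    """Constructed fixture (not a real device): two app containers with
    metadata plus one orphan directory with no plist."""
    root = tempfile.mkdtemp(prefix="ios_fs_")
    samples = {"01CC730D-158D-4BE7-BABA-DCF4407D0146": "com.example.notes",
               "7E2A9C11-0000-4000-8000-0000000000AB": "com.example.chat"}
    for uuid, bid in samples.items():
        d = os.path.join(root, APP_DIR, uuid)
        os.makedirs(d)
        with open(os.path.join(d, META), "wb") as fh:
            plistlib.dump({"MCMMetadataIdentifier": bid, "MCMMetadataVersion": 2},
                          fh, fmt=plistlib.FMT_BINARY)
    os.makedirs(os.path.join(root, APP_DIR, "DEADBEEF-0000-4000-8000-000000000000"))
    return root


if __name__ == "__main__":
    for uuid, bid in map_app_containers(build_sample_extraction()).items():
        print(f"{uuid}  ->  {bid or '<no metadata>'}")
```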

How do CTFs and tutorials help build forensic skills?

CTFs and tutorials are great ways to build one’s skills because they allow for risk-free learning. What I mean by that is that they allow the player or viewer following along to go through the process of forensics and learn how to do it. Tutorials are the easier of the two. A learner can choose to follow through one and do exactly what they see. They can do this as many times as they want to build their memory. CTFs are one step up from tutorials. You could say they’re tutorials without the teacher and with the added pressure of being timed.

CTFs are also fun events to participate in. It is very likely that a player of a CTF will learn a lot about whatever operating system they’re working on. Success in CTFs relies on a player’s knowledge of that specific operating system and ability to parse out artifacts. It is also, incidentally, a way of getting in the repetitions to be a successful investigator in practice. It is the best way of simulating being on the job without being on the job and having the pressure of not making mistakes or errors. Players can make as many wrong attempts (usually) as they want until they get the correct solution. They can also make a point to document all their work in CTFs and archive the artifacts and processes they use for reference later on. If they feel particularly generous with the knowledge and skills they gained, they can also publish their knowledge and methods online to benefit their colleagues and all the rest of the DFIR community as a whole.

What advice would you give to students or beginners trying to break into forensics?

My best tip for beginners who want to get into forensics is to begin by doing projects in areas of forensics that you are interested in. This is an essential part of getting into the industry because it builds a plethora of practical digital forensics skills. It is one thing to see a professor or a YouTube creator perform a task in their controlled environment, with their own experience; it is a whole other thing to go through the trials and tribulations they went through to set up a particular thing.

Building your own projects also allows you to build your own documentation of how to build projects. This is very much the same as what I just mentioned about building. You could not only say that you built something, but you can also have written records of what you did. Documenting your processes and outcomes has further importance because it can build the skill of writing technical reports, the last major aspect of digital forensics.

To summarize all that I just said, you should start out in preparing for a career in forensics by finding, building and documenting projects that are of great interest to you. This will help you in the long-run because it will build your technical and communication skills if you put effort into making everything the best it can be.

You share DFIR insights on your Substack ‘Matt’s Tech Musings’ – what motivated you to start writing?

I originally started my Substack, ‘Matt’s Tech Musings’, to share my writeup of the 2025 Magnet CTF. After that, I decided to continue working on it. I have always received the advice “learn in public” from the people who have the jobs I want. I kept it going so that I can truly learn in public. It ended up helping me greatly in my short-term career building and with making career connections. This was also one of the factors that landed my current job (and will probably help me achieve future jobs as it grows).

I am currently writing solely about digital forensics topics on this blog. I think it’d be beneficial for others to do the same and write blogs if they want to get ahead in their respective careers since it helps to build writing skills and it also will allow a person to share their opinions on and methods for executing on forensic operations. Writing is also a beneficial tool for testing one’s understanding of a topic: coherent writing is correlated with a deep enough understanding of a topic to articulate the ideas well.

And finally, what do you enjoy in your spare time?

Apart from spending time with friends and family, I enjoy reading and exploring the various landmarks around town. My leisure readings are heavily focused on history, philosophy, literature, and the science of technology. I am currently doing a reread of Walden by Thoreau and doing a first read of The Siren’s Call by Chris Hayes. When I am not doing either of those things, I also like to learn languages for travel. I plan to go to Turkey in the next few months, so I am currently learning some more Turkish.
