Let's say we're looking at a cyber-crime scene composed of several still powered-on computers as well as confiscated smartphones. When the forensic investigator arrives, what does his workflow look like?
Mobile devices are typically the most volatile of all the evidence, because they are constantly exchanging data (via Wi-Fi, 3G, Bluetooth, calls/SMS, etc.). The typical first step is to isolate those devices using appropriate measures (such as Faraday bags), to prevent a potential remote wipe or alternative technique directed at altering or destroying evidence in the device…