Six Steps to Mobile Validation – Working Together for the Common Good

Digital forensics is a complex and ever-changing field that requires a lot of testing, tools, and validation. Mobile forensics is no exception. When handling evidence from mobile devices, documentation, evidence preservation, and validation are critical to successful investigations. In other words, how a mobile device is handled matters.

Mobile validation can take several forms. It can mean acquiring and mounting your dataset in multiple tools, exporting individual files or folders out of your current tool for further inspection in a different utility, or closely examining the raw data file. It most certainly can and should include re-creating scenarios to understand just how an artifact was created and whether the analysis lines up with the action in question.

With the constant state of flux in mobile investigations, it is more important than ever to validate the findings of forensic examinations. Fortunately, investigators have access to some phenomenal tools (both free and paid) that acquire, parse, and analyze smartphone artifacts. However, even though there have been incredible upgrades to these tools over the years in terms of data analysis, examiners still must do their due diligence to validate findings. This is especially important because examiners and tools are constantly playing catch-up with our forensic artifacts.

“Tool reports are not the data. The data is the data. Validate everything that matters. This paper shows how you can do it,” explains Alexis Brignoni, a co-author of Six Steps to Mobile Validation.

Brignoni is one of the 10 top mobile forensics experts from different backgrounds, organizations, and jurisdictions who collaborated to create the paper. Together the co-authors have decades of experience in research, tool development, and validation, as well as in providing testimony. The focus of their collaboration is to educate the community about the optimal steps to ensure that mobile data is extracted, examined, and reported in a trustworthy manner.

“Now more than ever, the community needs to take a stance and help law enforcement understand why validation matters in mobile forensics,” explains co-author Heather Mahalik. “This paper is a collaboration between those who I see as experts in the field, those with research experience, and those who are great representatives of the tools we all rely on to do our jobs. Mobile forensics is constantly evolving, and we need to adapt, adjust, and validate our findings.”

The authors note that, despite there being many tools and methods to support smartphone forensics, no one tool is perfect. Not every step recommended in the paper is necessarily applicable for every investigation. On the other hand, mobile forensics is so broad that the steps recommended, by definition, cannot be exhaustive, and more research or guidance might be necessary depending on the investigation. Ultimately it is the investigators themselves who need to decide which steps are required to obtain the information that they need and are authorized to access, and that answer the key questions at hand.

In short, Six Steps to Mobile Validation guides examiners down a path to ensure that their smartphone examinations are completed successfully.

Here are some additional final thoughts from co-authors about Six Steps to Mobile Validation and their collaboration in preparing it:

“I’ve never seen all the key mobile forensic industry players come together like this before. It’s great to see that when the need arises, we can act in the best interests of the community.” – Mike Dickinson, MSAB

“This paper is designed to walk you through six simple steps that will help you gain confidence that you worked the case in a way other experts would. We hope you find it helpful, and, more importantly, we hope you verify and validate what we suggest to you! Follow these steps and feel free to take it further. Ask questions and ask for help. We are a small but mighty DFIR community.” – Heather Mahalik, SANS

“Now more than ever, the community needs to take a stance and help law enforcement understand why validation matters in mobile forensics.  This paper is a collaboration of those who I see as experts in the field, those with research experience and those who are great representatives of the tools we all rely on to do our jobs. Mobile forensics is constantly evolving and we need to adapt, adjust and validate our findings” says paper co-author Heather Mahalik

Paper Co-Authors:

John Bair: Senior Consultant for an eDiscovery firm in Seattle for which he conducts forensic services and provides expert testimony. John spent 30 years in law enforcement, including 13 years devoted to mobile forensic investigations related to violent crimes.

Alexis Brignoni: FBI Special Agent, Certified Computer Analysis Response Team Examiner, and open-source digital forensics tool developer.

Mattia Epifani: Digital Forensics Analyst and CEO at Reality Net, SANS Certified Instructor, Researcher at the Italian National Council of Research, and Contract Professor at the University of Genoa.

Jessica Hyde: Director, Forensics at Magnet Forensics, and Adjunct Professor at George Mason University.

Paul Lorentz: Technical Account Expert/Senior Solutions Engineer, Cellebrite. Paul previously worked in law enforcement.

Heather Mahalik: Senior Director of Digital Intelligence, Cellebrite, and SANS DFIR Curriculum Lead/Senior Instructor/Author. Heather has over 19 years of experience supporting Law Enforcement, government, and DFIR, and is the co-author of Practical Mobile Forensics.

Christophe Poirier: Sworn Forensic Examiner since 2017 and a cybersecurity expert in the energy sector.

Lee Reiber: Chief Operations Officer, Oxygen Forensics. Lee has over 25 years of experience in law enforcement and support for law enforcement DFIR, and is the author of Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation.

Ian Whiffin: Senior Digital Intelligence Expert, Cellebrite. Ian previously worked in law enforcement and specializes in digital and mobile forensics.

Mike Williamson: Technical Forensic Consultant, Magnet Forensics. Mike previously worked in law enforcement and specializes in digital forensics, software development, and reverse engineering.

.