Third-Party Applications

Forensic analysis of a mobile device should not be limited to system-level applications and data such as SMS, photos, and email. Owners of mobile devices download and use numerous applications that have messaging, photo, video, and other capabilities, which may also create electronic evidence.

A number of third-party hardware tools and software applications exist to process and analyze mobile devices. However, the rapid rate of change in mobile device security features continues to make mobile forensics examinations a challenging process. Therefore, it is important for digital forensics investigators to stay updated on the latest mobile device examination tools and weigh the value and suitability of each tool.

It is possible to directly analyze application files. For example, many applications across multiple operating systems use an SQLite database for application-level data storage. These databases may contain the photos, messages, or other evidence that an investigator is seeking. It may also be necessary or beneficial to reverse engineer a mobile device application for examination.
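One way to take a first inventory of such a database, as an added example that is not part of the original page: the Python script below checks the SQLite file header, opens a working copy read-only, counts the rows in each table, and confirms by hash that the file was not altered. The sample database, its table names, and the file name `app_messages.db` are constructed for illustration.

```python
import hashlib, os, sqlite3, struct, tempfile
from urllib.parse import quote
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def sha256_file(path):
    """Hash the file in chunks so a large database need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_sqlite(path):
    """Inventory a working copy of an app database without writing to it."""
    before = sha256_file(path)
    with open(path, "rb") as f:
        header = f.read(100)
    if header[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database: " + path)
    raw = struct.unpack(">H", header[16:18])[0]  # big-endian page size field
    page_size = 65536 if raw == 1 else raw
    # mode=ro refuses writes; immutable=1 also skips locking and side files.
    uri = "file:" + quote(os.path.abspath(path)) + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        tables = {n: con.execute(
            'SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
            for n in names}
    finally:
        con.close()
    return {"sha256": before, "page_size": page_size, "tables": tables,
            "unchanged": sha256_file(path) == before}

def build_sample_db(path):
    """Constructed sample standing in for a messaging app's database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.execute("CREATE TABLE attachments (id INTEGER PRIMARY KEY, msg_id INTEGER, data BLOB)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)",
                    [("alice", "hello"), ("bob", "photo attached")])
    con.execute("INSERT INTO attachments (msg_id, data) VALUES (2, ?)", (b"\xff\xd8\xff",))
    con.commit()
    con.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "app_messages.db")
    build_sample_db(sample)
    print(triage_sqlite(sample))
```

Run it against a copy of the extracted file, and examine any `-wal` or `-journal` file extracted alongside the database separately, since this open mode does not apply them.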

What are the leading tool capabilities in regard to processing third-party applications? What skills may an investigator need to process third-party applications? The NIST guidelines on mobile device forensics in the resources below should provide a good starting point.

The National Institute of Standards and Technology also has a website on tool testing programs for forensics.

References

Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics. NIST Special Publication 800-101, Revision 1. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-101r1