The verification phase

After processing the phone, you need to verify the accuracy of the data extracted from the phone to ensure that data has not been modified. The verification of the extracted data can be accomplished in several ways:

• Comparing the extracted data to the handset data: Check whether the data extracted from the device matches the data displayed by the device if applicable. The data extracted can be compared to that on the device itself or a logical report, whichever is preferred. Remember, handling the original device may make changes to the only evidence—the device itself.

• Using multiple tools and comparing the results: To ensure accuracy, use multiple tools to extract the data and compare results.

• Using hash values: All image files should be hashed after acquisition to ensure that data remains unchanged. If filesystem extraction is supported, you can extract the filesystem and then compute hashes for the extracted files. Later, any individually extracted file hash is calculated and checked against the original value to verify the integrity of it. Any discrepancy in hash values must be explicable (for example, the device was powered on and then acquired again, so the hash values are different).