The documenting and reporting phase

The forensic examiner is required to document, throughout the examination process, everything related to what was done during acquisition and examination. Once you complete the investigation, the results must go through some form of peer review to ensure that the data is checked and the investigation is complete. Your notes and documentation may include information such as the following:

• The examination start date and time
• The physical condition of the phone
• Photos of the phone and individual components
• Phone status when received—turned on or turned off
• Phone make and model
• Tools used for the acquisition
• Tools used for the examination
• Data found during the examination
• Notes from peer review

Throughout the investigation, it is important to make sure that the information extracted and documented from a mobile device can be clearly presented to any other examiner or to a court. Documentation is one of your most important skills. Creating a forensic report of data extracted from a mobile device during acquisition and analysis is important. This may include data in both paper and electronic format.

Your findings must be documented and presented in a manner that means that the evidence speaks for itself when in court. The findings should be clear, concise, and repeatable. Timeline and link analysis, features offered by many commercial mobile forensic tools, will aid in reporting and explaining findings across multiple mobile devices. These tools allow you to tie together the methods behind the communication of multiple devices.