- Practical Mobile Forensics
- Rohit Tamma Oleg Skulkin Heather Mahalik Satish Bommisetty
- 2021-06-24 16:39:01
Examination and analysis
This is the ultimate step of the investigation, and it aims to uncover data that is present on the device. Examination is done by applying well-tested and scientific methods to conclusively establish results. The analysis phase is focused on separating relevant data from the rest and probing for data that is of value to the underlying case. The examination process starts with a copy of the evidence acquired using some of the techniques described previously, which will be covered in detail in the coming chapters. Examination and analysis using third-party tools is generally performed by importing the device's memory dump into a mobile forensics tool that will automatically retrieve the results. Understanding the case is also crucial to performing a targeted analysis of the data. For example, a case about child pornography may require focusing on all of the images present on the device rather than looking at other artifacts.
It is important that you have a fair knowledge of how the forensic tools used for examination work. Proficient use of the features and options available in a tool will drastically speed up the examination process. Sometimes, due to programming flaws in the software, a tool may not be able to recognize or convert bits into a format that you can comprehend. Hence, it is crucial that you have the necessary skills to identify such situations and use alternative tools or software to construct the results. In some cases, an individual may purposefully tamper with the device information or may delete or hide some crucial data. Forensic analysts should understand the limitations of their tools and sometimes compensate for them to achieve the best possible results.