Insights on Mobile Device Forensics

May 8, 2025

Lecture on Digital Forensics and Mobile Device Analysis

Introduction

  • Speaker: Jessica Hyde
  • Occupation: Digital Forensics Examiner, Adjunct Professor at George Mason University
  • Runs a digital forensics company focusing on training and research

Teaching and Training

  • Teaches mobile forensic analysis and data structures
  • Offers training to law enforcement and civilians
  • Chairs DFIR Review to support peer-reviewed research

Peer Review and Research

  • Peer review: Assessment of study methodology and data validation
  • Published work on file classification and forensic timelines

Forensic Data Analysis

  • Focus: Mobile phones, Internet of Things (IoT) devices
  • Tasks: Data extraction, analysis, and recovery
  • Education: Master's in Digital Forensics, multiple certifications

Tools Used in Digital Forensics

  • Reliance on tools for data extraction, not interpretation
  • Importance of examiner expertise in providing context and meaning to data
  • Use of multiple forensic tools (e.g., Cellebrite, Magnet Axiom)

Issues with Forensic Tools

  • Importance of human analysis beyond tool results
  • Risks of over-reliance on parsed results
  • Tools update regularly; cannot cover every app

Case Study: Jennifer McCabe's Phone

  • Mandate: Analyze phone for user-initiated deletions within a specific timeframe
  • Tasks: Examine web search deletions, phone call deletions
  • Findings included web searches and call logs within specified dates
  • Hashing: Ensured data integrity through hash validation

Analysis Methodology

  • Examined databases and artifacts (e.g., browser state, history)
  • Importance of manual testing in verifying forensic tool results
  • Industry standards from NIST and SWGDE

Discussion on Specific Artifacts

  • Clarification of the significance of timestamps in search activities
  • Examination focused on understanding true search times
  • Specific terms such as "How long to die in cold" analyzed

Cross-examination Highlights

  • Questions on past cases and report discrepancies
  • Discussion on potential errors in report findings
  • Examination of secure handling of forensic devices

Conclusion

  • Emphasis on comprehensive analysis rather than reliance solely on tool outputs
  • Importance of peer-reviewed methodologies in forensics
  • Ensured integrity of data and processes used in analysis

Additional Notes:

  • Questions on device extraction process and best practices
  • Differences between Cellebrite and Axiom in artifact representation
  • Importance of network isolation in forensic procedures

These notes provide a structured overview of key points discussed during the lecture on digital forensics with a focus on mobile device analysis. The lecture highlighted the complexities in forensic analysis, the importance of examiner expertise, and the necessity of using multiple tools and methodologies.