Mobile device digital forensics is just coming out of its infancy. The data extracted from a mobile device can also be used to audit devices and to run security checks for vulnerabilities. The Mobile Evidence Comparer function in the E3 Platform is one feature that serves several purposes. This quick training walks you through the Mobile Case Comparer wizard and its associated functions.
Mobile Case Comparison lets you take two different acquisition files and compare their results, with the differences marked for easy reference by the examiner. There are many reasons to use this function in your examination.
Using it for Validation
When used for validation, the Case Comparison function lets you create a baseline acquisition of your mobile device, run the device through other tools, and then reacquire the device. You can then compare the two acquisition files to see whether a tool made changes to the device during its acquisition process. This is a great methodology to use when creating a validation plan for your tools.
The same methodology can be used when reprocessing a device that has gone to the opposing side in a case. It lets you confirm that the opposing side did not make any changes to the evidence in their processing efforts.
Using it for Audits & Security Checks
A device is often exposed to risk as it travels with the user to different areas globally. Using your forensics tool to take a baseline audit prior to travel, and then rechecking the device when it returns, gives you peace of mind: the Case Comparison function shows exactly what might have changed in the device’s internal settings and/or structure. Something in the file system could change to introduce potential malware that the user would never be able to see, but a quick forensic audit can bring that risk to light.
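The baseline-and-recheck comparison described in the validation and audit sections above can be sketched outside any particular tool. This added example is not E3 code or output; the manifest columns, the sample paths and hashes, and the `STATIC_PREFIXES` list are constructed assumptions.

```python
import csv
import io

# Constructed sample manifests (path, sha256, size). The column layout is an
# assumption for this example, not an E3 export format; hashes are shortened.
BASELINE = """path,sha256,size
/system/build.prop,a1f0,2048
/system/bin/netd,77c2,91344
/data/app/mail/base.apk,5be9,4120000
/data/misc/wifi/networks.xml,0d41,860
"""
POST_TRAVEL = """path,sha256,size
/system/build.prop,a1f0,2048
/system/bin/netd,e93b,91344
/data/app/mail/base.apk,5be9,4120000
/data/misc/wifi/networks.xml,c7aa,1210
/data/local/tmp/upd.bin,4f6d,33792
"""

# Assumption: paths under these prefixes should not change between acquisitions.
STATIC_PREFIXES = ("/system/",)

def load_manifest(text):
    """Parse a manifest into {path: (sha256, size)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"]: (r["sha256"], int(r["size"])) for r in rows}

def compare(baseline, recheck):
    """Classify every path as added, removed, or modified between two manifests."""
    diff = {
        "added": sorted(recheck.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - recheck.keys()),
        "modified": sorted(p for p in baseline.keys() & recheck.keys()
                           if baseline[p] != recheck[p]),
    }
    # Changes in areas expected to be static get reviewed first.
    changed = diff["added"] + diff["removed"] + diff["modified"]
    diff["priority"] = sorted(p for p in changed if p.startswith(STATIC_PREFIXES))
    return diff

if __name__ == "__main__":
    result = compare(load_manifest(BASELINE), load_manifest(POST_TRAVEL))
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:9} {path}")
```

A file whose hash changed while its size stayed the same, such as the sample `/system/bin/netd` entry, still counts as modified because the comparison covers both fields.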
Please watch the following quick training to see the Case Comparer in use and how easy finding the data can be.