One important thing to keep in mind when conducting mobile device forensics is that not all tools are equal, and not all smartphones are equal. Different mobile forensic tools support different makes and models of phones at different levels of acquisition, and the way they report data back to the examiner is not always consistent. Even when two tools support the same acquisition level on the same device, they may differ in what data they acquire and in how they report it. There are also errors in data translation, most often in dates and timestamps, because mobile devices use so many different timestamp formats (Unix seconds or milliseconds, Apple's Cocoa/Mac absolute time counted from 2001, WebKit/Chrome microseconds counted from 1601, among others); a tool that applies the wrong epoch to a correctly recovered value reports a date that is decades off.

For these reasons and others, make a habit of verifying acquired data against the phone itself and/or manually verifying decoded data by checking the underlying hex yourself.
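The following script is an added example of the hex check described above; it is not from any forensic tool or from the course material. Given the raw bytes of a stored integer, it decodes them under the epochs common on mobile devices, keeps only the interpretations that land in a plausible date window (the window itself is an assumption to adjust per case), and identifies which epoch a tool must have applied to arrive at the date it reported. The sample byte strings are constructed for illustration: 0x2B042880 is the Cocoa timestamp for 2023-11-14 22:13:20 UTC, and 0x6553F100 is the same instant as a Unix timestamp.

```python
"""Decode a raw integer timestamp under the epochs common on mobile devices.

Added example (not tool code) for checking a tool's decoded timestamp against
the underlying hex. Sample byte strings in __main__ are constructed.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# epoch name -> (offset of that epoch from 1970-01-01 in seconds, units per second)
EPOCHS = {
    "unix_s":    (0, 1),                        # Android and most SQLite tables
    "unix_ms":   (0, 1_000),                    # Android SMS/call logs, milliseconds
    "cocoa_s":   (978_307_200, 1),              # iOS/macOS: seconds since 2001-01-01
    "webkit_us": (-11_644_473_600, 1_000_000),  # Chrome/WebKit: microseconds since 1601-01-01
}

# Window in which a genuine smartphone timestamp should fall (assumed; adjust per case).
PLAUSIBLE_FROM = datetime(2007, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2030, 1, 1, tzinfo=timezone.utc)


def to_datetime(value: int, epoch: str):
    """Interpret an integer under one epoch; None if the result is outside datetime's range."""
    offset_s, units_per_s = EPOCHS[epoch]
    try:
        # Integer arithmetic throughout so large values do not lose precision.
        return UNIX_EPOCH + timedelta(seconds=offset_s,
                                      microseconds=value * 1_000_000 // units_per_s)
    except (OverflowError, ValueError):
        return None


def decode_candidates(raw: bytes, byteorder: str = "big") -> dict:
    """Every epoch interpretation of the raw bytes.

    SQLite record payloads store integers big-endian, hence the default."""
    value = int.from_bytes(raw, byteorder)
    return {name: to_datetime(value, name) for name in EPOCHS}


def plausible(raw: bytes, byteorder: str = "big") -> dict:
    """Only the interpretations that fall inside the plausible window."""
    return {name: dt for name, dt in decode_candidates(raw, byteorder).items()
            if dt is not None and PLAUSIBLE_FROM <= dt <= PLAUSIBLE_TO}


def epoch_used_by_tool(raw: bytes, reported_utc: str, byteorder: str = "big"):
    """Which epoch reproduces the date the tool reported ('YYYY-MM-DD HH:MM:SS', UTC)?

    Returns the epoch name, or None if no interpretation matches within 1 s."""
    reported = datetime.strptime(reported_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    for name, dt in decode_candidates(raw, byteorder).items():
        if dt is not None and abs((dt - reported).total_seconds()) < 1:
            return name
    return None


if __name__ == "__main__":
    # Constructed: 4 bytes from an iOS SQLite record, big-endian 0x2B042880 == 721692800.
    ios_raw = bytes.fromhex("2B042880")
    print("plausible:", plausible(ios_raw))                  # only cocoa_s: 2023-11-14 22:13:20
    # Constructed: the date a tool shows if it applied the Unix epoch to those bytes.
    print("tool used:", epoch_used_by_tool(ios_raw, "1992-11-13 22:13:20"))  # unix_s

    # Constructed: the same instant as an 8-byte WebKit/Chrome value.
    chrome_raw = (13_344_473_600_000_000).to_bytes(8, "big")
    print("plausible:", plausible(chrome_raw))               # only webkit_us
```

When the tool's reported date is reproduced by an epoch other than the one the plausible set points to, the value was recovered correctly and mis-translated, which is exactly the class of error the hex check exists to catch; note the raw bytes, the epoch that fits, and the corrected date in your report.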

It is important not only to know how to use the mobile forensic tools you have access to, but also to know what they are doing when you process a phone. Different mobile forensic tools use different methods to access and acquire data from different makes and models of phones. The tool itself often makes changes to the data on the phone, including installing bootloaders or agent applications, or applying jailbreaking and rooting methods. These methods are acceptable and necessary to obtain data from the devices, but you should know what your tools are doing for each phone so you can document and explain any changes made to the device and why they were made. In this course, we will discuss newer access methods such as checkm8 (the BootROM exploit) and checkra1n (the jailbreak built on it). It is important for you to understand how these exploits work and how the tools leverage them.

Another reason to know what your tools are doing is that you may find different ways of using a tool that yield better results. For example, with Cellebrite Physical Analyzer, on many Android-based devices, using Generic Android Methods under the File System acquisition option may parse more data into a usable format than a supported physical acquisition of the same model of phone, even when that physical acquisition succeeds.

Sometimes, tools make changes to the original device during acquisition that affect subsequent acquisition attempts. For example, when performing acquisitions on newer iPhones, Oxygen applies a backup encryption password to devices that have not previously had an encrypted backup, without notifying the examiner. If the examiner then attempts an acquisition with Cellebrite or another tool, they will be asked to supply the encryption password Oxygen applied, though that password is not well documented. The password is “oxygen”. Cellebrite uses “1234” or “12345” and Magnet uses “mag123” when backup encryption is applied to the extraction. This information is not readily available in the documentation, and Elcomsoft Phone Breaker was used to solve the puzzle of what the password was; keep in mind this may happen to you, and you may find yourself having to crack a password that neither you nor the user set on the device. Record the backup-encryption state of the device before and after each tool runs (the Manifest.plist of an iTunes-style backup carries an IsEncrypted flag), so that a password prompt in a later acquisition can be traced to the tool that set it rather than to the user.