In reality, almost every application in the marketplace today is capable of performing many of the functions that we discussed earlier, from social networking and messaging to file sharing and presenting geolocation data.
So, because every application can do so much, we can’t assume that our tools are always pulling out all of the available data for us. Applications that were once touted solely for messaging or gaming now also incorporate features such as video chat, disappearing messages, location data, and encrypted messaging.
Familiarizing oneself with the capabilities of an application can yield better results, and understanding which data is analyzed or omitted by a tool of choice is another important factor in application analysis.
Not all commercial tools will parse the same applications, and the data may be presented differently by each. If a particular application is parsed, it will be identified in the tool’s main extraction overview screen. Chat data is often among the most important to an investigation, so commercial vendors continue to update their offerings.
If you’ve determined that your forensic utility has parsed data from an application of interest, find out which files have been parsed by reviewing the file source information. Then, make sure that there are no other relevant files that haven’t been analyzed. Finally, review the results to make sure that individual items within databases or parsed files have not been omitted in the analyzed results.
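One way to run the three checks above against a working copy of an application's folder, as an added example that is not from the original text or from any forensic tool. It assumes the tool's file source list and per-table item counts have been transcribed into `parsed_sources` and `parsed_counts`; those names, the folder layout and the sample data are hypothetical and constructed.

```python
import os, sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database file

def table_row_counts(path):
    """Live row count per user table; opened read-only so the working copy is untouched."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()

def audit(app_dir, parsed_sources, parsed_counts):
    """parsed_sources: relative paths the tool lists as file sources (assumed export).
    parsed_counts: {(relative path, table): number of items the tool displays}."""
    unparsed, shortfalls = [], []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = Path(full).relative_to(app_dir).as_posix()
            if rel not in parsed_sources:
                unparsed.append(rel)          # file the tool never looked at
                continue
            with open(full, "rb") as fh:
                if fh.read(16) != SQLITE_MAGIC:
                    continue                  # parsed, but not a database: nothing to count
            for table, rows in table_row_counts(full).items():
                shown = parsed_counts.get((rel, table), 0)
                if shown < rows:              # tool shows fewer items than the table holds
                    shortfalls.append((rel, table, rows, shown))
    return sorted(unparsed), sorted(shortfalls)

def demo():
    """Constructed sample: a made-up app folder with two databases and a preferences file."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "databases"))
        for db, table, n in (("msg.db", "messages", 3), ("calls.db", "calls", 2)):
            con = sqlite3.connect(os.path.join(base, "databases", db))
            con.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, body TEXT)")
            con.executemany(f"INSERT INTO {table} (body) VALUES (?)", [("x",)] * n)
            con.commit(); con.close()
        Path(base, "prefs.xml").write_text("<map/>")
        return audit(base, {"databases/msg.db"}, {("databases/msg.db", "messages"): 2})

if __name__ == "__main__":
    print(demo())
```

The counts cover live rows only; deleted records and uncommitted write-ahead log content still need separate review.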