How are certain application artifacts stored, and what should you look for if you are investigating these particular apps for items of interest?
1) Assess the type of application you are investigating to determine the types of data it could contain. It can be beneficial to conduct background research on a particular unfamiliar application to become familiar with new features and functionalities. Knowing what types of data the application is capable of containing will assist in locating user-created data. A chat application may also be capable of sending map-related data, or a messaging application may have added a video messaging or self-destructing capability. Respective app stores are often the best source for this data.
2) How can third-party applications aid or restrict access to other important data? Review application directories for rooting or jailbreak applications. If these exist, access to user information is greatly increased. Similarly, look for encryption applications or MDM solutions. These may greatly restrict access to data.
3) Is application data always locked down to one specific app directory? Third-party messaging applications may store pictures/videos in camera or media folders (DCIM) instead of the directory of the app that created them. Applications are now so integrated that they may allow messages or media to be generated within one application and ported to another. Applications are also integrated with SMS, email, and other third-party apps, so these can be reviewed as well to find file-sharing links, application invites, and other shared data.
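A triage pass over an extracted file system that follows the three questions above, as an added example that is not part of the original course material. It assumes the first-level subdirectories of the extraction are application directories or shared folders such as DCIM; `com.example.chat` is hypothetical, the sample files are constructed, and the root/jailbreak package names are an illustrative, non-exhaustive list.

```python
from collections import Counter
from pathlib import Path

# Magic bytes: file extensions are unreliable inside application directories.
SIGNATURES = [(b"SQLite format 3\x00", "sqlite"), (b"\xff\xd8\xff", "jpeg"),
              (b"\x89PNG\r\n\x1a\n", "png"), (b"bplist00", "binary-plist")]
MEDIA = {"jpeg", "png", "iso-media"}
# Illustrative, non-exhaustive package names of root/jailbreak tools (assumption).
ROOT_INDICATORS = {"com.topjohnwu.magisk", "eu.chainfire.supersu", "com.saurik.cydia"}

def identify(path):
    """Label a file by its header; None if the signature is not recognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    # ISO base media files (MP4, MOV, HEIC) carry "ftyp" at offset 4.
    return "iso-media" if head[4:8] == b"ftyp" else None

def triage(root):
    """Summarise an extraction: types per top-level dir, DCIM media, root tools."""
    by_dir, shared_media, root_hits = {}, [], []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if path.is_dir() and path.name.lower() in ROOT_INDICATORS:
            root_hits.append(rel.as_posix())
        # Skip directories, broken links and special files.
        kind = identify(path) if path.is_file() else None
        if kind:
            by_dir.setdefault(rel.parts[0], Counter())[kind] += 1
        # Media in the shared camera folder may have been created by any app.
        if "DCIM" in rel.parts and kind in MEDIA:
            shared_media.append(rel.as_posix())
    return by_dir, shared_media, root_hits

def build_sample(root):
    """Write a constructed sample layout (hypothetical app com.example.chat)."""
    files = {"com.example.chat/databases/msgs": b"SQLite format 3\x00" + bytes(8),
             "com.example.chat/cache/thumb.dat": b"\x89PNG\r\n\x1a\n",
             "DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe0",
             "DCIM/Chat/VID_0002.mp4": b"\x00\x00\x00\x18ftypmp42",
             "com.topjohnwu.magisk/files/note.txt": b"plain text"}
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
```

Calling `build_sample()` on an empty working directory and then `triage()` on it returns the per-directory type counts, the media found under DCIM, and any directories matching the indicator list. Run it against a working copy of the extraction, never the original evidence.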
In the next few slides, some of these artifact-generating applications are further explained to aid in examining their potential for evidentiary data.