Installed third party applications could contain communication or location data, but could also include photos, videos, or even tracking software, called spyware. Application data may record location data even when it is disabled on the device by the user. This data will not be found in service provider records. This type of data could be critical and this type of digital evidence should be considered in every investigation, emphasizing the need for a comprehensive assessment. As a practice, one of the first things forensic examiners should be directed to is to identify if third party apps are installed. Because of the huge number of third party applications, not all apps are decoded by forensic software. However, depending on the popularity of the application, access to previously unsupported apps can change overnight. Determining which apps can be accessed begins with knowing what apps are present and what version they are using. With that baseline information the forensic examiners will be able to quickly find out what data can be recovered. Additional information: IRIS LLC Digital Evidence Toolbox
Forensic investigators should routinely determine if backup files exist during their initial case assessment. A backup file is a like a snapshot of the devices memory in time. It is an excellent alternative to a lost or locked device or when other forensic procedures cannot recover the data. A backup may be found in the cloud or may be stored on a computer or mobile device. It would require the user’s credentials or a forensic acquisition of the device it was stored in. Attempts to restore a backup without the proper training could result in the contamination and permanent loss of data. A backup file is also a good alternative when faced with a locked device with an unknown pass code. However, advances in technology allow examiners to overcome more locked devices than ever before. Because of the rapid pace of technology, the forensic community lags behind. New tools are created regularly so reviewing the latest forensic capabilities periodically is recommended. Damaged devices can often be accessed after making only minor repairs, more often than not. For example, the simple and inexpensive process of replacing a broken screen may be the only thing preventing the examiner from accessing the device. Water damage can also be easily mitigated, but requires the investigator to follow a recently updated standard procedure. Depending on the device and the current state of the devices power certain actions should be taken. See the iPhone Collection Flowchart and the Android Collection Flowchart.