
The processing phase

Once a phone has been isolated from communication networks, the actual processing of the mobile phone begins. One of the challenges that you will face in this phase is identifying which tools to use, as this is affected by a variety of factors such as price, ease of use, applicability, and so on. Mobile forensic software is highly expensive, and unlike with computer forensics, you may sometimes have to use multiple tools to access data. While selecting a tool, ensure that it has built-in features to maintain forensic integrity. Maintaining forensic integrity requires a tool that packages collected data in a format that probably cannot be easily modified or altered.

The phone should be acquired using a tested method that is repeatable and is as forensically sound as possible. Physical acquisition is the preferred method as it extracts the raw memory data and the device is commonly powered off during the acquisition process. On most devices, the smallest number of changes occur to the device during physical acquisition. If physical acquisition is not possible or fails, an attempt should be made to acquire the filesystem of the mobile device. A logical acquisition should always be performed as it may contain only the parsed data and provide pointers to examine the raw memory image. These acquisition methods are discussed in detail in later chapters.
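The integrity requirement and the repeatable acquisition described above can be checked with a sealed manifest; the following is an added example, not code from the book or from any forensic tool. It assumes SHA-256 for the image digest and HMAC-SHA256 to authenticate the manifest, and the function names, case ID, key and sample image are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _mac(fields, key):
    # Canonical JSON (sorted keys) so the same fields always produce the same MAC.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(image_path, case_id, method, key):
    """Record size and digest of an acquired image, then authenticate the record."""
    fields = {"case_id": case_id, "method": method,
              "size": os.path.getsize(image_path), "sha256": sha256_file(image_path)}
    return dict(fields, hmac=_mac(fields, key))

def verify(image_path, manifest, key):
    """Return 'ok', 'manifest-altered' or 'image-altered'."""
    fields = {k: v for k, v in manifest.items() if k != "hmac"}
    if not hmac.compare_digest(_mac(fields, key), str(manifest.get("hmac", ""))):
        return "manifest-altered"
    if (os.path.getsize(image_path) != fields["size"]
            or sha256_file(image_path) != fields["sha256"]):
        return "image-altered"
    return "ok"

def demo():
    """Seal a constructed stand-in image, alter one byte, and verify again."""
    key = b"constructed-demo-key"  # assumption: the real key is kept apart from the evidence
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "acquisition.bin")
        with open(img, "wb") as f:
            f.write(b"\x00constructed sample image\xff" * 4096)
        manifest = seal(img, "CASE-0001", "physical", key)
        before = verify(img, manifest, key)
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"X")  # a single changed byte in the image
        after = verify(img, manifest, key)
        forged = dict(manifest, method="logical")  # manifest edited without the key
        return before, after, verify(img, forged, key)
```

Calling `demo()` returns the verification result for the untouched image, for the image after a one-byte change, and for a manifest edited without the key.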
