Chapter 11 – Manual Examinations

During the course of performing mobile forensic extractions, examiners will find the need to manually document various aspects of the examination. Forensic tools, utilities, programs, and other devices specifically designed to perform extractions do not always obtain all available artifacts. In almost all cases, the ability to document the evidence is not an embedded feature on the program. Locked USB ports, unsupported mobile devices, specific internal settings, enabled or disabled features, and the actual evidence itself are all reasons where documentation through screenshots, video, and still cameras would be warranted. Vendors have specifically designed hardware and software to be used exclusively for this purpose. Windows capture programs can also assist. The use of a simple digital camera, Microsoft Word, and a free PDF printing program can also aid agencies and private companies who want a cheaper alternative to manual examination. Manual examinations complement and augment the vast tools needed to perform mobile forensics.