Forensics Journal - Stevenson University 2010 | Page 11
forensic examiners as the devices become ubiquitous. As more individuals discontinue their landlines and opt for reliable cell phones, this technology will become further ingrained in everyday culture. In order to keep pace with analyzing cell phones, examiners will need to seek ongoing training on current and emerging technologies. Additionally, tool makers will need to develop more robust products that can analyze a greater number of phones in circulation.

As cell phones evolve and incorporate greater computing power into the palm of the user, cell phone analysts will need to develop this branch of digital forensics. Examiners will not be able to share their time between computer forensics and cell phone forensics. These specially trained individuals will need to focus on this area with 100% of their attention.

AN EXPERT’S ANALYSIS VERSUS CANNED REPORTS

Most cell phone forensic tools on the market, e.g., Paraben’s Device Seizure, Cellebrite’s Universal Forensic Extraction Device (UFED), Compelson Laboratories’ MOBILedit! Forensic, and Susteen’s SecureView, have the ability to generate reports using “canned” formats, which list in detail the data recovered from a cell phone. The reports are enhanced with features such as hash values of recovered files and the reports themselves.5 Some tools, such as Paraben’s Device Seizure, even have the ability to generate multiple versions of reports to provide detailed information in a logically arranged format. Although these reports assist examiners in presenting their data in clear, easy to understand reports, as detailed below, the reports have drawbacks.

One of these is the appearance an incomplete report may present. As previously mentioned, forensic tools have different degrees of success when it comes to retrieving evidence from a cell phone. For example, a particular tool may not recover the Short Message Service (SMS) messages that are stored on a cell phone. The tool may not find the messages or it may not be able correctly to parse the data into recognizable text