CH3: Triaging Mobile Evidence & Report Writing
Chapter Overview
In the chaotic environment of a crime scene or a search warrant execution, digital evidence is often the most volatile item present. Unlike a physical weapon or a fingerprint, digital data can vanish, be remotely wiped, or become encrypted in a matter of seconds. This reality makes mobile triage—the immediate assessment, prioritization, and preservation of digital devices—one of the most critical skills for a digital forensic investigator.
Triage is not just about grabbing devices; it is a systematic process of decision-making. As a first responder or forensic examiner, you must instantly assess the state of a device and determine the course of action that maximizes the probability of recovering data while minimizing the risk of contamination. This chapter bridges the gap between the legal foundations discussed in Chapter 2 and the technical acquisition methods we will cover in later chapters. We will focus on the immediate actions taken at the scene, the critical decision trees based on device power states, and the essential equipment required to perform these tasks successfully.
Learning Objectives
By the end of this chapter, you will be able to:
- Differentiate between critical device power states (Powered On, Powered Off, Sleep) and explain how maintaining the "After First Unlock" (AFU) state impacts the accessibility of encrypted data.
- Execute the standardized triage workflows for both Powered On and Powered Off devices, ensuring proper isolation, legal authorization, and evidence preservation.
- Apply industry-standard isolation techniques, such as the use of Faraday bags and Airplane Mode, to prevent remote wiping and maintain the integrity of the crime scene.
- Analyze the security challenges presented by modern mobile operating systems, including biometrics and encryption, and identify the appropriate legal and technical tools (such as bypass technologies) required to overcome them.
- Construct a "Court-Ready" forensic report that adheres to NIST SP 800-101 guidelines, demonstrating replicability, objectivity, and thorough documentation of the investigation.
- Validate forensic findings using visual verification and cross-tool analysis to ensure the accuracy and legal admissibility of extracted evidence.
3.1 Device Power States
Before touching a mobile device found at a scene, an investigator must visually assess its power state. The state of the device dictates every subsequent move. In modern mobile forensics, the distinction is not merely between "on" and "off," but also involves the security state of the encryption (BFU vs. AFU).
3.1.1 Powered On (Active)
A device is considered "Powered On" when the operating system is fully loaded and running. Forensically, this is the most valuable state, but also the most precarious.
- The Opportunity: If the device is unlocked, or if it is locked but in an After First Unlock (AFU) state (meaning the user has unlocked it at least once since boot), encryption keys may still be resident in RAM. This allows for more comprehensive data extraction.
- The Risk: A powered-on device is susceptible to remote wiping commands (via "Find My iPhone" or Google’s "Find My Device") if it maintains a network connection. It is also consuming battery life, threatening a shutdown that would revert the device to a more secure state.
3.1.2 Sleep / Standby
Most devices found at a scene will appear to be off (black screen) but are actually in Sleep or Standby mode. The device is powered on, but the display and non-essential processes are suspended to save power.
- Identification: Pressing the power button or home button briefly usually wakes the screen.
- Forensic Note: Do not confuse Sleep mode with Powered Off. If you assume a sleeping device is off and attempt to "turn it on," you might actually restart it or interact with the UI, potentially altering evidence. Treat a black screen with extreme caution until verified.
3.1.3 Powered Off
A device is "Powered Off" when the operating system has shut down completely and power is cut from the main processor.
- BFU (Before First Unlock): When a modern iOS or Android device is powered off (or rebooted) and turned back on, it sits in a state known as BFU. In this state, the user's data is fully encrypted, and the decryption keys are not yet loaded into memory. This is the "coldest" state for forensics and offers the least amount of accessible data without the passcode.
Crucial Rule: If a device is found Powered Off, NEVER turn it on at the scene. Powering it on may trigger boot-up authentication sequences, establish network connections that overwrite logs, or trigger "self-destruct" settings configured to wipe data upon unauthorized access.

3.2 Process for Powered On Devices
When you encounter a mobile device that is powered on, you are in a race against time (battery life) and security mechanisms (auto-lock and remote wipe). The following six-step process provides a standardized workflow to secure this volatile evidence.

Step 1: Identify What You Have
Do not simply grab the phone. Observe it first.
- Visual Inspection: Is the screen on? Is it unlocked? Is there a progress bar indicating a data wipe is already in progress?
- Take Photos: Photograph the device exactly as it was found (in situ). Capture what is on the screen. If the screen is active and shows a chat window or map, that image may be the only record of that data if the phone locks immediately after.
Step 2: Isolation
The immediate threat to a powered-on device is network connectivity. If the suspect or an accomplice realizes the phone has been seized, they can issue a remote wipe command from any browser.
- Airplane Mode: If the device is unlocked and you can access the settings without a passcode, immediately place the device in Airplane Mode. Ensure Wi-Fi, Bluetooth, and Cellular Data are all disabled.
- Faraday Isolation: If the device is locked (but on), or if you cannot verify that Airplane Mode was successful, place the device into a Faraday Bag immediately. A Faraday bag is lined with conductive mesh that blocks radio signals (Cellular, Wi-Fi, Bluetooth, GPS), effectively severing the device from the outside world.
Step 3: Legal Process
Before proceeding to extraction, you must verify your legal standing.
- Scope of Warrant: Does your search warrant explicitly cover the search of digital contents on this specific device? If you are operating under "Search Incident to Arrest," remember that Riley v. California (2014) generally prohibits warrantless searches of cell phones.
- Exigent Circumstances: If you believe evidence is being destroyed right now (e.g., you see a "wiping" animation), you may act to preserve the evidence under exigent circumstances, but you must stop and apply for a warrant before analyzing that data.
Step 4: Perform Extraction
If the device is unlocked, do not let it lock!
- Keep it Awake: Tap the screen (in a non-interactive area) periodically to prevent the screen time-out.
- Adjust Settings: If possible, go to Settings and set "Auto-Lock" to "Never."
- Triage Extraction: If you have field forensics tools (like Cellebrite UFED Touch or similar field kits), perform a logical extraction immediately. Prioritize "volatile" data like Call Logs and Recent Messages. If the device locks later, you may lose access to this data.
Step 5: Validate Findings
Field acquisition tools are designed for speed, not necessarily depth.
- Spot Check: If you performed a logical extraction, quickly verify that the data looks readable. Did you get the contacts? Are the timestamps making sense?
- Manual Verification: If safe to do so, manually compare the call history on the screen with the extracted report to ensure the tool communicated correctly with the phone.
Step 6: Court-Ready Reporting
Your actions at the scene will be scrutinized in court.
- Document Everything: Record the time you seized the phone, the time you enabled Airplane mode, and the battery percentage at the time of seizure.
- Chain of Custody: Start the Chain of Custody log immediately. Who found it? Who bagged it? Who transported it?
Real-World Example: In a narcotics investigation, a detective found a suspect’s phone unlocked on a table. He immediately photographed the screen, which showed a text message: "Package delivered to the stash house." He then enabled Airplane Mode and set the screen timeout to "Never." By keeping the phone unlocked, the forensic lab was later able to perform a full file system extraction. Had he let the screen turn off, the device would have reverted to a locked AFU state (or BFU if the battery died), requiring a complex brute-force attack to bypass the passcode.
3.3 Battery Management Considerations
One of the most common failures in mobile forensics is allowing a device to run out of power.
- The Rule: If it is found Powered On, keep it Powered On.
- The Consequence: If a modern iPhone or Android device runs out of battery and shuts down, it reverts to BFU (Before First Unlock) mode upon reboot. In BFU mode, the encryption keys are evicted from RAM. Even if you have the best forensic tools in the world, the amount of data you can extract from a BFU device is significantly less than an AFU device.
The Faraday Bag Paradox
Placing a phone in a Faraday bag creates a battery management crisis.
- The phone realizes it has lost network connection.
- The cellular radio boosts its power output to maximum, desperately trying to find a tower.
- This aggressive searching causes the battery to drain much faster than normal—sometimes killing a phone in less than an hour.
Solution: You must introduce power inside the isolation environment. This is done by connecting the phone to a portable power bank before placing it in the Faraday bag, or using a specialized Faraday bag that has a filtered power pass-through cable.
3.4 Essential Field Kit Components
A digital forensic investigator is only as effective as their toolkit. When deploying to a scene, you cannot rely on borrowing equipment. A standardized "Go-Bag" ensures you are ready for isolation, preservation, and documentation.
| Category | Component | Forensic Purpose |
|---|---|---|
| Isolation & Preservation | Faraday Bags | Various sizes (phone, tablet, laptop) to block network signals immediately. |
| Isolation & Preservation | Faraday Box | A rigid enclosure for larger devices or for working on a device while keeping it isolated. |
| Isolation & Preservation | Anti-Static Gloves | To prevent static discharge and to avoid adding your own fingerprints/DNA to the device. |
| Power Management | Portable Power Banks | High-capacity (20,000mAh+) battery packs to keep seized devices alive. |
| Power Management | Cable Squid | A multi-head charging cable (USB-C, Lightning, Micro-USB) to fit any device encountered. |
| Power Management | Car Charger | For charging devices during transport. |
| Data Acquisition | Forensic Laptop/Tablet | High-spec machine loaded with acquisition software (e.g., Cellebrite, Magnet, Oxygen). |
| Data Acquisition | External SSDs | High-speed storage for saving extracted images. |
| Data Acquisition | SIM Card Reader | For reading SIM data independently if required. |
| Documentation Tools | Digital Camera | For photographing the screen and the device location (in situ). |
| Documentation Tools | Chain of Custody Forms | Paperwork to document evidence transfer. |
| Documentation Tools | Evidence Tape/Bags | Tamper-evident bags for final transport. |
| Tools | SIM Ejector Tool | Paperclips are unprofessional; carry proper ejector tools. |
| Tools | Micro-Screwdriver Set | Occasionally needed to access batteries or storage in older devices. |

3.5 Process for Powered Off Devices
While a powered-on device offers the best chance for immediate data access, the reality of digital investigations is that you will often encounter devices that are already powered off. This could be due to battery exhaustion, the suspect turning it off to secure it, or the device sitting in an evidence locker for days before examination.
When a device is powered off, it is in its most secure state (BFU - Before First Unlock). The encryption keys are cold, and the operating system is not facilitating data access. Therefore, the workflow changes from "preservation of volatile state" to "methodical preparation for bypass."

Step 1: Identify What You Have
Before applying power, you must understand the hardware you are dealing with.
- Visual Inspection: Check for physical damage, liquid contact indicators, or cracked screens that might hinder the boot process.
- Model Identification: Locate the model number (often on the back or on the SIM tray). Knowing the exact model (e.g., iPhone 14 Pro vs. iPhone 12) determines which exploits or bypass tools are compatible.
- Port Inspection: Check the charging port for debris. A clogged port can prevent a successful connection to forensic tools later.
Step 2: Legal Authorization
Just as with powered-on devices, you must verify your legal standing before turning the device on.
- Warrant Verification: Confirm that the search warrant specifically authorizes the search of this device's contents.
- Scope: Does the warrant allow for the bypass of security features? Does it allow for the removal of components (like a chip-off procedure) if logical methods fail?
Step 3: Independent Media Processing
Before booting the phone, remove and process any removable media.
- SIM Cards: Remove the SIM card and process it separately using a SIM reader. This isolates the device from the cellular network once it is turned on (preventing remote wipes). Additionally, SIM cards may contain valuable location data (LOCI), contacts, or SMS messages that are accessible without the phone's passcode.
- microSD Cards: If the device supports external storage (common in Android devices), remove the microSD card. These cards are often unencrypted, or far less strongly protected than the internal storage, and may contain photos, videos, and documents that can be imaged immediately using a write-blocker.
Step 4: Charge the Battery
Never attempt a forensic extraction on a low battery.
- The Risk: If a device dies during the boot process or during an extraction, it can corrupt the file system or interrupt a critical exploit, potentially permanently locking you out.
- Best Practice: Trickle-charge the device while it remains off until it reaches a safe level (at least 50%, though 80%+ is preferred).
Step 5: Comprehensive Extraction
Once the device is charged and isolated (SIM removed), you proceed to acquisition.
- Boot and Attack: Power on the device. Since it is in BFU mode, you will likely need to employ a brute-force tool or a specialized bypass solution (discussed in section 3.8) to gain access.
- Acquisition Type: Depending on the success of the bypass, perform the deepest extraction possible—ideally a Physical or Full File System extraction. If the passcode cannot be bypassed, you may be limited to a "BFU Extraction," which recovers limited system data available before the user authenticates.
Step 6: Validation
After the tool completes its work, you must verify the integrity of the data.
- Hash Verification: Ensure the hash values of the extracted image match the verification hash generated by the tool.
- Content Check: Briefly review a sample of the data (e.g., check the date of the most recent photo) to ensure the extraction time window is correct and the data isn't corrupted.
Step 7: Court-Ready Reporting
The final step is documenting the entire lifecycle of the evidence handling.
- Methodology: Explicitly state that the device was received powered off, the steps taken to charge it, and the specific tools used for the extraction.
- Anomalies: Note if the device failed to boot initially or if specific cables were required.
3.6 Forensic Processing Triage Forms
In a professional forensic laboratory, you cannot rely on memory. Every device that enters the lab for analysis must be accompanied by a Forensic Processing Triage Form. This document serves as a roadmap for the examiner and a critical piece of the chain of custody.

A standard triage form includes five critical sections:
1. Case Information
This section ties the digital evidence to the broader investigation.
- Case Number
- Investigator Name
- Date/Time of Intake
- Chain of Custody reference numbers
2. Device Specifications
Detailed physical attributes of the evidence.
- Make and Model (e.g., Samsung Galaxy S22)
- Color and Condition (e.g., "Black, cracked screen, in Otterbox case")
- Serial Number / IMEI (if visible)
- Peripherals included (SIM card, SD card, Case)
3. Security Status
The current known state of the device's defenses.
- Power State: On, Off, or Sleep.
- Lock State: Locked, Unlocked, or Unknown.
- Known Credentials: If the suspect provided a PIN or pattern during the interview, it is recorded here. Note: Always write down passcodes exactly as stated, including casing.
4. User Information
Details about the suspect or victim associated with the device.
- Name and aliases.
- Phone number associated with the device.
- Cloud accounts (Apple ID, Google Account) if known.
5. Specific Requests
Forensics can be a "fishing expedition" if not narrowed down. This section tells the examiner what to look for.
- Date Range: "Search for evidence between Jan 1, 2023, and Feb 14, 2023."
- Target Data: "Look for chat messages related to drug sales," or "Recover deleted photos from the DCIM folder."
- Priority: Is this a rush case due to an imminent threat?
3.7 Mobile Device Security Challenges
As forensic examiners, we are in a constant arms race with mobile operating system developers. Companies like Apple and Google prioritize user privacy and security, which often puts their goals in direct conflict with forensic data recovery.
Android vs. iOS Security Models
- iOS (Apple): Historically operates a "walled garden." The hardware and software are tightly integrated. The Secure Enclave Processor (SEP) handles encryption keys and passcode verification. If the SEP determines that too many wrong passcodes have been entered, it can enforce delays or even wipe the encryption keys, rendering the data permanently inaccessible.
- Android (Google): operates on a more fragmented ecosystem. While modern flagship phones (like Google Pixel or Samsung Galaxy) use hardware-backed security similar to Apple (such as Titan M chips or Knox), many budget devices still lack robust hardware security. However, Android's implementation of File-Based Encryption (FBE) means that different files can be encrypted with different keys, complicating the extraction process.

Encryption
Modern devices use encryption by default.
- Full Disk Encryption (FDE): The entire partition is encrypted as one block. This was common in older Androids.
- File-Based Encryption (FBE): Each file is encrypted individually. This allows the phone to boot up to the lock screen (Direct Boot mode) and receive calls/alarms without the user entering a PIN, but user data remains encrypted.
Multi-Factor Authentication (MFA)
Even if you bypass the lock screen, individual apps may be gated behind MFA.
- Challenge: You may access the phone, but opening the banking app or the secure email folder requires a secondary code sent to a different device or a biometric scan.
Biometrics and Facial Recognition
Biometrics (FaceID, TouchID) offer convenience to users but present challenges and opportunities for forensics.
- The Opportunity: In some legal jurisdictions, you can compel a suspect to provide a fingerprint or face scan (biometric) even if you cannot compel them to give up a passcode (testimonial).
- The Challenge: Biometrics are often disabled if the device has been restarted (BFU), if the "SOS" mode has been triggered (by holding down volume buttons), or if the biometric has not been used for a set period (usually 48 hours). Once disabled, the passcode is the only entry method.
3.8 Modern Bypass Technologies
When a device is locked and the user refuses to provide the passcode (or is deceased/unavailable), investigators must rely on advanced bypass technologies. This area of forensics is highly specialized and relies on exploiting hardware or software vulnerabilities to circumvent security.
The Role of Exploits
Tools in this category do not "guess" the passcode in the traditional sense; they exploit vulnerabilities in the phone's bootrom or operating system to bypass the limit on passcode attempts.
- For example, an exploit might trick the Secure Enclave into thinking a wrong guess was actually a "test," preventing the counter from increasing. This allows the forensic tool to try thousands of passcodes (Brute Force) without triggering a data wipe.
Magnet GrayKey
One of the most prominent tools in this space is Magnet GrayKey (formerly Grayshift).
- Function: GrayKey is a hardware box that connects to the mobile device (often via Lightning or USB-C). It installs a proprietary agent on the device that performs the brute-force attack on the device itself.
- Capability: It is famous for its ability to unlock modern iPhones and leading Android devices that were previously considered "unhackable" by standard commercial software.
Law Enforcement Restriction
It is critical to understand that tools like Magnet GrayKey, Cellebrite Premium, and others are not available to the general public or private investigators.
- Controlled Distribution: These vendors strictly vet their customers. They are sold only to law enforcement, military, and intelligence agencies.
- Why? If these exploits became public, Apple and Google would patch them immediately (closing the door for police), or criminals could use them to steal data from stolen phones. The secrecy of the "Zero-Day" exploits used by these tools is their most valuable asset.
The "Cat and Mouse" Game
The effectiveness of these tools fluctuates. An iOS update might patch the vulnerability GrayKey uses, rendering the tool useless for that specific iOS version until the engineers find a new vulnerability. This is why forensic labs often delay updating the OS on seized devices and why documentation of the exact OS version is critical during Triage.

3.9 Court-Ready Report Writing
The investigation does not end when the data is extracted; it ends when the jury understands what the data means. In mobile forensics, the report is the bridge between technical complexity and legal clarity. The finest forensic extraction is worthless if the resulting report is confusing, biased, or incomplete.
According to NIST SP 800-101, the industry standard for mobile device forensics:
"Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Reporting depends on maintaining a careful record of all actions and observations, describing the results of tests and examinations, and explaining the inferences drawn from the data. A good report relies on solid documentation, notes, photographs and tool-generated content."
This definition highlights three critical components that every report must possess:
- Actions: A record of every step taken (e.g., "Connected device to Cellebrite UFED").
- Observations: The results of tests (e.g., "Device successfully entered Download Mode").
- Inferences: The conclusions drawn from the data (e.g., "The presence of the file 'img_1234.jpg' in the Downloads folder indicates it was saved from the web browser, not taken by the camera").
The Importance of Detail and Neutrality
A "Court-Ready" report differs significantly from a corporate IT incident report. In a criminal trial, your report will be scrutinized by the defense, who will look for any procedural error to suppress the evidence.
- Replicability: A forensic report must be written with enough detail that another competent forensic examiner could take your notes, your tools, and the original evidence, and arrive at the exact same result. If your process is not replicable, the scientific validity of your evidence is in question.
- Unbiased Objectivity: Your role is that of a neutral finder of fact, not an advocate for the prosecution. Avoid emotionally charged language or assumptions of guilt.
- Bad: "The suspect suspiciously deleted the text messages to hide his crime."
- Good: "The text message database indicates that records between 14:00 and 16:00 were marked as 'deleted' by the system. These records were recovered from unallocated space."
3.10 The Forensic Narrative: Documenting the Investigation
While automated tools generate massive tables of data, the "Forensic Narrative" is the human-written portion of the report that contextualizes the investigation. It serves as the story of the evidence handling. A standard narrative follows a chronological structure covering the "Who, What, When, Where, How, and Why."
1. Initial Contact
This section sets the scene and establishes your authority. It answers the fundamental questions:
- Who are you? State your name, agency, and role.
- What is the problem? Define the scope of the request (e.g., "Analyze device for evidence of narcotics distribution").
- Where did you begin? Describe how the evidence came into your possession.
- Example: "On January 12, 2024, at 0900 hours, I, Examiner Jane Doe, received one (1) sealed evidence bag containing a Samsung smartphone from Detective Smith at the Central Forensics Lab."
- Why did you do what you did? Briefly explain the objective. "The device was processed to identify communications relevant to Case #24-001."
2. Device State Documentation
You must capture the exact condition of the device before any forensic alteration occurs. This protects you from claims that you damaged the device or altered its state.
- Power State: Was the device found Powered On, Powered Off, or in Sleep mode?
- Physical Condition: Note cracked screens, water damage, or missing buttons.
- Why a step was necessary: If you chose to perform a "Chip-Off" (a destructive process), you must justify why a standard logical extraction was insufficient.
- Example: "Due to the severe physical damage to the USB port preventing a standard cable connection, a Chip-Off procedure was deemed necessary to access the flash memory directly."
3. Handling Initial Issues and Contamination
Digital evidence rarely exists in a vacuum. Often, the mobile device is also a carrier of physical evidence.
- Physical Evidence Priority: Did the device require DNA swabbing or fingerprint processing? If so, this must happen before you start pressing buttons or plugging in cables.
- Documentation: Record who performed these actions.
- Example: "Prior to digital examination, the device was swabbed for DNA by Officer Jones (Badge #456) at 0915 hours. No latent prints were developed."
- Biohazards: Note if the device was found in bodily fluids or hazardous materials, necessitating cleaning with ethanol wipes (which might affect adhesive labels).
4. Tool Documentation
Forensic software is constantly updated. A parser in version 7.1 might interpret a timestamp differently than version 7.2.
- Version Control: You must list every tool used, including its specific version number.
- Why it matters: If a bug is discovered in "Tool v1.0" three years later, the court needs to know if that specific buggy version was used in your case.
- Example: "Extraction performed using Cellebrite UFED 4PC (Version 7.60). Analysis performed using Magnet AXIOM (Version 6.8)."
5. Listing Parsed Data
Automated tools will parse thousands of items—contacts, cookies, cache files, and system logs. A common mistake for beginners is trying to include everything in the written report.
- Summarize, Don't Dump: The written report should highlight the data relevant to the investigation (e.g., "Found 15 chat messages related to the sale of 'product'").
- Referencing the Appendix: For the bulk of the data, point the reader to the digital attachment.
- Example: "A full list of the 4,500 recovered text messages is available in the 'SMS_Report.html' file located on the finalized media DVD attached to this report."
- Example: "The complete browser history, containing 12,000 entries, has been exported to 'Browser_History.xlsx' on the attached media."
This approach keeps the primary report readable for the judge and jury while ensuring the defense has access to the full dataset for their own analysis.
6. Reporting Issues and Anomalies
A forensic examination is rarely perfect. Cables fail, software crashes, and security patches block access. A court-ready report must be transparent about these failures. If you do not document an anomaly, the defense may argue that you are hiding exculpatory evidence.
- Partial Extractions: If a tool only recovered 60% of the file system, state this clearly. Explain why (e.g., "Device disconnection during extraction due to loose charging port").
- Unparsed Data: If you see a database for a new app (e.g., "NewSecureChatApp.db") but your tool cannot parse it into readable text, document this.
- Example: "The application 'NewSecureChatApp' was identified on the device. Current forensic tools do not support automated parsing of this application. The raw database file has been exported to the 'Unparsed_Databases' folder on the archive disk for manual review."
- Inconsistencies: If the phone's system clock was off by 3 years, note this immediately. "Device system time was observed to be 01/01/1970. All timestamps in this report have been manually adjusted by +54 years to reflect the correct epoch."
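The clock-offset adjustment described in the "Inconsistencies" item is easy to get subtly wrong if it is applied as a rounded number of years. The script below is an added example (not from the chapter or any forensic tool) showing how to compute the exact offset between the device clock and a reference clock read at the same instant, apply it to every recovered timestamp, and generate the precise wording for the report. The device clock reading, the reference clock reading and the records are constructed sample values.

```python
"""Correcting timestamps from a device whose system clock was wrong.

Added example, not from the chapter or any vendor tool. The device clock
reading, the reference (lab) clock reading and the records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed observation: the device showed 1970-01-01 00:03:20 UTC at the
# instant the lab's time-synchronised reference clock read 2024-01-12 09:00:00 UTC.
DEVICE_CLOCK_OBSERVED = datetime(1970, 1, 1, 0, 3, 20, tzinfo=timezone.utc)
REFERENCE_CLOCK = datetime(2024, 1, 12, 9, 0, 0, tzinfo=timezone.utc)

# Constructed records as a parsing tool would report them, in device time.
RECORDS = [
    {"item": "sms 1", "device_utc": datetime(1970, 1, 1, 0, 1, 5, tzinfo=timezone.utc)},
    {"item": "photo IMG_0001", "device_utc": datetime(1970, 1, 1, 0, 2, 50, tzinfo=timezone.utc)},
]


def compute_offset(device_observed, reference):
    """The single exact timedelta to add to device timestamps."""
    return reference - device_observed


def apply_offset(records, offset):
    """Return new records carrying both the original and the corrected time.

    The original value is kept so the report can show what the tool parsed
    and what was adjusted, rather than silently overwriting it.
    """
    return [
        {
            "item": r["item"],
            "device_utc": r["device_utc"],
            "corrected_utc": r["device_utc"] + offset,
        }
        for r in records
    ]


def describe_offset(offset):
    """Report wording: the exact adjustment, not a rounded year count."""
    total = int(offset.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return (
        f"All device timestamps adjusted by {sign}{days} days "
        f"{hours:02d}:{minutes:02d}:{seconds:02d} (device clock read "
        f"{DEVICE_CLOCK_OBSERVED.isoformat()} when the reference clock read "
        f"{REFERENCE_CLOCK.isoformat()})."
    )


def demo():
    """Compute the offset, correct the constructed records, build the sentence."""
    offset = compute_offset(DEVICE_CLOCK_OBSERVED, REFERENCE_CLOCK)
    corrected = apply_offset(RECORDS, offset)
    return offset, corrected, describe_offset(offset)


if __name__ == "__main__":
    offset, corrected, sentence = demo()
    for r in corrected:
        print(f'{r["item"]}: {r["device_utc"].isoformat()} -> {r["corrected_utc"].isoformat()}')
    print(sentence)
```

The offset is only valid for records created while the device clock ran continuously from the observed reading. If the device was powered off, reset, or resynchronised to a network between events, earlier records may need a different offset, and that limitation belongs in the anomalies section of the report.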

3.11 Validation of Findings
As emphasized in Chapter 1, validation is the bedrock of digital forensics. You cannot simply trust a tool because it is expensive or "industry standard." Software has bugs. In your report, you must explicitly confirm which validation methods you employed.
- Cross-Tool Validation: "The text messages extracted by Cellebrite UFED were cross-referenced with an extraction performed by Magnet AXIOM. Both tools yielded identical message counts and timestamps."
- Visual Verification: "The investigator manually navigated to the specific chat thread on the device screen (photographed in Exhibit C) to verify that the emojis and formatting in the report matched the visual representation on the device."
- Third-Party Data: "The call logs recovered from the device were compared against the Call Detail Records (CDRs) provided by AT&T to confirm the accuracy of the dates and times."
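The cross-tool validation statement above is only defensible if the two exports were actually compared record by record, not just by eyeballing a count. The script below is an added example (not from the chapter, Cellebrite or Magnet) that normalises two constructed CSV exports of the same SMS thread, as two different tools might emit them with different column names, direction labels and timestamp formats, and reports count agreement, per-record timestamp discrepancies and records present in only one export. The column names and formats are assumptions about what such exports look like.

```python
"""Cross-tool validation of two message exports.

Added example, not from the chapter or any vendor tool. Both CSV exports
below are constructed; the column names and formats are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed export from "tool A": ISO-8601 timestamps with a UTC offset.
TOOL_A_CSV = """id,timestamp,direction,number,body
1,2024-01-12T14:05:10-05:00,incoming,+15551234567,Package delivered
2,2024-01-12T14:07:42-05:00,outgoing,+15551234567,ok
3,2024-01-12T15:30:00-05:00,incoming,+15559876543,call me
"""

# Constructed export from "tool B": Unix epoch seconds, different column names
# and direction labels, and the third record dated one second later.
TOOL_B_CSV = """msg_id,unix_time,type,remote_party,text
a,1705086310,Inbox,+15551234567,Package delivered
b,1705086462,Sent,+15551234567,ok
c,1705091401,Inbox,+15559876543,call me
"""

DIRECTION_MAP_B = {"inbox": "incoming", "sent": "outgoing"}


def parse_tool_a(text):
    """Normalise tool A rows to (direction, number, body, utc datetime)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"]).astimezone(timezone.utc)
        records.append({"direction": row["direction"].lower(), "number": row["number"],
                        "body": row["body"], "utc": ts})
    return records


def parse_tool_b(text):
    """Normalise tool B rows to the same shape as parse_tool_a."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromtimestamp(int(row["unix_time"]), tz=timezone.utc)
        records.append({"direction": DIRECTION_MAP_B[row["type"].lower()],
                        "number": row["remote_party"], "body": row["text"], "utc": ts})
    return records


def record_key(r):
    # Records are matched on content; timestamps are compared separately so
    # that a small clock or rounding difference is reported, not hidden.
    return (r["direction"], r["number"], r["body"])


def compare_exports(a_records, b_records, tolerance_seconds=0):
    """Match records across exports and report discrepancies.

    Assumes keys are unique within an export; duplicate messages with identical
    content would need the tool's own record id added to the key.
    """
    b_by_key = {record_key(r): r for r in b_records}
    matched, mismatched, only_in_a = 0, [], []
    for r in a_records:
        other = b_by_key.pop(record_key(r), None)
        if other is None:
            only_in_a.append(r["body"])
            continue
        delta = abs((r["utc"] - other["utc"]).total_seconds())
        if delta <= tolerance_seconds:
            matched += 1
        else:
            mismatched.append((r["body"], delta))
    return {
        "count_match": len(a_records) == len(b_records),
        "matched": matched,
        "timestamp_mismatches": mismatched,
        "only_in_a": only_in_a,
        "only_in_b": [r["body"] for r in b_by_key.values()],
    }


def validate():
    """Run the comparison on the constructed exports."""
    return compare_exports(parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_CSV))


if __name__ == "__main__":
    result = validate()
    print("record counts agree:", result["count_match"])
    print("records matched with identical timestamps:", result["matched"])
    for body, delta in result["timestamp_mismatches"]:
        print(f"timestamp differs by {delta:.0f}s for message: {body!r}")
    print("only in A:", result["only_in_a"], "only in B:", result["only_in_b"])
```

With the constructed data the counts agree and two records match exactly, but the third differs by one second between tools; that discrepancy is what the report should state, together with which tool's value was used and why, rather than the blanket claim that both tools "yielded identical timestamps".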

3.12 Final Deliverables and Archiving
When the investigation is complete, you must deliver your findings to the requestor (detective, attorney, or court). This usually involves a "Final Report" and an "Archive Disk" (or high-capacity USB drive).
The Importance of Hashing (Again)
Integrity must be maintained from the moment of seizure to the moment of delivery.
- Hash the Evidence: You hashed the image file when you acquired it.
- Hash the Report: When you finish writing your PDF report and exporting your HTML tables, you must hash those files as well.
- The Guarantee: This ensures that when the defense attorney opens the file six months later, they are looking at the exact same byte-for-byte report you signed. If the hashes do not match, the file has been altered or corrupted.
Methods of Reporting
You will likely need to produce multiple formats of your report for different audiences.
| Format | Pros | Cons | Best Use Case |
|---|---|---|---|
| PDF | Static & Secure. Difficult to accidentally edit. Standard for legal filings. Easy to print. | Navigability. Extremely difficult to read if the report is 5,000 pages long. Cannot filter or sort data. | The "Executive Summary" and the official written narrative for the judge/jury. |
| HTML | Interactive. Clickable links (e.g., click a thumbnail to see the full photo). Easy to search in a browser. | File Structure. Relies on a folder of dependencies (CSS/images). If you move the HTML file without the folder, it breaks. | The working copy for the lead investigator to browse chats and photos. |
| Excel / CSV | Analytical. Allows for sorting, filtering, and pivot tables. Great for financial data or massive call logs. | Editable. Very easy to accidentally change a cell value. Not secure for final court presentation. | Financial investigations or timeline analysis. |
| Media Disks (CD/DVD/BD) | Physical Integrity. Write-once media (DVD-R) prevents modification after burning. Cheap. | Capacity & Hardware. DVDs hold only 4.7GB. Modern computers lack optical drives. | Archiving the final case file for long-term storage in an evidence locker. |
Archive Disk Contents
The "Archive Disk" is the master digital container for the case. It should be organized so that anyone opening it can understand the structure without guidance. A standard directory structure includes:
- 01_Admin: Scans of the Search Warrant, Chain of Custody forms, and Triage Notes.
- 02_Reports: The final PDF narrative and the HTML/Excel exports.
- 03_Original_Media: The raw forensic image files (e.g., .ufd, .tar, .bin). Note: These are often too large for DVDs and may require a separate hard drive.
- 04_Photos: High-resolution original photos taken of the device and the scene (in situ).
- 05_Exports: Specific files of interest extracted from the phone (e.g., the video file of the crime).
- 06_External_Media: Reports generated from the SIM card or microSD card.
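The hash verification required in Step 6 of the powered-off workflow and the "Hash the Report" rule in this section both come down to the same mechanism: a manifest of file hashes written when the archive is finalised and re-checked when it is opened. The script below is an added example (not from the chapter or any forensic product) that lays out the six-folder archive structure above with constructed placeholder files, writes a SHA-256 manifest in the standard `sha256sum` format, verifies it, and shows how a single altered byte in the report is detected. The folder names are the chapter's; the file names and contents are constructed.

```python
"""Archive disk layout with a SHA-256 manifest, written and then verified.

Added example, not from the chapter or any vendor tool. Folder names follow
the chapter's archive structure; file names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

ARCHIVE_DIRS = ["01_Admin", "02_Reports", "03_Original_Media",
                "04_Photos", "05_Exports", "06_External_Media"]

# Constructed placeholder contents standing in for the real case files.
SAMPLE_FILES = {
    "01_Admin/chain_of_custody.txt": b"Constructed custody log line\n",
    "02_Reports/Final_Report.pdf": b"%PDF-1.7 constructed placeholder report\n",
    "03_Original_Media/device_image.bin": bytes(range(256)) * 4,
}

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_archive(root):
    """Create the numbered folders and drop the constructed files into them."""
    root = Path(root)
    for d in ARCHIVE_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    for rel, data in SAMPLE_FILES.items():
        (root / rel).write_bytes(data)
    return root


def write_manifest(root):
    """Hash every file under root (except the manifest itself).

    Lines use the "<hash>  <relative path>" layout, so the manifest can also
    be checked later with `sha256sum -c MANIFEST.sha256` on the archive.
    """
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}" for p in files]
    (root / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(root):
    """Recompute every hash; classify files as ok, modified, missing or unlisted."""
    root = Path(root)
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    listed = set()
    for line in (root / MANIFEST_NAME).read_text().splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)
        listed.add(rel)
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    # Files added after the manifest was written are just as suspicious.
    for path in root.rglob("*"):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(root).as_posix()
            if rel not in listed:
                result["unlisted"].append(rel)
    return result


def demo():
    """Build, sign, verify, then alter one byte of the report and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_archive(tmp)
        count = write_manifest(root)
        clean = verify_manifest(root)
        with open(root / "02_Reports/Final_Report.pdf", "ab") as f:
            f.write(b"x")  # simulated post-signing alteration
        (root / "05_Exports/late_addition.txt").write_bytes(b"constructed")
        tampered = verify_manifest(root)
        return count, clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} files hashed; clean check: {clean}")
    print(f"after alteration: {tampered}")
```

The manifest itself must then be protected the same way the report is: record its hash in the signed narrative, or on the chain of custody form, so that a manifest regenerated after tampering is detectable too.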

Chapter Summary
In this chapter, we established that mobile device triage is a high-stakes decision-making process that begins the moment an investigator arrives at a scene. The critical first step is identifying the device's power state. A powered-on device represents a "volatile" opportunity; if kept alive and shielded from the network via Faraday bags or Airplane mode, it may offer access to "After First Unlock" (AFU) data. Conversely, allowing a device to lose power forces it into a "Before First Unlock" (BFU) state, where encryption keys are evicted from RAM, significantly increasing the difficulty of forensic extraction. We also outlined the essential components of a digital forensic field kit, emphasizing that proper tools for isolation (Faraday bags) and power management (battery packs) are just as important as the extraction software itself.
We concluded with the rigorous standards required for court-ready reporting. A forensic report is not merely a data dump; it is a scientifically replicable document that details the actions, observations, and inferences of the examiner. We discussed the necessity of documenting anomalies, validating findings through cross-tool verification, and maintaining data integrity via hashing throughout the entire lifecycle of the evidence. Whether delivering a static PDF for court or an interactive HTML report for investigators, the goal remains the same: to present complex digital evidence in a manner that is accurate, unbiased, and understandable to a layperson.