I recently watched a local crime documentary that highlighted the significant role mobile data plays in modern investigations—even in cases of “traditional” criminality. It reinforced just how specialized and complex digital forensics has become. Examiners often need to go beyond automated forensic tools, manually testing and researching app behaviors to determine their evidentiary value.
With the rise of mobile dependency, the increasing popularity of fitness trackers and smartwatches, and the explosion of wearable tech, the volume of digital evidence available to investigators is growing at an unprecedented rate. According to a recent SANS blog post, 66% of DFIR professionals report a significant increase in reliance on mobile and cloud data during their investigations.
Why mobile data matters in investigations
A single mobile device contains vast amounts of data that can be pivotal in criminal, corporate, or civil investigations—from call logs and messaging to internet activity, health data, and location history. However, with millions of apps and diverse data sources, there are cases where automated parsing falls short, requiring examiners to manually extract and analyze data. Sometimes, that means digging deeper into already-parsed content to uncover new insights.
At OpenText™, we provide solutions to support mobile forensics investigations, helping examiners efficiently acquire and analyze mobile device artifacts. Our digital forensics and incident response (DFIR) portfolio includes tools like:
- OpenText™ Forensic (EnCase™) – Ideal for small-scale forensic investigations.
- OpenText™ Endpoint Investigator – Designed for corporate network-based investigations.
- OpenText™ Mobile Investigator – Streamlined examination of and reporting on mobile data provided by OpenText Forensic and/or OpenText Endpoint Investigator.
Going beyond automated parsing in DFIR
As an OpenText Digital Forensics & Incident Response Training Consultant, I teach DF-125 – Mobile Device Examinations, where we explore advanced techniques using OpenText forensic tools. This includes:
- Mobile-specific reporting features for clear, structured evidence presentation.
- Optical Character Recognition (OCR) for keyword searches within images.
- Built-in SQLite viewers for manual database analysis.
- AI-powered image categorization for rapid content review.
One critical aspect of the course is learning how to manually extract unstructured or unsupported artifacts. For example, we examine Apple’s Photos.sqlite database to recover location data, comments, and references to modified images. We also delve into Apple Health data, exploring workout routes and location history to reconstruct movements.
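The kind of manual query described above, as an added example that is not OpenText course material or tooling: it builds a small constructed database and pulls located and edited assets from it. The `ZASSET` table, its column names, the `-180.0` placeholder for missing coordinates and the sample rows are assumptions; names vary between iOS versions, so confirm them against the schema of the database under examination.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data timestamps count seconds from 2001-01-01 UTC, not from 1970.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def build_sample_db():
    """Constructed stand-in for a working copy of Photos.sqlite.
    Table and column names are assumptions; check the real schema first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZDIRECTORY TEXT,"
                 " ZFILENAME TEXT, ZDATECREATED REAL, ZLATITUDE REAL,"
                 " ZLONGITUDE REAL, ZHASADJUSTMENTS INTEGER)")
    conn.executemany("INSERT INTO ZASSET VALUES (?,?,?,?,?,?,?)", [
        (1, "DCIM/100APPLE", "IMG_0001.HEIC", 700000000.0, 51.5007, -0.1246, 0),
        # Assumed placeholder coordinates for an asset saved without a location fix.
        (2, "DCIM/100APPLE", "IMG_0002.HEIC", 700003600.0, -180.0, -180.0, 0),
        # Asset flagged as having adjustments (an edited image).
        (3, "DCIM/100APPLE", "IMG_0003.JPG", 700007200.5, 48.8584, 2.2945, 1),
    ])
    return conn

def located_assets(conn):
    """Return assets with plausible coordinates, oldest first, timestamps in UTC."""
    rows = conn.execute(
        "SELECT ZDIRECTORY, ZFILENAME, ZDATECREATED, ZLATITUDE, ZLONGITUDE,"
        " ZHASADJUSTMENTS FROM ZASSET"
        " WHERE ZLATITUDE BETWEEN -90 AND 90 AND ZLONGITUDE BETWEEN -180 AND 180"
        " ORDER BY ZDATECREATED")
    return [{
        "path": f"{directory}/{name}",
        "created_utc": (COCOA_EPOCH + timedelta(seconds=ts)).isoformat(),
        "lat": lat,
        "lon": lon,
        "edited": bool(adjusted),
    } for directory, name, ts, lat, lon, adjusted in rows]

if __name__ == "__main__":
    # For real evidence, open a verified working copy read-only instead:
    # sqlite3.connect("file:Photos.sqlite?mode=ro", uri=True)
    for asset in located_assets(build_sample_db()):
        print(asset)
```

The latitude range check drops the placeholder row, so an asset without a fix is never reported as a real position.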
The future of mobile forensics
The need for comprehensive mobile forensic analysis will only continue to grow. OpenText solutions help examiners streamline investigations, ensuring forensic integrity while improving efficiency. Our Mobile Driver Pack, included with OpenText™ Forensic and Endpoint Investigator, simplifies mobile artifact collection—offering a one-stop solution for case evidence.
Want to expand your digital forensic expertise? Join us for an upcoming DF-125 training session and gain hands-on experience in advanced mobile device investigations.
At OpenText, we’re reimagining security to help you respond to and recover from security incidents—while ensuring evidence integrity.