🔧 Part 6 of 6

Practical Lab: Mobile Forensics Tools

🕑 150-180 minutes 📖 Hands-On 📱 Module 2

Introduction

This practical lab provides hands-on experience with mobile forensic tools. You will learn to use MOBILedit Forensic and Autopsy's Android Analyzer module to extract and analyze mobile device data. These exercises simulate real-world forensic scenarios.

🔧 Lab Requirements
  • Windows 10/11 computer with 16GB+ RAM
  • MOBILedit Forensic Express (trial or licensed)
  • Autopsy 4.x with Android Analyzer module
  • Test Android device or sample image files
  • USB cable for device connection

Forensic Tools Overview

Before beginning the exercises, let's understand the tools we'll be using.

📱 MOBILedit Forensic (Commercial Tool)
Comprehensive mobile forensic solution supporting 17,000+ phone models. Provides logical and physical extraction with detailed reporting.
  • Logical and physical extraction
  • App data analysis (WhatsApp, etc.)
  • Deleted data recovery
  • Password bypass for some devices
  • Court-ready report generation
  • Camera Ballistics (photo analysis)
🔍 Autopsy + Android Analyzer (Free/Open Source)
Open-source digital forensics platform with Android module. Excellent for analyzing extracted images and performing keyword searches.
  • Android image analysis
  • SQLite database parsing
  • Timeline analysis
  • Keyword search
  • File carving
  • Report generation

Mobile Forensics Workflow

Every mobile forensic examination should follow a structured workflow to ensure completeness and legal admissibility.

Standard Mobile Forensics Workflow
  1. Document Device
  2. Isolate Device
  3. Extract Data
  4. Verify Hash
  5. Analyze Data
  6. Generate Report

Exercise 1: Device Extraction with MOBILedit

Android Device Logical Extraction
Estimated time: 45 minutes
Objective

Perform a complete logical extraction from an Android device using MOBILedit Forensic, generate hash values, and create a forensic report suitable for court presentation.

Pre-Exercise Checklist

  • MOBILedit Forensic installed and licensed
  • Android device with USB debugging enabled
  • Device screen unlocked
  • Faraday bag available (if live device)
  • Case documentation form prepared

Step-by-Step Instructions

  1. Document Initial State: Photograph the device from multiple angles. Record the device model, serial number (from Settings > About Phone), current date/time, battery level, and screen state. Note any visible damage.
  2. Launch MOBILedit Forensic: Open MOBILedit Forensic Express. Select Phone > Connect. Choose the appropriate connection method (USB is recommended for reliability).
  3. Enable USB Debugging: On the Android device, go to Settings > Developer Options > Enable USB Debugging. When prompted on the device, authorize the computer's RSA key fingerprint.
  4. Verify Connection: MOBILedit should detect the device and display its information. Verify that the device model and serial number match your documentation.
  5. Configure Extraction: Select Phone > Extract Data. Choose "Full extraction" to capture all available data. Select the destination folder: C:\Cases\[CaseNumber]\[DeviceID]\
  6. Execute Extraction: Click "Extract" and monitor progress. Do not disconnect the device during extraction. Extraction time varies with data volume (typically 15-45 minutes for a full extraction).
  7. Verify Hash Values: After extraction, MOBILedit generates MD5 and SHA-256 hashes. Record these values in your case notes; re-computing the hashes later and comparing them against the recorded values is how you demonstrate that the extracted data has not changed since acquisition.
  8. Generate Report: Select Reports > Generate Report. Choose PDF format. Include case information, device details, extraction summary, hash values, and all extracted data categories.
[Figure: MOBILedit extraction interface screenshot. The actual tool interface varies by version.]
Important Notes

Always verify that USB debugging authorization persists across reconnections. Some devices may require re-authorization. If extraction fails, try different USB ports or cables. Document all issues encountered.
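The hash step above is easy to do once and hard to reproduce if you only keep a single number in your notes. The following added example (not MOBILedit's code; it uses only the Python standard library) builds a per-file MD5/SHA-256 manifest of an extraction folder, writes it in a form you can attach as an appendix, and later re-hashes the folder to report modified, missing or added files. The folder contents in demo() are constructed placeholders, not a real extraction.

```python
"""Added example: hash manifest for an extraction folder and later re-verification.
Not MOBILedit's own code; a stand-in for the hash step of the lab using only the
Python standard library."""
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")  # the two algorithms MOBILedit reports


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading it in chunks so a
    multi-gigabyte extraction never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every file below root. Keys are POSIX-style relative paths so the
    manifest compares equal whether it was produced on Windows or Linux."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p) for p in files}


def write_manifest(manifest, out_path):
    """One 'sha256  md5  relative/path' line per file, for the case notes."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel, digests in manifest.items():
            fh.write(f"{digests['sha256']}  {digests['md5']}  {rel}\n")


def read_manifest(path):
    """Parse a file written by write_manifest back into a dict."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            sha256, md5, rel = line.rstrip("\n").split("  ", 2)
            manifest[rel] = {"md5": md5, "sha256": sha256}
    return manifest


def verify_manifest(root, manifest):
    """Re-hash root and report every deviation from the documented manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest if r in current and current[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in current),
        "added": sorted(r for r in current if r not in manifest),
    }


def demo():
    """Constructed extraction folder: hash it, alter one file, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extraction"
        (root / "databases").mkdir(parents=True)
        (root / "databases" / "msgstore.db").write_bytes(b"hello")        # constructed content
        (root / "report.txt").write_bytes(b"extraction summary\n")       # constructed content
        manifest = build_manifest(root)
        manifest_path = Path(tmp) / "hashes.txt"                         # kept outside root
        write_manifest(manifest, manifest_path)
        clean = verify_manifest(root, read_manifest(manifest_path))
        # Simulate a post-acquisition change, e.g. a database opened in a tool
        # that wrote to it, plus a stray log file dropped into the folder.
        (root / "databases" / "msgstore.db").write_bytes(b"hello!")
        (root / "extra.log").write_bytes(b"")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()[1:]):
        print(label, result)
```

Store the manifest file outside the extraction folder it describes (as demo() does), otherwise the manifest would have to hash itself. Re-run verify_manifest against the recorded manifest before analysis and again before you finalise the report, and keep both results in the appendix.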

Exercise 2: Android Image Analysis with Autopsy

Analyzing Android Extraction with Autopsy
Estimated time: 60 minutes
Objective

Import an Android extraction into Autopsy, analyze SQLite databases, extract messages and contacts, perform keyword searches, and create a timeline of device activity.

Step-by-Step Instructions

  1. Create New Case: Launch Autopsy. Select Case > New Case. Enter the case name, number, and examiner details. Choose the case folder location. Click "Finish".
  2. Add Data Source: Select Add Data Source. Choose "Logical Files" if you have extracted folders, or "Disk Image" if you have an image file. Browse to your extraction location.
  3. Configure Ingest Modules: Enable the following ingest modules: Android Analyzer, Hash Lookup, Keyword Search, Recent Activity, Email Parser. Click "Next" then "Finish".
  4. Wait for Processing: Monitor the ingest progress in the lower right corner. Processing time depends on data volume. You can begin analysis while ingest continues.
  5. Review Data Artifacts: Navigate to Data Artifacts in the left panel. Expand categories: Contacts, Call Logs, Messages, Web History, etc. Double-click entries to view details.
  6. Analyze SQLite Databases: Navigate to /data/data/ in the directory tree. Find app databases (e.g., com.whatsapp/databases/msgstore.db). Right-click > View File in External Viewer, or use Autopsy's built-in SQLite viewer.
  7. Keyword Search: Click Keyword Search in the toolbar. Create a keyword list with terms relevant to your investigation. Run the search and review results in the "Keyword Hits" section.
  8. Generate Timeline: Select Tools > Timeline. Configure the date range based on the investigation scope. Review events chronologically to understand device activity patterns.
  9. Generate Report: Select Generate Report. Choose the report type (HTML recommended for readability). Select the data to include. Click "Generate Report" and review the output.
[Figure: Autopsy Data Artifacts view, showing parsed messages, contacts, and call logs.]

Exercise 3: WhatsApp Analysis

WhatsApp Database Forensic Analysis
Estimated time: 45 minutes
Objective

Locate and analyze WhatsApp databases from an Android extraction, extract message content, identify contacts, and correlate media files with messages.

Step-by-Step Instructions

  1. Locate WhatsApp Databases: Navigate to /data/data/com.whatsapp/databases/. Identify the key files: msgstore.db (messages) and wa.db (contacts).
  2. Export Databases: Right-click each database > Extract File(s). Save to your analysis folder. Also export the associated write-ahead log and shared-memory files (.db-wal, .db-shm): recent messages may exist only in the WAL file until SQLite checkpoints them into the main database.
  3. Open in SQLite Browser: Open DB Browser for SQLite (free tool). Open msgstore.db. Navigate to the "Browse Data" tab and select the "messages" table.
  4. Query Messages: Go to the "Execute SQL" tab. Run this query to extract readable messages:
     SELECT datetime(timestamp/1000, 'unixepoch', 'localtime') AS time, key_remote_jid, CASE key_from_me WHEN 0 THEN 'Received' ELSE 'Sent' END AS direction, data FROM messages WHERE data IS NOT NULL ORDER BY timestamp;
  5. Correlate Media: Navigate to /sdcard/WhatsApp/Media/ in your extraction. Cross-reference media_name values from the database with the actual files. Verify that the timestamps match.
  6. Document Findings: Export the query results to CSV. Document relevant conversations, noting timestamps, participants, and any evidence of interest. Include screenshots in your report.
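Steps 4 to 6 can be scripted so the query, the CSV export and the media cross-check are repeatable. The following added example (not MOBILedit's, Autopsy's or WhatsApp's code) runs the lab's message query against a msgstore.db with Python's sqlite3 module, exports the rows to CSV, and then checks every media_name referenced in the database against the files under the Media folder, comparing file modification time with the message timestamp. The messages table it creates is a constructed simplification containing only the columns the lab refers to; real msgstore.db schemas differ between WhatsApp versions, so adapt the column names to the database in front of you. The chat identifiers and file names are constructed sample values.

```python
"""Added example: WhatsApp message query, CSV export and media correlation.
Constructed schema and data; not code from any of the tools named in the lab."""
import csv
import os
import sqlite3
import tempfile
from pathlib import Path

# The lab's query with two changes: the direction column has an alias so the
# CSV header is readable, and 'localtime' is dropped so times are reported in
# UTC. State the device's time zone separately in the report instead of letting
# the examiner workstation's zone decide how timestamps render.
MESSAGE_QUERY = """
SELECT datetime(timestamp/1000, 'unixepoch') AS time,
       key_remote_jid,
       CASE key_from_me WHEN 0 THEN 'Received' ELSE 'Sent' END AS direction,
       data
FROM messages
WHERE data IS NOT NULL
ORDER BY timestamp
"""
MEDIA_QUERY = "SELECT timestamp, key_remote_jid, media_name FROM messages " \
              "WHERE media_name IS NOT NULL ORDER BY timestamp"


def _open_readonly(db_path):
    """Open the exported copy read-only so analysis cannot alter it."""
    conn = sqlite3.connect(f"file:{Path(db_path).as_posix()}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    return conn


def extract_messages(db_path):
    """Run the lab's query and return one dict per message."""
    conn = _open_readonly(db_path)
    try:
        return [dict(r) for r in conn.execute(MESSAGE_QUERY)]
    finally:
        conn.close()


def export_csv(rows, csv_path):
    """Write the query result as CSV for the report appendix."""
    if not rows:
        return
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)


def correlate_media(db_path, media_root, tolerance_s=300):
    """Look each media_name up under media_root (WhatsApp sorts media into
    sub-folders) and compare the file's mtime with the message timestamp."""
    on_disk = {p.name: p for p in Path(media_root).rglob("*") if p.is_file()}
    report = []
    conn = _open_readonly(db_path)
    try:
        for r in conn.execute(MEDIA_QUERY):
            path = on_disk.get(r["media_name"])
            msg_time = r["timestamp"] // 1000           # database stores milliseconds
            entry = {"media_name": r["media_name"], "chat": r["key_remote_jid"],
                     "message_time": msg_time, "status": "found" if path else "missing",
                     "timestamp_consistent": None}
            if path:
                entry["timestamp_consistent"] = abs(path.stat().st_mtime - msg_time) <= tolerance_s
            report.append(entry)
    finally:
        conn.close()
    return report


def build_sample_case(root):
    """Constructed msgstore.db and Media folder laid out like the lab's paths."""
    db = root / "data" / "data" / "com.whatsapp" / "databases" / "msgstore.db"
    images = root / "sdcard" / "WhatsApp" / "Media" / "WhatsApp Images"
    db.parent.mkdir(parents=True)
    images.mkdir(parents=True)
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, "
                 "key_from_me INTEGER, timestamp INTEGER, data TEXT, media_name TEXT)")
    conn.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, timestamp, data, media_name) "
        "VALUES (?, ?, ?, ?, ?)",
        [("15550001111@s.whatsapp.net", 0, 1700000000000, "Where are you?", None),
         ("15550001111@s.whatsapp.net", 1, 1700000060000, "On my way", None),
         ("15550001111@s.whatsapp.net", 0, 1700000120000, None, "IMG-20231114-WA0001.jpg"),
         ("15550002222@s.whatsapp.net", 1, 1700000180000, "see this", "VID-20231114-WA0002.mp4")])
    conn.commit()
    conn.close()
    img = images / "IMG-20231114-WA0001.jpg"
    img.write_bytes(b"\xff\xd8\xff\xe0 constructed placeholder")   # not a real JPEG
    os.utime(img, (1700000120, 1700000120))                       # mtime matches its message
    return db, root / "sdcard" / "WhatsApp" / "Media"


def demo():
    """Build the constructed case, run all three steps, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        db, media_root = build_sample_case(Path(tmp))
        messages = extract_messages(db)
        export_csv(messages, Path(tmp) / "whatsapp_messages.csv")
        return messages, correlate_media(db, media_root)


if __name__ == "__main__":
    for row in demo()[0] + demo()[1]:
        print(row)
```

Note the third constructed message: it carries an image but no caption, so the lab's WHERE data IS NOT NULL filter drops it from the message listing while the media query still reports it. Media-only messages are easy to miss if you only ever look at the text query, which is why the correlation runs off its own query.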

Case Study: Missing Person Investigation

🔎 Scenario

A 25-year-old individual has been missing for 72 hours. Law enforcement has obtained their Android smartphone with proper legal authorization. Your task is to extract and analyze the device to identify: last known location, recent communications, and any planned activities or meetings.

Analysis Approach

  1. Document and Extract: Full logical extraction with hash verification
  2. Location Analysis: Check Google Maps timeline, GPS coordinates in photos, location history in various apps
  3. Communications: Analyze WhatsApp, SMS, call logs for recent contacts and conversation content
  4. Calendar/Notes: Review calendar events, reminders, and notes for planned activities
  5. Browser History: Check for travel bookings, directions searches, location-related queries
  6. Timeline Creation: Build chronological timeline of last 7 days of activity
  7. Report: Document all findings with timestamps and supporting evidence

Key Evidence Locations

  • Google Location History: /data/data/com.google.android.gms/databases/
  • WhatsApp Messages: /data/data/com.whatsapp/databases/msgstore.db
  • SMS: /data/data/com.android.providers.telephony/databases/mmssms.db
  • Call Logs: /data/data/com.android.providers.contacts/databases/
  • Photo EXIF: /sdcard/DCIM/ - check GPS coordinates
  • Calendar: /data/data/com.google.android.calendar/databases/

Report Writing Guidelines

A forensic report must be clear, accurate, and legally defensible. Follow these guidelines for professional reports.

Report Structure

  1. Executive Summary: Brief overview of findings for non-technical readers
  2. Case Information: Case number, dates, examiner details, authorization
  3. Device Information: Make, model, IMEI, serial number, OS version
  4. Acquisition Details: Method used, tools, hash values, timestamps
  5. Findings: Detailed analysis results organized by category
  6. Timeline: Chronological summary of relevant events
  7. Conclusions: Summary of evidence relevance to investigation
  8. Appendices: Hash logs, tool outputs, supporting data

Section 63 BSA Requirements

For Indian courts, include a Section 63 BSA certificate with your report. Ensure it covers device identification, regular operation, and faithful reproduction, and that it is signed by a person in a responsible position with knowledge of the device or system.

📚 Key Takeaways
  • Always document device state before beginning any extraction
  • MOBILedit provides comprehensive logical extraction with built-in reporting
  • Autopsy's Android Analyzer automatically parses common data types
  • WhatsApp analysis requires both database extraction and media correlation
  • Hash verification is essential for evidence integrity
  • Timeline analysis helps establish sequence of events
  • Reports must be clear, accurate, and include Section 63 BSA certificate for Indian courts
  • Practice with test devices before handling actual evidence