How to Uncover Application Artifacts for Mobile Device Investigations
Application artifacts are an important data source in mobile device investigations. Identifying what applications are installed on the device and have been in use can be another investigative goal. This can help during the initial stages of an investigation when you may try to triage available data sources and determine which are of primary interest. Determining that a specific application is installed, like Snapchat, may help to corroborate other information case investigators have.
You may have encountered users who compartmentalize certain activity within specific applications. Along those lines, many grooming or luring cases have started on something like a social media platform, with the offender then transitioning the victim to something perceived to be a more private messaging application. In addition to the installed application artifacts, review of the device analytics artifacts (like battery statistics or application permissions) can help to show not only that a particular application was installed, but that it was in use during a certain period of time.
Application Artifacts in Investigations
Applications are the backbone of our mobile devices, providing us with a plethora of functionality and entertainment options. When it comes to uncovering crucial evidence in a mobile device investigation, applications provide investigators with insights into the activities and interests of a suspect. Applications often hold the key to connecting the dots in an investigation.
Top Application Artifacts for Android and iOS
Magnet Forensics has curated the following list of top application artifacts and where they can be found on a given device. Magnet AXIOM and AXIOM Cyber will surface these artifacts for you quickly and easily, and Magnet GRAYKEY and VERAKEY provide same-day access to the latest iOS and Android devices; but it’s important you know where to look:
Mobile device applications reflect an individual’s life. In an investigation, they are an important source of data and insight into everything from a suspect’s preferences and hobbies to health and fitness habits, financial transactions, and work-related activities.
Leveraging Application Artifacts
While many examiners spend the bulk of their time using the artifact explorer in AXIOM Examine, other features like Timeline and Connections can help surface items of interest. The volume of artifacts from a modern mobile device examination can make it easy for potential application artifacts of interest to blend into the noise, almost hiding in plain sight.
Using the Timeline explorer can help to profile when a particular activity occurred on a device or provide context as to what a user was doing on their device at a certain time. The use of absolute and relative time filters can also help examiners find key details around points of interest in the timeline of a specific investigation.
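As an added illustration, not code from the original post or from AXIOM, the following Python sketches the absolute and relative time filters described above together with the installed-versus-in-use distinction from the introduction, applied to constructed sample records; the package names, timestamps and record details are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Artifact:
    package: str     # application identifier (package name / bundle id)
    kind: str        # "install" (installed-app record) or "analytics" (usage evidence)
    when: datetime   # UTC timestamp carried by the record
    detail: str      # where the record came from (constructed description)

# Constructed sample records standing in for parsed installed-application and
# device analytics artifacts (battery statistics, permission usage). Not real data.
ARTIFACTS = [
    Artifact("com.snapchat.android", "install", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), "installed apps list"),
    Artifact("com.snapchat.android", "analytics", datetime(2024, 3, 5, 21, 10, tzinfo=UTC), "battery stats: foreground"),
    Artifact("com.snapchat.android", "analytics", datetime(2024, 3, 5, 22, 40, tzinfo=UTC), "permission usage: CAMERA"),
    Artifact("org.example.notes", "install", datetime(2024, 2, 1, 8, 0, tzinfo=UTC), "installed apps list"),
    Artifact("org.example.notes", "analytics", datetime(2024, 3, 20, 8, 0, tzinfo=UTC), "battery stats: background"),
    Artifact("org.example.game", "install", datetime(2024, 3, 10, 12, 0, tzinfo=UTC), "installed apps list"),
]

# Point of interest for the worked example, and the relative window around it.
PIVOT = datetime(2024, 3, 5, 22, 0, tzinfo=UTC)
WINDOW = timedelta(hours=2)

def absolute_filter(artifacts, start, end):
    """Absolute time filter: records timestamped within [start, end]."""
    return [a for a in artifacts if start <= a.when <= end]

def relative_filter(artifacts, pivot, before, after):
    """Relative time filter: records from `before` ahead of the pivot to `after` past it."""
    return absolute_filter(artifacts, pivot - before, pivot + after)

def installed_by(artifacts, when):
    """Packages with an install record at or before `when`."""
    return {a.package for a in artifacts if a.kind == "install" and a.when <= when}

def apps_installed_and_used(artifacts, start, end):
    """Installed before the window closes AND with analytics evidence inside it:
    the app was not merely present, it was in use during that period."""
    used = {a.package for a in absolute_filter(artifacts, start, end) if a.kind == "analytics"}
    return sorted(installed_by(artifacts, end) & used)

def apps_installed_not_used(artifacts, start, end):
    """Present on the device but with no usage evidence in the window."""
    return sorted(installed_by(artifacts, end) - set(apps_installed_and_used(artifacts, start, end)))
```

With the sample data, `relative_filter(ARTIFACTS, PIVOT, WINDOW, WINDOW)` returns the two Snapchat analytics records, `apps_installed_and_used` over the same window returns only `com.snapchat.android`, and `apps_installed_not_used` returns `org.example.notes`: installed, but with no evidence of use at that time.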
The Connections explorer provides a visual representation of how the various artifacts in your case are related. Using the distinct properties of each artifact, called artifact attributes, you can start from an artifact of your choosing – such as a screen name or phone number – and see how it relates to other application artifacts in your case.
These days, mobile devices often have greater storage capacity, even rivaling traditional computers. Still, the always-on, always-connected nature of mobile devices means that cloud-stored data cannot be overlooked. The Potential Cloud Evidence Leads dashboard is a great resource for identifying other sources of data which may be relevant to your investigation – particularly when mobile devices are involved.
Applications on a device may not always store data locally, or there may be additional logs, usage, and analytics data available directly from the connected cloud account. The Potential Cloud Evidence Leads dashboard helps examiners by surfacing potential sources of cloud-stored data and accounts from the installed applications and accounts recovered on a device. This can help to provide an efficient method for directing further investigative efforts in a case.