Data Forensics Archives — SysTools Software Official Tech Updates, by Team SysTools (feed generated Mon, 27 May 2024 06:31:12 +0000)

Email OCR Tool to help you Recognize Text from Images & Docs
https://www.systoolsgroup.com/updates/email-optical-character-recognition/ (Fri, 02 Dec 2022 13:17:40 +0000)

The post Email OCR Tool to help you Recognize Text from Images & Docs appeared first on SysTools Software.
You might have encountered the term Email OCR, or Email Optical Character Recognition, during email forensics. But what exactly does it mean, and how does this technology turn out to be helpful for law enforcement professionals in different scenarios?

Most importantly, which is the best OCR tool that officers can use to make an email investigation process easier?

These are the questions that come to mind while investigating an image file. Let’s find those answers!

What is OCR?

The main aim of Email Optical Character Recognition or OCR is to quickly and automatically convert scanned or photographed image files into machine-readable text format. Further, the result can be searched for keywords.

This technology analyzes scanned image data and searches for patterns resembling letters, numbers, and so on. It converts any kind of image file containing text (typed, handwritten, or printed) into text format.

While investigating emails, officers usually come across image files attached to an email, and Email OCR helps them read the words in those image files.

Though many forensic tools can easily search through text documents, they can rarely read or process image files or documents attached to an email.

A Smart Tool that Comes with Email Optical Character Recognition?

Fortunately, yes!

The professional email forensic tool MailXaminer has built-in Email OCR technology that can search image content or keywords in email attachment files. It is so far the best email analysis tool preferred by law enforcement professionals.

Through a systematic approach, you will be able to search for text in images using OCR technology.

Besides OCR, the software can do a lot of other things, such as:

  • Advanced Keyword Search: Finds evidence in bulk electronic data through a robust forensic keyword search.
  • Intelligent Link Analysis: Helps track connections between suspects using advanced link analysis.
  • Forensic Analysis of Online Platforms: Carries out forensic analysis of Skype data such as calls, chats, etc.
  • Email Tagging: Tags emails to differentiate them by importance and identify the exact email that relates to the case.
  • Supports 20+ File Formats: Searches terabytes of data in 20+ different file formats such as PST, OST, EDB, MBOX, etc.
  • Compatible with 80+ Email Clients: Supports 80+ email clients such as Gmail, Office 365, iCloud, Rackspace, Hotmail, etc.
  • User-Friendly Interface: Non-technical, semi-skilled, and technical users alike can easily use the tool.

Now let’s come to the next question: how is Email OCR technology helpful in different situations?

OCR in Email Investigation & eDiscovery

Given these benefits, OCR matters a great deal in eDiscovery and email analysis.

1. During an investigation, forensic experts have to go through hundreds of emails with image files at a time. Email Optical Character Recognition technology makes the task easier by processing multiple photographed documents in the emails and converting them to machine-readable text. In this way, investigators save valuable time and can spend it on other important tasks.

2. Beyond investigation, OCR is beneficial in information governance and proves helpful in legal matters. Since Optical Character Recognition can rapidly convert any image into a machine-readable and searchable format, it speeds up the process of finding specific information.

During an investigation, most courts require text searchability once documents are e-filed, and OCR provides exactly that.

Conclusion

Email optical character recognition, or simply OCR, helps forensic investigators and other law enforcement professionals in various ways. It is an advanced technology that converts image files into readable text, making them digitally searchable, and the text identified in electronic documents may act as crucial evidence in a forensic investigation. That’s why it is recommended to have a professional forensic tool with built-in OCR technology.

Everything You Need to Know About – Outlook for Mac Forensics
https://www.systoolsgroup.com/updates/outlook-for-mac-forensics/ (Thu, 23 Jan 2020 05:07:32 +0000)
Summary: If you are looking for a solution to retrieve or recover the database files of Outlook for Mac for forensics, you are at the right place! Read this blog to get the best solution!

In 2020, a new report says that cybercrimes are increasing and affecting organizations at high speed. Therefore, companies should be aware and take steps to protect themselves from these people-based attacks. They need to deploy tools and software to limit the loss of information and business disruption.

Understand the Need of Forensics for Mac Outlook

In organizations, cybercriminals mostly target the company’s communication medium to steal information through phishing or spoofed emails, which has become the fastest rising form of cybercrime. Digital crimes are generally associated with the email clients that serve as the companies’ communication medium. Emails play a major role in collaboration and information sharing throughout a business organization.

One of the most popular email clients is MS Outlook, which works on both Windows and Mac. OLK files are temporary files maintained by the profiles of the Microsoft Outlook email app for Mac. Files with the .olk14/.olk15 extension belong to the various components of Microsoft 365 mail app profiles for Mac, and these folders store only a temporary copy of the message files. As a result, there is a high risk of Mac Outlook being involved in cyber-based criminal activities or cyberattacks. In the upcoming section, we discuss how an investigation officer can carry out Outlook for Mac forensics.

Some related queries taken from a forum site are given below:

Concerning such user queries, we have described a reliable and effective solution to view and analyze the Mac Outlook database for forensics, which is clearly explained in the next section.

Proven Solution to Recover OLK Data for Mac Outlook Email Forensics

Mac Outlook Database Recovery Tool is the best and most efficient way to get back permanently deleted or corrupted emails and other items for Mac Outlook forensics and analysis. The software, which supports Outlook 2011, 2016, 2019 and Mac Office 365, is advanced enough to retrieve accidentally deleted as well as soft-deleted emails, contacts, tasks, calendars and notes from Mac Outlook.

Moreover, the software provides 10 file formats for saving Outlook data files on the local system, including EML, EMLX, PDF, PST, TXT, HTML and MSG, plus VCF and ICS for contacts and calendars. This feature of the Mac Outlook Forensics software makes it unique and more useful than other available software. The Mac Outlook email forensics tool has many more advanced features, as follows:

Some Additional Highlighted Features of the Software

  • Gets back permanently deleted or inaccessible Outlook for Mac data files.
  • Keeps data integrity intact while recovering OLK14/OLK15 file data.
  • Automatically retrieves attachments and other components of Outlook data items.
  • Supports recovery from multiple Outlook for Mac profiles in a single attempt.
  • Retrieves a huge volume of data in the desired file format.
  • Provides advanced customization options while saving the data.
  • “Select Category” option to select the items of the user’s choice.
  • “Date Filter” option to operate only on data within the selected range.
  • “Naming convention” option to organize Outlook emails systematically for Outlook email forensics.
  • Compatible with Mac OS X 10.8 / 10.9 / 10.10 / 10.11 / 10.12 / 10.13 / 10.14 / 10.15.

Step-by-Step Guide to Repossess Outlook for Mac Forensics

It is very easy to recover Outlook for Mac data files and save them in the desired file format using the Mac Outlook email forensics tool. Follow this simple procedure to reclaim Mac Outlook data files for Outlook email forensics:

Step 1: Download and install the software on the system.

Step 2: The next screen displays multiple Outlook versions. Select the radio button next to the version you are working with.

Note: If you select “Auto Locate Mac Outlook 2019 / 2016 / 2011 / office 365”, proceed to select the identity/profile. If you choose “Let me Browse”, you can upload OLK files manually.

Step 3: In the next step, either select “Auto Location Mac Outlook 2019 / 2016 / 2011 / office 365” for automatic detection of OLK files and then choose “Identity / Profile”, or, if you prefer to select OLK files manually, click “Add Files / Folders” in the software and then click “Open”.

Step 4: Click “Next” and the scanning process starts. It may take time, depending on the size of the data file.

Step 5: Click “Advanced Settings” to set a Naming Convention or apply a Category Type and Date Filter.

Step 6: Choose a file format for the resultant files and check “Maintain Folder Hierarchy”.

Step 7: Select “Destination Path” to save the resultant files at the desired location and click “Export”.

Step 8: After the export process completes, an export report is generated automatically. It can also be saved to the local system for further use.

After following these simple steps, the user can check the exported data, along with attachments, at the destination location. It is saved in the chosen file format with the original formatting preserved. Now you can open and view your data in an email client that supports the selected file format. With this utility, one can open and view huge amounts of data belonging to multiple Mac Outlook profiles in several file formats, within a single attempt.

Concluding Thoughts

This blog has elaborated on the need to get back deleted or corrupted Outlook for Mac data for forensics. Although there are many Mac Outlook forensics tools on the market for investigating Outlook-related cyber attacks, their end results are often disappointing. Because of this, we have recommended one of the best and most efficient Mac Outlook email forensics tools. This software incorporates various advanced features to conveniently analyze Mac Outlook data, which helps an investigation officer fetch evidence easily.

TikTok Forensics – Method to Get Messages from TikTok Database in iOS
https://www.systoolsgroup.com/updates/retrieve-messages-from-tiktok/ (Fri, 19 Apr 2019 07:48:40 +0000)
This article explains the steps to retrieve messages from the TikTok app from its database in iOS. Users and forensic examiners can easily find chats and media in the SQLite database the app creates.

Recently, one of the most downloaded iPhone applications around the world was banned over a lack of privacy settings. The step was taken by cybersecurity experts who found that even small children were exposing their identities publicly on the platform. There were other privacy concerns as well, due to which the TikTok application was banned, so users cannot download it from the App Store or Play Store.

Therefore, forensic examiners face the challenge of how to examine the communication users carried out through the app. So, in this article, we discuss the steps to retrieve TikTok messages from an iOS device using its SQLite database.

Steps for TikTok Data Acquisition

The following segment of the article presents the steps to get user data from the TikTok application in iOS.

Step 1 – First of all, locate the Bundle ID, which is unique for every Apple application.

Step 2 – Go to /private/var/mobile/Library/FrontBoard/ to access the applicationState.db file.

The database file above provides the connection between the bundle ID and the UUID of the application directory. This DB file can be opened with SQLite Database Viewer Software on the way to reaching TikTok chats and messages. Find the bundle name in the application_identifier_tab table and note the corresponding id number.

Step 3 – Now find that id in the “kvs” table, in the “application_identifier” column, and export the blob in the value field. The exported data is a bplist that maps all the UUIDs to the bundle ID or application name.

Step 4 – After identifying the right application directory, move it to the forensic workstation.
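The bundle-ID-to-UUID lookup in Steps 2 and 3 can be scripted instead of done by hand. The following is an added example, not SysTools code: it builds a constructed applicationState.db with the two tables the article names (application_identifier_tab and kvs), stores a binary plist in the kvs value column, and resolves the container UUID from it. The column set of kvs, the 'compatibilityInfo' key and the plist layout are assumptions; on a real device the value is an NSKeyedArchiver plist, whereas here it is a plain binary plist dictionary so the script runs offline.

```python
"""Resolve an app's data-container UUID from a constructed applicationState.db.

Added example; not SysTools code. The real kvs value is an NSKeyedArchiver
bplist; here it is a plain binary plist dictionary (assumption) so the
script runs offline. Bundle id and UUID below are constructed placeholders.
"""
import plistlib
import sqlite3

SAMPLE_BUNDLE_ID = "com.example.tiktok"  # placeholder, not the real bundle id
SAMPLE_UUID = "1B2C3D4E-5F60-4718-9ABC-DEF012345678"  # constructed container UUID
CONTAINER_ROOT = "/private/var/mobile/Containers/Data/Application"


def build_sample_db(path=":memory:"):
    """Create a constructed applicationState.db with two apps; only one has a kvs record."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE application_identifier_tab (
            id INTEGER PRIMARY KEY,
            application_identifier TEXT UNIQUE
        );
        CREATE TABLE kvs (                 -- column set is an assumption
            application_identifier INTEGER,
            key TEXT,
            value BLOB
        );
        """
    )
    conn.execute("INSERT INTO application_identifier_tab VALUES (1, ?)", ("com.example.other",))
    conn.execute("INSERT INTO application_identifier_tab VALUES (2, ?)", (SAMPLE_BUNDLE_ID,))
    payload = {
        "bundleIdentifier": SAMPLE_BUNDLE_ID,
        "sandboxPath": f"{CONTAINER_ROOT}/{SAMPLE_UUID}",
    }
    blob = plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)  # starts with b"bplist00"
    conn.execute("INSERT INTO kvs VALUES (2, 'compatibilityInfo', ?)", (blob,))  # key name assumed
    conn.commit()
    return conn


def lookup_app_id(conn, bundle_id):
    """Step 2: bundle id -> numeric id in application_identifier_tab (None if absent)."""
    row = conn.execute(
        "SELECT id FROM application_identifier_tab WHERE application_identifier = ?",
        (bundle_id,),
    ).fetchone()
    return row[0] if row else None


def resolve_container_uuid(conn, bundle_id):
    """Step 3: read the app's kvs blobs, decode the bplist, and extract the container UUID."""
    app_id = lookup_app_id(conn, bundle_id)
    if app_id is None:
        return None
    for (blob,) in conn.execute("SELECT value FROM kvs WHERE application_identifier = ?", (app_id,)):
        if not isinstance(blob, bytes) or not blob.startswith(b"bplist00"):
            continue  # ignore values that are not binary plists
        data = plistlib.loads(blob)
        path = data.get("sandboxPath") if isinstance(data, dict) else None
        if path and path.startswith(CONTAINER_ROOT + "/"):
            return path[len(CONTAINER_ROOT) + 1:].split("/")[0]
    return None


def map_all_apps(conn):
    """Bundle id -> container UUID for every app whose kvs record can be decoded."""
    result = {}
    for (bundle_id,) in conn.execute("SELECT application_identifier FROM application_identifier_tab"):
        uuid = resolve_container_uuid(conn, bundle_id)
        if uuid:
            result[bundle_id] = uuid
    return result


if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_app_id(db, SAMPLE_BUNDLE_ID), resolve_container_uuid(db, SAMPLE_BUNDLE_ID))
    print(map_all_apps(db))
```

Against a real applicationState.db you would pass its path to sqlite3.connect instead of building the sample, and replace the plain plistlib.loads with an NSKeyedArchiver-aware decoder; the two-table lookup itself is unchanged.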

Method to Recover Chat & Media from TikTok in iOS

The chats or messages of the TikTok application can be accessed by combining the contents of two separate databases and two tables within them, i.e. TIMMessageORM.db.sqlite and awemecontacts.AwemeIM.db, which are located at Support/ChatFiles/User-ID/db.sqlite and /private/var/mobile/Containers/Data/Application/UU-ID/Documents/AwemeIM.db respectively.

Executing the message query in the DFIR SQL Query Repo gives the following result:

[Screenshot: TikTok Forensics – message query output]

The columns shown in the table above mean the following:

  1. sender – The numeric user ID. This value is used to join the tables, which gives access to the usernames.
  2. profilepicURL – The link to the user’s profile picture.
  3. customID – The username of the account.
  4. nickname – The nickname of the account.
  5. Local_create_time – The device time of a particular message.
  6. servercreatedat – The server time of a sent message. A value of 0 means the message never left the device.
  7. message – The content of the message.
  8. localresponse – Additional information about a message. If a message did not leave the device, this field holds some diagnostic information.
  9. links_display_name – If the user responds with an image or a GIF, this field shows the display name of the file.
  10. links_gif_url – The URL of the shared image or GIF. It can be accessed without any authentication.

The user data query in the DFIR SQL Query Repo produces the following output:

[Screenshot: user data query output – find messages from TikTok database in iOS]

The columns in the table above denote the following:

  1. uid – The numeric user id.
  2. CustomID – The account username.
  3. nickname – The nickname of the account.
  4. latestchattimestamp – The last timestamp of the chat.
  5. url1 – The link to the user’s profile picture.

Users can also use the UID number to open the user’s public profile in a browser, which shows all the videos shared publicly in that profile, via the URL below:

https://m.tiktok.com/h5/share/usr/(insert username ID number from DB).html

Moreover, the videos created in the TikTok application can be found in .mp4 format in the following directory:

/private/var/mobile/Containers/Data/Application/UU-ID/temp/
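The two-table join described above, with the column semantics from both lists (servercreatedat equal to 0 meaning the message never left the device, links_gif_url for shared media) and the public-profile URL pattern, as an added example that is not SysTools code and not the DFIR SQL Query Repo query. Column names follow the article; the table names messages and contacts, and the assumption that timestamps are Unix seconds, are mine. Both databases are constructed in memory so the script runs offline; against a device extraction, the same ATTACH pattern would open TIMMessageORM.db.sqlite and AwemeIM.db side by side.

```python
"""Join TikTok message and contact records as the article describes (added example).

Not SysTools code. Table names and the Unix-seconds timestamp assumption are
mine; both databases are constructed here so the script runs offline.
"""
import sqlite3
from datetime import datetime, timezone


def build_sample_databases():
    """Main database stands in for TIMMessageORM.db.sqlite; the 'im' schema for AwemeIM.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS im")
    conn.executescript(
        """
        CREATE TABLE main.messages (           -- assumed table name
            sender INTEGER,
            local_create_time INTEGER,
            servercreatedat INTEGER,
            message TEXT,
            localresponse TEXT,
            links_display_name TEXT,
            links_gif_url TEXT
        );
        CREATE TABLE im.contacts (             -- assumed table name
            uid INTEGER PRIMARY KEY,
            customID TEXT,
            nickname TEXT,
            latestchattimestamp INTEGER,
            url1 TEXT
        );
        """
    )
    # Constructed sample rows (not data from any real device).
    conn.executemany(
        "INSERT INTO im.contacts VALUES (?, ?, ?, ?, ?)",
        [
            (101, "alice_custom", "Alice", 1555661000, "https://example.invalid/p/101.jpg"),
            (102, "bob_custom", "Bob", 1555660500, "https://example.invalid/p/102.jpg"),
        ],
    )
    conn.executemany(
        "INSERT INTO main.messages VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            (101, 1555660000, 1555660002, "hi there", None, None, None),
            (102, 1555660500, 1555660503, None, None, "funny.gif", "https://example.invalid/gif/funny.gif"),
            # servercreatedat == 0: the message never left the device; localresponse explains why.
            (101, 1555661000, 0, "did you get this?", "send failed: no network", None, None),
        ],
    )
    conn.commit()
    return conn


# Cross-database join keyed on the numeric user id, yielding the article's message columns.
MESSAGE_QUERY = """
SELECT m.sender, c.url1 AS profilepicURL, c.customID, c.nickname,
       m.local_create_time, m.servercreatedat, m.message, m.localresponse,
       m.links_display_name, m.links_gif_url
FROM main.messages AS m
LEFT JOIN im.contacts AS c ON c.uid = m.sender
ORDER BY m.local_create_time
"""


def to_utc(ts):
    """Render an (assumed) Unix-seconds timestamp as ISO-8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def fetch_messages(conn):
    """Run the join and return one dict per message, keyed by the article's column names."""
    cur = conn.execute(MESSAGE_QUERY)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def undelivered_messages(rows):
    """Messages whose servercreatedat is 0 never reached the server."""
    return [r for r in rows if r["servercreatedat"] == 0]


def public_profile_url(uid):
    """The profile URL pattern quoted in the article, filled with the numeric uid."""
    return f"https://m.tiktok.com/h5/share/usr/{uid}.html"


if __name__ == "__main__":
    rows = fetch_messages(build_sample_databases())
    for r in rows:
        flag = " (never left the device)" if r["servercreatedat"] == 0 else ""
        print(to_utc(r["local_create_time"]), r["customID"], r["message"] or r["links_gif_url"], flag)
    print(public_profile_url(rows[0]["sender"]))
```

A LEFT JOIN is used deliberately: a message whose sender has no row in the contacts table still appears, with empty name columns, rather than silently dropping out of the timeline.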

Conclusion

As the TikTok application was banned a few days ago, forensic examiners might face issues retrieving messages from the TikTok app in iOS. So we have come up with a way to find messages from the application with the help of the database created in iOS. This DB file can be opened with an SQLite database viewer tool.

OLK14MsgAttach File – Retrieve Attachments from Mac OLK File
https://www.systoolsgroup.com/updates/olk14msgattach-file/ (Fri, 13 Oct 2017 13:11:56 +0000)
A few days ago, I worked on a case where I noticed that many Outlook attachment files were not processed appropriately. The attachment files are named olk14MsgAttach in Microsoft Outlook 2011 for Mac and olk15MsgAttach in Microsoft Outlook 2016 for Mac.

Before MS Outlook for Mac existed, there was another email client, Entourage. It was easy to work with because it had no PST or OST file: it used only a Main.db file to store all its mailbox data, and users could also extract emails and attachments as EMLX files.

Overview of OLK Files

With the Office suite for Mac, Microsoft finally released Outlook for Mac in 2011. It does not create OST or PST files to store its mailbox data; instead, it uses separate directories for storing emails, attachments, contacts and other mailbox items. Outlook for Mac uses the following file types:

  • .olk14folder – email folders
  • .olk14contact – contacts
  • .olk14search – saved searches
  • .olk14pref – software preferences
  • .olk14category – categories for tagging emails, calendar items, contacts, etc.
  • .olk14UID – a file associated with Outlook only
  • .olk14signature – saved signatures
  • .olk14msgsource – the content of email messages
  • .olk14schedule – saved schedules
  • .olk14recent – recent email addresses
  • .olk14mailaccount – login information of the email account
  • olk14MsgAttach – the attachments of Outlook for Mac

The different directories for different items are shown below:

\user_name\Documents\Microsoft User Data\Office 2011 Identities\Main Identity\Data Records\Messages\

&

\user_name\Documents\Microsoft User Data\Office 2011 Identities\Main Identity\Data Records\Message Attachments\

Most forensic investigators can easily handle the email files, but the olk14MsgAttach files are a little different and harder to handle. The hex view of the file is shown in the following section, and its structure is also described:

Structure of olk14MsgAttach File

The different attributes of the olk14MsgAttach Outlook for Mac attachment file are as follows:

  • Attc – The file signature; its hex value is 41 74 74 63.
  • Content-type – Defines the file category and the applicable application.
  • Name – The name of the file.
  • Content-disposition – Specifies whether the attachment is inline or attached for subsequent access.

Note – If this attribute contains “inline”, the attachment is displayed when the message is opened; such attachments are displayed in the same order as they occur in the message. If content-disposition is “attachment”, the attachment requires an action to be displayed and is placed outside the message body; it is stored to be accessed later.

  • Filename – The same as “name”.
  • Content-transfer-encoding – Always shown as “base64”, because the binary file is encoded with it.

The encoded binary data begins with “base64” (hex value 62 61 73 65 36 34), followed by 0D bytes, which probably serve as a buffer and can occur several times.
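A small parser for the structure just described, as an added example that is not SysTools code: it checks the Attc signature, reads the attributes, skips the 0D buffer bytes after the base64 marker, decodes the attachment and hashes it so the extracted file can be tied back to the source. The signature, attribute names, base64 marker and 0D bytes come from the article; the exact layout of the attribute region (one “Key: value” per line) is an assumption, and the sample blob is constructed here so the script runs offline.

```python
"""Parse an olk14MsgAttach-style blob as the article describes it (added example).

Not SysTools code. Signature, attribute names, 'base64' marker and 0D buffer
bytes are from the article; the 'Key: value' line layout is an assumption and
the sample file is constructed below.
"""
import base64
import hashlib
import re

SIGNATURE = b"Attc"                         # hex 41 74 74 63
ENCODING_LABEL = b"Content-transfer-encoding"
BASE64_MARKER = b"base64"                   # hex 62 61 73 65 36 34
HEADER_RE = re.compile(rb"([A-Za-z-]+)\s*:\s*([^\r\n]*)")

# Constructed payload standing in for an attached file (PNG-like header plus filler).
SAMPLE_PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"constructed attachment body " * 4


def build_sample_file(payload=SAMPLE_PAYLOAD, disposition=b"attachment"):
    """Assemble a constructed blob carrying the attributes the article lists."""
    header = b"\n".join([
        b"Content-type: image/png",
        b"Name: photo.png",
        b"Content-disposition: " + disposition,
        b"Filename: photo.png",
        ENCODING_LABEL + b": " + BASE64_MARKER,
    ])
    # 0D bytes after the base64 marker act as a buffer and may repeat; then the encoded data.
    return SIGNATURE + b"\n" + header + b"\r\r\r" + base64.b64encode(payload)


def is_olk14_msg_attach(data):
    """Cheap signature check before any real parsing."""
    return data[:4] == SIGNATURE


def parse_olk14_msg_attach(data):
    """Return the attributes, the decoded attachment bytes and their SHA-256."""
    if not is_olk14_msg_attach(data):
        raise ValueError("missing 'Attc' signature; not an olk14MsgAttach file")
    label_pos = data.find(ENCODING_LABEL)
    if label_pos < 0:
        raise ValueError("no Content-transfer-encoding attribute")
    marker_pos = data.find(BASE64_MARKER, label_pos)
    if marker_pos < 0:
        raise ValueError("only the base64 transfer encoding is described for this format")
    attrs = {
        key.decode("ascii").lower(): value.decode("ascii", "replace").strip()
        for key, value in HEADER_RE.findall(data[len(SIGNATURE):marker_pos])
    }
    attrs["content-transfer-encoding"] = "base64"
    encoded = data[marker_pos + len(BASE64_MARKER):].lstrip(b"\r")  # skip the 0D buffer bytes
    content = base64.b64decode(re.sub(rb"\s+", b"", encoded), validate=True)
    return {
        "name": attrs.get("name"),
        "filename": attrs.get("filename"),
        "content_type": attrs.get("content-type"),
        "inline": attrs.get("content-disposition", "").lower() == "inline",
        "content": content,
        "sha256": hashlib.sha256(content).hexdigest(),
    }


if __name__ == "__main__":
    record = parse_olk14_msg_attach(build_sample_file())
    print(record["name"], record["content_type"], "inline" if record["inline"] else "attachment",
          len(record["content"]), "bytes", record["sha256"])
```

Recording the SHA-256 of the decoded payload at extraction time is what lets a later report show that the file produced from the OLK store is the one examined; validate=True makes base64 decoding fail loudly on a truncated or corrupted record instead of returning a silently shortened file.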

For processing olk14MsgAttach files, users can turn to a third-party application, OLK Converter for Mac, which transfers emails along with their attachments. The software can export emails to multiple file formats together with attachments, and it supports both olk14 and olk15 message files, so users can perform the conversion with a single tool.

Working of Software to Extract olk14MsgAttach File

  • Launch the software and click the Add Folder(s) button.
  • Browse to the OLK files and then press the Next button.
  • Choose the output file format from the available options.
  • Apply filters if you want, then choose the destination location.
  • Now click the Export button.
  • When the export process completes, go to the storage location where the olk15MsgAttach and other files were saved.
  • Here you can open and access the attachments stored in the OLK file easily.

Conclusion

As discussed above, the hex view of the olk14MsgAttach file is quite different from any other email attachment, so it is a little difficult for forensic investigators to read it properly. To overcome this, a user is advised to convert the olk14MsgAttach file to some other file format and read it that way. For this, the third-party tool mentioned above can convert all data items stored in an OLK file, including attachments, to multiple formats. Using this tool, it becomes easy for investigators to examine olk14MsgAttach or olk15MsgAttach files properly.

Android Forensics: The Meticulous Study of an Android Smartphone
https://www.systoolsgroup.com/updates/android-smartphone-forensics/ (Sat, 25 Apr 2015 11:15:11 +0000)
Mobile phones were introduced long ago, but growing technology and a change of era have converted their usage from just calling and communicating to doing almost everything on the go. The emergence of smartphones has also increased the adverse use of the technology, owing to their reach and affordable price. Thus, every other person is equipped with a smartphone, almost all of which are capable of replacing a computer. From calling, texting, emailing, data sharing and web browsing to carrying out online transactions, smartphones have become smart enough to do almost everything.

Though almost all smartphone platforms are equally involved in and affected by cyber-based criminal activities, the overwhelming use of Android OS has resulted in its involvement being comparatively greater than the others (iOS, Symbian, Blackberry, etc.). The OS is open source, and is thus used on a wide range of devices and not just the top brands.

Android Smartphone Forensics

In a case, a device can be on either of two ends: victim or suspect. This paper covers the forensic examination of Android-based smartphones to capture artifacts from internal storage that are otherwise not acquirable. The methodologies used are applicable to acquiring data from both a victim and a suspect device. The techniques and steps followed have been tested and executed under the supervision of expert investigators, and thus cause no harm in any manner to potential evidence stored on the device. The procedures are also applicable to examining an Android device of any brand or OS version.

Stage 1: An Introduction To Android And Its Architectural Built

Android is a mobile operating system developed by the OHA, or Open Handset Alliance. The team was formed with the motive of serving an affordable yet rich mobile experience to users by accelerating innovation on different mobile devices. The architecture of the Android OS is based on the Linux 2.6 kernel, as illustrated in the figure below:

[Figure: Android architecture]

The Android architecture is designed as a software stack comprising an operating system, applications, middleware, a runtime environment, libraries and services, in order to provide an optimal development and execution environment for applications on different mobile devices. The stack is arranged in layers, with the corresponding elements carefully integrated within them.

The kernel of Android is based on the Linux kernel. Primarily, versions 3.4 or 3.14 of the Linux kernel have been used by Android since April 2014. It is the dedicated hardware-abstraction layer that operates the hardware and its resources, and it maintains drivers for almost all hardware.

Android On-Device Storage

Data storage on an Android device is significantly larger than on any other smartphone. This storage is categorized into five groupings: internal storage, external storage, shared preferences, network, and SQLite. App data can take different forms depending on how the app got onto the device, i.e. apps that are:

  • Configured with the device or on its OS
  • Integrated by the manufacturer
  • Installed using wireless carriers
  • Additional Google or Android based apps
  • User installed

The files are located within a folder to which access can only be gained via root.

The file system is a medium of arranging data in an efficient order, though the file system used by Android has not remained the same across devices but changes with the device. YAFFS, JFFS and Ext* are some of the file systems that Android devices deal with, and Ext4 has been the most common among them. Basically, any FS for which the kernel can load drivers can be used by the OS.

Most devices in the early days of the mobile OS worked with older versions of Ext, YAFFS or JFFS. However, Ext4 has been the most reasonable choice among all due to its firm kernel support and good performance. In addition to the named file systems, many Android devices have also worked with f2fs, the Flash-Friendly File System from Samsung. That file system was designed specifically for flash storage media and thus maximizes performance on devices using NAND chips.

Ext4 Replacing YAFFS

By the end of 2010, Google announced the use of ext4 over YAFFS, and ext4 has been used since then. The change of file system was adopted with the motive of extending the storage limit and adding other improvements on the performance side.

The FS supports larger volumes as well as larger file sizes and was introduced with backward compatibility, making it possible to mount previous FS versions. Moreover, YAFFS was single-threaded and could not be considered an FS supporting advancing changes. Ext4, on the other hand, is multi-threaded, i.e. capable of working not only with dual-core devices but also with the latest quad- and octa-core systems.

Nevertheless, these are not officially the only file systems used by Android. All files, operations and directories of an applet work through an abstract kernel layer, the VFS (Virtual File System), and each file system is an implementation of the VFS interface that a device uses. The kernel module used for registering the VFS-supported operations of every file system is different.

NOTE: Knowing about the file system is a very important part of the investigation. It is thus considered the primary and most significant focus of the entire procedure. With the help of FS details, sensitive information can be carved out from allocated as well as unallocated / deleted space.

Acquisition of Evidence for Investigation

Drawing important data from the collected evidence is known as the procedure of Data Acquisition. However, when a mobile device is concerned, the procedure is not as easy as it is in the case of a hard drive. This is due to the condition in which a device has been acquired, i.e. with password protection, without USB access, etc. Considering these conditions, there are basically three ways of acquiring data that are followed during an Android forensic investigation:

TIP: If a password-protected device has been acquired in an unlocked state, investigators can retain the current state to avoid losing access to the device. To do so, go to Settings on the device, choose Developer Options and then select Stay Awake. This ensures that the device’s screen never turns off (while charging).

  • Manual. The examiner manually, i.e. without any tool or technique, captures data on the device by taking screenshots or pictures of every screen. The procedure is evidently time-consuming, tedious and not completely reliable, as only the data accessible to users can be acquired.
  • Physical. In this procedure every bit of data present on the device is imaged, bit by bit. Bit-by-bit imaging copies the complete FS, including data, deleted data and unallocated space.
  • Logical. Under this acquisition scheme, the examiner uses the device manufacturer’s application to synchronize the contents onto a desktop computer. Most of the tools offering logical acquisition are free of cost, but as the procedure is simply an extraction of user-accessible data, potential evidence may be skipped in the form of deleted data or information in unallocated space.

TIP: There are plenty of ways through which, for instance, a suspect can remotely access the device and wipe its data with no traces left behind. This makes the evidence vulnerable to tampering. Examiners can either keep the device in a radio-frequency shielding bag or simply activate the device’s Airplane Mode to block the networks. This blocks any activity via network or remote access, i.e. the only way through which an outsider can get access to the device while it is under observation.

For the most part, data that is physically (user) accessible is not of much use during an investigation. Thus, the internal storage of Android must be examined in order to capture strong, serviceable, dependable and authentic information.

File Structure

Android system uses more than one partition for storing information/data belonging to or created on a device. The representation of these partitions is done by the name of directories on the file system, serving as mount points for them. Using the ‘df’ command on adb shell will list the Android directory. And the directories that will get listed are illustrated as follows along with the data type stored within each:

[Image: file-structure]

The highlighted directories are the ones that are specifically important from an investigative point of view: /system, /cache, and /data. The upcoming segments elaborate on the means of accessing these directories in order to browse through the data stored within them.


NOTE: Accessing and analyzing the address book is critical during forensic investigations into Android devices. This is where the SysTools VCF Viewer Tool comes in. This application is intended to quickly browse and handle VCF (vCard) files, which are often used to store contact information on Android smartphones. The tool allows you to load one or more VCF files from the device and display all saved contact information. Once the VCF files are imported, you can quickly access detailed information about each contact, such as names, phone numbers, email addresses, and more.


Stage 2: Rooting and Accessing An Android Device

Access to the root directories of the device offers rightful access to the device memory, which stores a great deal of valuable information. Contact lists, text messages, call logs, other data stored by the device (possibly unavailable to the user), and any similar information is located under the root folder. Investigators can get their hands on such data by using rooting as the medium.

Rooting is a procedure used by members of the modding community, i.e. users who prefer modifying the device beyond its official, manufactured capability. The procedure grants access to the root directory and permissions of the device, permitting modification of performance or technical specs as per custom requirements.

Role of Android SDK

The Android Software Development Kit offers many significant options and features for developer access and usage. One of these is ADB, the Android Debug Bridge, provided as a communication interface between the Android system and a desktop computer. When connected via ADB, the computer gets easy access to a command shell on the device, which is further useful for installing and removing applications and transferring data from the OS.

There are multiple known procedures available to easily root a mobile device. Once the device has been rooted, the following procedure can be executed:

  • Access the device’s root folders using ADB

[Image: Directory-list]

  • Check the storage, size, and used/unused space of each partition on the command shell
  • Perform imaging of the directories via the ‘dd’ command (.img file)


Chief Stages of Analysis: Imaging and Extraction

Imaging the system directories is the most crucial stage of any digital forensic investigation, including Android forensics. The standing rule of all forensics is that one must not work on the primary evidence, so that it remains admissible in a court of law. Thus, bit-by-bit imaging of the involved device is considered very important.

We have used the ‘dd’ command for imaging Android system directories. ‘dd’ is a Unix-based utility meant for Unix and Unix-like operating systems. It is built for the purpose of copying data into an image file. Given below is how the ‘dd’ command is used (for representational purposes):

Validating Acquired Data with Disk Image

It is highly necessary to calculate and take note of the original hash value of the disk before imaging it. However, the MD5 hash value is not generated during the imaging process, so a tool must be used for acquiring it. For instance, ‘BusyBox’ is a complete toolkit of small Unix-based utilities combined into a single executable file. It can also calculate the hash value of a disk.

Once the original hash value is acquired, it must be compared with the hash value of the generated disk image. Matching hash values show that the evidence has not been tampered with in any way during the process, which is valuable information to present in a court of law during litigation.
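As an added example (not part of the original post and not a SysTools tool), the imaging and validation steps above emulated in Python on the host: a dd-style block copy of a constructed partition file, the hash recorded before imaging compared against the hash of the finished image, and a deliberate one-byte modification of the image to show the check failing. The file names, block size and tampering offset are assumptions.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # plays the role of dd's bs= argument (assumed value)


def md5_of_file(path, bs=BLOCK_SIZE):
    """Hash a file block by block, as BusyBox md5sum would on the device."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            h.update(chunk)
    return h.hexdigest()


def image_partition(src, dst, bs=BLOCK_SIZE):
    """Copy src to dst block by block (dd-style), hashing bytes as they are read.
    Returns (source_hash, image_hash, verified): the source hash stands for the
    value an examiner records before imaging, the image hash is recomputed from
    the finished .img file, and verified is True only when the two match.
    """
    h = hashlib.md5()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(bs), b""):
            h.update(chunk)
            fout.write(chunk)
    src_hash = h.hexdigest()
    img_hash = md5_of_file(dst, bs)
    return src_hash, img_hash, src_hash == img_hash


def demo():
    """Image a constructed 1 MiB 'partition' file, then tamper with the image.
    Returns (verified_after_imaging, verified_after_tampering).
    """
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "userdata.bin")  # constructed stand-in partition
    img = os.path.join(workdir, "userdata.img")
    with open(src, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    pre_hash = md5_of_file(src)                  # hash noted before imaging
    src_hash, img_hash, ok = image_partition(src, img)
    ok = ok and src_hash == pre_hash
    with open(img, "r+b") as f:                  # flip one byte in the image
        f.seek(12345)
        b = f.read(1)[0]
        f.seek(12345)
        f.write(bytes([b ^ 0xFF]))
    return ok, md5_of_file(img) == pre_hash
```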

Examining Disk Image for Evidence Extraction

This part of the investigation uncovers evidence with the help of disk image mounting tools. You can either go for a program that mounts the disk image and reads its data by listing the emulated folder structure, such as FTK Imager.

Otherwise, an application that can extract and generate a database (preferably from the user data directory) in SQLite DB format can be adopted for the task. Scalpel is one such reliable tool. Later, a SQLite database browser can be used to load the extracted database for examination.

In this case, we have chosen the second method, i.e. extraction of data into a SQLite DB with further processing done via a DB browser, SysTools SQLite Recovery. Images of the findings within different database tables are provided below for illustration.

Contact List

The table shows the last time each contact was contacted, the number of times they have been contacted, the display name given to them, and other related information.

[Image: contacts]

Messages

The address field shows the contact numbers that have ever been involved in a conversation made using the device, while the date and time stamp helps track down the exact time at which a particular message was exchanged. The body field lists the entire message exchanged in the conversation with the corresponding contact number.

[Image: messages]

Call Logs

On examining the call logs table, the following tabular list was revealed. Each field holds the information briefed below:

  • Number – The contact number
  • Date – Date and time
  • Duration – Call duration
  • Name – Name of the contact
  • Countryiso – Country

[Image: call-logs]


TIP: The timestamp fields hold a numeric value rather than a readable date. This is not a random number but the format in which a Unix-based timestamp is stored. These numbers can easily be converted using an online Unix timestamp converter to disclose the actual date and time. One of the timestamps has been converted below for illustration:


Example: 1427512846 is equal to Sat, 28 Mar 2015 03:20:46 GMT
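An added example (not the original post’s or SysTools’ code) that loads constructed call-log rows into an in-memory SQLite calls table with the fields listed above and converts the timestamps the way the tip describes. Android’s call log stores the date column in milliseconds since the epoch, so the converter also accepts millisecond values; the threshold used to tell the two apart and all sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows mimicking the calls table recovered from the
# userdata image (field names follow the blog's list; values are made up).
# The date column holds milliseconds since the Unix epoch, as Android stores it.
SAMPLE_CALLS = [
    ("+15551234567", 1427512846000, 73, "Alice Example", "us"),
    ("+15559876543", 1427599246000, 0, None, "us"),
]


def to_utc(ts):
    """Render a Unix timestamp (seconds or milliseconds) like the blog's example."""
    ts = int(ts)
    if ts > 10**11:  # assumption: values this large are milliseconds, not seconds
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")


def build_sample_db():
    """Create an in-memory calls table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE calls (number TEXT, date INTEGER, duration INTEGER,"
        " name TEXT, countryiso TEXT)")
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?)", SAMPLE_CALLS)
    conn.commit()
    return conn


def extract_call_logs(conn):
    """Return the call log rows, oldest first, with human-readable timestamps."""
    rows = conn.execute(
        "SELECT number, date, duration, name, countryiso FROM calls ORDER BY date")
    return [
        {"number": n, "date": to_utc(d), "duration": dur,
         "name": name or "", "countryiso": iso}
        for n, d, dur, name, iso in rows
    ]
```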

An Observational Verdict

Android is not limited to mobile phones and smartphones but has also reached other gadgets like tablets and computers. Thus, the forensic arena has a lot to look forward to and to upgrade its skills for. Analysis of different devices will certainly involve different procedures according to their storage type and directory layout. However, by following the detailed information discussed in the blog above, investigators can successfully acquire potential evidence from an Android phone for further investigation. The final report of the entire forensic analysis has to be created by the investigator, keeping in mind that the output must be in a court-admissible format.

The post Android Forensics: The Meticulous Study of an Android Smartphone appeared first on SysTools Software.

]]>