Mobile Forensics Skill (MSAB)
Digital forensics workflow for mobile device data extraction and analysis.
Advanced References
- Extraction patterns: see xry-extraction.md
- Analysis techniques: see xamn-analysis.md
- Chain of custody: see evidence-handling.md
Note: XRY, XAMN, and XEC are commercial tools requiring valid licenses from MSAB.
Workflow Overview
```text
Extract (XRY) → Analyze (XAMN) → Manage (XEC)
```
XRY - Data Extraction
Extraction Methods
- Logical extraction - data the device OS exposes through its backup or sync interfaces: app data, contacts, messages, call logs. Fastest and least intrusive, but it cannot reach deleted or unallocated data.
- Physical extraction - a bit-level image or full file system copy, including unallocated space where deleted data may be recovered. On devices with file-based encryption, unallocated space is normally unreadable, so deleted-data recovery is limited to what apps still hold (for example free pages inside SQLite databases).
- Cloud extraction - iCloud, Google accounts, social media, accessed with credentials or authentication tokens recovered from the device. Requires legal authority that covers the account, not only the handset.
- Chip-off extraction - desoldering the flash memory and reading it directly. Destructive and a last resort; on an encrypted device it yields ciphertext unless the keys are also obtained.
Supported Data Types
- SMS/MMS, call history, contacts
- Photos, videos, audio files
- App data (WhatsApp, Telegram, Signal, etc.)
- Location data, WiFi history
- Browser history, bookmarks
- Deleted content recovery (where the extraction method and the device's storage encryption allow it)
XAMN - Analysis & Visualization
Key Features
- Timeline analysis
- Communication mapping
- Keyword search across all data
- Geolocation mapping
- Link analysis between contacts
- Media gallery viewer
Analysis Workflow
- Import the XRY extraction
- Apply filters and keyword searches
- Build a timeline of events
- Map communications between parties
- Tag and bookmark items of evidentiary value
- Generate reports
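The analysis steps above (timeline, keyword search, communication mapping, link analysis) are what XAMN does inside its GUI. The following is an added example, not MSAB or XAMN code, showing the same operations in plain Python so the logic is explicit and reproducible. It assumes the analyst has exported messages to a CSV with the columns timestamp,app,sender,recipient,body (an assumed layout, not XAMN's own export format); the records embedded below are constructed for the example.

```python
"""Timeline, keyword search and link analysis over exported message records.

Added example, not MSAB/XAMN code. Assumes a CSV export with the columns
timestamp,app,sender,recipient,body (assumed layout, not XAMN's format).
The sample records below are constructed, not real case data.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample export; ISO-8601 UTC timestamps, deliberately out of order.
SAMPLE_CSV = """timestamp,app,sender,recipient,body
2024-03-02T09:15:00Z,WhatsApp,+15550001,+15550002,meet at the warehouse at 8
2024-03-02T09:17:30Z,WhatsApp,+15550002,+15550001,ok bring the documents
2024-03-02T20:05:10Z,SMS,+15550001,+15550003,done with the warehouse drop
2024-03-01T22:40:00Z,Signal,+15550003,+15550001,call me tomorrow
2024-03-02T20:06:00Z,SMS,+15550003,+15550001,good
"""


def load_records(csv_text):
    """Parse the export, converting timestamps to timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def build_timeline(records):
    """Chronological order regardless of the order in the export."""
    return sorted(records, key=lambda r: r["timestamp"])


def keyword_search(records, keyword):
    """Case-insensitive search across message bodies, in export order."""
    kw = keyword.lower()
    return [r for r in records if kw in r["body"].lower()]


def communication_map(records):
    """Message count per unordered pair of parties (link analysis edges)."""
    links = Counter()
    for r in records:
        pair = tuple(sorted((r["sender"], r["recipient"])))
        links[pair] += 1
    return links


def contacts_of(records, party):
    """Who exchanged messages with `party`, and via which apps."""
    apps = defaultdict(set)
    for r in records:
        if party == r["sender"]:
            apps[r["recipient"]].add(r["app"])
        elif party == r["recipient"]:
            apps[r["sender"]].add(r["app"])
    return {k: sorted(v) for k, v in apps.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for r in build_timeline(recs):
        print(r["timestamp"].isoformat(), r["app"], r["sender"], "->",
              r["recipient"], r["body"])
    print(keyword_search(recs, "warehouse"))
    print(communication_map(recs))
    print(contacts_of(recs, "+15550001"))
```

Timestamps are normalised to UTC before sorting; mixing local-time and UTC values from different apps is a common source of wrong timelines, so record each app's timezone handling in the methodology section of the report.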
XEC - Workflow Management
Capabilities
- Team performance monitoring
- License management
- Remote deployment of updates
- Case management
- Audit trail logging
Evidence Handling Best Practices
Chain of Custody
- Document device receipt (date, time, condition, who handed it over)
- Photograph the device (all sides, screen state, SIM and SD slots) before processing
- Isolate the device from all networks (airplane mode, Faraday bag) so it cannot be remotely wiped or receive new data
- Use write-blockers when imaging removable media such as SD cards; the handset itself cannot be write-blocked, so record exactly what the extraction tool changes on it
- Hash all extracted data with SHA-256; MD5 only as an additional cross-check for legacy tooling, never as the sole integrity value, since MD5 collisions are practical
- Document every action taken, with timestamps and the analyst's name
- Store evidence and extractions with access controls and an audit trail
Court-Ready Reports
- State the extraction method, tool and version used
- Record hash values of the extraction and of every exported artefact for integrity
- Include analyst credentials
- Describe the methodology in enough detail for another examiner to reproduce it
- Export in standard formats (PDF, Excel)
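The hashing, action logging and report items in the two lists above come together in an evidence manifest. The following is an added example, not MSAB or XEC code, that hashes every file in an extraction directory (SHA-256, with MD5 only as a legacy cross-check), keeps a timestamped custody log, and later re-verifies the directory to detect a modified, added or missing file. The manifest layout and field names are this example's own assumptions, and the sample extraction is constructed in a temporary directory.

```python
"""Evidence manifest: per-file hashes, custody log and re-verification.

Added example, not MSAB/XRY/XEC code. The manifest format and field names
are assumptions made for this example; the sample files are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the digest so large images do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(extraction_dir, case_id, analyst, method):
    """Record extraction metadata and a hash for every file under the directory."""
    files = {}
    for root, _dirs, names in os.walk(extraction_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, extraction_dir).replace(os.sep, "/")
            files[rel] = {
                "size": os.path.getsize(full),
                "sha256": hash_file(full, "sha256"),
                "md5": hash_file(full, "md5"),  # legacy cross-check only
            }
    return {
        "case_id": case_id,
        "analyst": analyst,
        "extraction_method": method,
        "created": datetime.now(timezone.utc).isoformat(),
        "files": files,
        "custody_log": [],
    }


def log_event(manifest, analyst, action):
    """Append a timestamped custody event (receipt, photograph, extraction, transfer)."""
    manifest["custody_log"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "analyst": analyst,
        "action": action,
    })


def verify(manifest, extraction_dir):
    """Re-hash the directory; return a list of problems (empty means intact)."""
    problems = []
    seen = set()
    for root, _dirs, names in os.walk(extraction_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, extraction_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest["files"].get(rel)
            if expected is None:
                problems.append(f"unexpected file: {rel}")
            elif hash_file(full) != expected["sha256"]:
                problems.append(f"sha256 mismatch: {rel}")
    for rel in manifest["files"]:
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return problems


def demo():
    """Constructed extraction, manifest creation, then a tampering check."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "sms"))
        with open(os.path.join(d, "sms", "messages.db"), "wb") as f:
            f.write(b"constructed sample database contents")
        with open(os.path.join(d, "contacts.csv"), "w") as f:
            f.write("name,number\nAlice,+15550001\n")
        open(os.path.join(d, "notes.txt"), "w").close()  # empty file
        m = build_manifest(d, "CASE-0001", "J. Doe", "XRY logical")
        log_event(m, "J. Doe", "device received, powered off, sealed in bag")
        log_event(m, "J. Doe", "logical extraction completed, manifest created")
        manifest_json = json.dumps(m, indent=2)  # store this outside the directory
        before = verify(m, d)
        # Simulate a post-extraction modification of one artefact.
        with open(os.path.join(d, "contacts.csv"), "a") as f:
            f.write("Mallory,+15559999\n")
        after = verify(m, d)
        print(manifest_json)
        return before, after, m


if __name__ == "__main__":
    print(demo()[:2])
```

The manifest is only as trustworthy as its own storage: hash it too, keep that hash in the case record (or sign the file), and store it outside the extraction directory so that an attacker who can alter an artefact cannot also rewrite the expected value.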