The Helpline has acquired data from an Android device that could be infected or can be used as digital evidence, and needs to issue a report on the forensic acquisition.
Mobile Data Acquisition Report Guidelines
Guidelines for producing a report of a forensic data acquisition on a mobile device
Problem
All the steps detailed in Article #305: Android Devices Data Acquisition Procedure (SD Card and SIM card byte-copy, data acquisition with Android Debug Bridge) should be detailed in this report, along with the results of the previous research and data gathered on the device.
Solution
Create a report with the following sections:
- Title page: Case name (Access Now Ticket number), date, investigator’s name, and contact information
- Table of Contents
- Executive Summary
- Aim of the investigation and objectives
- Device research and data: general information, condition of the device, hardware structure, file system, etc.
- Selected acquisition tool and justification of the selection (include software and hardware used, version numbers, etc.)
- Procedures followed: SD Card and SIM card byte-copy, data acquisition with Android Debug Bridge
- Image information summary: image name, hashes, name of the encrypted container, etc.
- Timeline: concise timeline of important events
- Conclusion
- Signature
- Investigator’s curriculum vitae, chain of custody documentation, supporting documents linked from the body of the report, etc.
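One way to produce the entries for the "Image information summary" section, shown as an added example that is not part of the original guidelines: it hashes each acquired image in a single pass, formats one line per image for the report, and re-checks the recorded hashes later. The choice of MD5 and SHA-256, the function names and the file name `sdcard.img` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB blocks so multi-GB dumps fit in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one image, reading the file once."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def image_summary(paths):
    """Build one record per acquired image: name, size in bytes, hashes."""
    return [
        {"name": os.path.basename(p), "bytes": os.path.getsize(p), **hash_image(p)}
        for p in sorted(paths)
    ]


def verify(records, directory):
    """Re-hash the images and return the names whose hashes no longer match."""
    changed = []
    for rec in records:
        now = hash_image(os.path.join(directory, rec["name"]))
        if any(now[alg] != rec[alg] for alg in now):
            changed.append(rec["name"])
    return changed


def render(records):
    """Format the records as plain-text lines for the report section."""
    return "\n".join(
        f"{r['name']}  {r['bytes']} bytes  MD5 {r['md5']}  SHA-256 {r['sha256']}"
        for r in records
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sdcard.img")  # constructed stand-in, hypothetical name
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        print(render(image_summary([sample])))
```

Running `verify` against the stored records before the report is signed shows whether any image changed after acquisition.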
Comments
Find an official format for the report here.