An empirical comparison of data recovered from mobile forensic toolkits

Mobile devices are increasingly being used as a source of digital evidence in criminal investigations. Mobile forensic toolkit manufacturers have responded to this trend by developing recovery methods capable of recovering evidence from the ever growing range of mobile device models. However, there is a considerable amount of concern as to the reliability of evidence produced from forensic software, with a number of authors documenting difficulties verifying evidence when it is obtained. This paper reports on a comparison of data recovered by a selection of software based methods available in three mobile device forensic toolkits. The results provide the first empirical evidence that there is considerable variation in results between recovery methods in terms of the proportion of data recovered from different devices by different toolkits. In addition, the results suggest that a forensics investigator will face serious challenges verifying the data recovered using one method using the data recovered by another. (c) 2013 Elsevier Ltd. All rights reserved.