Time is valuable. And time spent performing tedious tasks not only takes away from our productivity but could have devastating effects on time-sensitive investigations.
We (examiners and investigators) rely on our mobile forensic tools to obtain, decode, and present data with speed and integrity. However, it is not possible for our tools to support every mobile device and app that exists. It is inevitable that we will need to manually process data from an extraction in order to obtain the evidence we need. That manual processing can require hours of forensic analysis.
That is where Python comes to the rescue! Python is a scripting language ideal for iterating through and parsing data. Once we identify a pattern, we can unleash the power of Python to automate processes and save countless hours of manual labor.
Here is an example: a feature phone that was not supported by any commercial mobile forensic tool on the market, and the potential hours of manual processing that would have been required if it weren’t for Python.
A “similar profile” was used to obtain a logical extraction of an LG feature phone. The similar profile did not decode the texts, calls, or contacts from the device. In fact, the only messages it decoded were the auto-reply messages that came with the phone. Fortunately, the file system was obtained, providing hundreds of files with the naming convention “inbox####.dat” in the SMS/inbox folder of the device. It became apparent that these were the incoming text messages that had not been decoded.
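A first triage pass over such a folder, as an added example rather than code from the original article: it inventories every file matching the “inbox####.dat” convention, hashes each one so later work can be tied back to the original bytes, and pulls out printable strings as a first look at an undecoded format. The record layout is not described here, so the sample bytes, the phone numbers and the function names are constructed for illustration, and four digits are assumed for “####”.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Naming convention from the article: "inbox####.dat" (four digits assumed).
INBOX_NAME = re.compile(r"^inbox(\d{4})\.dat$", re.IGNORECASE)
# Runs of 4+ printable ASCII bytes; the real record layout is unknown.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def triage_inbox(folder):
    """Return one dict per inbox####.dat file, ordered by message number."""
    rows = []
    for path in Path(folder).iterdir():
        match = INBOX_NAME.match(path.name)
        if not match or not path.is_file():
            continue  # skip anything that does not follow the convention
        data = path.read_bytes()  # read-only: the extraction is never modified
        rows.append({
            "number": int(match.group(1)),
            "name": path.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "strings": [s.decode("ascii") for s in PRINTABLE.findall(data)],
        })
    return sorted(rows, key=lambda r: r["number"])


def build_constructed_sample(folder):
    """Write constructed stand-in files; these bytes are NOT the LG format."""
    folder = Path(folder)
    (folder / "inbox0002.dat").write_bytes(
        b"\x00\x01\x05" + b"5550100" + b"\x00\xff" + b"See you at 5\x00")
    (folder / "inbox0001.dat").write_bytes(
        b"\x00\x01\x05" + b"5550199" + b"\x00\xff" + b"Call me back\x00")
    (folder / "notes.txt").write_bytes(b"not a message file")


def demo():
    """Build the constructed sample in a temp folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage_inbox(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row["name"], row["size"], row["sha256"][:16], row["strings"])
```

Run it against a working copy of the extraction, not the original evidence; the strings column is what usually reveals the repeating pattern that a full parser can then be written around.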