Mobile Forensics

Concluding a Forensic Gathering


Last updated 1 year ago

To conclude a forensic gathering, you should always:

  1. Inform the user of the findings

  2. Preserve the evidence (extracted data, logs, screenshots), together with a record of what was collected, when and by whom

  3. Restore the device to its original state
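The evidence-preservation step above, as an added example that is not part of the original guide: a Python script that hashes every file in an extraction directory into a manifest and can later re-verify the directory against it, reporting modified, missing and unexpected files. The case id, examiner address and the two sample artefact files created in `demo()` are constructed placeholders.

```python
"""Added example (not from the original page): seal files extracted during a
forensic gathering in an integrity manifest, then re-verify them later."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large extractions need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, examiner: str) -> dict:
    """Record every file under evidence_dir with its size and SHA-256.

    The manifest doubles as the chain-of-custody record: who collected what,
    when, and the hashes that let anyone re-check the files afterwards.
    """
    entries = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {
        "case_id": case_id,
        "examiner": examiner,
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Serialize deterministically and return the manifest's own SHA-256.

    Keep that hash somewhere separate from the evidence (case notes, a signed
    e-mail) so that tampering with the manifest itself is also detectable.
    """
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    out_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash the directory and report modified, missing and unexpected files."""
    recorded = manifest["files"]
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, meta in recorded.items():
        path = evidence_dir / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - set(recorded))
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo(workdir: Path = None) -> tuple:
    """Constructed walkthrough: collect two sample artefacts, seal, tamper, re-verify.

    Returns (manifest_hash, report_before_tampering, report_after_tampering).
    """
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="forensics-"))
    case_dir = workdir / "case-0001"            # constructed case id
    evidence = case_dir / "extraction"
    (evidence / "android").mkdir(parents=True, exist_ok=True)
    # Constructed sample artefacts standing in for real extraction output.
    (evidence / "android" / "packages.txt").write_text(
        "com.example.app\ncom.example.suspicious\n")
    (evidence / "android" / "netstat.txt").write_text(
        "tcp 0 0 10.0.0.2:44123 203.0.113.7:443 ESTABLISHED\n")

    manifest = build_manifest(evidence, "case-0001", "examiner@example.org")
    # The manifest lives beside, not inside, the evidence tree so it is not
    # flagged as an unexpected file on verification.
    manifest_hash = write_manifest(manifest, case_dir / "manifest.json")
    clean = verify_manifest(evidence, manifest)

    # Simulate someone editing an artefact after it was sealed.
    (evidence / "android" / "packages.txt").write_text("com.example.app\n")
    tampered = verify_manifest(evidence, manifest)
    return manifest_hash, clean, tampered


if __name__ == "__main__":
    digest, before, after = demo()
    print("manifest sha256:", digest)
    print("before tampering:", before)
    print("after tampering:", after)
```

Run the script as-is to see the clean report followed by `packages.txt` listed under `modified`; point `build_manifest` at a real extraction directory (for example the output of the Android or iOS extraction steps earlier in this guide) to seal actual evidence, and note the returned manifest hash in your case notes.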

Malware infections

If malware infections were found on a device, the usual Incident Response procedure applies:

  1. Containment

  2. Eradication

  3. Recovery

  4. Lessons learned / evidence retention

Refer to the NIST Computer Security Incident Handling Guide (SP 800-61) for more information.

The incident response procedure varies a lot depending on the situation. To give a few examples:

  1. An app that steals the user's contacts was installed and used: decide whether leakage of the user's contacts would put anyone in danger. If not, simply remove the app.

  2. Malware that tries to steal other apps' login cookies: change the passwords of all accounts that were logged in on the device, log out all sessions, then log in again. If the malware exploited system protections, factory reset the device and install the latest system updates; if the device hardware is too old to receive updates, urge the user to switch to a new device.
