> For the complete documentation index, see [llms.txt](https://pellaeon.gitbook.io/mobile-forensics/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pellaeon.gitbook.io/mobile-forensics/methodology.md). # Methodology The methodology for doing quick forensics can be quite ad-hoc, and eventually with time you will develop your own. This guide should help in this process. Generally, when trying to triage a possible infection, you will look for any anomaly that you are able to identify on the device. Such anomalies, for example, can be: 1. Applications and processes running on the device that you and the owner of the device do not recognize. Applications and processes that show some unusual characteristics, such as suspicious names and file locations, or attempts at hiding. 2. Because spyware normally would want to be able to survive a shutdown of the device, you will look for applications which maintain persistence over the device and are therefore registered for automatic execution at startup. 3. Suspicious network connections to infrastructure and services that you and the owner of the device do not recognize. 4. Accounts, profiles or configurations that do not belong to the device owner. While it is not possible to compile an exhaustive checklist of precise anomalies to look out for, the process of developing a robust quick forensics methodology will require *training your eye*, by inspecting as many devices as you can get your hands on. Eventually, you will start recognizing patterns across various operating systems, and become more rapid and efficient at discarding legitimate applications and spotting those that stand out. It takes practice. **Warning**: the methodology we describe in this guide heavily relies on using tools that are publicly available and highly popular. Because of this, more sophisticated malware might be capable of bypassing or evading these tools and trick you into believing you are looking at a clean system. Therefore, **this methodology needs to be considered a best effort.** You have to take into account the possibility of false negatives and adjust your assessment accordingly (particularly in relation to the device owner's [safety](/mobile-forensics/preparations/safety.md)). ## Considerations on legal litigation Under some circumstances, it is possible that the owner of the device has an interest in pursuing some legal action against the perpetrators of the attack you are documenting, or perhaps the producers of the technology used to conduct it. This could be the case, for example, with victims of domestic abuse, or perhaps with activists seeking to prove some illegal surveillance of their communications. If you believe the person you are assisting might be interested in any form of legal litigation, especially based on your work, you might need to adapt your methodology. From country to country, from jurisdiction to jurisdiction, rules and best practices for gathering digital evidence admissible in court can vary. Generally, because of [chain of custody](https://en.wikipedia.org/wiki/Chain_of_custody) and to safeguard the integrity of the device, data acquisition (especially from phones) might be heavily restricted. You should inform yourself about the laws and the standard practices from the jurisdiction you normally operate in. Ideally, you should seek advise from local forensics specialists and maybe even seek the assistance of an accredited forensics firm. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://pellaeon.gitbook.io/mobile-forensics/methodology.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.