An official website of the United States government, Department of Justice.

Targeted Data Extraction System (TDES) for Mobile Devices

NCJ Number: 306445
Date Published: July 2022
Length: 45 pages
Annotation

This report provides a verification assessment of the Targeted Data Extraction System, a system for the targeted extraction of data from mobile phones for forensic investigations.

Abstract

This verification assessment report discusses the evaluation of the Targeted Data Extraction System (TDES), conducted to verify claims regarding the TDES prototype’s ability to perform targeted extraction of data that were generated and stored on a mobile phone during defined time intervals, to the exclusion of information that was not generated and stored during those incident-related intervals. The authors of this report note that one performance requirement was that the TDES should offer at least comparable performance to existing digital forensic software tools available for examining and analyzing mobile devices. The TDES verification testing plan was executed using a phase-gate approach. The ability of the TDES tool to read a file system was assessed by three parameters: the tool correctly read a data system, as demonstrated by the calculation of a cryptographic hash for a file; it correctly read the file path for the files of interest; and it correctly interpreted and displayed the metadata of a file, as demonstrated by examination of the file modified/accessed/created times and dates.

Assessment outcomes suggested the following: TDES does not have an acquisition function that would allow for more extensive analysis and confirmation of findings; the TDES software operates differently relative to other commercially available mobile forensic tools in that the file is executed by the examiner’s computer, which installs the TDES drivers automatically onto the device when it is connected to the computer; TDES functions differently because it is a manual operation driven by the operator, and once the analysis is complete, the artifacts from TDES remain on the phone and will be detectable later when a forensic analysis is performed; TDES does not allow for a forensic copy of the data and requires actions that do not reflect sound forensic practice; and TDES does not allow the export of data from other messaging apps.

Date Published: July 1, 2022