Forensics

This page will explain the different features found in the Forensics tab.

While some automated forensic testing was completed in the Setup phase (i.e. Credentials and Keyword searching), the Forensics tab allows the analyst to review ALL files from the application that are stored locally on the device. No additional tests are performed under this tab.

By default, the “File Tree” view lets the analyst browse the file system as it exists on the device; alternatively, the analyst may select “File List” to see a flat list of every file within the specified application folder, without the directory structure.

With both options, the user can filter by file type to narrow down the list. It is recommended to view each file stored on the device, as there may be sensitive application data stored that was not found via the Keyword search.


Property lists, or plists (iOS), and some XML files can be stored in binary form. If a preference file is stored in binary format, Workstation will attempt to convert it to XML automatically so that its content can be read easily.

When a file is selected, its contents are displayed immediately to the right.

For example, for database files the tables are listed along with the number of rows contained in each table. If a table has one or more rows, select it and its contents will be shown in the pane below.


If a file type is unknown or unreadable, its content is displayed in hex format within Workstation.

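The three behaviours described above (binary plist to XML, table and row counts for databases, hex for anything else) can be reproduced with the Python standard library when reviewing an app's data directory outside Workstation. This is an added example, not Workstation's own code; the file names and contents it builds are constructed sample data, and the magic-byte checks are the author's own classification, not the tool's.

```python
import plistlib
import sqlite3
import tempfile
from pathlib import Path

MAGIC = {b"bplist00": "binary-plist", b"SQLite format 3\x00": "sqlite"}  # leading bytes per format

def classify(data: bytes) -> str:
    """Identify the on-disk format from its leading bytes; anything else is 'unknown'."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def plist_to_xml(data: bytes) -> str:
    """Render a binary plist as XML so its keys and values can be read."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode()

def sqlite_table_rows(path) -> dict:
    """Map each user table in a SQLite file to its row count."""
    con = sqlite3.connect(path)
    counts = {}
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"):
        quoted = '"' + name.replace('"', '""') + '"'  # table name comes from the file: quote it
        counts[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    con.close()
    return counts

def hexdump(data: bytes, width: int = 16) -> list:
    """Fallback view for unreadable files: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {chunk.hex(' '):<{width * 3}} |{asc}|")
    return lines

def describe_file(path) -> tuple:
    """Return (kind, readable view) for one file, as the Forensics pane would show it."""
    data = Path(path).read_bytes()
    kind = classify(data)
    views = {"binary-plist": lambda: plist_to_xml(data), "sqlite": lambda: sqlite_table_rows(path)}
    return kind, views.get(kind, lambda: hexdump(data))()

def build_sample_app_dir() -> str:
    """Constructed sample files (not from a real device): a binary plist, a SQLite db, a raw blob."""
    d = Path(tempfile.mkdtemp())
    (d / "Preferences.plist").write_bytes(plistlib.dumps({"session_token": "constructed-value"}, fmt=plistlib.FMT_BINARY))
    with sqlite3.connect(d / "cache.db") as con:
        con.execute("CREATE TABLE messages (id INTEGER, body TEXT)")
        con.executemany("INSERT INTO messages VALUES (?, ?)", [(1, "hello"), (2, "world")])
    con.close()
    (d / "unknown.bin").write_bytes(b"\x00\x01\x02ABC")
    return str(d)
```

Running `describe_file` over each file in `build_sample_app_dir()` yields the XML of the plist, `{"messages": 2}` for the database, and a one-line hex dump for the blob.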

Another option is to double-click any file to open it in the Artifact Viewer, which provides additional ways to view the data.

While the app files are being reviewed, if the analyst comes across data of interest, they have the option to create a finding or a note at the bottom of the interface. For details on creating findings/notes, please refer to the Editors section.

You can go back to the Forensics tab at any time during your assessment to review files or add additional findings.