Mobile Device Investigator (MDI) is the leading digital forensic triage tool for iOS and Android devices. In this short "How To" video, ADF's digital forensic specialist and trainer, Rich Frawley, will show you how to create a Search Profile with MDI.
In this smartphone forensic example, you'll learn how to create a Search profile that collects all the Communications Captures and the Device Information.
To get started:
- Click on the New Profile button in the Function Toolbar
- Enter a unique name for the profile
- Optional - Enter notes describing what the search profile will do
The left hand side of the Define Search Profile view contains categories of Captures available.
- Clicking on a Capture category displays the Captures on the right hand side.
- Clicking on an Artifact Capture offers the option to Expand, which shows further details of the type of data the Artifact Capture will collect. Clicking Collapse returns to the Capture selection view.
To select a Capture click on the check box next to it. To select all Captures within a Category, Click on the check box next to the Category. When the desired Captures for the Search Profile have been selected, click the Next button to continue.
It is now possible to add or delete custom fields of information that the user enters when starting a scan, or to use the scan information fields set up in the Settings view. By default there are three mandatory fields: Scan Name, Scan Date, and Scan Time. Additional fields can be added to prompt for more information by typing in the “enter new field name” text box. It is possible to include a default value and to make the new field mandatory. To delete a custom field, click on the Delete button alongside it.
Other Scan Options:
- Skip files processed for more than – sets a time limit after which files that are taking too long to process are skipped. This is useful when corrupt files are preventing scans from completing quickly. Type a numerical value and select minutes or seconds
- Collect skipped files – collects files less than 2GB that were skipped during a scan
- Collect protected files – this copies any password protected files detected by Captures to the Scan Results
- Collect files that crashed parser – this copies any files that Captures cannot read to the Scan Results
- Activate Bitlocker on Collection Key – this will encrypt any Scan Results written to the key securing the data against loss or theft
- Whitelists – add a whitelist based on a folder of files, a CSV file containing hash values or a JSON file of hash values
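The whitelist option works on the standard forensic idea of known-file exclusion: hash a reference set of files once, store the digests, and drop anything from the scan results whose hash matches. The following Python is an added example of that mechanism, not ADF's code and not MDI's own whitelist format; the CSV column name `sha256`, the JSON layout (a plain list of digests) and every sample file are assumptions constructed for the demonstration. It builds a whitelist from a folder, round-trips it through both CSV and JSON, and triages a constructed "device dump" folder so that only files not in the whitelist are left for review.

```python
"""Hash-based whitelist triage: build a known-file hash set from a folder,
save it as CSV or JSON, and filter a scan target against it."""
import csv
import hashlib
import json
import tempfile
from pathlib import Path

# NOTE: the CSV column name and JSON layout below are assumptions made for this
# example; they are not MDI's documented whitelist formats.
CSV_HASH_COLUMN = "sha256"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files never sit in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_whitelist(folder):
    """Hash every regular file below folder -> {hex digest: relative path}."""
    folder = Path(folder)
    return {
        sha256_of_file(p): p.relative_to(folder).as_posix()
        for p in sorted(folder.rglob("*"))
        if p.is_file()
    }


def write_whitelist_csv(whitelist, out_path):
    """Assumed layout: header row, then one digest and its source path per line."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow([CSV_HASH_COLUMN, "source_path"])
        for digest, rel in whitelist.items():
            writer.writerow([digest, rel])


def write_whitelist_json(whitelist, out_path):
    """Assumed layout: a JSON array of lowercase hex digests."""
    Path(out_path).write_text(json.dumps(sorted(whitelist)))


def load_hashes(path):
    """Load a whitelist from .csv or .json into a set of lowercase digests."""
    path = Path(path)
    if path.suffix.lower() == ".csv":
        with open(path, newline="") as fh:
            return {row[CSV_HASH_COLUMN].strip().lower() for row in csv.DictReader(fh)}
    if path.suffix.lower() == ".json":
        return {h.strip().lower() for h in json.loads(path.read_text())}
    raise ValueError(f"unsupported whitelist format: {path.suffix}")


def triage(target_folder, known_hashes):
    """Return relative paths of files whose hash is NOT in the whitelist."""
    target = Path(target_folder)
    return sorted(
        p.relative_to(target).as_posix()
        for p in target.rglob("*")
        if p.is_file() and sha256_of_file(p) not in known_hashes
    )


def demo():
    """End-to-end run on constructed sample files; returns the unknown files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known_dir = root / "known_good"
        known_dir.mkdir()
        (known_dir / "framework.jar").write_bytes(b"constructed: stock framework bytes")
        (known_dir / "launcher.apk").write_bytes(b"constructed: stock launcher bytes")

        whitelist = build_whitelist(known_dir)
        write_whitelist_csv(whitelist, root / "whitelist.csv")
        write_whitelist_json(whitelist, root / "whitelist.json")

        # Both on-disk forms must round-trip to the same hash set.
        from_csv = load_hashes(root / "whitelist.csv")
        from_json = load_hashes(root / "whitelist.json")
        assert from_csv == from_json == set(whitelist)

        # Constructed "device dump": one known file (renamed, so only the hash
        # matches), one user file, and one known file with altered contents.
        dump = root / "device_dump"
        (dump / "system").mkdir(parents=True)
        (dump / "system" / "fw.jar").write_bytes(b"constructed: stock framework bytes")
        (dump / "notes.txt").write_bytes(b"constructed: user-created content")
        (dump / "launcher.apk").write_bytes(b"constructed: MODIFIED launcher bytes")

        return triage(dump, from_csv)


if __name__ == "__main__":
    print(demo())
```

Matching is by content hash only, so a renamed copy of a known file is still excluded, while a known file whose bytes have been changed is not; that is exactly the property an examiner wants from a whitelist, since it reduces volume without hiding tampered files.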
Once your selections have been made, select Save. Your profile is now part of your Search Profile Library, where you can export, delete, copy, or edit it. Search Profiles can also be customized by clicking the New Capture button on the Function Toolbar; you can create Captures to Collect files, Search for files by Hash, and Search by Keyword.