With ADF digital forensic software tools, it's possible to scan multiple devices simultaneously and have them as part of one scan. However, there are some items we need to keep in mind when preparing to scan multiple devices.
First, are the devices similar or are we combining computer with mobile?
If we're combining computer and mobile, we want to ensure the search profile is properly configured. With our search profiles we give you default out-of-the-box search profiles for you use: Quick, Intermediate, Comprehensive, and Mobile.
The Quick and the Intermediate search profiles are to be used on the system drive a computer. The Quick and Intermediate Search Profiles target the directory structure of the computer and more specifically the User Profiles of that computer
Comprehensive will target the entire file system and will run all artifact captures. If you are running a Search Profile on a single device this would not necessarily be the best option for mobile as there would be computer artifacts that would have zero results, therefore we give you a Mobile Search Profile as well.
Usually, investigators and forensic analysts are working off of one device, which makes it easy to pick a search profile for either a computer or mobile. Here, investigators would want to do multiple devices. In order to do so, there are a couple of options.
You can copy one of these profiles and adjust it- or you can start from scratch with a new profile and create what you want out of each of these scans.
In order to start from scratch, investigators need to step through each category and select which items they would like to have parsed out. Artifact Captures recover specific records or information; for example, browsing history records or user account information. Artifact Captures are denoted by icons that represent OS or apps that they will parse.
When selecting or creating a new File Capture it is imperative that you select "Comprehensive" for an existing File Capture. Another important consideration when creating a File Capture is to ensure that “Entire File System” is chosen as your file source. Before scanning it is also suggested that you use the label feature to label each one of the devices for ease of filtering and sorting.
Once the Search Profile is complete, analysts and investigators can then go to Scan Devices and Images and select the multiple devices to scan. This can be a combination of any attached device, folder, forensic image file, mobile device, and mobile device backup.
When analyzing the results you can go to any table containing your results and filter by the label name you assigned or the OS that the information was parsed from. When filtering tables such as Pictures and Video, you can sort by path which would begin with the label named assigned. When filtering artifacts such as Connection Logs you would filter by OS, such as Windows and Apple iOS. In the case where no records were located on one device the ability to filter by that device will not be available.
