Has the user ever used the XYZ application? aka traces of application execution on mobile devices
A common question during a forensic investigation of a digital device is: " Has the user ever used the XYZ application? ". As always when answering this question, it is important to create and follow a solid process. In this blog post, I want to share a possible process that everyone should customize based on their needs and roles. The ability to answer the question depends on the acquisition that was obtained from the device. In this blog post, I will address the scenario where you have a full file system acquisition (or physical, for older devices). Check whether the XYZ application is installed First, check whether the XYZ application is still installed on the device at the time of the acquisition . On an iOS device, there are several easy ways to check this. To name just a few of the most common: Check if the XYZ bundle is available under \private\var\containers\Bundle\Application\<GUID> Check whether the XYZ App Sandbox folder is available under \private\var\mobile...