Leaving validation to one side, when I am teaching mobile phone examination I get delegates on the course to try lower-level tests in the first instance.
Try this experiment:
1) Conduct acquisition and harvesting of the handset's SMS text message logical data.
2) Produce a paper printout report of all those text messages (this will be one test guide).
3) Through the handset reading tool you are using, display the text messages on the screen of your computer (this will be another test guide).
4) With the test handset switched ON view the text on the screen and take screen shots. The information in the screen shots should be as complete as that which can be viewed on the screen of the handset by the ordinary user (this will be yet another test guide).
The purpose of this experiment is, having cross-referenced all three test guides, to see whether they are, in the first instance, identical in every way. Moreover, can the tests be replicated by an examiner with the same system or another system?
Another simple experiment to consider:
Consider, and through trial and error discover, when you would apply a hash value.
Does your tool currently produce a hash displayed on the screen for each text message or are all of the saved text messages given a hash value?
Specifically, when your computer produces the output of data on to printed paper, is a hash value displayed (somewhere) and, if so, is the hash value the same as seen in the program on the computer screen or is it the hash value for the data that is actually printed on the paper (or would you need another value for that)?
With respect to the handset screen shots, would they need a hash value, and would the hash value be created by the screen shot program for the images or for the printed-out data?
The purpose of this experiment is to identify exactly the relevance of hash values: to what they are being attributed and what they technically prove (or whom they exonerate), as opposed to simply having loads of hash values that need to be explained to a Court, where the hash values do not exactly corroborate each other but correspond to different things.
Now re-run the experiments with two different handset readers.
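The hash questions in the second experiment can be tried out in a few lines. This is an added example, not part of the original post or any reader tool's code: it hashes the same constructed messages individually, as a set, and as two rendered reports, then cross-references two test guides. The field names, the canonical JSON form and both report layouts are assumptions.

```python
import hashlib
import json

# Constructed sample data: three SMS records as a reader might extract them.
MESSAGES = [
    {"index": 1, "sender": "+440000000001", "time": "2010-03-01T09:15:00", "text": "Running late"},
    {"index": 2, "sender": "+440000000002", "time": "2010-03-01T09:17:30", "text": "OK see you at 10"},
    {"index": 3, "sender": "+440000000001", "time": "2010-03-01T09:58:12", "text": "Outside now"},
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(msg: dict) -> bytes:
    """Assumed canonical form of one message: sorted-key JSON, UTF-8."""
    return json.dumps(msg, sort_keys=True, ensure_ascii=False).encode("utf-8")

def per_message_hashes(msgs):
    return {m["index"]: sha256(canonical(m)) for m in msgs}

def set_hash(msgs):
    """One hash over the whole extraction, taken in index order."""
    return sha256(b"\n".join(canonical(m) for m in sorted(msgs, key=lambda m: m["index"])))

def report_reader_a(msgs):
    """Hypothetical reader A report layout."""
    return "\n".join(f'{m["index"]}. {m["time"]} {m["sender"]}: {m["text"]}' for m in msgs).encode()

def report_reader_b(msgs):
    """Hypothetical reader B report layout: same content, different rendering."""
    return "\r\n".join(f'[{m["sender"]}] {m["time"].replace("T", " ")} | {m["text"]}' for m in msgs).encode()

def cross_reference(guide_a, guide_b):
    """Indexes whose per-message hash differs, or is missing, between two test guides."""
    ha, hb = per_message_hashes(guide_a), per_message_hashes(guide_b)
    return sorted(i for i in ha.keys() | hb.keys() if ha.get(i) != hb.get(i))

if __name__ == "__main__":
    print("set hash      :", set_hash(MESSAGES))
    print("report A hash :", sha256(report_reader_a(MESSAGES)))
    print("report B hash :", sha256(report_reader_b(MESSAGES)))
    # Constructed screen-shot transcription in which message 2 appears truncated.
    screen = [dict(m) for m in MESSAGES]
    screen[1]["text"] = "OK see you at"
    print("differing msgs:", cross_reference(MESSAGES, screen))
```

The set hash and the two report hashes all differ even though the underlying messages are identical, because each value attests to a different object; only the per-message comparison identifies which message differs between test guides.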
Previous discussions about some issues associated with validation and verification: