Training material

This guide provides a comprehensive walkthrough of a forensic investigation into a potential infection of an Android device, received by a civic society organization (CSO) that operates as a helpline for individuals at risk. The focus is on consensual forensics, emphasizing a respectful, do-no-harm approach that reflects the unique challenges in this field. The guide takes an exploratory approach, given the limited tools and methodologies available for consensual forensics within the CSO context. While there are notable open-source resources created and maintained by trusted organizations and communities, they are limited compared to those in the law enforcement (non-consensual) forensic field.

This five-part guide covers the entire process from initial case reception and triage to in-depth technical forensic analysis, focusing on identifying traces of infection and analyzing the behavior of a malicious app. It concludes with guidance on cleaning the infected device and summarizing the findings. In this specific case, we simulate an infection caused by a malicious app, known as “TheTruthSpy,” which is recognized for its use as stalkerware in facilitating gender-based digital violence.

Originally posted on The Greater Internet Freedom.