UFED Physical Analyzer

Physical Analyzer is one of the best-known mobile forensic tools on the market. It is one of the best platforms for conducting a manual examination while also leveraging the data the tool parses automatically. For application analysis, Physical Analyzer is good at parsing chats and contacts for each supported application. For data that is not parsed, Physical Analyzer provides an analytical platform that enables the user to browse the filesystem to uncover additional artifacts. Keyword searching is robust in this tool and can search raw hex as well as parsed data. In addition, a SQLite viewer is included.

To conduct a forensic examination of application data in Physical Analyzer, perform the following steps to get started:

  1. Launch Physical Analyzer by double-clicking on the UFED shortcut image file or by double-clicking the tool icon.
  2. Load the image file and wait until parsing completes.
  3. Examine the parsed artifacts, as shown in the following screenshot:
     [Screenshot: Data parsed by Physical Analyzer]

We recommend examining what is parsed and following the hyperlink that shows where the data was extracted from. Navigate to this path and then examine the entire application directory.

To find the application directory, leverage built-in keyword searching capabilities to aid in the investigation. Remember, you may have to conduct research to determine the filenames associated with the app if this is not apparent. 
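The same manual check can be reproduced outside the tool on an exported copy of the filesystem. The following Python sketch is an added example, not part of Physical Analyzer or the original text: it locates application directories by keyword and lists the tables of every SQLite database found there, so they can be compared against what the tool parsed. The app name com.example.chat, the file names and all function names are assumptions, and the sample tree is constructed.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def find_app_dirs(root, keyword):
    """Directories under root whose name contains keyword (case-insensitive)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_dir() and keyword.lower() in p.name.lower())

def is_sqlite(path):
    """Check the header: app databases often have no .db/.sqlite extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def list_tables(path):
    """Open read-only; immutable=1 also stops -wal/-shm files being created."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]

def survey(root, keyword):
    """Map each SQLite database inside matching app directories to its tables."""
    report = {}
    for app_dir in find_app_dirs(root, keyword):
        for p in app_dir.rglob("*"):
            if p.is_file() and is_sqlite(p):
                report[str(p.relative_to(root))] = list_tables(p)
    return report

def demo():
    """Build a constructed sample tree (hypothetical app) and survey it."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "data", "data", "com.example.chat", "databases")
        app.mkdir(parents=True)
        with closing(sqlite3.connect(app / "msgstore")) as con:  # no extension
            con.executescript("CREATE TABLE messages (id INTEGER, body TEXT);"
                              "CREATE TABLE contacts (id INTEGER, name TEXT);")
        (app / "notes.db").write_text("plain text, not a database")
        return survey(root, "example.chat")

if __name__ == "__main__":
    for db, tables in demo().items():
        print(db, tables)
```

Run it against a working copy of the extraction, never the original evidence. Because immutable=1 ignores any write-ahead log, records held only in a -wal file will not appear and need to be examined separately.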
