1) Open MOBILedit Forensic Express and click "Start"
2) Plug your phone into USB. You will see the Forensic Connector screen show up on your phone. MOBILedit will then find the connected phone. MOBILedit shows the phone type currently connected and whether the phone is rooted or not. Click on "Next".
3) If you see this dialog about Old Connector, click Yes and wait until the Connector updates.
4) If your phone is rooted/jailbroken, you will probably see this dialog. Confirm by clicking OK.
5) Now you are in the main dialog where you choose what you want to do. Choose Application analysis and confirm by
6) Now you can see a list of all the applications installed on the mobile phone. Choose the one you want to analyze. You can either scroll down with the scrollbar or use the find field, where you can type the name of the app. Let's say you want to analyze the Ola Cabs app. Type ola in the lookup field and OlaCabs will be listed. Make sure you check its box on the right, as shown in the picture. Then click Next.
7) In the next frame, there are details about the particular Case, Phone and Investigator. You can safely skip them all; don't fill in anything, just hit the Next button.
8) This dialog is important: here you choose which output you want to have. If you are analyzing a particular app for the first time, you need to do a backup. It will create a backup XML file together with many other files and folders that will be discussed later. So choose MOBILedit backup and hit Next.
9) The final dialog shows the Export name of the folder and the Destination where the export folder will be. You can change either of these. By default, the Export name is the name of the phone together with the timestamp of when the backup was done, and the Destination is a path you can freely set. Click Export.
10) You will see that MOBILedit has started to make the backup.
11) You will be prompted to confirm the device's backup; press OK. Then you will also be prompted to back up data on your phone, so do not forget to confirm that as well.
12) If everything went OK, you will see a screen similar to this. Click on the Result folder to see the folder with the backed-up data.
13) You should have a folder at the path you specified in step 9). The folder contains mobiledit_backup.xml, other files and the folder backup_files. It should look something like this picture.
14) If you dig deeper into the backup_files folder, you will see it contains a subfolder called phone and a file called fileHases.csv. In the phone folder, there are 4 subfolders, possibly with further subfolders and files. Which exact folders and files it contains and where they are is application-dependent. In aplication0 there is a folder with the same name as the application package we just analyzed (in our case it is com.olacabs.customer), and inside there is a folder called live_data containing all the data from the backed-up application.
It is generally hard to say which data are important for further processing, and in which folders they are, because it is different for each and every application. Some applications hold all of their data here and are quite simple to process and analyze further. Other applications contain all of the data but are quite difficult to process further (they might be encrypted, etc.), and other applications don't hold much data in the folder, but hold their data somewhere in the cloud, in online databases or somewhere else. Thus, it is always from case to case how to do further
But at first sight, for example, we might see that there is a folder database, and it should contain some valuable data in SQL (in SQLite files). So this is the first thing to try.
But here is an important note:
Never open the original database folder, because it can corrupt some data and you would have to make the backup once again. Make a copy of the databases first, and if you want to look inside, open the copied file, NOT THE ORIGINAL ONE. What I would recommend is to copy the whole folder (to Desktop for example) and when you want to open a particular file, open it from that copy.
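
One way to follow the note above, as an added example that is not part of the original guide or of MOBILedit: copy the whole live_data folder, verify the copy against the original by SHA-256, and open SQLite files only from the copy, in read-only mode. The package name com.example.app, the databases folder, sample.db and all function names are constructed for the illustration.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file's relative path to its SHA-256, read in binary mode."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_working_copy(original: Path, workdir: Path) -> Path:
    """Copy the whole folder, then prove copy and original are byte-identical."""
    before = hash_tree(original)
    copy = workdir / original.name
    shutil.copytree(original, copy)  # whole folder, so -wal/-journal files come along
    if hash_tree(copy) != before:
        raise RuntimeError("working copy differs from the original")
    if hash_tree(original) != before:
        raise RuntimeError("original changed while it was being copied")
    return copy

def list_tables(db_file: Path) -> list:
    """Open a COPIED SQLite file read-only and return its table names."""
    con = sqlite3.connect(db_file.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def build_sample(root: Path) -> Path:
    """Constructed stand-in for a package's live_data folder (not real app data)."""
    db_dir = root / "com.example.app" / "live_data" / "databases"
    db_dir.mkdir(parents=True)
    con = sqlite3.connect(db_dir / "sample.db")
    con.execute("CREATE TABLE rides (id INTEGER PRIMARY KEY, pickup TEXT)")
    con.execute("INSERT INTO rides (pickup) VALUES ('constructed row')")
    con.commit()
    con.close()
    return db_dir.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        original = build_sample(Path(tmp) / "export")
        copy = make_working_copy(original, Path(tmp) / "work")
        for db in sorted(copy.rglob("*.db")):
            print(db.relative_to(copy), list_tables(db))
        print("original untouched:", hash_tree(original) == hash_tree(copy))
```

For a real export, pass the path of the live_data folder inside the export as `original` and a folder outside the export as `workdir`.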
In order for us to further process and analyze an application from the backup, we need the whole original folder. In our case the folder has the name "Samsung Galaxy J3 2016 (2020-01-23 13h41m05s)". Make a zip of the whole folder and send it to us via email.