328 Chapter 9 · Forensic Analysis of Mobile Malware

Frequently Asked Questions

Q: When I'm conducting a forensic investigation of a mobile device, what is the first step in the process?

A: With any forensic examination, the first step is to have permission to seize the evidence that is required for the investigation.

Q: What sort of tools do I use to conduct a forensic examination of a mobile device?

A: Most of the forensic tools that work with images will create an image of a mobile device file system. The commercial software products FTK and EnCase have this capability, as does the Open Source Sleuthkit and Autopsy software on the Helix compilation. Where these differ is in the hardware. Some specialist tools (such as unusual screwdrivers and chip readers) may be needed. Chargers are also necessary to ensure that the battery does not go flat.

Q: Why is it essential to maintain a battery charge in the device when preparing to conduct an investigation of a mobile device such as a smartphone?