Filtering
Filtering is a powerful feature in MOBILedit Forensic that allows investigators to narrow down extracted data and focus on relevant information. Filters can be applied globally across multiple data types or locally within specific analysis modules such as files, messages, and contacts.
Both Global and Local Filters can be set for time, text, location, and contacts, depending on the modules being analyzed.
If you are studying for the MOBILedit Forensic certification, remember this: TTLC
Global filters
Global Filters apply across all specific selection modules that support filtering, such as files, messages, contacts, and locations, before displaying results. These filters help narrow down large datasets at the outset, making it easier to locate key information quickly. They are set before analysis and affect all relevant data categories.
Local filters
Local Filters are applied within individual analysis modules in the "Specific selection" section, allowing for more precise refinement of results after extraction. These filters enable targeted searches within particular datasets and are useful when investigators need to drill down into specific areas of interest, such as filtering messages by keyword or narrowing by location.
Highlight
This option creates a special section where all identified data will be present in a dedicated section.
Filtering
This option will create a report showing only the matched data according to the filters.
Considerations when using filters
Within Specific selection there is a list of analysis modules. Some have local filters, some don’t. For ones with local filters, they may only have one or two filter options available e.g. time & contact or, they may have all.
Global filters are accessible from the “Choose what to extract” screen and contain all available filters; time, contact, text string, & location.
If you enter a search parameter in “Location” it will search only those specific selection modules that also have the option to search for location as a local filter. For example, searching Location in Global would not search contacts, as contacts cannot be searched by location, only by time and contact.
Here is a table to show what is searchable with Global & Local filters.
Table of local filters
Specific selection module | Time | Contact | Text string | Location |
|---|---|---|---|---|
Screenshots of report settings | No | No | No | No |
Summary | No | No | No | No |
Highlighted data | No | No | No | No |
Deleted data | No | No | No | No |
Captured phone photos | No | No | No | No |
Accounts | No | No | No | No |
Contacts | Yes | Yes | No | No |
Messages | Yes | Yes | Yes | No |
Time | Yes | Yes | Yes | No |
Calls | Yes | Yes | No | No |
Organizer | Yes | No | Yes | No |
Applications | No | No | No | No |
Applications list | No | No | No | No |
Photo Recognizer | Yes | No | Yes | Yes |
Face Matcher | Yes | No | Yes | Yes |
Photos | Yes | No | Yes | Yes |
Image files | Yes | No | Yes | Yes |
Large images | Yes | No | Yes | Yes |
Audio files | Yes | No | Yes | No |
Video files | Yes | No | Yes | No |
Documents | Yes | No | Yes | No |
Files | Yes | No | Yes | No |
Matched files | No | No | No | No |
Activities | No | No | No | No |
Application usage | No | No | No | No |
Bluetooth pairings | No | No | No | No |
Cell towers | No | No | No | No |
Clouds (see below) | Yes | No | No | No |
Contacts analysis | No | No | No | No |
Cookies | No | No | No | No |
GPS locations | No | No | No | Yes |
Malware detection | No | No | No | No |
Notifications | No | No | No | No |
Passwords | No | No | No | No |
Screen unlocking history | No | No | No | No |
SIM card | No | No | No | No |
System logs | No | No | No | No |
User dictionary | No | No | No | No |
Wi-Fi networks | No | No | No | No |
Web | Yes | No | No | No |
Timeline | Yes | No | No | No |
Data extraction log | No | No | No | No |
Clouds - Additional filters are available specifically for Clouds. These are “Filter by size” and “Filter by extension”
How Filters Work in MOBILedit Forensic
MOBILedit Forensic searches across metadata, file names, and content within directories analyzed by the relevant specific selection modules. This means that a search term might match:
A folder name rather than just a file name.
Partial text within a file path, not only the direct file name.
Certain variations if special characters (such as underscores) are treated differently.
To ensure filtering is as precise as possible, users should:
Use double quotes for exact matches (e.g.,
"WhatsApp Chat -").List multiple terms using semicolon separation (e.g.,
"WhatsApp Chat -";"chat.txt";"chat 1";"chat 2").Ensure they are using the correct filter type (Global vs. Local) for their search.
Be mindful of how metadata influences search results.
Applying Filters Correctly
To filter file names precisely, use double quotes around each search term. Example:
"WhatsApp Chat -";"chat.txt";"chat 1.txt";"chat 2.txt"This ensures that MOBILedit Forensic treats each term as a literal match, avoiding unwanted results like partial matches on words such as "Snapchat" when filtering for "chat".
Special Character Considerations
Underscores (
_), hyphens (-), and spaces are treated as distinct characters.Double quotes ensure that spaces within search terms are preserved.
Filters are case-insensitive, so uppercase and lowercase variations do not impact results.
Reference
By following these best practices, investigators can refine their searches effectively and ensure they retrieve only the most relevant forensic evidence.