1. Open MOBILedit Forensic Express and click "Start".

2.  Plug your phone to USB. You will see that on your phone Forensic Connector screen will show up. MOBILedit will then find the connected phone.

[1] Shows the phone type currently connected 

[2] Shows if the phone is rooted or not

Click on "Next".

3. if you see the dialog about Old Connector as below, click Yes and wait until the Connector updates.

4. If your phone is rooted/jailbroken, you will probably see this dialog. Confirm by clicking OK.

5. Now you are in the main dialog where you choose what you want to do. Choose Application analysis and confirm by clicking Next.

6. Now you can see a list of all the applications installed on the mobile phone. Choose the one you want to analyze. You can either scroll down with the scrollbar or use the find field where you can write down the name of the app.

Let's say you want to analyze Ola Cabs app.  Write ola in the lookup field [1], OlaCabs will be listed. Make sure you check it up in the right box as shown in the picture [2]. Then click Next.

7. In the next frame, you will find details about the particular Case, Phone and Investigator. You can safely skip them all, don’t fill anything just click the Next button.

8. Now you can choose which output you want to have. If you are analyzing a particular app for the first time, you need to make a backup. It will create a backup XML file together with many other files and folders that will be discussed later. Choose MOBILedit backup and click Next.

9. On the next screen you will see the Export name of the folder [1] and the Destination [2] where the export folder will be. You can change both of them. Click Export.

By default, the Export name is the name of the phone together with timestamp when the backup was done and Destination is a path you can freely set.

10. You will see MOBILedit started to make the backup.

11. You will be prompt to confirm the device's backup, press OK.
Then you will also be prompt to Back up data on your phone, so do not forget to confirm that as well.

12. When everything went OK, you will see a screen similar to this. Click on the Result folder to see the folder with backed up data

13. You should have a folder at the path you specified in step 9). The folder contains mobiledit_backup.xml and other files and folder backup_files. It should look something like this picture

14. If you dig deeper into the backup_files folder, you will see it contains other subfolders called phone and file called fileHases.csv. In the phone folder, there are 4 subfolders with possible other sub/subfolders and files.

Which exact folders and files it contains and where they are is application-dependent.

In aplication0 there is a folder with the same name as is the name of the application package we just analyzed (in our case it is com.olacabs.customer), and inside there is a folder called live_data containing all the data from the backed-up application,

It is generally hard to say which data are important for further processing, and in which folders they are because it is different for each and every application. Some applications hold all of their data here and are quite simple for further processing and analyzing, other applications contain all of the data, but are quite difficult for further processing (they might be encrypted, etc..) and other applications don’t hold much data in the folder, but hold their data somewhere on the cloud in online databases or somewhere else. Thus, it is always from case to case how to do further processing.

But from the first sight, for example, we might see that there is a folder database, and it should contain some valuable data in SQL (in SQLite files). So this is the way to go to try it first. But here is an important note:

Never open the original database folder, because it can corrupt some data and you would have to make the backup once again.

Make a copy of the databases first, and if you want to look inside, open the copied file, NOT THE ORIGINAL ONE. What I would recommend is to copy the whole folder (to Desktop for example) and when you want to open a particular file, open it from that copy.

In order for us to further process and analyze an application from the backup, we need the whole original folder. In our case, the folder has a name "Samsung  Galaxy J3 2016 (2020-01-23 13h41m05s)".

Make a zip of the whole folder and send it to us via email.