When connecting MOBILedit Forensic to a device that has a Mobile Device Management (MDM) solution installed, data could be deleted from the device.
This should be considered by both law enforcement and investigators in the corporate and private sectors.
When examining a mobile phone, it is crucial to establish whether or not a Mobile Device Management (MDM) solution is installed or operating on the device. MDMs are used in Enterprise environments to manage company endpoint device configurations, allowed applications, and security. Assets can be tracked and remotely wiped if stolen, missing or in the case of unauthorised access.
Each MDM behaves differently due to the admin policies set by the organisation deploying the MDM. It is possible that by connecting an MDM device with MOBILedit Forensic, the device could become locked, factory reset or have data deleted.
Depending on the settings of the MDM solution, events could be triggered through actions and processes that MOBILedit Forensic takes to extract and analyse data from a device. Alternatively, the restrictions in place by the MDM may not allow MOBILedit Forensic to perform a complete extraction and analysis if the connection is possible.
If working on a suspect device, a “volunteered” device or at the request of the device owner, you should contact the owner or MDM administrator and ask them to change the settings on the device you are examining. This is so as to allow the correct functioning of MOBILedit Forensic without jeopardising the data. If this is not possible you may need to research the MDM online or, contact the MDM developer.
If you need further advice you should contact technical support.
Some of the known issues are:
MOBILedit Forensic connector causes data wiped.
Application downgrade cannot complete due to restrictions in creating ADB backups.