Mobile Device Triage Toolkit: Deterministic, Read-only Forensic Pre-Assessment

Date

Publisher

Polytechnic University of Puerto Rico

Item Type

Article
Poster

Abstract

Mobile investigations face evidence backlogs and limited time in which to decide whether a device merits full imaging. We present the Mobile Device Triage Toolkit (MDTK), a read-only, deterministic workflow that inspects disk images (RAW, and E01 either through pytsk3/pyewf or via an E01 export) or backups and logical folders, and summarizes high-value artifacts. MDTK produces a filesystem summary, an app inventory, SQLite table counts, endpoint-pattern hits and a mini-timeline, exported as both JSON and a uniform PDF. For forensic defensibility, MDTK records an append-only JSONL audit log, refuses writable mounts, pins the runtime environment and fixes all timestamps to UTC seconds; Ed25519 signing of the outputs is supported. We evaluate MDTK on a manifest of sample images and report runtime, artifact coverage and reproducibility, the last measured by comparing the hashes of the JSON and PDF outputs across repeated runs. Results show byte-identical outputs, a median execution time under 8.33 s, and fast visibility into artifacts such as messaging and browser histories. MDTK targets triage escalation rather than full analysis, and runs on Windows via WSL.

Keywords: Digital Forensics, Evidence Integrity, SQLite Artifacts, Triage.
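The abstract names the properties that make the triage output defensible: read-only access to the evidence, a byte-stable JSON report whose timestamps are fixed UTC seconds, an append-only JSONL audit log, and a reproducibility check that compares output hashes across runs. The following is an added example written for this page, not MDTK's own code, that shows one way to implement that core against a SQLite artifact using only the Python standard library. The schema label, field names and the hash-chained layout of the audit log are this example's assumptions; the sample database is constructed inline and is not a real artifact. Ed25519 signing is left out because it needs a third-party library; it would sign the SHA-256 digest that `report_digest` computes.

```python
"""Deterministic, read-only triage core (added example, not MDTK's code)."""
import hashlib
import json
import os
import sqlite3
import tempfile
from pathlib import Path


def make_sample_db(path):
    """Constructed stand-in for an app database pulled from a logical backup."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE message(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE contact(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO message(body) VALUES ('hi'), ('see you at 5'), ('ok');
        INSERT INTO contact(name) VALUES ('alice');
    """)
    con.commit()
    con.close()


def sqlite_table_counts(db_path):
    """Open the database read-only (SQLite URI mode=ro) and return {table: rows}."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        # Table names come from the evidence, so quote them as identifiers.
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
                for n in names}
    finally:
        con.close()


def canonical_json(obj):
    """Byte-stable encoding: sorted keys, no whitespace, explicit UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def build_report(db_path, generated_at_utc):
    """The timestamp is an integer UTC epoch second supplied by the caller, and only the
    file name (not the mount path) is recorded, so repeated runs give identical bytes."""
    return {
        "schema": "mdtk-example/1",            # assumed schema label
        "generated_at_utc": int(generated_at_utc),
        "source": os.path.basename(db_path),
        "sqlite_table_counts": sqlite_table_counts(db_path),
    }


def report_digest(report):
    return hashlib.sha256(canonical_json(report)).hexdigest()


def append_audit(log_path, event):
    """Append one JSONL record whose 'prev' is the SHA-256 of the previous line.
    The file is only ever opened for append; editing or dropping a line breaks the chain."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    line = canonical_json({"prev": prev, **event})
    with open(log_path, "ab") as f:
        f.write(line + b"\n")
    return hashlib.sha256(line).hexdigest()


def verify_audit(log_path):
    """Walk the chain from the genesis value; return (intact, records_verified)."""
    prev, n = "0" * 64, 0
    with open(log_path, "rb") as f:
        for raw in f.read().splitlines():
            if json.loads(raw).get("prev") != prev:
                return False, n
            prev = hashlib.sha256(raw).hexdigest()
            n += 1
    return True, n


def reproducibility_check(db_path, generated_at_utc, runs=3):
    """Re-run the triage and compare digests; True iff every run is byte-identical."""
    digests = {report_digest(build_report(db_path, generated_at_utc)) for _ in range(runs)}
    return len(digests) == 1


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="mdtk-example-")
    db, log = os.path.join(workdir, "sample.db"), os.path.join(workdir, "audit.jsonl")
    make_sample_db(db)
    ts = 1735689600  # fixed UTC second supplied by the operator, never time.time()
    report = build_report(db, ts)
    append_audit(log, {"ts": ts, "action": "report", "sha256": report_digest(report)})
    append_audit(log, {"ts": ts, "action": "export", "format": "json"})
    intact = verify_audit(log)
    # Simulate post-hoc tampering with the first record and re-verify.
    data = open(log, "rb").read().replace(b'"report"', b'"repost"', 1)
    open(log, "wb").write(data)
    return {"counts": report["sqlite_table_counts"],
            "reproducible": reproducibility_check(db, ts),
            "audit_intact": intact,
            "audit_after_tamper": verify_audit(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any triage tool: the report must not embed anything that varies between runs (wall-clock time, absolute mount paths, unordered dictionaries), or the hash comparison the abstract relies on can never succeed; and the audit log is only as tamper-evident as its chain, so the verifier has to start from a fixed genesis value rather than trusting the first record's own `prev`.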

Description

Design Project Article for the Graduate Programs at Polytechnic University of Puerto Rico

Keywords

Digital Forensics, Evidence Integrity, SQLite Artifacts, Triage

Citation

Jusino Alamo, L. F. (2025). Mobile Device Triage Toolkit: Deterministic, Read-only Forensic Pre-Assessment [Unpublished manuscript]. Graduate School, Polytechnic University of Puerto Rico.

Collections