According to the CHFI v11 objectives under Mobile and IoT Forensics and Operating System Forensics , mobile devices often act as cross-platform interaction points , storing artifacts related to communications, file transfers, backups, or synchronization with Windows and Linux systems . These artifacts may include shared documents, SSH keys, SMB access traces, USB connection records, cloud sync remnants, or application logs indicating interaction with external operating systems.
A crucial forensic step in such cases is analyzing files to identify interactions and potential evidence across different operating systems . This enables investigators to reconstruct user activity beyond the mobile device itself and establish links between the mobile device and other systems involved in the incident. CHFI v11 emphasizes the importance of correlating evidence across heterogeneous platforms to build a complete and accurate timeline of events.
Focusing only on native mobile files (Options B and C) risks overlooking critical evidence that may demonstrate lateral movement, data exfiltration, or coordination between devices. Ignoring Windows- or Linux-related artifacts (Option D) directly contradicts forensic best practices and may lead to incomplete or flawed conclusions.
The CHFI Exam Blueprint v4 explicitly highlights Android and iOS forensic analysis , cross-platform evidence correlation , and file system analysis as key competencies. Therefore, analyzing cross-OS artifacts is essential for uncovering hidden relationships, validating investigative hypotheses, and ensuring legally defensible findings, making Option A the correct and exam-aligned answer
