When I enter on felony cases as the defendant's attorney we also file what is termed a motion for discovery. Part of that motion includes a request for all digital data that may exist in the case. I routinely receive such data that has been extracted from cellular phones or received via subpoena at law enforcement's request. Many times the cellular phone data is analyzed in house by a detective who has been certified to conduct such a analysis. We routinely receive Cellebrite reports from these detectives. Cellebrite is one form of software that allows the users to compile data in usable form. The data is divided in many different ways including, geographically, by individual category, by time, and the data can also include online searches and results received/sent by the device. The reports can be very large (over 20,000 pages). The reports normally generate a summary which directs the viewer to images/data that the detective believes is pertinent to the case. As an example, if there are 10,000 pictures on the device the detective may summarize the 50 pictures that are relevant to the investigation (such as in a child pornography case). Web searches, text messages, SMS, Imessages, photos, videos, memes, email messages sent and received are some of the data we view in the report. Geographic location evidence also exists.
I receive the general report and summary report if one has been created. It is in PDF format. However, we request in all such cases that the raw data along with a copy of the software be provided so that we can read the analysis ourselves. This allows us to access other information that may have been omitted from the original report. The omission may not have been intentional but deemed irrelevant.
This evidence is subject to introduction at trial or hearing by the detective as an expert witness. In order for an expert witness to introduce his opinion and findings he must first lay a proper foundation. One issue that i have not seen yet is a video that shows from start to finish the detective actually performing the search. This is required under current standards as stated by NIST. When a cellular device is first seized it must be placed in a Farraday bag (which prevents the device from interacting with data outside the device). Most of the times in the cases I review neither is used. And in many cases the seizing officer attempts to manually search the device. This, of course, alters data on the device. Any of these breaches should be attached with a motion to suppress evidence.
Experts may need to be retained to get foundational information in before the court. There are many experts that may provide this service.