- Blog
- 11.02.26
Forensics in Falkor
Think about your phone and computer for a moment. How much of your life is stored on them locally or in whichever cloud storage systems you use?
Every phone call record, photo, file, email, text and app that you’ve ever taken, used or sent is stored somewhere on your device, and those are just a few of the types of data you can expect. Phones nowadays often include a minimum of 128 gigabytes of storage, with many offering one terabyte or beyond.
In short, phones and other devices are where we store most of our data and, in practical terms, how we live our lives. There’s a reason that mobile devices and computers are seized from criminals, terrorists and any other person of interest or suspect in an investigation: they provide an embarrassment of riches in data that simply can’t be matched anywhere else. However, that same richness of data poses a significant challenge to investigators: understanding that data and then learning how to make the most of it via digital forensics.
As part of their digital forensics investigations, investigators nowadays are used to either poring over datapoints individually or using siloed, standalone digital forensics systems to analyze devices. These are often legacy systems with highly specific capabilities, and they require significant training before they deliver their money’s worth.
The training, cost and deployment of a dedicated solution aren’t necessarily even the biggest issue. The data acquired via mobile or digital forensics can be critical in and of itself once analyzed, but it also plays an important role in providing key datapoints for further investigation. For example, let’s say we take the contacts list of a given seized device. While the list is useful in and of itself, it’s difficult to glean further information from it without manually checking each and every person and phone number.
Here’s where Falkor comes in. We can then take those names and phone numbers and look them up in open-source intelligence sources at scale to quickly enrich, contextualize, and connect them to a broader investigative picture. Instead of treating forensic artifacts as static evidence to be reviewed one by one, Falkor turns them into dynamic leads. A single contacts list can become a living network: identities resolved, phone numbers linked to online profiles, aliases uncovered, and relationships mapped across platforms. What once required days or weeks of manual cross-checking can now happen in minutes, allowing investigators to move from raw extraction to actionable insight far faster.
Beyond contacts, the same enrichment applies to many other high-value sources commonly recovered in digital forensics, such as messages sent via SMS, email, or third-party messaging applications. Conversations often contain phone numbers, usernames, email addresses, links, locations, and informal references that are difficult to interpret in isolation. When analyzed at scale and enriched with external data, these messages can reveal patterns of communication, timelines of activity, intent, and coordination between individuals. A single message thread can point to additional accounts, previously unknown associates, or real-world events, turning unstructured text into a structured narrative that strengthens both investigative understanding and evidentiary value.
In addition to messages and contacts, there are many other categories of digital forensic data that benefit from enrichment and contextual analysis. Location data, for example—derived from GPS records, Wi-Fi connections, or app usage—can be correlated with known addresses, points of interest, and historical events to establish movement patterns or confirm presence at key locations. Photos and videos often contain metadata such as timestamps, device identifiers, and geolocation, while the visual content itself can be matched against online imagery, social media posts, or known environments to identify places, objects, or people.
App and browser data is another rich source of insight. Search histories, bookmarks, cookies, and installed applications can reveal interests, intent, planning behavior, or access to specific services and platforms. Financial artifacts such as payment apps, transaction logs, or cryptocurrency wallets can be linked to known accounts, marketplaces, or prior activity, helping trace the flow of money. Even seemingly mundane data—like calendar entries, notes, or deleted artifacts—can provide critical context when connected to external intelligence, filling gaps in timelines and revealing how digital actions translate into real-world behavior.
More importantly, this approach breaks down the traditional silos between digital forensics and open-source intelligence. Device data no longer exists in isolation; it becomes a starting point for deeper discovery. Messages, locations, files, and call records can all be correlated with public data, past cases, and external signals, helping investigators understand not just what is on a device, but what it means in context. This shift reduces cognitive overload, lowers the barrier to effective analysis, and lets teams focus on judgment and strategy rather than repetitive, mechanical work.
Ultimately, devices will only continue to grow as repositories of our lives, and the volume and complexity of data will keep increasing. The future of digital investigations depends on tools that can scale with that reality—tools that augment human investigators rather than slow them down. By unifying forensic data with intelligence enrichment and analysis, Falkor helps transform overwhelming datasets into clear, defensible insights, enabling investigators to spend less time digging and more time solving cases.