Consensual Digital Forensic Community Survey 2026

Understanding the practitioners who support at-risk communities through consensual device analysis and threat detection all over the globe

Summary

The consensual forensic community worldwide

We conducted a community survey to learn how civil society organizations currently use consensual forensic analysis tools, specifically Mobile Verification Toolkit (MVT) and Android Quick Forensics (AndroidQF). We aimed to reach a broad range of users from the digital freedom community and to learn about their expectations for features, capabilities, and adoption. This included mapping how widely these tools are used and identifying key users and/or organizations within the community.

Section 01: Practitioner profiles

Who is the consensual forensic analyst?

Who are the practitioners conducting consensual digital forensics work?
Understanding their backgrounds, experience levels, and primary roles.

Professional roles

Connections show selections of two or more roles inside the organization. Thicker ribbons indicate stronger overlaps. Practitioners usually combine multiple roles, with trainers appearing as a notably common role alongside technical functions.

Years of experience

Most respondents have been working in the field for 1 to 5 years, suggesting a young practitioner community within an emerging field.

Common tasks performed

Tasks that practitioners report doing often as part of their consensual forensic work. Practitioners seem to take on many roles at once. Their work goes far beyond forensic analysis and often includes handling inquiries from human rights defenders, providing digital security support, carrying out extractions and doing OSINT and threat intelligence research. This points to a multifaceted technical role with many different angles.

How would you define consensual digital forensics?

As an emergent discipline, there may be different approaches to defining this sensitive work. We plotted the most frequent words used by practitioners when describing what consensual digital forensics means to them.

Based on the responses, consensual digital forensics can be defined as the process of analyzing a device's behavior and content with the owner's informed consent, emphasizing transparency and collaboration throughout the process. The individual who requests the analysis must be made aware of what this engagement entails, including the methods used, data being acquired, potential risks, and the implications of any findings.

The forensic investigation occurs in partnership with the person, making sure their preferences and emotional state are taken into account. This collaborative effort often includes ongoing dialogue throughout the process.

Motivations

Different consensual forensic profiles can have different motivations for doing this work. These are the highest-ranked motivations, based on respondents' priority ordering. Political and Social Justice is the main motivation for forensic analysts to do their work, followed by gaining skills and experience. With Political and Social Justice as the strongest motivator, this work appears to be driven more by mission and community protection than by purely technical interest.

Section 02: Organization types

Who does the practitioner work with?

Practitioners are embedded in different organizational contexts. Most of them are technologists and researchers, embedded in organizations of between 11 and 24 members, who work in teams. Let's explore the vast array of organizational configurations.

Organization type

How practitioners describe their organizations. Respondents could select multiple descriptions.

Organization size

Number of members in practitioners' organizations. Bubble area is proportional to respondent count.

Organization Type → Size → Team

No matter the type of organization they are embedded in, most practitioners belong to a team. This Sankey diagram renders the flow from organization type through size to whether practitioners work with a team.

Team Roles by Team Size

Which roles are present in teams, broken down by team size. Technical roles are present across all team sizes, but holistic care roles are not.

Section 03: Context

Local threat models for consensual forensic analysis

Regarding threats, the most relevant are physical access such as seizure, followed by social engineering and phishing, along with highly invasive spyware, while analog surveillance appears as the least relevant among the threats considered.

Threat Landscape

How relevant different threats are to organizations. Darker cells indicate higher respondent counts for that threat-relevance combination.

Section 04: Workflow

How does the consensual forensic analyst work?

Based on the open responses from survey respondents, we gathered and categorized them into the general steps taken in consensual forensic analysis work. The workflow is relatively structured, with analysis and acquisition at the core, but the strong emphasis on vetting and consent shows the process is intentionally careful and ethical.

When asking about workflows, we also asked about pain points and improvements that could be made. These include developing a structured triaging process to manage requests more effectively. Standardization of workflows and reporting mechanisms was described as crucial for consistency and for a clear chain of custody when handling cases, and would contribute to threat intelligence and situational awareness.

Some constraints were also identified, such as operational risks and the current political context, which limit the ability to assist individuals more openly. Unlawful government control and surveillance, used for reputational and legal persecution of human rights defenders, is a perceived threat.

Another pain point is that there isn't enough human capacity to provide adequate assistance to every person who reaches out, which can be frustrating. Emotional support processes are somewhat intuitive and could benefit from further development.

Case Intake Process

Common steps practitioners take when someone approaches with a possible device infection. We mapped the steps into a workflow diagram. The node size reflects how many respondents mention each step.

    Step 1: Initial Contact

  • Initial contact and get description of the situation
  • Interview to understand the context
  • Receive the person in our offices
  • Listen to the person to understand well the context
  • Verify the request
  • Folks visit us and inform us about the issue

Section 05: Tooling

Which tools are used by the consensual forensic community?

The software tools and platforms used by practitioners for device acquisition, analysis, and threat intelligence.

Pre-Acquisition steps

This is a particularly sensitive moment because, before any data is acquired, practitioners must assess not only the technical risk but also whether they have the mandate, capacity and support structures needed to handle the case responsibly. These steps, taken before acquiring data from a potentially compromised device, make this process fundamentally different from a law-enforcement forensic workflow.

Acquisition methods

Whether data acquisition happens in-person or remotely. Most practitioners seem to rely on a combination of in-person and remote acquisition. Beyond that, in-person-only extractions are much more common, while fully remote acquisition is still quite unusual.

Extractions workflow

What practitioners do with the data they extract during forensic analysis. The limited use of data for litigation or court evidence points to a gap, and a potential area for improvement, in legal chain of custody practices.

Data types extracted

The types of data practitioners extract during consensual forensic analysis. Answers are relatively homogeneous, centering on a small set of commonly extracted data types, especially AndroidQF outputs, Sysdiagnose files, Android bugreports and iTunes backups.

Ecosystem of consensual forensic tools

Forensic toolset landscape grouped by main function: extraction, analysis, threat intelligence and collaboration. Bubble size reflects adoption across practitioners. A clear predominance emerges around a small number of tools in each function, with AndroidQF standing out for extraction, MVT for forensic analysis and VirusTotal for threat intelligence. This points to a fairly consolidated ecosystem, with strong reliance on a small number of specific tools.

Platforms used

Operating systems and devices used during extraction and analysis work. GNU/Linux clearly stands out as the main platform used in this work. The relatively high reliance on Raspberry Pi is also remarkable, while desktop environments are followed by macOS usage.

Section 06: Futures

Futures and wishes from practitioners

In a continuously evolving discipline, practitioners' needs for consensual forensic tools are always changing. Some ideas are presented here.

Feature Requests

What practitioners wish they had in a tool for extraction and analysis in consensual forensic work. Feature requests point most clearly to a need for better remote workflows and stronger detection capabilities. Practitioners ask for tools that support modularization, correlated detections and more granular confidence levels, as well as support for iOS acquisition.
"Post-processing of the outputs for better identification of malicious patterns"
"I would like to see more modular, fully FLOSS tools, accompanied by clear statements about their limitations."
"Integration with compromised online account checks, such as Have I Been Pwned, to support preventative assessment and account security recommendations."
"To have a direct link to the files that generated the WARNING or the INFO."
"For analysis, something with more clear/verbose information in the output"
"Extensibility (bring-your-own-modules)."
"(A tool that has) confidence levels for detections."
"(A tool that has) correlated detections from multiple modules."
"Something that would make it easier to do android acquisition remotely and easily."
"I think if more remote analysis was possible, that would be amazing!"
"(To have a) full remote extraction."
"More user friendly tools for extraction, especially when there is a need for remote extraction. Command line can be scary to a lot of people."
"One that can cover both iOS and Android."
"iphoneQF :)"
"(Having) automatic sysdiagnose creation tool."
"I would like to have a proper GUI."
"(A tool that has a) Graphical timeline/timesketch integration."
Sample size reduction:
"A tool that compresses as much as possible to reduce the acquisition file size."
"Like an iphone backup minimisation but in a format usable by MVT. We run into cases where internet connections can be very unreliable so it is not always possible to connect to and upload via some of the portals that the likes of AmTech have."
Sharing:
"A tool that makes the process of sharing a collection of forensic evidence easy."
"To have an easy way to share IOC and integrate them in those tools."
Chain of custody preservation:
"For extraction, something that could help to preserve the chain of custody."
Completeness verification:
"Confirmation that the data I extracted is complete and we can verify it."
Consent & data control:
"A tool that provides some level of control to the victim, in terms of their personal information, and maybe incorporates aspects of documenting consent."
Localization:
"To have comprehensive documentation explaining how they can be adapted to different operational contexts, and designed to be extended and maintained by technologists from diverse regions."
Maximize data extraction:
"A tool that extracts as much relevant data as possible."
Minimize data extraction:
"Tools to minimize the data collection on the computer."
On-device acquisitions:
"(Having) on-device one-click acquisition tools"
Reporting / Export:
"The ability to export formatted reports, like Autopsy."
Sample management:
"(Having) systems for managing uploads and automated scanning."

Excerpts are lightly edited for brevity and consistency.

Methodology

This report presents findings from a survey of consensual digital forensics practitioners conducted in December 2025 - January 2026. The survey collected responses from 55 participants across multiple countries, focusing on their roles, organizational contexts, tooling preferences, and workflow processes. Responses were voluntary and anonymized. For added privacy protection, responses are shown reordered to prevent reconstruction of the full response set. Not all participants completed all questions, so sample sizes vary by section.

This report is anchored in community survey results and forms part of a broader assessment that also includes a heuristic analysis and a security assessment, available on 0xche's website.