Computer Forensics: Mobile Forensics [Updated 2019]

July 6, 2019 by Hashim Shaikh

Is There a Need for Mobile Device Forensics?

The use of mobile devices in criminal investigations and similar activity has been present and widely recognized for some years. The forensic method and study of mobile devices is relatively new and dates from the early 2000s.

Just as the regular population uses mobile devices, so do criminals. The forensic investigation of a mobile device cannot be done in the conventional manner of a computer forensics investigation, as there are many hardware, software, and filesystem differences in mobile devices. There are also many closed and open source mobile operating systems, which makes mobile device forensics even more difficult. This gives rise to the field of Mobile Forensics, which covers feature phones, smartphones, tablets, and other mobile devices.

A mobile phone contains various information – ranging from contacts, notes, images, calendars, SMS, MMS.

A smart phone contains more than simply email or files. A mobile device can contain videos, web browsing, location, and social networks. All of these components are useful in Mobile Forensics to uncover useful evidence.

Challenges in Mobile Forensics

Mobile devices undergo a wide range of software and hardware upgrades, pushed by various vendors. Different operating systems and their flavors add to the challenge. As another factor in the problem, there are many differences in architecture and filesystems. Different platforms such as Android, feature phones, or iOS require different forensic methods. Thus, a Mobile Forensics examiner has to use different tools and techniques to address this issue.


Mobile device forensics is the field of obtaining digital evidence from mobile devices for an investigation. Mobile Forensics is not limited to mobile phones; it also covers GPS units, tablets, PDAs, and other mobile devices. The main goal in Mobile Forensics is to retrieve data from memory, SD card, and SIM without any loss, damage, or manipulation of data.

The types of evidence found on mobile devices are not limited to memory, SIM, or SD card; they also include smartphone evidence such as cloud storage, browser history, and geolocation.

The evidence is stored in internal memory, flash memory, or external memory devices such as SIM and SD cards. Call history and details may also be obtained from service providers.

The detailed list of evidence on mobile devices will include the following:

  • Subscriber and equipment identifiers
  • Date/time, language, and other settings
  • Phonebook/Contact information
  • Calendar information
  • Text messages
  • Outgoing, incoming, and missed call logs
  • Electronic mail
  • Photos
  • Audio and video recordings
  • Multimedia messages
  • Instant messaging
  • Web browsing activities
  • Electronic documents
  • Social media related data
  • Application related data
  • Location information
  • Geolocation data

Mobile Forensics process

Mobile device forensic activity follows a defined procedure. The steps are as follows:

  1. Seizure: The seizure of the mobile device is crucial in forensics. An examiner should seize the mobile device in a way that ensures the memory is not changed, manipulated, or overwritten.

The mobile device is taken as it is from the site. If the examiner allows it to be connected to a network or the internet, there is a chance that evidence in memory may be overwritten. To avoid this, the seizure is done in a Faraday cage or bag, where the mobile device cannot make any connection to a network. It is highly recommended for an examiner to put the device in Airplane Mode at the time of seizure.

  2. Acquisition: To perform acquisition efficiently, identification of the mobile make and manufacturer is important. This can be identified just by having a look at the front and back of the mobile or by removing the cover and looking near the battery area. Then comes the acquisition itself, which is the process of collecting data from the mobile device. An examiner has to make sure that none of the components that hold data are left uncovered. Acquisition is not possible if the mobile device's battery is drained. It is also not best practice to charge the phone while it is still in the Faraday cage or bag, as the phone may detect that the network is unreachable and change the status of some elements or overwrite evidence by triggering the memory manager to write data.

Acquisition can be done in the following ways:

    • Manual acquisition: In this type of acquisition, the forensic examiner collects the evidence from the mobile device manually by using it just as a normal user would. This forensic scenario is rare, as many mobile devices have a passcode or other security. There is a high chance of data getting lost if this method is used on the device in question.
    • Physical acquisition: In this type of acquisition, the forensic examiner tries to copy the entire physical storage (flash memory) of the mobile device. This acquisition allows the examiner to uncover deleted files and data with the help of some tools. The manufacturer prevents direct access to and reading of physical memory, so the forensic tools have to overwrite the bootloader to get access.
    • Logical acquisition: In this type of acquisition, the forensic examiner tries to extract all the logical storage that deals with the file system, data structures, etc. Logical acquisition can be achieved with the help of a manufacturer-provided API in most cases. The examiner synchronizes the mobile device and the forensic workstation through the manufacturer's API. The API or forensic tools extract the data structures and data efficiently and organize the data to be presented to the examiner. However, the API is not a forensic tool, so there is a chance that not all the data is acquired. To overcome this disadvantage and loss of evidence, forensic tool vendors use an agent which is installed on the mobile device and which helps to obtain forensically important data.
    • File system acquisition: Logical extraction does not fetch deleted information. In the case of iOS and Android, databases are in SQLite format. When a database is deleted, it is just marked as deleted in memory and not removed. This part of the memory is then available for overwriting. In file system acquisition, even those deleted databases can be retrieved from the memory.
    • Bruteforce acquisition: In this method of acquisition, the forensic examiner uses a "trial and error" method in which a series of passcodes, from 0000 to 9999, is sent to the mobile device to find the correct one. There are some commercial tools and Python scripts that help in getting the passcode of the mobile device. Once the passcode is cracked, the mobile device is easily available for further forensic investigation.
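The file system acquisition item above notes that a deleted SQLite database stays in memory until it is overwritten. As an added example (not code from the original article or from any tool it names), the sketch below locates such databases in a raw dump by their 16-byte magic string and uses the page size and page count in the 100-byte SQLite header to cut each one out. The sample image, the `sms` table and all function names are constructed for illustration, and the database is assumed to be stored contiguously.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database

def carve_sqlite(image: bytes):
    """Yield (offset, db_bytes) for each plausible SQLite database in a raw image."""
    pos = image.find(MAGIC)
    while pos != -1:
        hdr = image[pos:pos + 100]
        if len(hdr) == 100:
            page_size = struct.unpack(">H", hdr[16:18])[0]
            page_size = 65536 if page_size == 1 else page_size
            page_count = struct.unpack(">I", hdr[28:32])[0]
            # The in-header page count is only trustworthy when the change
            # counter (offset 24) equals "version-valid-for" (offset 92).
            sane = (page_size >= 512 and page_size & (page_size - 1) == 0
                    and page_count > 0 and hdr[24:28] == hdr[92:96])
            end = pos + page_size * page_count
            if sane and end <= len(image):
                yield pos, image[pos:end]
        pos = image.find(MAGIC, pos + 1)

def build_sample_image():
    """Constructed sample: a tiny database embedded between filler bytes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE sms(address TEXT, body TEXT)")
        con.execute("INSERT INTO sms VALUES ('+15550100', 'constructed message')")
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    return b"\xff" * 4096 + db + b"\x00" * 4096, db

def read_rows(db_bytes: bytes):
    """Write carved bytes to a scratch file and query it, proving it is intact."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.db")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT address, body FROM sms").fetchall()
        con.close()
    return rows

if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, blob in carve_sqlite(image):
        print(offset, len(blob), read_rows(blob))
```

A carved copy should always be written to a scratch location, as here, so the acquired image itself is never opened for writing.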

    After the acquisition of a mobile device, a hash value is generated to maintain the integrity of the evidence. This hash value is important in the examination and analysis stage, because when these processes are carried out on the acquired image, the image is likely to be tampered with. The hash value is therefore used to determine whether the data from the mobile acquisition has been manipulated or not.
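One way to apply the hash check described above, as an added example that is not part of the original article: the image is hashed once at acquisition into a manifest holding a whole-image SHA-256 plus a SHA-256 per block, and re-hashed before analysis, so that a mismatch also shows where the image changed. The block size, manifest layout and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import io
from itertools import zip_longest

def hash_image(stream, block_size=1024 * 1024):
    """Return a manifest: whole-image SHA-256 plus one SHA-256 per block."""
    whole = hashlib.sha256()
    blocks, size = [], 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
        size += len(chunk)
    return {"algorithm": "sha256", "size": size, "block_size": block_size,
            "sha256": whole.hexdigest(), "blocks": blocks}

def verify_image(stream, manifest):
    """Re-hash the image; return (ok, start offsets of blocks that differ)."""
    current = hash_image(stream, manifest["block_size"])
    if hmac.compare_digest(current["sha256"], manifest["sha256"]):
        return True, []
    changed = [
        index * manifest["block_size"]
        for index, (then, now) in enumerate(
            zip_longest(manifest["blocks"], current["blocks"]))
        if then != now  # also catches blocks missing after truncation
    ]
    return False, changed

if __name__ == "__main__":
    # Constructed sample standing in for an acquired image (12800 bytes).
    image = bytes(range(256)) * 50
    manifest = hash_image(io.BytesIO(image), block_size=4096)

    # Simulate a single flipped bit introduced during analysis.
    tampered = bytearray(image)
    tampered[9000] ^= 0x01

    print(verify_image(io.BytesIO(image), manifest))
    print(verify_image(io.BytesIO(bytes(tampered)), manifest))
```

The manifest is only useful if it is stored apart from the image, for example with the case notes, so that both cannot be altered together.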

  3. Examination and analysis: As mobile devices move toward the smartphone generation, most of them use a high-level file system similar to those used in computers. The FAT file system is used in NAND memory, so a forensic tool that is used to perform acquisition of computers can be reused with a bit of upgrade.

Cloud Based Services for Mobile Devices

Mobile cloud computing is the combination of mobile networks and cloud computing, allowing user applications and data to be stored in the cloud (i.e., internet servers) rather than in the mobile device memory. This data may be stored in geographically diverse locations. Cloud computing environments are complex in their design and frequently geographically dispersed. Often, storage locations for cloud computing are chosen due to lowest cost and data redundancy requirements. One issue may be the identification of the location of the data. This is an emerging field.

Tools used for Mobile Forensics

Widely used and well-known tools that can perform logical, physical, and file system acquisition are as follows:

  1. XRY: A powerful commercial forensic tool that is installed on a Windows platform and fetches all the data from the mobile device with full integrity.
  2. Oxygen forensic suite: A commercial forensic tool that helps to perform logical and physical analysis of various mobile devices such as Android, iOS, Windows, etc.
  3. Cellebrite UFED: A commercial forensic tool that performs data extraction for various mobile devices.

      List of more forensic related tools be it open source or commercial can be found in the URL

Most of the tools support Android, iOS and Windows Phone.


The field of mobile device forensics is generally associated with law enforcement investigation, but it is also used in other settings such as corporate investigation, military, private investigations, criminal defense, civil defense, etc. Mobile Forensics is very challenging, as the examiner has to face different problems including identification of the mobile OS and manufacturer and deciding which tools should be used to perform acquisition appropriately.


Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: and his LinkedIn Profile here: