Digital forensics

Mobile forensic process: Steps and types

Hashim Shaikh
December 30, 2017 by
Hashim Shaikh

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. "Forensically sound" is a term used extensively in the digital forensics world to qualify and justify the use of a particular forensic technology or methodology. The central principle for a sound forensic examination is that the original evidence must not be modified. Let's understand this very important process step by step.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.


  • Identifying is the location of evidence (on a mobile phone). Preserving it means making sure that the integrity of the digital evidence is not manipulated in any way, shape, or form. Preservation must also consist of protecting or shielding the evidence from any radio interference such as a mobile data network, Wi-Fi, Bluetooth, or any other application which can give the device a remote connection. One of the best ways to isolate a mobile device is by putting it into a Faraday Bag which prevents the transmission of the electromagnetic waves. Seizing the evidence is the process to protect it from physical damage which includes the secure evacuation of evidence and proper transportation of it to protect it from any electromagnetic, electric shock, excessive heat, etc. This is to protect from any tampering.
  • In hand with these steps, clear documentation is to be maintained (aka the "Chain of Custody" forms) for future reference, such as in a court of law. This chain of custody contains details pertaining to evidence values, any special notes, a chain which describes the handover of the evidence from an individual to another entity, with the date and time captured in these instances. Another part of documentation is taking pictures (photographs) of the crime scene, capturing the original state of the mobile device, as well as the make, model, serial numbers and so on. The other of the phone - such as IMEI number or operating system version - which would help during the acquisition phase and need to be captured as well.
  • Forensic acquisition is the process of acquiring the original evidence in a forensically sound manner while maintaining the integrity of it. This process is also known as "Imaging." It can be done on site (at the scene) and can also be done off-site (in the lab. The acquisition tools of today now possess the technical capabilities to break the passcode/pin/pattern of just about any mobile device.
  • In the examination phase, the image is captured from the original evidence. It also consists of data which is deleted or hidden on the mobile device. In these instances, the relevant and irrelevant data is segregated by the forensic analyst based on the case background shared by the investigator. In the analysis phase, the analyst looks for the correlation between the relevant data (revealed during the examination phase) and sets priorities to this data set based on the proceeding investigation. In summary, the examiner looks to collect as much information as he or she can, and builds up the evidence. Some of the common types of evidence are the contacts, call logs, SMS, Audio and Video files, emails, any saved notes (this might contain passwords for other accounts), saved geographic location, web activity, and social media updates and chats.
  • Reporting is a comprehensive summary of the results of the mobile forensics investigation. This phase also explains the reason why a particular step was performed with the result that followed from it. The final report also consists of all the compiled documentation, which include the Chain of Custody forms, photographs, etc.


There are several types of mobile forensics Processes which are based on the below-mentioned parameters:

  1. Type of phone (Make, Model, Manufacture)
  2. Operating System
  3. Encryption level
  4. Availability of necessary passcode/pin code/pattern

Manual method

In the manual method, the device is browsed through manually by the forensic specialist. The data on the phone is directly seen/observed/accessed by using its keypad or touchpad. It is a quick method as the examiner is aware of which data to browse first. This method holds the advantage of viewing specific data in a readable format using its native application as it is being observed directly by the forensics investigator. However, this method is prone to human error and biases. Also, it would take a lot of time to capture all the needed data from the mobile device in question.

Logical method

The Logical Method is a quick way of extracting data from the user files directly. The advantage of this method is that it can be viewed easily in the mobile forensic tools. The size of the extracted data is less as the data is not acquired from the flash memory. However, the disadvantage of this method is that it cannot recover deleted data/items from the mobile device.

Physical method

The Physical Method consists of accessing flash memory of the mobile phone and extracting data from that space. In this case, the flash memory is being accessed directly to garner the existing data, and the deleted data also gets captured as well. This method proves to be very beneficial in many forensics cases. To access the flash memory, tools use a bootloader to bypass the security patch of the mobile device.

File system

The File System method extracts data from the system level of the mobile device in question. In this process, information and data related to the applications of the mobile device also get extracted. It is the OS which stores information related to the deleted files in the file system.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.


With the growing demand for the examination of cellular phones and other mobile devices, a need has also developed for the creation of process guidelines. While the specific details of the examination of each device may differ, the adoption of consistent examination processes will assist the examiner in ensuring that the evidence extracted from each phone is well documented and that the results are admissible in a court of law.

Hashim Shaikh
Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: and his LinkedIn Profile here: