blogs
Mobile Forensics 101: What Your Phone Remembers That You've Forgotten
What smartphones retain that most people don't expect, and how mobile forensics differs from established desktop forensic practice.
Mobile Forensics 101: What Your Phone Remembers That You've Forgotten
Mobile forensics is one of the most practically relevant areas of digital forensics today. Smartphones are involved in nearly every kind of investigation — criminal cases, civil litigation, corporate HR investigations, and security incidents. Understanding what data these devices retain, how to extract it, and how to preserve it as evidence is a critical skill.
I took Mobile Forensics as part of my MS coursework at Boston University. Here's what I learned.
Why Mobile Forensics Is Different
Desktop forensics has decades of established practice. Mobile forensics is harder in several ways:
Diversity: Thousands of device models, multiple OS versions, manufacturer customizations, carrier modifications. An extraction technique that works on a Samsung Galaxy S22 may fail on a Galaxy S23 with a different security patch level.
Encryption: Modern iOS (since iOS 8) and Android (since Android 6.0) enable full-device encryption by default. Without the passcode, storage is cryptographically inaccessible.
Anti-forensics features: Face ID, Touch ID, biometric lockout, remote wipe, and Find My/Find My Device can destroy evidence remotely or prevent access.
Cloud integration: Much of what was on the phone may have already moved to the cloud — iCloud, Google Photos, WhatsApp backups. Investigating the cloud requires separate legal process.
Types of Data Found on Mobile Devices
Understanding what's potentially recoverable:
Call logs and SMS/MMS: Often retained in the device's telephony database. Even deleted messages may be recoverable if storage space hasn't been overwritten.
Application data: Every app stores data in its own sandbox directory. Chat apps (WhatsApp, Signal, Telegram), social media apps, dating apps, navigation apps — all retain logs, media, contact information.
Location data: iOS retains "Significant Locations" and geofence history. Android retains Google Location History. Apps independently store location data. GPS coordinates embedded in photos.
Browser history: Safari, Chrome, Firefox — browsing history, search history, cached pages, form data.
Photos and videos: Metadata includes GPS coordinates, timestamps, device model. Even "deleted" photos may remain in a "Recently Deleted" folder or in unallocated storage space.
Contacts, calendars, notes: Often synced to cloud but also retained locally.
Deleted data: When data is deleted, the file system marks storage as available but doesn't immediately overwrite it. Deleted data is potentially recoverable until overwritten — this window varies widely by device behavior.
Forensic Extraction Methods
Extraction methods range from least invasive to most invasive:
Logical Extraction: Uses the device's own file system APIs to extract accessible data — essentially a structured export. Requires the device to be unlocked. Gets you files, databases, contacts, and app data. Misses deleted data.
File System Extraction: Deeper access to the full file system. Requires exploiting vulnerabilities or using privileged modes (iTunes backup with encryption disabled for iOS; ADB with developer mode enabled for Android). Gets more raw data including some deleted artifacts.
Physical Extraction: A bit-for-bit copy of the device's storage — every sector, including unallocated space where deleted data may live. Provides the most comprehensive forensic image. Hardest to achieve on modern encrypted devices.
Chip-Off: Physically removing the storage chip and reading it directly with specialized hardware. Used when the device is severely damaged or locked. Highly specialized, requires chip-level expertise.
Tools of the Trade
Cellebrite UFED: The industry-standard commercial tool for law enforcement. Supports extraction and analysis of thousands of device models. Very expensive — not something you'll have in a home lab.
Oxygen Forensic Detective: Another commercial tool with strong app parsing and cloud extraction capabilities.
ADB (Android Debug Bridge): For Android devices with USB debugging enabled. Useful for logical extraction in authorized contexts.
iTunes/Finder Backups: For iOS devices. Backups can be analyzed with free tools like iMazing or Libimobiledevice.
Autopsy: Free, open-source digital forensics platform. Parses many mobile backup formats, file systems, and app databases.
SQLite Browser: Many mobile apps (WhatsApp, Signal, SMS, browser history) store data in SQLite databases. DB Browser for SQLite lets you directly inspect these files.
The Forensic Process
Preservation first: Before any extraction, document the device's current state — charge level, lock status, visible apps. Take photographs. Isolate from networks (Faraday bag to prevent remote wipe).
Establish chain of custody: Every person who handles the device, every action taken, every tool used must be documented with timestamps. Evidence integrity depends on this.
Make a forensic image: Work from a verified copy of the data, not the original device. Verify image integrity with hash values (SHA-256) before and after.
Non-destructive analysis: Analysis should not modify the original data. Write-blockers for physical media, verified copies for logical data.
Documentation: Every finding must be documented with the method used to find it, the tool version, and the exact location in the data (file path, database table, offset).
Privacy and Legal Considerations
Mobile forensics is powerful — and that power requires clear legal authorization. In law enforcement contexts, this means a warrant. In corporate investigations, it requires clear HR policies and employee agreements about device monitoring. In personal contexts, accessing someone else's device without authorization is a crime.
The technical capability to extract data does not constitute authorization to do so. This is a principle I take seriously, and it's one that's often overlooked in discussions of forensic tools.
A Practical Exercise: Analyzing a WhatsApp Backup
For my coursework, I analyzed a WhatsApp backup from a test device I owned. The backup is an SQLite database located at:
- Android:
/sdcard/WhatsApp/Databases/msgstore.db - iOS (via iTunes backup):
~/Library/Application Support/MobileSync/Backup/
Opening it in DB Browser for SQLite and querying the messages table:
SELECT
datetime(timestamp/1000, 'unixepoch') as message_time,
key_remote_jid as contact,
data as message_content,
media_url,
latitude,
longitude
FROM messages
WHERE deleted != 1
ORDER BY timestamp DESC;
Even a "basic" chat app database contains a detailed record: timestamps accurate to the millisecond, message content, media references, read receipts, and location data if location sharing was used.
This exercise made viscerally clear why mobile forensics is so powerful — and why privacy-preserving communication tools with proper encryption matter.
