Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Mobile Forensics: What You Need To Know

July 19, 2022

We often see more mobile devices come into our forensic lab than traditional computers (desktops and laptops). One reason for that is because mobile devices are consistently becoming more like computers. Device users can send and receive email, create and edit documents, save files and so much more.

Mobile device storage space has also skyrocketed. The most recent Apple iPhone, the iPhone 13 Pro, comes with storage sizes starting at 128 GB and goes to 1TB of storage. If you’re not an iPhone user, then the latest Samsung phone, the Galaxy S22 Ultra, has a very similar storage capacity range. Many mid-tier laptops and desktops have storage capacity like that of a device that people carry around in their pockets.

What is mobile forensics?

Mobile forensics is the process of acquiring, analyzing, and producing data from mobile devices. Mobile devices can include smartphones, tablets, and feature phones.

The mobile forensics process often starts with gathering information about the type of device that a person has in their possession. After determining whether there is support for that specific make and model, a forensic collection of the device will be performed.

Once a forensic collection of a device is done, the forensic analysis of the device begins. This is where a digital forensic analyst will run search terms, date and time filters, and review the data on the device according to the scope of work determined by their search authority.

After completing the analysis, there is usually a reporting phase. This includes generating some type of production containing the results of the analysis. This could range from a file containing relevant text messages to a report of findings for a review of a device for spyware or malicious activity.

What types of data can be found or examined from a mobile device?

The type of data found and examined on a mobile device again hinges on the forensic collection tool’s support for the make and model of device, as well as the analysis software’s support for interpreting the data. We find that, in most cases with mobile forensics, there are a few common data types that are requested:

  1. Communications, including text messages, chats, email, call records and instant messages.
  2. Internet browser history.
  3. Recovery of deleted data.

The fact is that mobile devices can store a lot of data, especially as their storage capacity increases. It is not uncommon for items such as location data and other application data to be found on these devices.

What about deleted data?

With mobile devices, there certainly is a chance to recover deleted data. Usually with mobile devices, when an item is deleted from the device, the space that the data was occupying is marked as available for new data to be written to.

To simplify, if you deleted a photo on your phone, space it was taking up now becomes available for new data to be saved to. This means that if you then received new messages or take a new photo or video, it is possible that those new data types have been saved over that deleted photo.

In the digital forensic world, this means that the original photo has now been overwritten. If data has been overwritten on a mobile device, then that data is no longer recoverable. If the data has not been overwritten then there is a chance, depending on the make and model of device, that deleted data can be recovered from the device.

What can you do to help?

Throughout there have been a few questions that are critically important and will likely be asked of you by a digital forensic expert before the start of a new case. Having the answers to these questions can help save you time and money.

What is the make and model of device?

With this question the digital forensic expert is trying to understand what type of device it is that you have. Do you have an Apple iPhone 12, a Samsung Galaxy S10? Do you know the specific model number? The answer to this question helps the digital forensic expert gauge the support for the device and helps to determine what types of data can and cannot be retrieved.

What is the device’s storage capacity?

Does the device have 128 GB, 512 GB or some other size storage capacity? This question helps the expert determine the potential length of time a device acquisition may take. The larger the storage capacity, the longer it is going to take to make the forensic collection.

What types of data are you looking for?

Knowing this ahead of time can help the expert determine the amount of time it will take to conduct the analysis as well as advise you of what data may or may not be found on that device.

Mobile devices are only getting more features and more storage capacity as technology advances. As those devices advance, so do the methods of collecting and analyzing data from the devices. We are walking around with what are small computers in our pockets and bags. They store a wealth of information about our lives, and we often find ourselves wondering how we would live without them.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology