Mobile Forensics: How Digital Forensics Experts Extract Data from Phones



It’s an exciting career, and it’s very rewarding to work behind the scenes. To those who find themselves being tech-savvy, and also wanting to make a difference through everyday life and for victims of crimes, this is an excellent and growing career option.

Mario Merendon, Mobile Device Forensics Chairman for the International Association of Computer Investigative Specialists (IACIS)

Perhaps nothing has changed the modern investigative procedure as much as mobile forensics. A subset of digital forensics, mobile forensics involves the retrieval of data from a mobile device, typically a cell phone or tablet, but potentially a smartwatch, camera, GPS device, or drone. With over 400 million mobile-cellular subscriptions in the United States today, it’s now unusual for a modern investigation to not involve mobile forensics in some fashion.

“When it comes to investigations, those devices are key,” says Mario Merendon, a computer forensic investigator for Denton County Criminal District Attorney’s Office and the mobile device forensics chairman for the International Association of Computer Investigative Specialists (IACIS). “The type of information that these devices hold helps us piece together a timeline of events. That timeline can give us a full picture of a conversation. It can give us the motive of a crime. It can give us location data. Compared to what was available to assist in solving crimes ten years ago, there’s just a vast amount of information that these mobile devices now hold.”

Mobile forensics is a complicated discipline. Today’s mobile forensics experts need to be trained in the best practices of mobile forensics and investigative procedure, but they also need to stay abreast of the changes and characteristics in cutting-edge technology.

“One of the biggest challenges we’re facing right now is the various types of encryption that each phone has,” Merendon says. “Different software and different operating systems have different go-to encryptions, whether it’s full-disk encryption, or file-based encryption, or password-protected devices. If we’re faced with that type of obstacle, then we have to explore different routes in order to extract that data.”

The complexity of the discipline extends beyond encryption. The proper procedure for investigating an Android phone may not be the same as the procedure for investigating an Apple phone, and differences in software patches and network connectivity must be accounted for during a mobile forensics investigation. Two different phones seized on two different days may both have the same app, but an investigator’s level of access to the information in that app may be drastically different.

“What we have to do is learn to not solely depend on a single forensic tool, because it will be behind the curve in decoding certain applications,” Merendon says. “The more training that we have in recognizing behind the scenes how a phone works and how databases are created and put together, [the more] we’re able to dig in and get information without having to solely depend on the decoding of a particular forensic tool.”

There’s no one-size-fits-all approach to mobile forensics, as each investigation will have its own unique characteristics—that’s why training programs at IACIS focus on tool-agnostic skills. However, there is a somewhat standard process for mobile forensics: data needs to be seized, retrieved, and analyzed in a forensically sound manner. That means evidence is collected in a way that preserves the chain of evidence and avoids modification or destruction of the data in question.
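One way to make "forensically sound" checkable, shown as an added example that is not from the article or from any forensic tool: hash the image at acquisition, record each handoff in a hash-linked custody log, and re-verify both later. The file name, examiner labels and log fields are assumptions made for illustration.

```python
import hashlib
import json
import pathlib
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, examiner, action, image_path, when):
    """Append a custody record that is linked to the previous one by its hash."""
    entry = {"when": when, "examiner": examiner, "action": action,
             "image_sha256": sha256_file(image_path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)

def verify_log(log, image_path):
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: custody record altered or out of order")
        if entry["image_sha256"] != log[0]["image_sha256"]:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev = entry["entry_hash"]
    if log and sha256_file(image_path) != log[0]["image_sha256"]:
        problems.append("image on disk no longer matches acquisition hash")
    return problems

def demo():
    """Constructed sample: a small stand-in image and two custody entries."""
    with tempfile.TemporaryDirectory() as tmp:
        image = pathlib.Path(tmp, "device.img")
        image.write_bytes(b"constructed sample image bytes" * 1000)
        log = []
        append_entry(log, "examiner-a", "acquired", image, "2024-01-01T10:00:00Z")
        append_entry(log, "examiner-b", "received for analysis", image, "2024-01-02T09:00:00Z")
        clean = verify_log(log, image)
        image.write_bytes(image.read_bytes() + b"\x00")  # simulate a post-acquisition write
        return clean, verify_log(log, image)
```

Because each record carries the hash of the one before it, editing an earlier entry breaks verification at that entry, and any write to the image itself shows up as a hash mismatch.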

Mobile Forensics Phase 1: Seizure

When a mobile device is seized, it usually needs to be isolated from the network, to prevent incoming data from overwriting older data. It can then be transported in a Faraday cage or a specialized Faraday bag. The seized device can also be placed in airplane mode (with Wi-Fi disabled), or the SIM card cloned, as circumstances dictate.

Ideally, the device should be seized while awake and unlocked and should be kept on at all times. In the case of a locked device, it’s important to remember that while PIN codes are protected by the Fifth Amendment, fingerprints may not be.

Mobile Forensics Phase 2: Acquisition

After a device is seized, it’s ready for data acquisition. Mobile data falls into three main types: internal memory, external memory, and system logs. Internal memory is usually stored on the phone itself, while external memory is usually stored on SD cards or memory sticks. System logs may come from the telecom provider and wireless networks that the phone has been using.

Smartphone data of interest to mobile forensics professionals can include GPS information, social network data, browsing history, contacts, text messages, image data, geolocation tags, emails (sent, received, and in drafts), and personal notes. That’s a lot of data to sift through, and investigators often need technical assistance in the form of third-party tools, most of which are automated commercial solutions that can have both a hardware and software component.

There are four main forms of data acquisition: manual acquisition, logical acquisition, physical acquisition, and brute force acquisition.

Manual Acquisition

In manual acquisition, a mobile forensics expert will navigate the phone’s user interface manually, capturing screen images along the way. This isn’t much different than simply using the phone, except that the purpose is investigative. Manual acquisition is a time-consuming process, and its scope is limited to the data currently available on the operating system.

Logical Acquisition

In logical acquisition, a mobile forensics expert will copy over a phone’s file system onto a separate device. This is similar to syncing one’s phone with one’s laptop, bringing over the phone’s data in branched, logical structures that are easier to organize and navigate. For some phones’ operating systems, the extracted data may include files marked for deletion but not yet overwritten.

Physical Acquisition

In physical acquisition, forensics experts ‘flash’ over all the contents of a phone onto a separate device. This is a bit-for-bit copy of the mobile device’s flash memory and might allow an examiner to review deleted or partially deleted data. However, most phones are locked to a specific wireless operator and protect against access to flash memory. To circumvent this, some mobile forensics experts may turn to boot loaders and other forensics tools to bypass the lock.

Brute Force Acquisition

To bypass lock screens and passcodes, some investigators may apply brute force, which again usually involves third-party tools. These tools, in their earliest forms, would physically attempt every possible combination of a numerical PIN code on the phone. Newer lock screens and better security systems have rendered that method relatively primitive; today’s brute force acquisition tools are more sophisticated than the name implies.

Mobile Forensics Phase 3: Analysis

Once the data has been acquired, mobile forensics experts will need to analyze it. But a typical smartphone has 64GB of internal storage, which amounts to approximately 33,500 reams of paper. Within that astronomical amount of data, the critical piece of evidence could be both tiny and innocuous: missed calls can be as important as sent text messages, discarded email drafts as important as selfies.

“Depending on the type of case, we may be interested in only a certain category of data,” Merendon says. “In child abuse cases, for example, we’re very interested in web search histories and pictures. When we’re only looking at certain categories, we’re able to filter out the other things we don’t need to look at.”

In big cases, though, where many different categories of data are potentially of interest—chats, pictures, contacts—the process can be much more time-intensive. To combat that swamp of data requires multiple technical solutions.

Each forensics tool comes with different analytic features, some in the form of timeline viewing and link analysis to aid data visualization for the forensic investigator. Further keyword search and targeted filtering can make the murky waters of data analysis a little more transparent and a little more shallow.

In any event, a mobile forensics investigator will likely need to be proficient with more than one analytical tool, and well-trained in preserving a proper chain of evidence.
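The timeline and keyword filtering described above, done directly against an app database without a commercial tool, as an added example that is not from the article. The table and column names are hypothetical and the rows are constructed; the sample assumes one table stores Unix milliseconds and the other stores seconds since 2001-01-01 UTC (the Cocoa epoch used on Apple platforms), so both must be normalized before events can be ordered.

```python
import pathlib
import sqlite3
import tempfile
from datetime import datetime, timezone

COCOA_EPOCH_OFFSET = 978307200  # seconds between 1970-01-01 and 2001-01-01 UTC

def build_sample_db(path):
    """Constructed sample data; table and column names are hypothetical."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE messages(sent_ms INTEGER, peer TEXT, body TEXT);
        CREATE TABLE call_log(start_cocoa REAL, peer TEXT, answered INTEGER);
        INSERT INTO messages VALUES (1704103200000, '+15550100', 'meet at the garage');
        INSERT INTO messages VALUES (1704110400000, '+15550101', 'running late');
        INSERT INTO call_log VALUES (725796300.0, '+15550100', 0);
    """)
    con.commit()
    con.close()

def timeline(path, keyword=None):
    """Open the database read-only and merge both tables into one UTC timeline."""
    uri = pathlib.Path(path).as_uri() + "?mode=ro"  # never write to evidence
    con = sqlite3.connect(uri, uri=True)
    events = []
    for ms, peer, body in con.execute("SELECT sent_ms, peer, body FROM messages"):
        events.append((ms / 1000, "message", peer, body))
    for cocoa, peer, answered in con.execute("SELECT start_cocoa, peer, answered FROM call_log"):
        detail = "answered call" if answered else "missed call"
        events.append((cocoa + COCOA_EPOCH_OFFSET, "call", peer, detail))
    con.close()
    if keyword:
        events = [e for e in events if keyword.lower() in f"{e[2]} {e[3]}".lower()]
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, peer, detail)
            for ts, kind, peer, detail in sorted(events)]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = pathlib.Path(tmp, "sample.db")
        build_sample_db(db)
        return timeline(db), timeline(db, keyword="+15550100")
```

In the sample, the missed call falls five minutes after the first message from the same number, an ordering that only appears once both timestamp formats are converted to the same clock.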

The Future of Mobile Forensics

Mobile forensics is a rapidly evolving field—one that needs to keep pace with the innovations of the tech industry at large. The market share of certain hardware as well as certain operating systems can fluctuate significantly over a short timespan, changing the tools and procedures that mobile forensics investigators need to use in order to acquire and analyze a smartphone’s data.

Additional security measures, such as two-factor authentication on cloud-stored data and an increasing level of base-layer encryption, add further layers of complexity. New generations of analytical toolkits and overlapping laws around jurisdiction call for today’s mobile forensics investigator to be expertly trained.

“A lot of colleges now are offering bachelor’s and master’s degrees in computer forensics,” Merendon says. “Some of our examiners have industry certifications, and then college degrees on top of it. Others come from a law enforcement background. It all ties in together—investigative skills along with computer certifications—to help pinpoint the type of information we need to solve crimes.”

Mobile forensics isn’t just about catching criminals, though. Merendon and his colleagues often use their mobile forensics skills on behalf of victims, too. The learning curve of mobile forensics may be high, but so are the stakes: truth and justice may be just a few clicks away.

“It’s an exciting career, and it’s very rewarding to work behind the scenes,” Merendon says. “To those who find themselves being tech-savvy, and also wanting to make a difference through everyday life and for victims of crimes, this is an excellent and growing career option.”


Matt Zbrog

Matt Zbrog is a writer and freelancer who has been living abroad since 2016. His nonfiction has been published by Euromaidan Press, Cirrus Gallery, and Our Thursday. Both his writing and his experience abroad are shaped by seeking out alternative lifestyles and counterculture movements, especially in developing nations. You can follow his travels through Eastern Europe and Central Asia on Instagram at @weirdviewmirror. He’s recently finished his second novel, and is in no hurry to publish it.