Mobile Forensics: How Digital Forensics Experts Extract Data from Phones

Search For Schools

“It’s an exciting career, and it’s very rewarding to work behind the scenes. To those who find themselves being tech-savvy, and also wanting to make a difference through everyday life and for victims of crimes, this is an excellent and growing career option.”Mario Merendon, Training Chair for Mobile Forensics with the International Association of Computer Investigative Specialists (IACIS)

Perhaps nothing has changed the modern investigative procedure as much as mobile forensics. A subset of digital forensics, mobile forensics involves the retrieval of data from a mobile device, typically a cell phone or tablet, but potentially a smartwatch, camera, GPS device, or drone. With over 370 million mobile-cellular subscriptions in the United States today, it’s now unusual for a modern investigation to not involve mobile forensics in some fashion.

“When it comes to investigations, those devices are key,” says Mario Merendon, Training Chair for Mobile Device Forensics with the International Association of Computer Investigative Specialists (IACIS). “The type of information that these devices hold helps us piece together a timeline of events. That timeline can give us a full picture of a conversation. It can give us the motive of a crime. It can give us location data. Compared to what was available to assist in solving crimes ten years ago, there’s just a vast amount of information that these mobile devices now hold.”

Mobile forensics is a complicated discipline. Today’s mobile forensics experts need to be trained in the best practices of mobile forensics and investigative procedure, but they also need to stay abreast of the changes and characteristics in cutting-edge technology.

“One of the biggest challenges we’re facing right now is the various types of encryption that each phone has,” Merendon says. “Different software and different operating systems have different go-to encryptions, whether it’s full-disk encryption, or file-based encryption, or password-protected devices. If we’re faced with that type of obstacle, then we have to explore different routes in order to extract that data.”

The complexity of the discipline extends beyond encryption. The proper procedure for investigating an Android phone may not be the same for investigating an Apple phone, and differences in software patches and network connectivity must be accounted for during a mobile forensics investigation. Two different phones seized on two different days may both have the same app, but an investigator’s level of access to the information in that app may be drastically different.

“What we have to do is learn to not solely depend on a single forensic tool, because it will be behind the curve in decoding certain applications,” Merendon says. “The more training that we have in recognizing behind the scenes how a phone works and how databases are created and put together, [the more] we’re able to dig in and get information without having to solely depend on the decoding of a particular forensic tool.”

There’s no one-size-fits-all approach to mobile forensics, as each investigation will have its own unique characteristics—that’s why training programs at IACIS focus on tool-agnostic skills. However, there is a somewhat standard process for mobile forensics: data needs to be seized, retrieved, and analyzed in a forensically sound manner. This ensures that evidence is collected in a way that ensures chain-of-evidence processes and avoids modification or destruction of the data in question.

Meet the Expert: Mario Merendon

Mario Merendon is CEO and chief forensic investigator for VX Digital Defense, a digital forensics and digital investigations company. He is also the Training Chair for Mobile Device Forensics with the International Association of Computer Investigative Specialists (IACIS), which trains federal, state, local law enforcement, and private examiners.

Merendon is a 17-year law enforcement veteran with experience in criminal investigations, including homicides, sex crimes, crimes against children, and internet crimes. He is also experienced in digital forensics, having managed the Denton County Criminal District Attorney’s Office Digital Forensic Lab where he supported 27 police agencies across three counties, and has testified as an expert witness.

Merendon holds a Master’s in Cyber Security and Information Assurance from Sam Houston State University and a Bachelor’s in Criminal Justice Administration from Columbia College. He also holds certifications in Certified Forensic Computer Examiner (CFCE), IACIS Certified Mobile Device Examiner (ICMDE), CompTia Security +, and CompTia A+.

Merendon was first interviewed for this article in September 2020, and again in April 2024.

Mobile Forensics Phase 1: Seizure

When a mobile device is seized, it usually needs to be isolated from the network, to prevent incoming data from overwriting older data. It can then be transported in a Faraday cage or a specialized Faraday bag. The seized device can also be placed in airplane mode (with Wi-Fi disabled), or the SIM card cloned, as circumstances dictate.

Ideally, the device should be seized while awake and unlocked and should be kept on at all times. In the case of a locked device, it’s important to remember that while PIN codes are protected by the 5th amendment, fingerprints may not be.

Mobile Forensics Phase 2: Acquisition

After a device is seized, it’s ready for data acquisition. Mobile data falls into three main types: internal memory, external memory, and system logs. Internal memory is usually stored on the phone itself, while external memory is usually stored on SD cards or memory sticks. System logs may come from the telecom provider and wireless networks that the phone has been using.

Smartphone data of interest to mobile forensics professionals can include GPS information, social network data, browsing history, contacts, text messages, image data, geolocation tags, emails (sent, received, and in drafts), and personal notes. That’s a lot of data to sift through, and investigators often need technical assistance in the form of third-party tools, most of which are automated commercial solutions that can have both a hardware and software component.

There are five main forms of data acquisition: manual acquisition, logical acquisition, full file system acquisition, physical acquisition, and brute force acquisition.

Manual Acquisition

In manual acquisition, a mobile forensics expert will navigate the phone’s user interface manually, capturing screen images along the way. This isn’t much different than simply using the phone, except that the purpose is investigative. Manual acquisition is a time-consuming process, and its scope is limited to the data currently available on the operating system.

Logical Acquisition

In logical acquisition, a mobile forensics expert will copy over a phone’s file system onto a separate device. This is similar to syncing one’s phone with one’s laptop, bringing over the phone’s data in branched, logical structures that are easier to organize and navigate. For some phones’ operating systems, the extracted data may include files marked for deletion but not yet overwritten.

Full File System Acquisition

In a full file system acquisition, mobile forensic experts are able to obtain deeper folder and file system structures from both iOS and Android devices. The data that is obtainable contains less data than a physical acquisition, but still includes many data stores that contain deleted data and important user data. Due to certain restrictions in mobile device software, full file system acquisitions are the new go-to method supported by many commercial forensic tools.

Physical Acquisition

In physical acquisition, forensics experts ‘flash’ over all the contents of a phone onto a separate device. This is a bit-for-bit copy of the mobile device’s flash memory and might allow an examiner to review deleted or partially deleted data. However, most phones are locked to a specific wireless operator and protect against access to flash memory. To circumvent this, some mobile forensics experts may turn to boot loaders and other forensics tools to bypass the lock.

Brute Force Acquisition

To bypass lock screens and passcodes, some investigators may apply brute force, which again usually involves third-party tools. These tools, in their earliest forms, would physically attempt all possible iterations of a numerical PIN code to one’s phone. Newer lock screens and better security systems have rendered that method relatively primitive; today’s brute force acquisition tools are more sophisticated than the name implies.

Mobile Forensics Phase 3: Analysis

Once the data has been acquired, mobile forensics experts will need to analyze it. But a typical smartphone has 64GB of internal storage, which amounts to approximately 33,500 reams of paper. Within that astronomical amount of data, the critical piece of evidence could be both tiny and innocuous: missed calls can be as important as sent text messages, discarded email drafts as important as selfies.

“Depending on the type of case, we may be interested in only a certain category of data,” Merendon says. “In child abuse cases, for example, we’re very interested in web search histories and pictures. When we’re only looking at certain categories, we’re able to filter out the other things we don’t need to look at.”

In big cases, though, where many different categories of data are potentially of interest—chats, pictures, contacts—the process can be much more time-intensive. To combat that swamp of data requires multiple technical solutions.

Each forensics tool comes with different analytic features, some in the form of timeline viewing and link analysis to aid data visualization for the forensic investigator. Further keyword search and targeted filtering can make the murky waters of data analysis a little more transparent and a little more shallow.

In any event, a mobile forensics investigator will likely need to be proficient with more than one analytical tool, and well-trained in preserving a proper chain of evidence.

The Future of Mobile Forensics

Mobile forensics is a rapidly evolving field that needs to keep pace with the innovations of the tech industry at large. The market share of certain hardware and operating systems can fluctuate significantly over a short time span, changing the tools and procedures that mobile forensics needs to use to acquire and analyze a smartphone’s data.

Additional security measures, such as two-factor authentication on cloud-stored data and increasing base-layer encryption, add further layers of complexity. New generations of analytical toolkits and overlapping laws around jurisdiction call for today’s mobile forensics investigator to be expertly trained.

“A lot of colleges now are offering bachelor’s and master’s degrees in computer forensics,” Merendon says. “Some of our examiners have industry certifications, and then college degrees on top of it. Others come from a law enforcement background. It all ties in together—investigative skills along with computer certifications—to help pinpoint the type of information we need to solve crimes.”

Mobile forensics isn’t just about catching criminals, though. Merendon and his colleagues often use their mobile forensics skills on behalf of victims, too. The learning curve of mobile forensics may be high, but so are the stakes: truth and justice may be just a few clicks away.

“It’s an exciting career, and it’s very rewarding to work behind the scenes,” Merendon says. “To those who find themselves being tech-savvy, and also wanting to make a difference through everyday life and for victims of crimes, this is an excellent and growing career option.”

Update 2024: More Devices, More Data, More Tools

The last four years have seen significant change, particularly in technology, but if there’s one constant, it’s more: more devices, more data, more tools, and more need for highly skilled mobile examiners.

“From an investigative side, mobile examinations are now a part of nearly every major crime, from crimes against children to vehicle crashes and burglaries,” Merendon says. “Plus, data stored in the cloud is more accessible thanks to more support offered by forensic tool provider, which allows examiners to extract that data and pair it with mobile data and third-party apps.”

The proliferation of new and numerous devices presents both challenges and opportunities for mobile examiners. Hardware and software are changing, too. Newer versions of file systems that make storage and access more efficient for users can act as hurdles for examiners and forensic tool companies who want to keep pace.

“Having access to both commercially available tools and open-source tools is more important than ever,” Merendon says. “Fortunately, we have seen the cost of tools with features that allow examiners to acquire full file systems and physical extractions for newer devices slowly becoming more affordable.”

But it’s important for examiners not to get too attached to any particular tool. Meredon is a strong proponent of tool-agnostic training, such as that offered by IACIS. By focusing on the deep fundamentals of how mobile devices actually store data and how that can affect an examination, examiners can future-proof their knowledge and skills.

“Once you understand the nuances involved, no matter the forensic tool, you’ll know where to go and how it’s decoded,” Merendon says. “This is especially important when a forensic tool doesn’t support an application or automatically parse it out, but the data is there waiting to be discovered.”

Going forward, new tools should make accessing a mobile device’s data and artifacts easier. Research into new methods of access and retrieval will continue. Already, open source tools like iLEAPP/aLEAPP have been filling the gaps where commercial tools fall short. But as devices continue to evolve, the forensic examiner’s tools will need to evolve, too. And as the frontier of mobile forensics continues to increase, so will the importance of skilled mobile examiners.

“The available data within mobile devices, along with the increasing amount of forensic tool support, provide a promising future for examiners and investigations,” Merendon says.


Matt Zbrog

Matt Zbrog is a writer and researcher from Southern California. Since 2018, he’s written extensively about the increasing digitization of investigations, the growing importance of forensic science, and emerging areas of investigative practice like open source intelligence (OSINT) and blockchain forensics. His writing and research are focused on learning from those who know the subject best, including leaders and subject matter specialists from the Association of Certified Fraud Examiners (ACFE) and the American Academy of Forensic Science (AAFS). As part of the Big Employers in Forensics series, Matt has conducted detailed interviews with forensic experts at the ATF, DEA, FBI, and NCIS.