Mobile forensics is the recovery and analysis of digital evidence from smartphones, tablets, and other mobile devices. Mobile devices often contain a wealth of personal data — call logs, messages, photos, GPS locations, app data, and more — making them critical evidence sources in both criminal and civil investigations.
| Challenge | Description |
|---|---|
| Device diversity | Thousands of models from hundreds of manufacturers, each with different hardware and software |
| Operating system fragmentation | Multiple versions of iOS and Android in active use; each version changes data structures |
| Encryption by default | Modern iOS and Android devices use full-disk or file-based encryption |
| Passcode/biometric locks | PIN, password, pattern, fingerprint, and face recognition protect access |
| Rapid updates | OS updates change artefact locations and security mechanisms frequently |
| Cloud storage | Much data may exist only in the cloud, not on the device |
| Anti-forensic features | Remote wipe, self-destruct timers, encrypted messaging apps |
| SoC integration | System-on-chip designs make hardware-level access difficult |
Mobile forensic acquisition exists on a spectrum from least to most invasive:
| Level | Method | Data Recovered | Tools/Techniques |
|---|---|---|---|
| Manual | Photograph and document the screen | Only what is visible on screen | Camera; screen recording |
| Logical | Extract data through the device's APIs or backup mechanisms | Active files, databases, app data | Cellebrite, Oxygen, ADB |
| File system | Copy of the live file system, typically through an agent or a jailbroken/rooted device | More than logical: system files, app sandboxes, and SQLite databases including their free pages (deleted rows), but not the flash's unallocated space | Agent-based extraction; jailbreak/root |
| Physical | Bit-for-bit image of the device's flash memory | Everything on the flash, including unallocated space and deleted data; on modern devices with file-based encryption the image is ciphertext unless the keys can also be recovered | Chip-off; JTAG; ISP; advanced tools |
| Chip-off | Physically remove the flash memory chip and read it directly | Raw NAND contents (usually encrypted on modern devices) | Specialised equipment; destructive, with a real risk of device damage |
Acquisition hierarchy (least to most invasive):
Manual ──▶ Logical ──▶ File System ──▶ Physical ──▶ Chip-off
(least data) (most data)
iOS Data Protection assigns every file a protection class; the class decides when the per-file key can be unwrapped, and therefore what an extraction can read in each device state:
| Protection Class | Description |
|---|---|
| Complete Protection | The class key is evicted from memory shortly after the device locks; data is readable only while the device is unlocked |
| Protected Unless Open | A file opened while unlocked stays readable after the device locks, and new files can be created while locked, but a closed file cannot be reopened until the next unlock |
| Protected Until First User Authentication | The class key stays in memory from the first unlock after boot until reboot, so data is readable even while locked (the After First Unlock state; the default class for most app data) |
| No Protection | The key is wrapped only with the hardware key, so data is readable even before first unlock (used for some system files) |
Key iOS artefacts (file names as found on the data partition; most sit under /private/var/mobile/Library/). Note that timestamps in these SQLite files count from the Apple epoch of 2001-01-01 UTC, not the Unix epoch:
| Artefact | Location | Evidence |
|---|---|---|
| Call history | CallHistory.storedata | Phone calls with timestamps and durations |
| SMS/iMessage | sms.db | Text messages, attachments, timestamps |
| Contacts | AddressBook.sqlitedb | Contact names, phone numbers, email addresses |
| Safari history | History.db | Browsing history with visit times (bookmarks are in Bookmarks.db) |
| Photos | DCIM/ and PhotoData/ | Photos and videos with EXIF metadata (GPS, timestamps) |
| Location data | locationd/cache_encryptedB.db, com.apple.routined/ caches | Significant locations, Wi-Fi connections, cell tower data |
| App data | Application data containers | App-specific databases and files |
| Keychain | keychain-2.db | Stored passwords, tokens, certificates (items are encrypted with class keys, so they need the device keys to decrypt) |
| Health data | healthdb_secure.sqlite | Step counts, heart rate, activity data |
| KnowledgeC | knowledgeC.db | Device usage, app focus and usage, screen time, with start/end timestamps |
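To show how two of these artefacts are actually queried, here is an added example in Python (not code from the lesson): it opens an sms.db copy read-only, lists messages with their Apple timestamps converted to UTC, and pulls foreground-app sessions from knowledgeC.db. The schemas are cut-down versions of the real `message`/`handle` and `ZOBJECT` tables, and every row, handle, message text and bundle identifier is constructed test data rather than anything taken from a device.

```python
"""Query iOS sms.db and knowledgeC.db artefacts and normalise Apple timestamps.

Added example, not code from the original lesson. The schemas are cut-down
versions of the real `message`/`handle` (sms.db) and `ZOBJECT` (knowledgeC.db)
tables; every row below is constructed test data, not from any device.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple (Cocoa / Core Data) epoch: seconds since 2001-01-01 00:00:00 UTC,
# not the Unix epoch. The offset between the two is 978307200 s.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(value):
    """Convert an Apple timestamp to an aware UTC datetime.

    Older sms.db files store seconds since 2001; iOS 11+ stores nanoseconds
    since 2001 in the same column. knowledgeC.db ZSTARTDATE/ZENDDATE are REAL
    seconds since 2001. Detect the unit by magnitude: 1e11 s after 2001 would
    be year ~5170, so anything larger must be nanoseconds.
    """
    if value is None:
        return None
    if value > 1e11:
        value = value / 10**9
    return COCOA_EPOCH + timedelta(seconds=value)


def open_readonly(path):
    """Open an evidence copy without letting SQLite write to it.

    mode=ro refuses writes; immutable=1 also stops SQLite from touching the
    -wal/-shm files (copy those alongside the .db or recent rows may be missing).
    """
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def list_messages(conn):
    """Return sms.db messages oldest first with handle, direction and UTC time."""
    rows = conn.execute(
        """
        SELECT m.ROWID, h.id, m.text, m.date, m.is_from_me
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
        """
    ).fetchall()
    msgs = [
        {
            "rowid": rowid,
            "handle": handle,
            "text": text,
            "direction": "sent" if is_from_me else "received",
            "timestamp": cocoa_to_utc(date),
        }
        for rowid, handle, text, date, is_from_me in rows
    ]
    # Sort after normalisation: raw `date` values may mix units across iOS versions.
    return sorted(msgs, key=lambda m: m["timestamp"])


def app_focus_sessions(conn):
    """Return knowledgeC /app/inFocus sessions: foreground app, start, end, duration."""
    rows = conn.execute(
        """
        SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT
        WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE
        """
    ).fetchall()
    return [
        {
            "bundle_id": bundle,
            "start": cocoa_to_utc(start),
            "end": cocoa_to_utc(end),
            "seconds": float(end - start),
        }
        for bundle, start, end in rows
    ]


def build_sample_db():
    """In-memory database with constructed rows (both timestamp units on purpose)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER);
        CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
                              ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL);
        INSERT INTO handle VALUES (1, '+15551234567');
        -- legacy unit: seconds since 2001 -> 2015-06-01 08:00:00 UTC
        INSERT INTO message VALUES (1, 1, 'Meet at the usual place', 454838400, 0);
        -- iOS 11+ unit: nanoseconds since 2001 -> 2024-03-15 12:30:00 UTC
        INSERT INTO message VALUES (2, 1, 'On my way', 732198600000000000, 1);
        -- Messages app in the foreground 12:20:00 -> 12:30:00 UTC
        INSERT INTO ZOBJECT VALUES (1, '/app/inFocus', 'com.apple.MobileSMS',
                                    732198000.0, 732198600.0);
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for m in list_messages(db):
        print(m["timestamp"].isoformat(), m["direction"], m["handle"], m["text"])
    for s in app_focus_sessions(db):
        print(s["start"].isoformat(), s["bundle_id"], f"{s['seconds']:.0f}s in focus")
```

Against a real extraction, replace `build_sample_db()` with `open_readonly("path/to/sms.db")` after copying the database together with any `-wal` and `-shm` files; opening evidence writable lets SQLite checkpoint the WAL and alters the hash of the file you are supposed to be preserving.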