• Mobile Phone Forensics

    Today's smartphones can perform functions that were possible only with a computer just a few years ago. In fact, the tables have turned. Many applications are only supported on phones, with developers choosing to ignore cross-platform development for computers entirely. While you may use your computer at work and at other intermittent times throughout the day, you don't have constant access all the time as you do to the phone in your pocket.

    Cell phones are used for everything from making calls and sending texts to transferring money and storing confidential documents. A single phone holds millions of data records in the form of emails, messages, pictures, location data, financial information, and thousands of other categories. Much of this data can be recovered even after it has been deleted, because deleting a record usually only unlinks it rather than overwriting it.

    Mobile Device Forensics

    Our experts are certified and highly experienced in mobile device forensics. Coupled with access to state-of-the-art forensic hardware and software, our team possesses the technology and expertise to provide comprehensive consultation and analysis to help you achieve the best possible outcome in your case.

    Our cell phone forensics experts can recover, analyze and report on the following common data types, among thousands of others:

    • Text messaging
    • Social media
    • Location History
    • Internet activity
    • Search activity
    • Email communication
    • Photos and videos
    • Voice calls
    • Application data
    • Biometric data
    • Financial data

    The Mobile Device Forensic Examination Process

    Digital evidence is fragile and volatile. Improper handling of a mobile phone can alter or destroy the evidence contained in the device. Further, if the mobile phone is not handled following digital forensics best practices, it can be impossible to determine what data was changed and whether those changes were intentional or unintentional. To protect the evidence and prevent spoliation, mobile devices must be analyzed by a trained examiner using mobile device forensic tools.

    The initial handling of digital evidence can be divided into four phases: identification, collection, acquisition, and preservation.

    Identification

    The identification phase's purpose and scope are to identify the digital evidence relevant to the case. It is possible that this evidence will span multiple devices, systems, servers, and cloud accounts. With a mobile phone, the data is not isolated only to the device. The data contained in the device can be synced to cloud storage or another mobile device or backed up onto a computer.

    Identification also requires comprehensive documentation. Documentation is critical throughout the entire investigative process, but especially at the beginning, because mistakes made there can taint the evidence. The acquisition phase produces a snapshot in time (a forensic copy) of how the data exists at that moment. Since identification comes before acquisition, a mistake made here, such as a synced cloud account or a computer backup that was never identified, is carried forward through every later phase.

    Collection

    The collection phase involves gathering physical devices, such as smartphones and other mobile devices. Since digital evidence can span multiple devices, systems, and servers, collecting it can become more complicated than securing more traditional forensic evidence. There are vital functions that should be performed to protect the evidence.

    Isolating Device Users

    The primary goal of the collection process, other than ensuring all relevant electronic items are collected, is to protect digital evidence from contamination. One way this is done is by isolating the devices from their respective users until a forensic acquisition of the mobile device can be performed. While in their custody, the user could delete, create, or change data before the forensic acquisition (the perfect snapshot in time of the mobile phone data) is performed. They could also factory reset or wipe the device, permanently destroying some data or potentially everything on the mobile phone. 

    Isolating Devices

    Along with isolating the mobile phone from the user, we also need to isolate the device itself. By design, mobile phones are intended for communication, and they are continually sending and receiving data even when they are on the bedside table charging overnight. If data transmission occurs, even with no person physically touching the phone, data can be lost, changed, or destroyed.  
     
    Isolation of the device itself is achieved by eliminating all forms of data transmission, including the cellular network, Bluetooth, Wi-Fi, NFC, and infrared connections. In practice this means enabling airplane mode if the device is unlocked and available, and placing the phone in a Faraday bag or shielded enclosure with its own power source, so that it cannot receive a remote wipe command or new messages that would cause existing data to be deleted or overwritten. Powering the device off is not a substitute for shielding: after a restart a modern phone sits in a locked state in which most user data is encrypted with keys that are only released once the passcode is entered, which can sharply reduce what an extraction tool is later able to obtain.

    Acquisition

    The acquisition process is where a digital forensic examiner acquires, or forensically copies, the data from a mobile device using a variety of methods.

    Logical Extraction

    A logical extraction collects the files and folders on the device through the operating system's own interfaces, without any unallocated space. Although unallocated space (commonly called "deleted space") is not captured, deleted data can still be recovered from a logical extraction, because most user data on a phone lives in database files, especially SQLite, and SQLite does not overwrite a deleted row by default: the record remains in the freed space of its page until that space is reused or the database is vacuumed. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more.

    File System Extraction

    A file system extraction is an extension of a logical extraction. It collects much of the same data as a logical extraction along with additional file system data. During a file system extraction, the forensic tool accesses the internal memory of the mobile phone, which means that the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot.

    Most applications store their data in database files on a mobile phone. Because a file system extraction recovers more of these databases, including ones the logical interface does not expose, more deleted records and more traces of application usage on the device can be recovered from it.
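    The two preceding sections both rest on one property of SQLite: a deleted row is unlinked, not erased. The following script is an added example, not code from this page or from any forensic tool. It builds a constructed messages database, deletes two rows, and then searches the raw bytes of the file for the deleted message bodies, once with SQLite's default behaviour and once with the secure_delete pragma turned on, which is the setting a privacy-conscious app would use and the reason recovery sometimes fails. The table schema, phone numbers and message texts are all invented for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for a messaging app's SQLite store.
MESSAGES = [
    (1, "+15550001", "meet at the usual place"),
    (2, "+15550002", "transfer confirmed, 4000 sent"),
    (3, "+15550001", "delete this thread after reading"),
    (4, "+15550003", "lunch tomorrow?"),
]
DELETED_IDS = (2, 3)


def build_and_delete(path, secure_delete):
    """Create a messages table, insert MESSAGES, then delete DELETED_IDS.

    secure_delete=False is SQLite's usual behaviour: a deleted cell is only
    unlinked from its page, so its bytes stay in the file until the space is
    reused. secure_delete=True makes SQLite zero the freed bytes instead.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("PRAGMA journal_mode = DELETE")  # changes land in the main file, not a WAL
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    conn.executemany("DELETE FROM messages WHERE id = ?", [(i,) for i in DELETED_IDS])
    conn.commit()
    conn.close()


def live_ids(path):
    """What a normal query (and the app itself) still sees after the delete."""
    conn = sqlite3.connect(path)
    ids = [row[0] for row in conn.execute("SELECT id FROM messages ORDER BY id")]
    conn.close()
    return ids


def carve_bodies(path, bodies):
    """Scan the raw database file for each message body, ignoring SQLite's
    page structure. This is the crudest form of the recovery a forensic tool
    performs on freed cells and freelist pages inside a database."""
    with open(path, "rb") as f:
        raw = f.read()
    return {body: body.encode() in raw for body in bodies}


def demo(secure_delete):
    """Return (ids still queryable, {deleted body: recoverable from raw bytes})."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_and_delete(path, secure_delete)
        deleted_bodies = [body for mid, _, body in MESSAGES if mid in DELETED_IDS]
        return live_ids(path), carve_bodies(path, deleted_bodies)


if __name__ == "__main__":
    for flag in (False, True):
        ids, found = demo(flag)
        print("secure_delete=%s live ids=%s recoverable=%s" % (flag, ids, found))
```

    With secure_delete off, both deleted bodies are still present in the file even though a SELECT only returns rows 1 and 4; with it on, the same search finds nothing. Real tools go further than a byte search (they parse freed cells and freelist pages to rebuild whole records), but the underlying reason recovery works is exactly what this shows.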

    Physical Extraction

    The physical extraction of a mobile phone captures the entirety of the device's storage, including all files, user content, deleted data, and unallocated space. While this extraction method is the most extensive, it is also the least supported, because it requires getting underneath the operating system (through the bootloader, a service mode, or the flash memory itself) and device vendors have steadily closed off the paths that made this possible. Like the forensic imaging of a computer hard drive, a physical extraction creates a bit-by-bit copy of the phone's storage.

    With a bit-by-bit copy, the logical and file system data are recovered, as well as unallocated space. On older devices this allowed the recovery of deleted data that would otherwise be inaccessible to a forensic examiner, including location information, email, messages, videos, photos, audio, and application data. One caveat applies to current hardware: recent iOS and Android devices use file-based encryption, where each file is protected with its own key, and once a file and its metadata are freed that key is generally unrecoverable. Unallocated space on such a device is therefore mostly unreadable ciphertext, and deleted content is more often recovered from freed space inside live database files than from unallocated space.

    Backup Files

    When you back up your mobile phone to a computer, the result is a set of files rather than a single one: an iOS backup made with iTunes or Finder is a folder of files named by hash and indexed by a Manifest.db database, while an Android backup made with adb is a single .ab archive. Either can be ingested into cell phone forensics software and analyzed much like a forensic extraction of the device. Even if someone deleted the data from the phone or the phone is missing, hope is not lost: the backup can still contain the evidence you need in the case. One practical check before relying on a backup is whether it was made with encryption enabled, since an encrypted iOS backup cannot be read without its backup password.