Cell Phone / Mobile Device Forensics

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including GPS devices and tablet computers.


Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts.

Mobile device forensics can be particularly challenging on a number of levels:

- To remain competitive, original equipment manufacturers frequently change mobile phone form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. As a result, forensic examiners must use a different forensic process compared to computer forensics.

- Storage capacity continues to grow thanks to demand for more powerful "mini computer" type devices.

- Not only the types of data but also the way mobile devices are used constantly evolve.

- Hibernation behaviour in which processes are suspended when the device is powered off or idle but at the same time, remaining active.


As a result of these challenges, a wide variety of tools exist to extract evidence from mobile devices; no one tool or method can acquire all the evidence from all devices. It is therefore recommended that forensic examiners, especially those wishing to qualify as expert witnesses in court, undergo extensive training in order to understand how each tool and method acquires evidence; how it maintains standards for forensic soundness; and how it meets legal requirements such as the Daubert standard or Frye standard.


As mobile device technology advances, the amount and types of data that can be found on a mobile device is constantly increasing. Evidence that can be potentially recovered from a mobile phone may come from several different sources, including handset memory, SIM card, and attached memory cards such as SD cards.


Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include wider varieties of information; from web browsing, Wireless network settings, geolocation information (including geotags contained within image metadata), e-mail and other forms of rich internet media, including important data—such as social networking service posts and contacts—now retained on smartphone 'apps'.

Mobile devices have become an integral part of peoples’ daily lives, and as such, they are prone to facilitating criminal activity or otherwise being involved when crimes occur. Whereas computers, laptops, servers, and gaming devices might have many users, in the vast majority of cases, mobile devices generally belong to an individual.


Mobile devices present many challenges from a forensic perspective. With new models being developed each day, it is extremely difficult to develop a single process or tool to address all the possibilities an examiner may face. Court cases such as Riley v. California also need to be taken into consideration as mobile devices are being seized and analyzed.

 Examples of commonly recoverable data includes:

  • Text Messages (SMS – Short Message Service)
  • Photo/Multimedia Messages (Multimedia Messaging Service)
  • Pictures and Images
  • Video and Audio Recordings
  • Call History Logs (Received calls, Missed calls, Dialed calls)
  • Phonebook and Contacts
  • Calendar and Task List Entries
  • Emails stored on handset
  • Internet Browsing History
  • Social Networking Artifacts (Facebook, Twitter, IM)
  • Application Artifacts (data from programs installed on Smartphone devices)

Since 2010, tablet devices have proliferated, spreading through homes, businesses, hospitals, and schools, fulfilling a wide range of functions and storing many kinds of data. Tablets come in just about as many shapes and sizes as smartphones; like smartphones, they can contain a treasure trove of valuable data when they turn up in forensic investigations. If you are in need of tablet forensics services, IncidentResponse.us can assist you with your investigation for all types and brands of tablets, including the Microsoft Tablet PC and Surface Pro, Samsung Galaxy Note, and iPad.


There is no “one size fits all” approach to tablet forensics. The tools and techniques used to acquire the contents of these devices vary in effectiveness depending on the manufacturer, model, O/S version, and circumstances. The wide variety of tablet devices out there, with dozens of new models being released every year, means that forensic investigation techniques must constantly evolve to keep up with the times. A skilled digital forensics expert is well-versed in all of the tools and tricks of the trade. With years of digital forensics experience, we are well-equipped to deal with the ever-changing face of tablet forensics.