Vol. 1 · Ed. 2026
CyberGlossary
Entry № 780

Mobile Forensics

Reviewed by Cybersecurity entrepreneur & security researcher

What is Mobile Forensics?

Mobile Forensics: The forensic acquisition and analysis of smartphones, tablets, and wearables to extract communications, app data, location, and other artefacts.


Mobile forensics tackles devices with strong encryption, locked bootloaders, and constant cloud synchronisation. Acquisition levels range from manual/photographic to logical (backups), file system (privileged extractions), and physical (chip-off, JTAG, ISP). Commercial suites such as Cellebrite UFED, Magnet AXIOM, MSAB XRY, GrayKey, and Oxygen Forensic Detective handle iOS and Android extraction, parsing SQLite stores for messages, call logs, contacts, geolocation, and app artefacts (WhatsApp, Signal, Telegram). Investigators must consider keystore-protected data, Secure Enclave/Knox boundaries, and lawful access constraints. Process and documentation align with NIST SP 800-101 and ISO/IEC 27037.

Examples

  1. Performing a Full File System extraction of an iPhone with Cellebrite to recover deleted messages.

  2. Decoding an Android device's WhatsApp database to reconstruct chat history.

Frequently asked questions

What is Mobile Forensics?

The forensic acquisition and analysis of smartphones, tablets, and wearables to extract communications, app data, location, and other artefacts. It belongs to the Forensics & IR category of cybersecurity.

How do you defend against Mobile Forensics?

Defences for Mobile Forensics typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Mobile Forensics?

Common alternative names include: Smartphone forensics, Cellphone forensics.
