Cell Phone Forensics: A Primer

Mobile device evidence in litigation and investigations.

Mobile devices, including cellphones, smartphones, and tablets, contain an astonishing amount of information about their users and the people or organizations they interact with. With the right equipment and expertise, this raw data can be collected and interpreted and reveal details that may be critical to a case.

There are several categories of information that can be collected from phones and tablets:

Communications: Call logs, text messages, email, chat, social media, and other types of communication can be recovered from a mobile device. Phones are designed for communication and for many people it is their primary communication tool. Furthermore, people tend to be less careful about communicating on cellphones; it is common for individuals to write things in a text message that they would have avoided sending in an email from their computer.

Location Data: The location of a mobile device at a certain time is very likely to be the location of the owner. Most cellphones track location data constantly, in several ways. Communicating with a cell tower identifies the approximate location of the phone. Phones with Wi-Fi enabled can reveal which Wi-Fi network the phone was near at a certain time. Modern phones with GPS receivers capture precise location data, and store it on the phone in ways the user may not be aware of.

Images: Cameras are a ubiquitous feature of cellphones and tablets. Photo and video sharing is also a core feature of most the top mobile apps. The average smartphone contains over 600 photos and 24 videos. The images may provide details about the activities, relationships, and interests of a user that are relevant to a case. Furthermore, digital images contain embedded metadata which can reveal facts about where and when the photo was taken or received.

Deleted Data: Information that a user has attempted to remove might be the most valuable. Deleted data can often be recovered using forensic tools, even if it is no longer accessible through the user interface. Damaged and non-functional devices can yield data as well, even if the device doesn’t turn on.

App Data:Mobile apps store data on the phone or tablet. This data can be collected and could be critical information in some cases. It is easy to imagine how extracting data from the Uber ride-sharing app or the Expedia travel booking app might be valuable to an investigation. Each app stores information specific to its function, providing an array of data source options for different circumstances.

Biometric Data: Fingerprints, iris scans, and facial recognition are all commonly used for security on modern smartphones. Unlike a pin or other mechanisms used to unlock a mobile device, biometric access methods can only be used by the owner. This data can be used to positively link a unique individual to activity on the device or to the device location at a specific time.