Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Faraday-bag seizure, the NIST SP 800-101 R1 six-level extraction ladder from manual through chip-off and micro-read, JTAG soldering on test points, chip-off BGA reballing, Cellebrite UFED and Magnet AXIOM workflows in Indian state cyber cells, CDR-driven location reconstruction and SQLite WAL recovery.
A phone is the densest single source of evidence a forensic examiner encounters today. A 2024 internal audit by a Tier-1 Indian state cyber cell reported that around 80% of cases opened in that year had at least one mobile device as primary or secondary evidence, ahead of laptops, USB drives and CCTV combined. The reason is the device's role: it is the wallet, the camera, the calendar, the chat log, the location tracker, the email client, the second-factor token and the social-media identity for the average Indian user above eighteen. Everything the user touches in a day leaves a record on the phone, and most of those records have higher fidelity than the corresponding records on any server the examiner can subpoena.
This topic covers mobile phone forensics as the digital forensics Mobile paper and the NFSU MSc course structure it. The arc runs from on-scene seizure and Faraday containment through the NIST SP 800-101 R1 six-level extraction ladder (manual, logical, file system, physical, chip-off, micro-read), the JTAG and chip-off hardware workflows used when easier acquisitions fail, the Cellebrite UFED and Magnet AXIOM workflow stacks Indian state cyber cells run on the job, the call detail record and location triangulation methods used for movement reconstruction, and the deleted-data recovery techniques that round out the discipline. Cross-link references run to digital first responder, mobile operating systems and SQLite, wireless and mobile network attacks and the chain of custody primer.
The first ten minutes at the scene decide what is recoverable in the lab.
Mobile evidence handling starts before the device reaches the lab. The on-scene first responder makes three decisions in quick sequence: containment (block radios), state preservation (do not power-cycle if avoidable), and documentation (photograph everything before touching it). Each decision has a knock-on effect on what an examiner can recover later, and each one is testable on the digital forensics paper.
Containment is the first decision because remote wipe is the highest-impact loss event. A live phone with mobile data and Wi-Fi enabled is reachable through the manufacturer's account ecosystem (Find My iPhone, Find My Device for Android, Samsung Find My Mobile, Xiaomi Mi Cloud) and the linked account holder, who is often the suspect or the suspect's accomplice, can issue a remote wipe in under a minute. Faraday bag is the default control: a conductive mesh pouch that blocks cellular, Wi-Fi, Bluetooth and NFC signals. Quality matters: a cheap pouch attenuates only by 60 dB at 1800 MHz and may still pass an EDGE signal at the cell tower's edge. CFSL specification calls for at least 85 dB attenuation across 800 MHz to 6 GHz and a tested seal. If a Faraday bag is not available, the responder enables airplane mode and disables Wi-Fi and Bluetooth manually, then removes the SIM, then powers off only if no other option exists.
State preservation is the second decision. If the phone is unlocked at seizure, the responder enables the longest available screen timeout, disables auto-lock if possible, and immediately starts a live logical acquisition with a portable Cellebrite UFED Touch 2 or a laptop running mvt (Mobile Verification Toolkit) plus a USB cable. Charge is the practical concern: a phone running low will power off mid-acquisition. Indian cyber cell responder kits include a 20,000 mAh power bank and a small armoured USB cable specifically for this case. Live acquisition while the phone is unlocked recovers session cookies, in-memory app states (active WhatsApp Web pairings, currently-running banking sessions) and SQLite WAL pages that vanish after the next reboot.
Three storage tiers, three different acquisition stories.
A modern Indian smartphone carries three distinct storage tiers from the examiner's view. The SIM is the smallest and most regulated; the internal user-data partition is the densest; the external SD card (where present) is the most variable. Each tier needs a different acquisition path and yields a different evidence class.
The SIM card carries an ICCID (Integrated Circuit Card Identifier, 19 to 20 digits printed on the SIM and burned into ICCID file 0x2FE2), an IMSI (the subscriber identity used at the cellular layer), and a small EF (Elementary File) tree with operator-defined data. Practical evidence on a SIM is limited and shrinking: the SMS storage area (EF_SMS) holds the last few messages the OS chose to store on the SIM rather than in the OS database, the ADN (Abbreviated Dialling Numbers) phonebook holds contacts the user explicitly saved to the SIM, the LND (Last Numbers Dialled) file holds recent dialled numbers, and the LOCI file holds the last cell ID the SIM registered with. Most modern Android and iOS handsets store contacts and SMS in OS databases rather than on the SIM, so the SIM yield is small. The SIM is read with a smart card reader (a basic PC/SC reader plus pyscard, or the Cellebrite UFED SIM extractor) and the data is dumped through the operator's STK (SIM Toolkit) interface.
Internal memory is the volume case for forensics. The user-data partition holds the app sandboxes (each app's /data/data/<package>/databases/ and /data/data/<package>/files/ on Android, the equivalent in the container path on iOS), the Photos and Videos camera roll, the Downloads folder, the system logs (/data/system/, /data/log/, dropbox logs on Android), the call log database, the SMS database, the location-history databases (Google Location History cache, Apple Significant Locations), the Wi-Fi network history, the Bluetooth pairing history, and the deleted-but-not-yet-overwritten regions that file system extractions and physical extractions reach. The relative density per app is the working examiner's mental model: WhatsApp's msgstore.db plus the media cache typically yields the highest-volume content per case; Google Maps Timeline yields the highest-fidelity location data; Truecaller and the dialler database yield the most reliable contact resolution.
External memory is where the user stored what the OS would not. SD cards still carry photos, videos, app caches, WhatsApp media (when the user moved it off internal storage), encrypted backups and occasional deliberate evidence hiding (steganographic image hosts, encrypted containers). The SD card is removed and imaged separately with a write-blocker (USB write-blocker for forensics, or a Linux on a mounted device) using or for the bit-for-bit copy, then carved with or for deleted content. Carving recovers JPEG, MP4, PDF and similar files even when the file system metadata is gone, because the format-specific headers and footers are recognisable in raw blocks. The full carving workflow lives at .
Each step up the ladder costs more, risks more, and recovers more.
NIST Special Publication 800-101 Revision 1, "Guidelines on Mobile Device Forensics" (2014, still the working reference) defines a six-level extraction ladder. The ladder is doctrine in Indian state cyber cell training and at CFSL Hyderabad's mobile forensics laboratory, and digital forensics questions reliably test the level numbering and the trade-off at each step. The examiner climbs only as far as needed; each level costs more time and more risk than the level below.
Soldering iron, hot-air station, NAND reader, and a steady hand.
JTAG extraction is the bridge between software-only physical acquisition and full chip-off. The Joint Test Action Group standard (IEEE 1149.1) defines a Test Access Port left on most phone PCBs for manufacturer-side debugging. The TAP exposes a Boundary Scan interface that, with the right command sequence, lets a forensic tool read the NAND memory through the SoC without removing the chip. The practical work is locating the JTAG test points on the board (vendor schematics, board-view files leaked or licensed from repair shops, or community resources like the AllinBox or Z3X database), soldering thin enamelled wires to the test points, and connecting them to a JTAG interface tool.
| JTAG tool | Strength | Typical India price | Notes |
|---|---|---|---|
| RIFF Box 2 | Wide phone coverage, established firmware library | Around 40,000 to 50,000 INR | Classic choice in Indian forensic labs; supported by many older Android boards |
| Easy Jtag Plus / Easy Jtag Z3X | Best Qualcomm and MTK support, eMMC + UFS read | Around 65,000 to 80,000 INR | Most common at CFSL and state cyber cells in 2024 to 2026 |
| Medusa Pro Box | Strong on damaged-board recovery, ISP support | Around 55,000 to 70,000 INR |
What Indian state cyber cells actually run, day to day.
The commercial mobile forensics market is dominated by four vendors and a long tail of niche tools. Indian state cyber cells and CFSL Hyderabad standardised on Cellebrite UFED as the primary acquisition platform from around 2015 onward; Magnet AXIOM Mobile was added widely from 2019 onward as a cross-validation and analysis tool; MSAB XRY (Sweden) and Oxygen Forensic Detective (originally Russia, with significant team relocation to Czech Republic after 2022) appear in select labs. Belkasoft Evidence Center and MOBILedit Forensic show up in smaller deployments and at private digital forensic consultancies.
| Tool | Vendor / origin | Primary use | Indian footprint |
|---|---|---|---|
| Cellebrite UFED + Physical Analyzer | Cellebrite (Israel) | Acquisition (logical/FS/physical) + analysis | Dominant in state cyber cells and CFSL Hyderabad; multiple licences per major lab |
| Magnet AXIOM Mobile | Magnet Forensics (Canada) | Analysis with strong app-parser coverage and AI categorisation | Widely used for cross-validation alongside Cellebrite; growing share since 2020 |
| MSAB XRY | MSAB (Sweden) | Acquisition + analysis, strong cellular signalling |
Where was the phone, when, and what did it say before it deleted the message?
Location reconstruction from a mobile device runs across four layers. Each yields a different fidelity and a different ease of acquisition.
Cell tower data is the foundation, especially for the period before the device is in the examiner's hands. The Indian telco supplies a Call Detail Record (CDR) under a Section 91 CrPC (now BNSS Section 94) request from the investigating officer. The CDR lists every call, SMS and data session for the target MSISDN within the requested period, with timestamps, duration, originating and terminating party, and the cell ID the device was registered with at the time of each event. The cell ID, mapped to the telco's tower coordinates, places the phone within a sector (a slice of the cell tower's coverage, typically 120 degrees wide) at each event. Multiple events at known towers across an evening triangulate a movement path. Indian state cyber cells run CDR analysis as a near-routine first step in any phone-linked case; the typical timeline is two to ten business days from request to receipt of CDR.
GPS data, where the user enabled it, is the highest-fidelity source. Google's Location History (when the user opted in) is stored at com.google.android.gms on the device and as a Google Takeout export Records.json from the Google account; each record has a latitude, longitude, accuracy radius (often 10 to 100 metres in open sky), timestamp, source (GPS, Wi-Fi, cell), and the device that originated the record. Apple's Significant Locations is stored on-device only at ~/Library/Caches/com.apple.routined/ (file system extraction required) and aggregates frequent visits with timestamps. App-specific GPS logs (Uber, Ola, Zomato, Swiggy, Google Maps Timeline) supplement the OS-level data and are often the highest-fidelity record of a specific journey.
Wi-Fi positioning fills the gap when GPS is unavailable indoors. Phones scan Wi-Fi networks continuously and submit BSSID-to-location samples to Google (via Google Play Services) and Apple (via the Location Services API). Forensic look-up of a BSSID in the WiGLE database (a community-maintained BSSID-to-coordinate map) or in the device's own scan cache (wpa_supplicant, iOS com.apple.wifi.plist) places the phone within range of a known AP at a known time. BLE beacon proximity, less common in current Indian deployments outside large airports and malls, adds another fidelity layer.
Under NIST SP 800-101 R1, which extraction level is described as a bit-for-bit image of the device NAND obtained via JTAG?
Documentation is the third decision and the easiest to skip in a hurry. The responder photographs the phone face-up showing the lock-screen content (visible notifications, time, carrier name, signal bars, battery percentage), then face-down showing model, IMEI label if visible and any accessories. The responder records the IMEI from *#06# if the phone is unlocked, the IMSI from the SIM packaging if present, the SIM tray for iPhones via the eject pin, the device serial from Settings if available, and a description of any attached cables, chargers or SD cards. The chain of custody form (see chain of custody) is opened with the seizure timestamp, the seizing officer's name and badge, the location of seizure, the storage type used (Faraday bag model and serial), and the next custodian.
The Indian anchor for seizure procedure is the CCTNS (Crime and Criminal Tracking Network and Systems) standard operating procedure for digital evidence, which Indian state police forces adopted in stages from 2019 onward. The CCTNS module for mobile seizure explicitly requires the Faraday containment step, the on-scene photograph of lock-screen state and a recorded IMEI before the device leaves the scene. The 2023 Karnataka State Cyber Crime Police Station handbook adopted the same checklist verbatim. Deviations are not fatal but degrade evidentiary weight at trial under Bharatiya Sakshya Adhiniyam Section 63 (electronic evidence), where the chain of custody for the underlying device must be demonstrable.
blockdev --setrodddc3ddphotorecscalpel| Storage tier | Typical size | Acquisition tool | Evidence yield |
|---|---|---|---|
| SIM card | 16 KB to 1 MB | PC/SC smart-card reader, Cellebrite UFED SIM | ICCID, IMSI, last cell ID, small SMS and contact subset, LND |
| Internal user-data | 32 GB to 1 TB | ADB logical, AFU/BFU exploit chains, UFED full FS, JTAG, chip-off | App sandboxes, photos, system logs, location DBs, call/SMS, WhatsApp, OS-level deletions |
| External SD card | 0 to 1 TB | USB write-blocker plus dd/dc3dd, then carve with photorec | Photos, videos, app cache, hidden containers, deleted media recoverable by carving |
| Internal eMMC controller cache | Few MB | Chip-off plus eMMC controller register read | Wear-levelling spare blocks may contain pre-overwrite copies of deleted data |
The forensic interpretation per data class is its own discipline. Call logs and SMS reconstruction from calllog.db and mmssms.db (Android) or CallHistory.storedata and sms.db (iOS) is straightforward. Location data reconstruction requires understanding the source-specific quirks: Google Location History Records.json is per-event with confidence radii; Apple Significant Locations is aggregated by visit and stored on-device only, requiring file system extraction; Wi-Fi positioning history is in wpa_supplicant.conf plus per-OS scan caches; BLE beacon proximity is in app-specific logs. Social media app data lives in the app sandbox under app-specific schemas: WhatsApp's msgstore.db with WAL pages, Telegram's cache4.db, Signal's encrypted SQLite with the key in Android Keystore. The cross-link to mobile operating systems and SQLite covers the per-app database layout in depth.
The trade-off at each level is the practical guidance. Levels 1 and 2 are fast (minutes to a couple of hours), reversible, and yield maybe 30% of what a full physical extraction would recover. Level 3 is the workhorse: most modern cases stop here because the file system extraction includes the app sandboxes that contain the case-relevant evidence, and the cost (a few hours per device on Cellebrite UFED with a current licence) is acceptable. Level 4 is reserved for cases where Level 3 hits a locked partition or the case requires unallocated-space carving. Levels 5 and 6 are reserved for damaged devices, locked devices that exploits cannot bypass, and cases where the loss of the device is acceptable to the case's evidentiary needs.
The Indian anchor here is the CFSL Hyderabad mobile forensics SOP, last revised in 2024, which formally adopts the NIST six-level ladder and adds an India-specific Level 0 step: a documented attempt at user-consented unlock and PIN entry, photographed and timestamped, before any tool acquisition. This Level 0 step exists because Indian courts under Bharatiya Sakshya Adhiniyam Section 63 expect a clear chain of attempts that did not coerce the suspect, and an unprompted user-provided passcode resolves the bulk of acquisition friction at zero cost when the suspect cooperates.
| Used alongside chip-off recovery for badly damaged devices |
| Octoplus Pro Box | Broad phone repair support with forensic capability | Around 50,000 to 65,000 INR | Repair-first tool that doubles for forensic acquisition |
The JTAG workflow has six practical phases. The examiner identifies the phone model and locates the board diagram; opens the phone with manufacturer-specific separators and heat; locates the JTAG test points (typically labelled TPxx on the PCB); solders enamelled wires using a fine-tip iron and a steady microscope; connects the JTAG tool to the board; powers the board through the tool's controlled supply; reads the eMMC or UFS through the SoC into a raw image file; and re-images the board to verify the read. The whole operation takes between two and six hours depending on board complexity and examiner skill. The output is a raw image identical to what a chip-off would produce, with the advantage that the device is still functional and can be returned to the owner or retained for re-acquisition.
Chip-off is the destructive alternative. The examiner desolders the NAND (or in modern phones the combined eMMC or UFS package, which is a single BGA chip on the PCB) using a hot-air rework station at 280 to 320 Celsius with low-residue flux, lifts the chip, and reads it in a specialised NAND or eMMC programmer (UFI Box for eMMC, Medusa Pro with NAND adapter, ProgSkeet for raw NAND). After reading, the chip may be reballed (replacement solder balls applied to the BGA pads using a reballing stencil and a hot-air pass) and re-soldered to the original board or to a donor board to verify the read. The verification step is non-trivial; most chip-off in Indian state cyber cells is one-way (chip read, image preserved, chip not returned to the board).
Chip-off use cases in Indian state cyber cell labs cluster around three scenarios. First, water damage: a phone dropped in a river or sewer that no longer boots after 48 hours of rice. JTAG often fails because the board's TAP traces are corroded; chip-off lifts the NAND from the corrosion. Second, fire damage: a phone burned but the chip package intact. The PCB is unusable; the chip is read in a programmer. Third, severe physical damage plus device lock: a screen-smashed phone where the user cannot enter the passcode and JTAG is unavailable on the model. In all three the FBE caveat applies: chip-off recovers ciphertext, and the user passcode (or a Cellebrite-Premium-grade passcode brute-force capability) is still required to decrypt.
| Select state labs; used in higher-tier military and intelligence forensic settings |
| Oxygen Forensic Detective | Oxygen Forensics (CZ/US) | Acquisition + cloud + analysis with social media focus | Smaller footprint in Indian state labs; common in private DFIR consultancies |
| Belkasoft Evidence Center | Belkasoft (US/EU) | Hybrid disk + mobile analysis | Used at smaller private consultancies and some training labs |
| MOBILedit Forensic | Compelson (Czech Republic) | Lightweight logical acquisition with built-in app parsers | Entry-level kit in district-level cyber cells |
| iLEAPP / ALEAPP (open source) | Brigs / community | Parsing of iOS and Android artefacts from acquired images | Used alongside commercial tools to validate parser output |
| Andriller (open source) | Den4uk | Logical Android extraction and SQLite/WAL parsing | Used in training and as a low-cost field tool |
| iPhone Backup Analyzer | Mario Piccinelli (open source) | Parsing of iTunes/Finder iOS backups | Used in legacy iPhone case work and training labs |
The workflow in a representative Indian state cyber cell case looks roughly as follows. The phone arrives in a Faraday bag with a chain-of-custody form. The examiner records the case number, takes high-resolution photographs of the device, and queues the device for acquisition on the Cellebrite UFED Touch 2 or 4PC station. Cellebrite's Selected Manufacturer flow identifies the make and model and prompts the examiner to pick the acquisition profile (Logical, File System, Physical, Advanced Logical). For most Android devices below Android 13 with a Qualcomm or MediaTek SoC, an Advanced Logical or File System acquisition completes in 2 to 6 hours. The output is loaded into Physical Analyzer for parsing. Cross-validation against Magnet AXIOM Mobile runs in parallel on a second workstation against the same image, and the parsed output (timelines, contact graphs, location maps, chat exports) is compared. Discrepancies are investigated; consistent output is exported into a structured case file.
The open-source stack matters for two reasons. First, validation: a parser is only as good as its assumptions, and a critical case benefits from running iLEAPP (iOS) and ALEAPP (Android) against the same image as Cellebrite and Magnet to catch parser drift. Second, court-facing reproducibility: open-source tools allow defence experts to verify the examiner's results without licensing Cellebrite. Indian courts under BSA Section 63 require that the process be demonstrable; an open-source replay of a key artefact (a deleted WhatsApp message recovered from WAL, say) significantly strengthens the report. iLEAPP and ALEAPP, maintained by Alexis Brignoni and the Brigs/community team, are the de facto standard open-source mobile parsing toolkit and are now part of NFSU MSc lab assignments.
Deleted and encrypted data recovery is the long tail of mobile forensics. SQLite is the dominant database format on both Android and iOS, and SQLite's Write-Ahead Log holds recent transactions that the main database has not yet absorbed. Deleted rows often survive in the WAL file for hours or days after the user-visible deletion. Tools like Andriller and the SQLite Forensic Toolkit parse WAL pages and recover deleted records. The cross-link to mobile operating systems and SQLite covers the schema-level details.
Live ADB pull while the phone is running unlocked is the highest-yield deleted-data recovery technique on Android. The examiner ADBs into the device, becomes root if available, and copies the WAL and the journal files for the target databases (WhatsApp's msgstore.db-wal, the SMS provider's WAL, the call log WAL) before they are merged or zeroed. On a rooted or jailbroken device, a full file system pull retrieves the same plus the device's keychain and Keystore-protected keys, enabling decryption of certain app data offline. Chip-off plus a passcode brute-force is the last-resort path for deleted-data recovery on a locked, modern, FBE-encrypted device.
The Indian anchor for this section is the body of CDR-driven case work that Indian state cyber cells produce monthly. The 2G spectrum case at the CBI in 2011 to 2014 included CDR analysis as a key plank of the prosecution's timeline, mapping accused parties' phones to meeting locations across a multi-month window. More recent Indian state cyber cell work, including the 2023 Karnataka SIM-swap and UPI fraud crackdown, used CDR plus device-side GPS plus Google Location History together to triangulate a Telegram-coordinated mule network across three states. CDR analysis is so routine in Indian cyber cell practice that NFSU's MSc curriculum includes a full lab module on it.