Digital Evidence in Mobile and Network Contexts
Digital evidence in mobile and network contexts spans volatile memory, persistent storage, and transmitted data captured across devices, infrastructure, and cloud services. This topic covers how investigators identify, preserve, and analyse evidence from smartphones and network traffic while maintaining chain of custody and evidence integrity.
Digital evidence in mobile and network contexts refers to data stored on smartphones and tablets, transmitted across networks, or logged by network infrastructure that has probative value in a legal or investigative proceeding. Mobile devices hold call records, messages, location histories, app usage data, and cloud account credentials. Networks generate packet streams, flow records, firewall logs, and DNS query histories. Together, these two sources produce some of the most evidentially rich material available to a modern investigator, but they also present distinct challenges: evidence can be volatile, encrypted, geographically distributed, or held by third-party providers in different legal jurisdictions.
Preserving the integrity of digital evidence requires the same chain-of-custody discipline as any physical exhibit, adapted for the properties of digital data. A mobile device connected to a live network can receive an over-the-air update, sync new data, or be remotely wiped within seconds of seizure. A packet capture must be hash-verified at acquisition and at every subsequent transfer. Logs must be collected before rotation policies delete them. The investigator's first task is always to stop the evidence from changing, and the second is to demonstrate that it did not change.
The legal frameworks governing digital evidence admissibility share common requirements across jurisdictions: the evidence must be authentic (what it is claimed to be), must have been obtained lawfully, and its integrity must be demonstrable. In India, the Bharatiya Sakshya Adhiniyam 2023 sets out conditions for electronic record admissibility. In the United States, Federal Rules of Evidence Rule 901 requires authentication of electronic records. In the United Kingdom, the Police and Criminal Evidence Act 1984 Code B governs searches of premises and the seizure of property, including electronic material. The EU's e-Evidence Regulation (applicable from August 2026) creates cross-border production orders for electronic evidence. Despite the different statutory language, the underlying questions are identical: where did this data come from, who had custody of it, and how do we know it has not been altered?
By the end of this topic you will be able to:
- Explain the chain-of-custody requirements that apply to mobile and network digital evidence and describe what documentation is required at each stage from seizure to courtroom.
- Compare logical, file-system, physical, JTAG, and chip-off acquisition methods for mobile devices and identify which method is appropriate given device state, encryption status, and case requirements.
- Identify the principal evidence types recoverable from a smartphone: call logs, SMS and messaging app artefacts, location history, SIM data, app databases, and cloud backup references.
- Describe how network forensics investigators capture and analyse packet data, firewall logs, and flow records, and explain the legal authorisation required before intercepting live traffic.
- Apply hash verification and write-blocking principles to a practical mobile acquisition scenario to demonstrate evidence integrity to an evidential standard.
- Chain of custody
- The documented chronological record showing who had possession of an exhibit, when, and what was done with it. Every person who receives, handles, or transfers a piece of digital evidence must be recorded. Gaps in the chain can render evidence inadmissible.
- Write blocker
- A hardware or software device that allows a forensic examiner to read data from a storage medium without permitting any write commands to pass back to the device. Essential for demonstrating that acquisition did not alter the evidence. Conventional write blockers apply to storage media such as SD cards and removable flash; a live mobile device acquired over USB cannot be write-blocked in the same way, because the extraction talks to a running operating system, so the examiner instead records the tool and version used, the connection type, the device state, and the hash of the resulting image.
- Logical acquisition
- An extraction method that accesses a mobile device through its operating system interfaces (such as USB backup protocols or vendor forensic APIs) to retrieve files and databases. Less invasive than physical acquisition but limited to data the OS exposes.
- Physical acquisition
- An extraction method that reads the raw flash storage of a mobile device, bypassing the operating system. Produces a bit-for-bit image of the storage chip, enabling recovery of deleted data and file system metadata, but on an encrypted device the image is unreadable unless the decryption key is available (the device is unlocked, or the passcode is known or recovered).
- Packet capture (PCAP)
- A file format and the process of recording all data packets traversing a network interface. Used in network forensics to reconstruct sessions, extract transferred files, and identify communication endpoints. The libpcap library and Wireshark are standard tools.
- Faraday isolation
- Shielding a mobile device from radio frequency signals (cellular, Wi-Fi, Bluetooth, GPS) using a Faraday bag or cage, preventing network connections that could alter data or trigger a remote wipe during seizure and transport.
Evidence integrity: chain of custody and hash verification
Digital evidence is only as useful as the demonstrable confidence that it has not been altered since it was collected. Courts in every jurisdiction that admits electronic records require the prosecution to establish authenticity, and chain of custody is the primary mechanism for doing so. Every transition in custody, from crime scene officer to digital forensics examiner to laboratory storage to courtroom exhibit, must be documented with the identity of each custodian, the date and time of transfer, the condition of the exhibit, and any seals or tamper-evident packaging applied.
Hash verification is the technical complement to the custody log. A cryptographic hash function (SHA-256 is now standard practice; MD5 and SHA-1 are collision-broken and should not be the sole digest for new work) produces a fixed-length digest of a dataset. Any alteration to even a single bit produces a completely different digest. Investigators compute a hash of the acquired image immediately at acquisition, record it in the case notes together with the algorithm and the tool and version that produced it, and recompute the hash before any subsequent analysis. If the hashes match at every stage, the data is demonstrably unchanged. If they do not match, the discrepancy must be explained or the evidence may be challenged.
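A worked version of that acquire-and-verify cycle, added here as an example rather than tooling from the original page: it hashes an image in fixed-size chunks (so a multi-gigabyte image never has to fit in memory), writes the digests in the two-space manifest format that `sha256sum -c` reads, and then flips a single bit of the image to show the mismatch a tampered or corrupted copy produces. The image content and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never sit in memory


def digest_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algorithm="sha256"):
    """Record acquisition digests as '<digest>  <name>' lines, the format sha256sum -c accepts."""
    with open(manifest_path, "w") as out:
        for p in paths:
            out.write(f"{digest_file(p, algorithm)}  {os.path.basename(p)}\n")


def verify_manifest(manifest_path, directory, algorithm="sha256"):
    """Recompute every digest in the manifest; return {name: 'ok' | 'MISMATCH' | 'MISSING'}."""
    status = {}
    with open(manifest_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, name = line.split("  ", 1)
            target = os.path.join(directory, name)
            if not os.path.exists(target):
                status[name] = "MISSING"
            else:
                status[name] = "ok" if digest_file(target, algorithm) == expected else "MISMATCH"
    return status


def demo():
    """Constructed scenario: hash an image at acquisition, verify, flip one bit, verify again."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "handset.raw")          # constructed stand-in for a flash image
    with open(image, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))
    manifest = os.path.join(work, "acquisition.sha256")
    write_manifest([image], manifest)
    before = verify_manifest(manifest, work)           # {'handset.raw': 'ok'}
    with open(image, "r+b") as fh:                     # flip bit 0 of byte 1000: a one-bit change
        fh.seek(1000)
        original = fh.read(1)
        fh.seek(1000)
        fh.write(bytes([original[0] ^ 0x01]))
    after = verify_manifest(manifest, work)            # {'handset.raw': 'MISMATCH'}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest line format is deliberately the one the coreutils tools emit, so the digest recorded at the scene can be re-checked on any examination workstation with `sha256sum -c acquisition.sha256` and the check itself logged in the custody record.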
For network evidence, integrity documentation works differently because the data was never a static file. Packet captures are time-stamped and hash-verified at collection. Log files are copied with hash verification. Where logs are collected from a third-party provider under a production order, the provider typically certifies the records and their collection method, which substitutes for direct chain-of-custody documentation. The Bharatiya Sakshya Adhiniyam 2023 (India), section 117 of the UK's Criminal Justice Act 2003 (business and other documents), and US Federal Rules of Evidence 902(11), 902(13) and 902(14) (certified business records, records generated by an electronic process or system, and data copied from an electronic device or storage medium) all provide for certifying electronic records produced by business systems, which is the route used for operator-held logs.
Mobile device acquisition methods
Mobile devices present a hierarchy of acquisition methods, each giving progressively deeper access to stored data at the cost of progressively greater complexity, risk of device damage, and (in some jurisdictions) legal scrutiny. Choosing the right method depends on the device's encryption state, whether it is powered on, whether the passcode is known, and the urgency of the investigation.
| Method | Depth | Recovers deleted data | Bypasses encryption | Risk |
|---|---|---|---|---|
| Logical | OS-visible files only | No | No | Very low |
| File-system | Full file system tree | Partial (unlinked files) | No | Low |
| Physical (bootloader/exploit) | Raw flash image | Yes | Only if key known | Medium |
| JTAG | Raw flash via test points | Yes | Only if key known | Medium-high |
| Chip-off | Raw NAND/eMMC image | Yes | Only if key known | High (device destroyed) |
Logical acquisition uses vendor-provided protocols such as Apple's backup protocol over USB or Android Debug Bridge (ADB) commands. Commercial tools including Cellebrite UFED, Oxygen Forensic Detective, and MSAB XRY can automate logical extraction. The data recovered includes the active file system: contacts, call logs, messages, installed app databases, photos, and browser history. Deleted records are generally not recoverable because the OS backup interfaces do not expose unallocated storage.
Physical acquisition on modern smartphones is significantly constrained by full-device encryption. Every iPhone since the 3GS (2009) encrypts its flash storage in hardware, with the Secure Enclave protecting the keys from the 5S (2013) onwards; most Android devices have shipped encrypted by default since Android 6.0 (2015), and file-based encryption has been mandatory since Android 10. A raw flash image of an encrypted device is unreadable without the decryption key, and that key is not stored anywhere it can be read out: it is derived on the device by entangling the user's passcode with a device-unique key held inside the secure enclave or trusted execution environment, so the derivation cannot be repeated offline from the image alone. Law enforcement in some jurisdictions use passcode recovery tools such as Cellebrite UFED Premium or GrayKey, which exploit OS or bootloader vulnerabilities to defeat the attempt limits and escalating delays that protect the passcode, allowing it to be brute-forced on the device itself. These tools are subject to export controls and are periodically rendered ineffective by OS updates.
Mobile artefact types: messages, location, SIM, and cloud
The evidential value of a mobile device lies in the artefacts it accumulates through normal use. These artefacts are distributed across multiple storage locations: system databases, app-specific sandboxes, the SIM card, cloud backups, and operator records. A thorough mobile forensic examination considers all of these sources rather than relying on any single one.
Call logs and SMS records are stored in system databases (typically SQLite on both iOS and Android) that record the number dialled or received, the timestamp, duration, and call direction. Messaging app artefacts are more varied. WhatsApp keeps its live message store as an SQLite database at a well-known path inside its container (ChatStorage.sqlite on iOS, msgstore.db on Android); the live database is not separately encrypted beyond the platform's own data protection, whereas the .crypt backup files WhatsApp writes to shared storage on Android can only be opened with a key file kept in the app's private directory, which needs a file-system or physical extraction to reach. On iOS, iMessage and SMS share the sms.db SQLite database under Library/SMS, which is included in a local backup and, when Messages in iCloud is enabled, synchronised through CloudKit. Deleted messages leave recoverable remnants in the freed space inside SQLite pages, in freelist pages, and in the WAL (write-ahead log) file until those are overwritten, which is why the examiner must collect the -wal and -shm files alongside the database rather than the .db file alone.
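The two SQLite behaviours that matter most here, added as a runnable example that is not from the original page: records committed to a WAL-mode database live only in the -wal file until a checkpoint, so a copy of the .db alone misses them, and a deleted row's bytes stay inside the page's freed space (SQLite's usual `secure_delete` default) until something overwrites them. The table and messages are a constructed toy schema, not the real sms.db or WhatsApp layout; the raw byte search stands in for what a carver or `strings` would see.

```python
import os
import sqlite3
import tempfile

# Constructed messages for a toy 'message' table (not the real iOS or WhatsApp schema).
MESSAGES = [
    (1, "+15550001", "meet at the bridge at nine", 1700000000),
    (2, "+15550002", "delete this after reading", 1700000060),
    (3, "+15550003", "ok see you there", 1700000120),
]
# Longer than the deleted row so SQLite cannot reuse the freed slot for it.
LATE_MESSAGE = (4, "+15550001", "running late, stuck in traffic on the ring road, hold on", 1700000300)


def _file_contains(path, text):
    """Raw byte search over a file, the way a carver or `strings` would see it."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return text.encode("utf-8") in fh.read()


def simulate_message_store(workdir=None):
    """Build a WAL-mode store, delete one row, add one, and report where the bytes actually are."""
    workdir = workdir or tempfile.mkdtemp()
    db = os.path.join(workdir, "messages.db")
    wal = db + "-wal"
    con = sqlite3.connect(db)
    con.execute("PRAGMA journal_mode=WAL").fetchall()    # real message stores run in WAL mode
    con.execute("PRAGMA secure_delete=OFF").fetchall()   # default on most builds: freed cells are not zeroed
    con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, handle TEXT, text TEXT, date INTEGER)")
    con.executemany("INSERT INTO message VALUES (?,?,?,?)", MESSAGES)
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # fold into the main file: the baseline state

    con.execute("DELETE FROM message WHERE id = 2")
    con.execute("INSERT INTO message VALUES (?,?,?,?)", LATE_MESSAGE)
    con.commit()                                          # both changes now live only in messages.db-wal

    state = {
        "live_ids": [row[0] for row in con.execute("SELECT id FROM message ORDER BY id")],
        "deleted_text_in_main_db": _file_contains(db, MESSAGES[1][2]),   # True: main file untouched
        "new_text_in_main_db": _file_contains(db, LATE_MESSAGE[2]),       # False: not checkpointed yet
        "new_text_in_wal": _file_contains(wal, LATE_MESSAGE[2]),          # True: only the WAL has it
    }
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # what the OS will eventually do
    state["deleted_text_after_checkpoint"] = _file_contains(db, MESSAGES[1][2])  # True: page slack
    state["new_text_after_checkpoint"] = _file_contains(db, LATE_MESSAGE[2])     # True
    con.close()
    return state


if __name__ == "__main__":
    for key, value in simulate_message_store().items():
        print(f"{key}: {value}")
```

The live query reports ids 1, 3 and 4 throughout, which is all a logical tool driving the database engine will show; the deleted text and the not-yet-checkpointed message are visible only to an examiner who looks at the raw .db and -wal bytes, and both disappear once the page is rewritten or a secure-delete build zeroes the slack.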
Location artefacts on a smartphone come from multiple independent sources: the device's GPS log, cell tower connection records (stored locally and held by the operator), Wi-Fi positioning logs (iOS stores these in a cache database), and app-specific location histories (Google Maps timeline, Uber trip history, camera EXIF geotags). The convergence of multiple location sources for the same time window produces strong positional evidence. SIM card forensics recovers the ICCID and the IMSI (the subscriber identifier), any contacts and SMS stored on the card, and the last location area the SIM registered in; the IMSI is then the key into operator-held call data records that tie the subscriber to particular cell towers at particular times. For more on these artefacts see Location History and Geolocation Artifacts and SIM Card Forensics.
Cloud accounts linked to a device are among the most productive sources in modern investigations. An iCloud account may hold a full device backup (photos, messages, app data), iCloud Drive files, and Health data. A Google account may hold Gmail, Drive, Maps timeline, and Android backups. Production orders served on Apple and Google (and their equivalents in other jurisdictions, such as an MLAT request for cross-border data) can compel disclosure of this data independently of whether the physical device is available. This matters when a device has been destroyed, encrypted, or is simply not in custody.
Network forensics: packet capture, logs, and traffic analysis
Network forensics is the systematic collection and analysis of data crossing a network to identify security incidents, reconstruct communications, and attribute activity to specific users or systems. The primary data sources are packet captures (full content of network traffic), NetFlow or IPFIX records (metadata about sessions: source IP, destination IP, port, protocol, duration, and byte count without the payload), firewall logs, DNS query logs, web proxy logs, and intrusion detection system alerts.
Packet capture requires a network tap or a managed switch with port mirroring configured to copy traffic to the capture interface. Tools such as Wireshark, tcpdump, and Zeek (formerly Bro) are standard for capture and analysis. A full packet capture preserves content, enabling reconstruction of web sessions, file transfers, and unencrypted communications. The widespread adoption of TLS 1.3 for web traffic means that payload content is typically encrypted; investigators must rely on metadata (IP addresses, SNI hostnames, certificate details, session timing) to establish communication patterns without decrypting content. Two caveats apply: in TLS 1.2 the server certificate crosses the wire in clear and can be recorded, but TLS 1.3 sends it encrypted, leaving the ClientHello's SNI as the main plaintext identifier; and where Encrypted Client Hello is deployed, even the visible SNI is only the client-facing server's public name rather than the site actually requested.
Log analysis is often more practical than real-time capture, because logs are already generated by infrastructure in the ordinary course of operation. Web server access logs record the IP address, timestamp, HTTP method, URI, and response code for every request. Firewall logs record permitted and blocked connections. DNS logs record every query and response, which is particularly useful for identifying command-and-control communications from malware that uses domain generation algorithms: such clients produce bursts of queries for high-entropy names, most of which return NXDOMAIN. DHCP logs map IP addresses to MAC addresses at specific times, helping attribute network activity to a specific physical device, provided the attribution is made for the time of the activity and not the time of the examination, since the same address may have been leased to several devices in a day. Before logs from different systems are correlated, their timestamps must be normalised to a common clock, accounting for time zone and for any drift on hosts that were not synchronised by NTP.
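An added example of that DNS-plus-DHCP workflow, written for this page rather than taken from it: it scores each client on how many of its queries returned NXDOMAIN and how random-looking the failed names are (Shannon entropy of the second-level label), flags clients above a threshold, and then attributes the flagged IP to the MAC address that held the DHCP lease at the time of the first suspicious query. The log lines are constructed in a simplified one-line format, not the output of any particular resolver or DHCP server, and the public-suffix handling is deliberately naive.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs in a simplified format (not real resolver or DHCP output).
DNS_LOG = """\
2024-03-02T10:14:03 client 10.0.0.23 query q8zk2vh7pm3xwtbn.com NXDOMAIN
2024-03-02T10:14:04 client 10.0.0.23 query y2r9dkf4wp7mxvqe.net NXDOMAIN
2024-03-02T10:14:05 client 10.0.0.23 query hj4n8s2wq1zkv7bc.org NXDOMAIN
2024-03-02T10:14:06 client 10.0.0.23 query m3w9fq2lxz6tn8vc.com NXDOMAIN
2024-03-02T10:14:07 client 10.0.0.23 query p7v2kq9nx1rwb4ze.com NXDOMAIN
2024-03-02T10:14:08 client 10.0.0.23 query d6kt3mz8wy2qx1nc.net NOERROR
2024-03-02T10:14:20 client 10.0.0.23 query www.google.com NOERROR
2024-03-02T10:15:01 client 10.0.0.41 query www.wikipedia.org NOERROR
2024-03-02T10:15:02 client 10.0.0.41 query mail.google.com NOERROR
2024-03-02T10:15:03 client 10.0.0.41 query www.gogle.com NXDOMAIN
2024-03-02T10:15:04 client 10.0.0.41 query github.com NOERROR
2024-03-02T10:15:05 client 10.0.0.41 query example.org NOERROR
2024-03-02T10:15:06 client 10.0.0.41 query python.org NOERROR
"""

DHCP_LOG = """\
2024-03-02T08:02:11 DHCPACK on 10.0.0.23 to 3c:22:fb:10:aa:01 (build-server)
2024-03-02T09:40:00 DHCPRELEASE of 10.0.0.23 from 3c:22:fb:10:aa:01
2024-03-02T09:58:10 DHCPACK on 10.0.0.23 to f0:18:98:77:bc:02 (laptop-7)
2024-03-02T10:01:44 DHCPACK on 10.0.0.41 to 8c:85:90:51:de:03 (desk-12)
"""

QUERY_RE = re.compile(r"^(\S+) client (\S+) query (\S+) (\w+)$")
ACK_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+)")


def label_entropy(label):
    """Shannon entropy in bits/char; DGA labels usually score above 3.5, dictionary words around 2 to 3."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registrable_label(qname):
    """Second-level label; simplified (no public-suffix list), so 'x.co.uk' would yield 'co'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga_clients(dns_log, min_nx=5, min_ratio=0.5, min_entropy=3.5):
    """Return {client_ip: time of first NXDOMAIN} for clients whose failed lookups look generated."""
    per = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": [], "first_nx": None})
    for line in dns_log.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        s = per[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["entropy"].append(label_entropy(registrable_label(qname)))
            s["first_nx"] = s["first_nx"] or datetime.fromisoformat(ts)
    flagged = {}
    for client, s in per.items():
        if s["nx"] >= max(min_nx, 1) and s["nx"] / s["total"] >= min_ratio \
                and sum(s["entropy"]) / len(s["entropy"]) >= min_entropy:
            flagged[client] = s["first_nx"]
    return flagged


def mac_for_ip_at(dhcp_log, ip, when):
    """MAC holding the most recent DHCPACK for `ip` at or before `when` (earlier leases are not blamed)."""
    best = None
    for line in dhcp_log.splitlines():
        m = ACK_RE.match(line)
        if m and m.group(2) == ip:
            ts = datetime.fromisoformat(m.group(1))
            if ts <= when and (best is None or ts > best[0]):
                best = (ts, m.group(3))
    return best[1] if best else None


def investigate(dns_log=DNS_LOG, dhcp_log=DHCP_LOG):
    """Map each flagged client IP to the MAC address that held it when the suspicious queries began."""
    return {ip: mac_for_ip_at(dhcp_log, ip, first) for ip, first in flag_dga_clients(dns_log).items()}


if __name__ == "__main__":
    print(investigate())   # {'10.0.0.23': 'f0:18:98:77:bc:02'}
```

Note that 10.0.0.23 was leased to the build server earlier the same morning; attributing by the lease current at the time of the queries, rather than by whatever the address maps to today, is what keeps the wrong device out of the report. The thresholds are starting points to tune against a site's own baseline, and a host with a single typo such as gogle.com is correctly left alone.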
Wireless and IoT forensic considerations
Wireless network forensics extends packet capture to 802.11 Wi-Fi traffic. A wireless adapter in monitor mode can capture all frames in range, including management frames (beacon, probe request, probe response, authentication, and association) that are sent in clear; WPA3's mandatory Protected Management Frames (802.11w) authenticate deauthentication, disassociation and some action frames but do not encrypt beacons, probes or association exchanges. Management frames reveal device MAC addresses, the SSIDs a device is probing for (which on older devices, or where directed probes are used, disclose previously joined networks), and the timing of associations. This allows an investigator to place a specific device at a specific location at a specific time using only wireless traffic, without any data from the device itself, subject to one caveat: iOS 14, Android 10 and later use randomised per-network MAC addresses by default, so a captured MAC must be matched against the address the device actually used for that network rather than its factory address.
Internet of Things (IoT) devices present new acquisition challenges. Smart home devices (routers, cameras, voice assistants, smart locks) generate logs and event records that may be stored locally on the device, in the manufacturer's cloud, or both. These devices often lack standard forensic acquisition interfaces: there is no USB debug mode, no backup protocol, and no documented storage format. Investigators may need to access logs via the manufacturer's API (under a production order), image the device's eMMC chip directly, or collect traffic from the local network that the device generates.
Bluetooth forensic artefacts are available on both the investigated device and potentially on nearby devices that were paired. The Bluetooth device address (BD_ADDR) functions like a MAC address and uniquely identifies each device. iOS and Android both maintain pairing databases that record the BD_ADDR and device name of every previously paired device, along with the pairing timestamp. These databases are accessible in a logical extraction and can establish that two specific devices were in proximity and were paired, which may be evidentially significant in contact tracing or in establishing the presence of an accessory device.
Cross-jurisdiction evidence and legal frameworks
Digital evidence is structurally cross-jurisdictional in ways that physical evidence is not. A message sent from a device in one country may transit servers in a second country and be stored by a service provider incorporated in a third. The investigating jurisdiction must either obtain the evidence through Mutual Legal Assistance Treaties (MLATs), serve a domestic production order on the provider's local entity, or use an expedited legal mechanism such as the US CLOUD Act (2018), which allows US courts to compel US-incorporated providers to produce data stored abroad.
For domestic investigations, the relevant statutes govern both seizure and admissibility. The Bharatiya Sakshya Adhiniyam 2023 (Section 63, replacing Section 65B of the Indian Evidence Act 1872) requires an electronic record to be accompanied by a certificate from a responsible official of the computer system that produced it, attesting to the conditions of production and the record's authenticity. This certificate requirement has been the subject of extensive Indian case law defining who may issue it and in what form. The Bharatiya Nagarik Suraksha Sanhita 2023 governs search and seizure of electronic devices. UK investigators rely on the Police and Criminal Evidence Act 1984 for seizure (sections 19 and 20 extend seizure powers to information held on computers) and, for intrusive techniques such as equipment interference or interception, on warrants under the Investigatory Powers Act 2016; the Computer Misuse Act 1990 defines the unauthorised-access offences that such lawful authority is needed to avoid. US investigators require either a search warrant or an applicable exception to the Fourth Amendment's warrant requirement, such as consent or exigent circumstances.
Data localisation laws in several jurisdictions (including India's Digital Personal Data Protection Act 2023, Russia's Federal Law 242-FZ, and China's Data Security Law 2021) impose requirements on where data may be stored and to whom it may be disclosed. These laws can create direct conflicts with foreign production orders: a US court order to a provider to produce data stored in India may conflict with Indian law restricting that disclosure. Investigators must be aware of these conflicts when planning evidence collection strategies, and should consult with legal counsel before issuing cross-border production requests.
Key Takeaways
- Chain of custody for digital evidence requires documentation at every transfer point and cryptographic hash verification at acquisition and at every subsequent stage to demonstrate that the data has not been altered.
- Mobile device acquisition methods range from logical (OS-level, non-invasive, limited to active data) through file-system extraction to physical, JTAG, and chip-off (raw flash, recovers deleted data); full-device encryption leaves a physical image unreadable unless the decryption key is available, which in practice means an unlocked device or a known or recovered passcode.
- A smartphone accumulates evidence from multiple independent sources: call logs, messaging app databases, GPS and cell-tower location artefacts, SIM records, and cloud backups, each of which may corroborate or extend the others.
- Network forensics uses packet captures, flow records, and log files to reconstruct communications; capturing live traffic content requires prior interception authorisation whose form varies by jurisdiction (a court-issued Wiretap Act order in the US, a targeted interception warrant under the Investigatory Powers Act 2016 in the UK), while metadata collection typically has a lower but still regulated threshold.
- Digital evidence is inherently cross-jurisdictional: MLATs, production orders served on local entities, and mechanisms such as the US CLOUD Act are the primary routes to data held by foreign or multinational providers, and data localisation laws in some jurisdictions may create conflicts with foreign orders.