
Mobile Device Hardware Architecture

Modern smartphones and tablets pack multiple specialised chips onto a single board, and the design choices made by manufacturers directly determine what data survives, where it lives, and how forensic tools can reach it. This topic maps the key hardware components of a mobile device and explains the forensic implications of each.


Mobile device hardware architecture describes the physical components built into smartphones and tablets: the System on Chip that runs the main operating system, the NAND flash memory chips that store user data, the baseband processor that manages radio communications, and the secure hardware that protects encryption keys. Each component shapes what data exists on the device, where that data lives, and whether a forensic examiner can reach it. Understanding the hardware layer is the prerequisite for choosing an acquisition strategy, because the same logical acquisition tool that works on one chipset may fail entirely on another.

The dominant SoC families in current devices include Apple's A-series and M-series chips, Qualcomm Snapdragon, MediaTek Dimensity, Samsung Exynos, and Google Tensor. Each integrates CPU cores, a GPU, an image signal processor, a neural engine, and a memory controller, plus varying implementations of a secure enclave or Trusted Execution Environment (TEE). Storage is provided by separate NAND flash packages soldered directly to the board: eMMC or UFS modules on most Android devices, and NVMe-attached flash on iPhones since the iPhone 6s. The baseband processor, which may be a discrete chip or integrated into the SoC, runs its own real-time operating system and non-volatile memory bank.

From a forensic standpoint, the most consequential hardware feature of any modern mobile device is hardware-backed encryption. The encryption key is derived from a combination of the user passcode and a device-unique key that is fused into the SoC at manufacture and never exposed outside the secure hardware boundary. This means that a chip removed from a locked device yields encrypted storage that cannot be decrypted without either the correct passcode or a vulnerability in the key derivation or key storage implementation. Hardware architecture choices made by the manufacturer set the ceiling on what any acquisition method can achieve.

By the end of this topic you will be able to:

  • Identify the main hardware components of a smartphone and explain the forensic significance of each.
  • Distinguish between eMMC and UFS storage architectures and explain how each affects chip-off acquisition.
  • Explain how hardware-backed encryption limits physical acquisition on locked modern devices.
  • Describe what data the baseband processor holds and what acquisition technique is needed to reach it.
  • Explain how NAND wear levelling produces forensically recoverable artefacts from logically deleted data.
Key terms
System on Chip (SoC)
A single integrated circuit that combines the application processor, GPU, memory controller, image signal processor, and often the secure enclave. The SoC model determines the encryption scheme, secure boot chain, and available hardware debugging interfaces.
eMMC (embedded MultiMediaCard)
A flash storage standard that packages one or more NAND dies and a controller into one soldered module with an 8-bit parallel interface. Common in mid-range and older devices. Its standard interface and single-package design make chip-off acquisition relatively straightforward with widely available readers.
UFS (Universal Flash Storage)
A newer flash storage standard using a full-duplex serial interface (MIPI M-PHY with UniPro) that allows simultaneous reads and writes. Faster than eMMC; first shipped in the 2015 Galaxy S6 and standard in flagship devices by 2018. Chip-off acquisition requires specialised UFS readers and is more complex than eMMC.
Baseband processor
A separate processor that manages all radio functions: cellular calls, SMS, and data connections. It runs its own real-time OS and holds its own non-volatile memory with call routing metadata and SIM interaction logs. Not reachable through standard logical acquisition.
Secure Enclave / Trusted Execution Environment (TEE)
A hardware-isolated execution environment within the SoC that stores device-unique encryption keys and handles cryptographic operations. The encryption key never leaves this boundary, making it the primary barrier to decryption on locked modern devices.
Flash Translation Layer (FTL)
Firmware inside the flash storage controller that maps logical block addresses to physical NAND blocks and implements wear levelling. Deleted files may persist in out-of-mapping physical blocks until the FTL recycles them, creating a window for forensic recovery.

The System on Chip: architecture and forensic significance

The SoC is the central decision-making component. Apple's A-series chips have integrated the Secure Enclave on the SoC since the A7, and Google's Tensor pairs an on-SoC TEE with a discrete Titan M2 security chip for key storage and attestation; in both cases the physical attack surface around the keys is small. Qualcomm Snapdragon SoCs implement the TEE through ARM TrustZone partitioning of the application cores, with the Secure Processing Unit (SPU) on recent parts handling key storage. MediaTek Dimensity SoCs follow a similar TrustZone model. These architectural differences mean that an exploit that bypasses the TEE on one SoC generation does not transfer to another.

The secure boot chain matters forensically because it determines whether custom recovery environments, bootloaders, or debugging modes can be activated. On locked Apple devices, the Secure Boot process verifies each stage from the Boot ROM upward using Apple-signed keys. An unsigned image will not load. On Android devices whose bootloader is already unlocked, a forensic boot image can be loaded to image every partition without writing to device storage; the user-data partition is still file-based encrypted, though, so without the user's credential the examiner obtains ciphertext there plus the readable system partitions. Unlocking a locked bootloader wipes user data, so this path only exists if the owner unlocked it beforehand. With a locked bootloader, the examiner must rely on logical extraction through the OS or on hardware techniques.

The application processor cores within the SoC run the mobile OS and all user applications. They typically use ARM Cortex-A cores in a big.LITTLE configuration: high-performance cores for demanding tasks and efficiency cores for background work. RAM is provided by LPDDR4X or LPDDR5 chips, packaged separately or in a Package on Package (PoP) stack directly above the SoC. RAM is volatile and loses its contents seconds to minutes after power loss, but in live acquisition scenarios or when the device is found powered on, RAM may contain decrypted keys, active session tokens, and plaintext message content that is not available in storage.

NAND flash storage: eMMC, UFS, and forensic recovery

NAND flash is the non-volatile storage technology in every modern smartphone. It stores the OS, applications, and all user data. NAND cells are organised into pages (the minimum read/write unit, typically 4 to 16 KB) and blocks (the minimum erase unit, typically 256 to 512 pages). Writing to NAND requires an erase-before-write cycle at the block level, which creates the need for the Flash Translation Layer.

Feature                       | eMMC                        | UFS
------------------------------+-----------------------------+-------------------------------------------
Interface                     | Parallel, 8-bit (MMC bus)   | Serial, full duplex (MIPI M-PHY / UniPro)
Simultaneous read/write       | No                          | Yes
Typical max speed             | 400 MB/s (eMMC 5.1, HS400)  | 2100 MB/s (UFS 3.1)
Common device era             | Pre-2018 mid and low range  | 2015 onward, standard in flagships by 2018
Chip-off adapter availability | Wide                        | Limited, specialist hardware
Package identification        | BGA-153 or BGA-169 common   | BGA-153 or BGA-254 common

For chip-off acquisition, the storage chip is removed from the board using hot-air rework or infrared soldering equipment, then read directly by a chip reader that bypasses the device OS entirely. eMMC chips are well-supported by forensic chip readers from vendors such as Cellebrite, MSAB, and Octoplus. UFS chips require dedicated UFS socket adapters and more specialised equipment. What the reader returns depends on the part: an eMMC or UFS package contains its own controller, so the reader receives the logical block image that controller presents, with the FTL already applied and a partition table at the start. Only a bare NAND die yields a raw page dump, which must first be run through software that reconstructs the FTL's address mapping before any file system parsing can begin.
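As an added example (not code from this page or from any forensic vendor), the following Python builds a small constructed image with a protective MBR and a GPT, then parses it the way the first analysis step on an eMMC/UFS or EDL dump would: verify the header and entry-array CRC32s, list the partitions, and slice one out by name. The partition names and LBAs are illustrative, modelled loosely on a Qualcomm Android layout, and the backup GPT at the end of the disk is omitted; a production parser should fall back to it when the primary table fails its CRC.

```python
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE = 128
NUM_ENTRIES = 128            # minimum table size per spec: 32 sectors at 512 B
# Constructed sample layout (name, first LBA, last LBA); names are illustrative.
SAMPLE_PARTITIONS = [
    ("modemst1", 34, 545), ("modemst2", 546, 1057), ("fsg", 1058, 1569),
    ("boot", 1570, 2593), ("userdata", 2594, 4062),
]
LINUX_DATA = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header


def build_sample_image(partitions=SAMPLE_PARTITIONS, total_sectors=4096):
    """Constructed 2 MiB image: protective MBR at LBA 0, GPT header at LBA 1,
    entry table from LBA 2. The backup GPT at the end of the disk is omitted."""
    table = bytearray()
    for name, first, last in partitions:
        table += LINUX_DATA.bytes_le + uuid.uuid4().bytes_le
        table += struct.pack("<QQQ", first, last, 0)          # attributes = 0
        table += name.encode("utf-16-le").ljust(72, b"\x00")
    table = bytes(table).ljust(ENTRY_SIZE * NUM_ENTRIES, b"\x00")
    table_sectors = len(table) // SECTOR
    header = bytearray(struct.pack(
        HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
        1, total_sectors - 1, 2 + table_sectors, total_sectors - 2 - table_sectors,
        uuid.uuid4().bytes_le, 2, NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(table)))
    header[16:20] = struct.pack("<I", zlib.crc32(bytes(header)))  # CRC with field zeroed
    mbr = bytearray(SECTOR)      # protective MBR: one type-0xEE entry spanning the disk
    mbr[446:462] = struct.pack("<8BII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)
    mbr[510:] = b"\x55\xAA"
    image = bytearray(total_sectors * SECTOR)
    image[:SECTOR] = mbr
    image[SECTOR:SECTOR + 92] = header
    image[2 * SECTOR:2 * SECTOR + len(table)] = table
    return bytes(image)


def parse_gpt(image):
    """Parse the primary GPT, verifying both CRC32s. A mismatch means the dump
    is damaged or the table was altered, so refuse rather than guess."""
    fields = struct.unpack(HDR_FMT, image[SECTOR:SECTOR + 92])
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bkp, _first_usable, _last_usable,
     _disk_guid, table_lba, n_entries, entry_size, table_crc) = fields
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr = image[SECTOR:SECTOR + hdr_size]
    if zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    table = image[table_lba * SECTOR:table_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(table) != table_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:
            continue                                   # unused slot
        first, last = struct.unpack("<QQ", e[32:48])
        parts.append({
            "name": e[56:128].decode("utf-16-le").rstrip("\x00"),
            "type": str(type_guid), "first_lba": first, "last_lba": last,
            "size_bytes": (last - first + 1) * SECTOR,
        })
    return parts


def carve_partition(image, parts, name):
    """Slice one partition out of the dump by name, for example a modem
    partition that no logical extraction exposes."""
    for p in parts:
        if p["name"] == name:
            return image[p["first_lba"] * SECTOR:(p["last_lba"] + 1) * SECTOR]
    raise KeyError(name)


if __name__ == "__main__":
    img = build_sample_image()
    parts = parse_gpt(img)
    for p in parts:
        print(f"{p['name']:<10} LBA {p['first_lba']:>5}-{p['last_lba']:<5} {p['size_bytes'] // 1024:>5} KiB")
    print(len(carve_partition(img, parts, "modemst1")), "bytes carved from modemst1")
```

Refusing on a CRC mismatch is deliberate: a dump with a damaged primary table is common after a rough chip-off, and silently parsing it produces wrong offsets that are hard to detect later.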

Wear levelling creates the main forensic opportunity in NAND flash. When the OS deletes a file, it updates the file system metadata to mark those blocks as free. The FTL does not immediately erase the underlying NAND blocks; it marks them as invalid and reclaims them for new writes when it needs the space. Until that recycling happens, the original data remains in the physical NAND cells. Tools that read raw NAND can find these out-of-mapping pages and recover data that the logical file system reports as deleted. Two caveats bound this opportunity on current devices. First, the controller inside an eMMC or UFS package answers only for mapped logical blocks, so unmapped pages are reachable only on bare NAND dies or through vendor-specific controller test modes. Second, on an encrypted device the recovered pages are ciphertext; on iOS in particular each file's key lives in its metadata and is destroyed with the file, so remnants of deleted files stay unreadable even with the passcode. The window of recovery is unpredictable: on a lightly used device with plenty of free space, deleted files may persist for weeks; on a heavily used device, the FTL may recycle blocks within hours.
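The following Python model, added here and not taken from the page or from any real controller firmware, shows the mechanism described above on a toy geometry of four blocks of four pages: a logical delete only drops the mapping, a raw read of the cells still finds the content, and the content disappears only when garbage collection picks that block. The victim-selection rule (fewest valid pages, ties to the least-erased block) is a simplified wear-levelling policy chosen for the demo; real controllers add over-provisioning and background GC, which is why the recovery window is unpredictable.

```python
from collections import deque

PAGES_PER_BLOCK = 4   # toy geometry; real parts use hundreds of pages per block
NUM_BLOCKS = 4


class SimpleFTL:
    """Minimal page-mapped flash translation layer.

    NAND cannot overwrite a page in place, so every write lands on a fresh
    physical page and the superseded page is merely flagged invalid. Invalid
    pages keep their contents until garbage collection erases their block.
    """

    def __init__(self):
        n = PAGES_PER_BLOCK * NUM_BLOCKS
        self.pages = [None] * n          # physical page contents
        self.valid = [False] * n         # is the page currently mapped?
        self.l2p = {}                    # logical page -> physical page
        self.free = deque(range(n))      # erased pages available for writes
        self.erase_count = [0] * NUM_BLOCKS
        self.gc_log = []                 # blocks erased, in order

    def write(self, lpn, data):
        if not self.free:
            self._garbage_collect()
        if not self.free:
            raise RuntimeError("no free pages: device is full")
        ppn = self.free.popleft()
        old = self.l2p.get(lpn)
        if old is not None:
            self.valid[old] = False      # stale copy stays in the cells
        self.pages[ppn] = data
        self.valid[ppn] = True
        self.l2p[lpn] = ppn

    def read(self, lpn):
        """Logical read, as the file system sees it."""
        ppn = self.l2p.get(lpn)
        return None if ppn is None else self.pages[ppn]

    def delete(self, lpn):
        """Logical delete (unlink plus a discard/TRIM): the mapping is dropped
        but nothing is erased."""
        self.valid[self.l2p.pop(lpn)] = False

    def raw_dump(self):
        """What a read of the bare NAND die returns: every physical page in
        physical order, mapped or not."""
        return list(self.pages)

    def _garbage_collect(self):
        # Victim: the block with the fewest valid pages (least copy-back work),
        # ties broken towards the least-erased block, i.e. simple wear levelling.
        def cost(b):
            rng = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
            return (sum(self.valid[p] for p in rng), self.erase_count[b])
        victim = min(range(NUM_BLOCKS), key=cost)
        rng = range(victim * PAGES_PER_BLOCK, (victim + 1) * PAGES_PER_BLOCK)
        p2l = {p: l for l, p in self.l2p.items()}
        survivors = [(p2l[p], self.pages[p]) for p in rng if self.valid[p]]
        for p in rng:                    # block erase: the data is now truly gone
            self.pages[p] = None
            self.valid[p] = False
        self.free.extend(rng)
        self.erase_count[victim] += 1
        self.gc_log.append(victim)
        for lpn, data in survivors:      # copy-back of still-valid pages
            self.write(lpn, data)


def carve(raw_pages, needle):
    """Physical page numbers whose contents contain `needle`, ignoring the
    logical mapping entirely: this is what a raw-dump carver does."""
    return [p for p, data in enumerate(raw_pages) if data and needle in data]


def demo():
    ftl = SimpleFTL()
    ftl.write(0, b"SMS: meet at 9")       # constructed sample content
    ftl.write(1, b"photo.jpg v1")
    ftl.delete(0)
    result = {
        "logical_read_after_delete": ftl.read(0),
        "carved_before_gc": carve(ftl.raw_dump(), b"SMS"),
    }
    for lpn in range(2, 16):              # fill every free page; no GC needed yet
        ftl.write(lpn, b"note %d" % lpn)
    result["carved_after_fill"] = carve(ftl.raw_dump(), b"SMS")
    ftl.write(1, b"photo.jpg v2")         # no free page left: this write forces GC
    result["carved_after_gc"] = carve(ftl.raw_dump(), b"SMS")
    result["gc_log"] = list(ftl.gc_log)
    return result


if __name__ == "__main__":
    print(demo())
```

In the demo the deleted SMS sits in physical page 0 of block 0, the only block with an invalid page, so the first garbage collection erases exactly that block and the carver stops finding it; until then it is invisible to `read()` but present in `raw_dump()`.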

The baseband processor and radio subsystem

The baseband processor, sometimes called the radio processor or modem chip, manages all wireless communication between the device and cellular networks. On many Android devices it is a discrete chip: Qualcomm MDM, Intel XMM, or Samsung Shannon series are common examples. On Apple devices the modem has likewise been a discrete part (Intel XMM and later Qualcomm Snapdragon X-series modems) rather than a block inside the A-series SoC; it runs its own firmware and maintains its own non-volatile storage.

The baseband processor runs its own real-time operating system, separate from Android or iOS. It has its own non-volatile memory, typically a small NOR flash or, on Qualcomm platforms, the modem EFS partitions (modemst1, modemst2 and the fsg backup) carved out of the main eMMC/UFS, that stores cellular network parameters, IMEI, band preferences, and logs of network events. These logs can include cell tower registration records, handover events, and SIM interaction history. That data is forensically relevant in call record investigations, location analysis, and IMEI tracking cases. Because the EFS partitions sit on the main flash, a full EDL or chip-off dump contains them even though no logical extraction does.

The radio subsystem also includes a separate GPS module or integrated GNSS block, a Wi-Fi and Bluetooth combo chip, and an NFC controller. Each of these components may maintain its own small cache of recent activity. GPS modules may hold recent fix data; Wi-Fi chips may hold a list of recently connected SSIDs and their authentication parameters. On most devices these caches are managed through the application processor and appear in the main file system, but on some implementations they are stored in the peripheral chip itself.

Hardware-backed encryption and its forensic implications

Every current flagship smartphone uses hardware-backed encryption. The encryption key hierarchy starts with a device-unique hardware root key, called the UID key on Apple devices and the Hardware Unique Key (HUK) on Qualcomm platforms. This key is fused into the SoC at manufacture and is not readable by any software running on the device, including the OS itself. Cryptographic operations that use this key are performed inside the Secure Enclave or TEE; the key never appears in the register file or RAM of the application processor.

iOS entangles the user passcode with the hardware UID key: a key derivation function (PBKDF2-style, with an iteration count tuned so that one attempt takes roughly 80 ms on the Secure Enclave) produces a passcode-derived key, which unwraps the class keys, which in turn unwrap the random per-file keys stored in each file's metadata. If you have the passcode, the Secure Enclave derives the key on the device. Without it, the hardware key is inaccessible and the chain cannot be rebuilt offline. The practical effect is that a chip-off extraction of a locked, current-generation iPhone yields an encrypted image that cannot be cracked with off-device compute power, regardless of how much processing time is available; every guess has to pass through the Secure Enclave, which enforces escalating delays between attempts.

Android has supported file-based encryption (FBE) since 7.0 and requires it, rather than full-disk encryption (FDE), on devices launching with Android 10 or later. FBE splits storage into two classes. Device Encrypted (DE) storage, which holds files such as alarm settings, is protected by a key the TEE releases at boot and is readable Before First Unlock (BFU). Credential Encrypted (CE) storage, which holds most user data, is protected by a key that is only derived after the correct credential is entered, so it becomes readable After First Unlock (AFU). Forensic tools such as Cellebrite UFED and Oxygen Forensic Detective try to obtain a file system image while the device is in the AFU state, because the CE keys are then loaded in memory and the OS exposes files through its normal interfaces.

The forensic significance of the BFU versus AFU distinction is large. A device found powered off and seized is in BFU state once powered on; most user data is inaccessible through any logical means. A device found powered on and unlocked is in AFU state; a full file system image may be extractable immediately. A device found powered on but screen-locked may be in AFU state if the user had unlocked it since last reboot; tools that exploit the OS through the USB interface can sometimes access AFU-state data without the passcode. This is why first-responders are instructed to keep the device powered on, isolated from networks, and avoid letting it lock if possible.
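To make the key hierarchy and the BFU/AFU split concrete, here is an added Python model; it is not Apple's or Google's code and not a real SoC API. It uses HMAC-SHA256 and PBKDF2 from the standard library as stand-ins for the hardware AES engine and key wrap, and the `SecureEnclave` class never exposes its fused UID, only keys derived from it. The model splits data into Device Encrypted and Credential Encrypted classes as Android FBE does, and wraps a random per-file key under a class key as iOS does, so the one block illustrates both the iOS paragraph and the Android one. Device names, file names and the passcode are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000   # toy count; real SoCs tune it so one guess takes about 80 ms


def keystream(key, nonce, n):
    # Counter-mode keystream from HMAC-SHA256: stand-in for the AES engine.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, data):
    """Encrypt-then-MAC with the toy keystream; stands in for AES key wrap and
    for file encryption alike. Demo only."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def open_sealed(key, blob):
    """Plaintext, or None when `key` is wrong: a bad KEK fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class SecureEnclave:
    """Owns the fused device-unique key (UID on Apple, HUK on Qualcomm). No method
    returns it; callers get derived keys only, and passcode derivations are counted."""

    def __init__(self):
        self._uid = os.urandom(32)          # constructed stand-in for the fuse value
        self.passcode_attempts = 0

    def de_kek(self):
        # Needs no credential: available from boot, protects Device Encrypted data.
        return hmac.new(self._uid, b"DE-class", hashlib.sha256).digest()

    def ce_kek(self, passcode):
        # Credential Encrypted data: passcode entangled with the UID, so the
        # derivation cannot be reproduced off this SoC.
        self.passcode_attempts += 1
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, ITERATIONS)


class Device:
    def __init__(self, passcode):
        self.sep = SecureEnclave()
        self._class_keys = {"DE": os.urandom(32), "CE": os.urandom(32)}  # provisioning only
        # Everything that reaches flash, i.e. what a chip-off or EDL dump contains:
        self.flash = {"de_class": seal(self.sep.de_kek(), self._class_keys["DE"]),
                      "ce_class": seal(self.sep.ce_kek(passcode), self._class_keys["CE"]),
                      "files": {}}
        self.ram = {}                       # class keys currently unwrapped in RAM

    def store(self, name, data, cls):
        file_key = os.urandom(32)           # random per-file key, wrapped by its class key
        self.flash["files"][name] = (cls, seal(self._class_keys[cls], file_key), seal(file_key, data))

    def boot(self):
        """Cold boot: only the DE class key comes back; the device is BFU."""
        self.ram = {"DE": open_sealed(self.sep.de_kek(), self.flash["de_class"])}

    def unlock(self, passcode):
        """A correct passcode unwraps the CE class key into RAM: the device is AFU."""
        ce = open_sealed(self.sep.ce_kek(passcode), self.flash["ce_class"])
        if ce is not None:
            self.ram["CE"] = ce
        return ce is not None

    def read(self, name):
        """Logical read through the OS: None while the file's class key is not in RAM."""
        cls, wrapped_file_key, ct = self.flash["files"][name]
        if cls not in self.ram:
            return None
        return open_sealed(open_sealed(self.ram[cls], wrapped_file_key), ct)


def offline_attack(flash, guesses):
    """Attacker holding only the dump has no UID, so the PBKDF2 salt is unknown
    and no amount of off-device compute reproduces the KEK."""
    for pw in guesses:
        kek = hashlib.pbkdf2_hmac("sha256", pw.encode(), b"\x00" * 32, ITERATIONS)
        if open_sealed(kek, flash["ce_class"]) is not None:
            return pw
    return None


def on_device_attack(device, guesses):
    """Guessing through the Secure Enclave works, but every guess is counted (and on
    real hardware delayed or capped). Returns (passcode, guesses used)."""
    for n, pw in enumerate(guesses, 1):
        if device.unlock(pw):
            return pw, n
    return None, len(guesses)


def demo():
    dev = Device("2580")                    # constructed sample device and passcode
    dev.store("alarms.db", b"07:00 weekdays", "DE")
    dev.store("sms.db", b"meet at 9", "CE")
    dev.boot()                              # seized powered off, then booted: BFU
    bfu = (dev.read("alarms.db"), dev.read("sms.db"))
    offline = offline_attack(dev.flash, ["0000", "1234", "2580"])
    on_device = on_device_attack(dev, ["0000", "1234", "2580"])
    afu = (dev.read("alarms.db"), dev.read("sms.db"))
    return {"bfu": bfu, "offline_attack": offline, "on_device_attack": on_device, "afu": afu}
```

Running `demo()` shows the four outcomes the text describes: in BFU the DE file reads but the CE file returns None, the offline attack fails even with the correct passcode in its list because the UID salt is missing, the on-device attack succeeds on the third guess while the enclave counts every attempt, and after that unlock both files read (AFU).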

Hardware debugging interfaces: JTAG, EDL, and chip-off

Mobile devices expose hardware debugging interfaces that were intended for factory testing and repair but are used by forensic examiners when software-based acquisition is not possible. The three main interfaces are JTAG, Qualcomm's Emergency Download Mode (EDL), and MediaTek's Preloader/Download mode. Each provides a different level of access and carries different risks.

JTAG (Joint Test Action Group, IEEE 1149.1) is a standard boundary scan interface present on most mobile SoCs, although production devices frequently disable it through fuses or lock it behind vendor authentication. It allows a connected debugger to halt the processor, read and write memory, and access internal registers. For forensics, JTAG is used to dump the contents of flash storage by reading through the memory controller. The technique requires soldering fine wires to test points on the board, which is complex and carries a risk of permanent damage. JTAG acquisition is described in detail in the JTAG and Chip-Off Acquisition topic.

Qualcomm EDL mode (Emergency Download Mode, also called 9008 mode for its USB product ID) is a low-level boot mode built into the Qualcomm boot ROM. When triggered by a button combination or by grounding a test point, the device presents as a Qualcomm diagnostic interface over USB. With the correct Firehose programmer binary for the specific SoC, this interface can read full flash storage dumps without loading the main OS. EDL mode was the basis for many forensic tools on Qualcomm devices before vendors began restricting the Firehose programmers. On current devices the boot ROM verifies the programmer's signature against the OEM's fused public-key hash, so only an OEM-signed programmer for that exact SoC and OEM will load, which limits who can use this technique.

Technique               | Hardware contact required | Risk level              | Data completeness
------------------------+---------------------------+-------------------------+--------------------------------------------------------------
Logical acquisition     | No (USB/wireless)         | Very low                | Subset of the file system that the OS exposes (AFU state only)
File system acquisition | No (USB)                  | Low                     | Full file system, more complete than logical
EDL / Download mode     | Sometimes (test point)    | Medium                  | Full flash dump, including modem partitions
JTAG                    | Yes (soldered wires)      | High                    | Full flash dump including baseband area
Chip-off                | Yes (board disassembly)   | Very high (destructive) | Full flash; unmapped (wear-levelled) pages only from bare NAND

Hardware design variation across manufacturers and its forensic impact

Apple, Samsung, Google, Xiaomi, and other manufacturers all make different choices about how to implement the hardware components described above, and those choices create real differences in forensic outcomes. Apple's tight integration of the Secure Enclave with the application processor means that the hardware key is never accessible outside the chip boundary, and Apple has consistently resisted creating backdoors in this design. The result is that locked, fully updated iPhones present the highest barrier to physical extraction of any mainstream device class.

Samsung's Galaxy devices use Qualcomm Snapdragon or Samsung Exynos SoCs depending on the market region. Exynos devices have historically had fewer publicly known forensic exploit paths than Snapdragon devices, partly because the Qualcomm EDL ecosystem is more mature. Samsung also implements Knox, a hardware-backed security architecture that includes a one-time fuse (the Knox warranty bit) that permanently records whether the bootloader has ever been unlocked or unofficial firmware flashed. Once tripped, the bit cannot be reset and the device cannot regain its attestation status, which affects both data security and the interpretation of forensic evidence: a tripped Knox bit means the device's security state has been altered at some point.

From a legal standpoint, the hardware-determined encryption barrier has produced significant case law and legislative debate. In the US, the Department of Justice has sought court orders compelling Apple and Google to assist with device decryption, leading to public disagreements about the limits of lawful assistance. In the UK, the Investigatory Powers Act 2016 permits notices requiring technical assistance but does not explicitly compel the creation of decryption backdoors. In India, the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023 address data access obligations, but hardware-level encryption remains outside the reach of any purely legal demand. EU member states operate under the European Investigation Order framework for cross-border requests.

Understanding which SoC, storage type, and security implementation a target device uses is the starting point for any physical acquisition strategy. See Physical Acquisition Techniques for how these hardware characteristics translate into specific acquisition decisions, and Data Persistence and Evidence Locations for how data survives at the storage layer.

Check your understanding

A forensic examiner receives a locked iPhone with a current iOS version. They perform a chip-off extraction and obtain a raw NAND dump. What is the likely outcome?

Key Takeaways

  • The SoC model determines the encryption scheme, secure boot chain, and available hardware debugging interfaces. Identify the SoC before selecting an acquisition strategy.
  • eMMC storage is broadly supported for chip-off acquisition; UFS requires specialist hardware. The storage type is a practical constraint on which tools can be used.
  • Hardware-backed encryption ties the decryption key to the user passcode and a device-unique hardware key that never leaves the Secure Enclave or TEE. A chip-off dump of a locked modern device yields encrypted data that cannot be decrypted offline.
  • The BFU versus AFU state of a seized device determines what data is accessible through logical acquisition. Keeping the device powered on in AFU state is the single most consequential first-responder decision in mobile forensics.
  • NAND wear levelling means logically deleted files may remain in out-of-mapping physical blocks. Raw NAND reads can recover this data where the controller does not hide unmapped pages, though on an encrypted device the remnants are ciphertext; the recovery window depends on device usage and available free space.
What is a System on Chip and why does it matter for mobile forensics?
A System on Chip (SoC) integrates the CPU, GPU, memory controller, image signal processor, and often the secure enclave onto a single die. For forensics, the SoC model determines the encryption scheme, the secure boot chain, and which hardware debugging interfaces are exposed. Knowing the SoC in a target device tells you which acquisition tools and exploit paths are plausible before you touch the device.
What is the difference between eMMC and UFS storage and how does each affect acquisition?
eMMC (embedded MultiMediaCard) uses an 8-bit half-duplex parallel interface and packages the NAND flash with a controller in one module. UFS (Universal Flash Storage) uses a full-duplex serial interface, supports simultaneous reads and writes, and is typically faster. For chip-off acquisition, eMMC chips are easier to read directly because adapters and readers are widely available. UFS chips require more specialised hardware and the interface differences mean some older forensic readers cannot handle them.
What does the baseband processor do and what data does it hold?
The baseband processor manages all radio communications: cellular calls, SMS routing, and data connections. It runs its own operating system, separate from the main application processor. Its non-volatile memory can hold call routing metadata, network registration records, and SIM interaction logs. Baseband memory is not accessible through standard logical acquisition; specialised hardware or JTAG techniques are required.
How does hardware-based encryption affect forensic data recovery on mobile devices?
Modern SoCs implement full-disk or file-based encryption using keys derived from the user passcode and a device-unique hardware key stored in the Secure Enclave or Trusted Execution Environment. The hardware key never leaves the secure hardware boundary, so even a chip-off extraction produces encrypted data that cannot be decrypted without the passcode or a known vulnerability. This is the primary barrier to physical acquisition on locked, modern devices.
What is NAND wear levelling and why does it create forensic artefacts?
NAND flash cells degrade after a fixed number of write cycles. The flash translation layer in the storage controller implements wear levelling by distributing writes across all available blocks rather than repeatedly writing to the same location. As a by-product, old data blocks are not immediately overwritten; they remain marked as invalid until the controller recycles them. This means logically deleted files can persist in these out-of-mapping blocks and may be recoverable through physical acquisition or chip-off analysis.
