Mobile and Network Forensics: Scope and Discipline
Mobile and network forensics are two complementary branches of digital investigation that together cover the acquisition and analysis of evidence from smartphones, tablets, SIM cards, cloud backups, and the traffic flowing across wired and wireless networks. This topic defines the scope of each discipline, the evidence types each yields, the legal frameworks governing evidence collection, and the investigator roles common to both fields.
Mobile and network forensics are two distinct but closely related branches of digital investigation. Mobile forensics covers the lawful acquisition and analysis of evidence stored on or generated by mobile devices: smartphones, tablets, GPS units, wearables, and the SIM cards, cloud accounts, and backup files connected to them. Network forensics covers the capture, preservation, and analysis of data moving across communications infrastructure: packet streams, firewall and router logs, wireless traffic, DNS query records, and intrusion detection system alerts. Together, the two disciplines can reconstruct what a suspect did on a device, where the device was, who the device communicated with, and how traffic passed through a network before, during, and after an incident.
The disciplines complement each other because modern offences rarely leave evidence in only one place. A fraud investigation may begin with a suspicious transaction log captured by network forensics and end with a recovery of chat messages and browser history from the perpetrator's phone by mobile forensics. A kidnapping investigation may use cell tower records to place a device at a scene and packet capture logs from a hotel Wi-Fi to confirm the suspect's online activity that evening. Investigators who understand both disciplines can identify which evidence exists, where to look for it, and how to acquire it without compromising admissibility.
Both disciplines operate under legal constraints that vary by jurisdiction. The Bharatiya Nagarik Suraksha Sanhita 2023 in India, the Fourth Amendment and Stored Communications Act in the United States, and the GDPR-shaped frameworks in the European Union all impose different requirements on when a device may be seized, when a service provider must hand over data, and what procedural safeguards protect the admissibility of digital evidence. Investigators must understand the legal framework of the jurisdiction where evidence is collected, because a procedural failure, such as searching a locked phone without a warrant or intercepting live traffic without lawful authorisation, can render otherwise valid evidence inadmissible.
By the end of this topic you will be able to:
- Define the scope of mobile forensics and network forensics and explain how the two disciplines complement each other in a digital investigation.
- Identify the primary evidence types available from mobile devices, SIM cards, cloud backups, packet captures, and network logs.
- Distinguish between logical, file system, physical, JTAG, and chip-off acquisition methods and state when each is appropriate.
- Describe the legal frameworks governing device seizure, lawful interception, and cross-border data requests in at least two jurisdictions.
- Explain the chain-of-custody requirements that apply to digital evidence and the hash-verification steps that protect data integrity.
- Logical acquisition: An extraction method that uses the device's own operating system interfaces, such as an iTunes or Finder backup on iOS or Android Debug Bridge (ADB) on Android, to export the data the OS makes available. Fast and non-invasive, but limited to the data the OS exposes; it cannot recover deleted content from unallocated storage. On iOS a password-protected backup contains more artefact types (keychain items and Safari history among them) than an unencrypted one, so examiners set a known backup password and record it.
- Physical acquisition: A bit-for-bit image of a device's storage chip, capturing allocated and unallocated space, deleted file fragments, and file system metadata. More powerful than logical acquisition, but on encrypted modern devices it yields ciphertext unless the decryption keys can also be obtained.
- IMEI (International Mobile Equipment Identity): A 15-digit number assigned to a handset's cellular modem: an 8-digit Type Allocation Code identifying the make and model, a 6-digit serial number, and a Luhn check digit. Dual-SIM handsets carry two. Used by networks to identify and block stolen devices, and by investigators to link call records, cell tower logs, and data from multiple sources to a specific handset.
- Packet capture (PCAP): The interception and recording of network packets as they traverse an interface. The raw data is stored in the libpcap (.pcap) format or its successor pcapng and analysed with tools such as Wireshark or tcpdump. Each record carries a timestamp and the captured bytes; from those, headers (source/destination IP, port, protocol) are always recoverable, while payload content is readable only where the traffic is unencrypted.
- Chain of custody: The documented record of every person who handled an exhibit and every action taken on it from seizure through analysis to court presentation. For digital evidence, it includes hardware write-blocker details, hash values of acquired images, and the tool versions used, so any unexplained change to a hash value is immediately apparent.
- Cell site analysis: The use of records from mobile network operators showing which cell towers a device connected to and when, allowing investigators to establish the approximate geographic location of a device at specific times. Accuracy depends on cell density: urban areas with many small cells give finer resolution than rural areas with large cells. The record identifies the serving cell, not a point location, and a handset does not always attach to the geographically nearest cell.
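An IMEI rarely arrives in one consistent form: call detail records give 15 digits, some extraction tools report only the 14-digit TAC plus serial, and device diagnostics report the 16-digit IMEISV with a software version instead of a check digit. The following Python, added here as an example (not code from the original page or from any forensic tool), validates the Luhn check digit and reduces every form to one 15-digit correlation key; the sample values are constructed test inputs, not real handsets.

```python
"""Validate an IMEI check digit and split the number into its fields.
Added example; the sample values are constructed test inputs, not real handsets."""
import re
from typing import Dict


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    Walking from the rightmost payload digit, double every other digit starting
    with that one, subtract 9 from any product above 9, sum everything, and
    return the digit that brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one leftwards
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(value: str) -> Dict[str, object]:
    """Normalise an IMEI as it appears in reports (dashes, spaces, trailing software
    version) and return its fields plus a validity flag.

    Accepted lengths: 15 digits (TAC + serial + check digit), 16 digits (IMEISV:
    TAC + serial + 2-digit software version, no check digit) and 14 digits (some
    tools omit the check digit; it is computed and reported).
    """
    digits = re.sub(r"\D", "", value)
    if len(digits) not in (14, 15, 16):
        raise ValueError(f"unexpected IMEI length {len(digits)} in {value!r}")
    tac, serial = digits[:8], digits[8:14]
    expected = luhn_check_digit(tac + serial)
    result: Dict[str, object] = {
        "tac": tac,
        "reporting_body": tac[:2],     # first two TAC digits: the allocating body
        "serial": serial,
        "expected_check_digit": expected,
        "check_digit": None,
        "software_version": None,
        "valid": True,                 # no check digit present means nothing to contradict
    }
    if len(digits) == 15:
        result["check_digit"] = int(digits[14])
        result["valid"] = result["check_digit"] == expected
    elif len(digits) == 16:
        result["software_version"] = digits[14:16]
    return result


def canonical_imei(value: str) -> str:
    """15-digit IMEI with the check digit verified or appended, for use as one
    correlation key across call records, cell site logs and device reports."""
    fields = parse_imei(value)
    if not fields["valid"]:
        raise ValueError(f"IMEI check digit mismatch in {value!r}")
    return f'{fields["tac"]}{fields["serial"]}{fields["expected_check_digit"]}'


if __name__ == "__main__":
    for sample in ("49-015420-323751-8", "49015420323751", "4901542032375101", "490154203237519"):
        try:
            print(sample, "->", canonical_imei(sample), parse_imei(sample))
        except ValueError as exc:
            print(sample, "->", exc)
```

A check-digit mismatch in a record is worth noting rather than silently correcting: it usually means a transcription error somewhere upstream, and the record should not be linked to a handset until the source is rechecked.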
Scope of mobile device forensics
Mobile device forensics addresses the acquisition and analysis of evidence from devices that people carry and use daily: smartphones, tablets, GPS units, smartwatches, and connected vehicles. These devices are attractive targets for investigators because they are personal, always with the user, and continuously generating evidence: call logs, message threads, location fixes, photographs with embedded metadata, app usage records, and network connection histories.
The hardware architecture of a modern smartphone, covered in depth in Mobile Hardware Architecture, shapes what evidence exists and how it can be reached. Flash storage, the application processor, baseband processor, and secure element each hold different categories of data. The baseband processor manages all radio communication and keeps its own non-volatile state (network registration data, radio configuration and, on some models, its own logs) that a factory reset of the main OS partition does not necessarily clear; it is reachable only through vendor diagnostic interfaces and rarely yields call records directly.
Key evidence categories in mobile forensics include: subscriber and device identity (IMEI, IMSI, phone number, linked email accounts), communications (calls, SMS, MMS, messaging apps such as WhatsApp and Signal), location data (GPS fixes, Wi-Fi and cell tower positioning, geotag metadata in photos), social media and app data, browser history and cached web content, financial app transactions, photographs and videos, and deleted file fragments recoverable from unallocated storage. The SIM card is a separate evidence source: it holds the IMSI, network authentication keys, stored SMS messages, and an abbreviated dialling directory, and must be examined independently of the handset.
Acquisition methods for mobile devices
Acquisition method selection is the most consequential decision in mobile forensics. The choice depends on the device model, operating system version, encryption status, and the investigative need. Applying the wrong method can corrupt data, trigger a remote wipe, or produce an incomplete image that later turns out to exclude critical evidence.
| Method | What it retrieves | Encryption barrier | Typical use case |
|---|---|---|---|
| Logical | OS-exposed data: contacts, messages, apps, call logs | Bypassed if device is unlocked | Unlocked device, quick triage |
| File system | Full file system tree including app sandboxes | Bypassed if device is unlocked | Unlocked iOS with AFC2 or Android ADB root |
| Physical | Bit-for-bit chip image including unallocated space | Blocked by full-disk encryption | Older or unencrypted devices |
| JTAG | Direct memory chip read via debug port | Blocked unless key is available | Locked devices with accessible JTAG pads |
| Chip-off | Raw flash data after physical chip removal | Blocked by hardware encryption | Damaged or passcode-locked devices of last resort |
Encryption by default has fundamentally changed how acquisition works. iOS has protected user data with hardware-bound, per-file Data Protection keys for years, and iOS 8 extended that protection to most built-in app data; Android made full-disk encryption mandatory for capable devices from Android 6 and moved to file-based encryption, required from Android 10. Without the device passcode, a physical or chip-off image yields ciphertext that is unreadable without the device key. This means logical acquisition on an unlocked device often provides more usable evidence than a physical acquisition on a locked one. Tools such as Cellebrite UFED, MSAB XRY, and Oxygen Forensic Detective have developed specialised exploits and bootloader-level methods (for example bootrom exploits on older Apple application processors and Qualcomm EDL mode on some Android devices) that can extract data from specific device models without the passcode, but coverage is model-specific and changes with each OS update.
Regardless of method, the first step is always isolation from the network, so that a remote wipe command, an incoming call, or a background sync cannot alter the evidence. A Faraday bag or shielded enclosure is preferred over airplane mode: enabling airplane mode means interacting with the device, and on some handsets it leaves Wi-Fi or Bluetooth active. If the device is found powered on, keep it powered and prevent it from locking where possible, because an iOS or Android device that has been unlocked since boot holds more data-protection keys in memory than one that has been rebooted, and many tool-assisted extractions depend on that state. Hardware write-blockers apply to removable media such as SD cards and SIM cards read through a card reader; the handset itself cannot be imaged through a write-blocker, because acquisition protocols such as ADB or the iOS backup service need two-way communication, so the examiner instead uses a validated forensic tool, documents every command sent to the device, and records the hash value of the resulting image before any analysis begins.
Scope of network forensics
Network forensics is the capture, preservation, and analysis of data transmitted across networks. Its primary evidence sources are packet captures, router and switch logs, firewall logs, intrusion detection and prevention system (IDS/IPS) alerts, DNS query logs, DHCP lease records, proxy server logs, and NetFlow or IPFIX traffic summary records. Each source provides a different view of the same events: a firewall log shows what was permitted or blocked; a full packet capture shows what the permitted traffic actually contained.
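Because the PCAP file named in the glossary above and here is the raw form most network evidence arrives in, it is worth seeing exactly what the format holds: a 24-byte global header (magic number, version, snapshot length, link type) followed by 16-byte record headers, each with a timestamp and two lengths, and then the captured bytes. The reader below is an added example written for this page, not Wireshark's or tcpdump's code; it handles only Ethernet frames carrying IPv4 with TCP or UDP, does not verify checksums, and runs on a two-packet capture constructed inline rather than a real case file.

```python
"""Minimal libpcap (.pcap) reader: global header, per-record headers and
Ethernet/IPv4/TCP|UDP decoding. Added example; the capture is constructed inline."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes as they appear on disk, mapped to struct byte order and timestamp divisor.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    timestamp: float             # seconds since the Unix epoch, per the capturing host's clock
    truncated: bool              # incl_len < orig_len: snaplen cut the record, payload is partial
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""


def decode_ethernet_ipv4(frame: bytes, pkt: Packet) -> None:
    """Fill addresses, ports and payload from an Ethernet II frame carrying IPv4.
    Checksums are not verified; non-IPv4 frames leave the fields empty."""
    if len(frame) < 34 or struct.unpack(">H", frame[12:14])[0] != 0x0800:
        return
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack(">H", ip[2:4])[0]
    pkt.src, pkt.dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if ip[9] == 6 and len(l4) >= 20:            # TCP
        pkt.proto = "TCP"
        pkt.sport, pkt.dport = struct.unpack(">HH", l4[:4])
        pkt.payload = l4[(l4[12] >> 4) * 4:]    # data offset is in 32-bit words
    elif ip[9] == 17 and len(l4) >= 8:          # UDP
        pkt.proto = "UDP"
        pkt.sport, pkt.dport = struct.unpack(">HH", l4[:4])
        pkt.payload = l4[8:]
    else:
        pkt.proto = str(ip[9])


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the 24-byte global header and every 16-byte record header that follows."""
    if data[:4] not in MAGICS:
        raise ValueError(f"not a libpcap file: magic {data[:4]!r}")
    endian, ts_div = MAGICS[data[:4]]
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                                # file ends mid-record: stop rather than guess
        pkt = Packet(ts_sec + ts_frac / ts_div, incl_len < orig_len)
        if linktype == LINKTYPE_ETHERNET:
            decode_ethernet_ipv4(frame, pkt)
        packets.append(pkt)
        off += 16 + incl_len
    return packets


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/{TCP,UDP} frame with zeroed checksums (test input only)."""
    if proto == 6:
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + l4


def build_pcap(records: List[Tuple[int, int, bytes]]) -> bytes:
    """Little-endian, microsecond, Ethernet pcap from (ts_sec, ts_usec, frame) tuples."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


# Constructed two-packet capture: an HTTP request and a DNS query from the same client.
SAMPLE_PCAP = build_pcap([
    (1700000000, 250000, build_frame("10.0.0.5", "93.184.216.34", 6, 51234, 80,
                                     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (1700000001, 10, build_frame("10.0.0.5", "10.0.0.1", 17, 53000, 53,
                                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
])

if __name__ == "__main__":
    for p in parse_pcap(SAMPLE_PCAP):
        print(f"{p.timestamp:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} {len(p.payload)} bytes")
```

Two details matter for evidence handling: the timestamps are whatever the capturing host's clock said, so they inherit that host's skew, and a record whose `incl_len` is smaller than `orig_len` was cut by the snapshot length, so an absent payload string in such a record proves nothing about what was sent.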
Network forensics investigations fall into two broad categories. Retrospective analysis works from logs and captures already stored when an incident is discovered: the investigator reconstructs what happened from historical records. Live capture involves deploying capture infrastructure at a network choke point to collect traffic in real time, which requires lawful interception authority in most jurisdictions. Retrospective analysis is more common in practice because network equipment typically retains logs for a defined period, and those logs are available without the legal complexity of authorised interception.
Wireless network forensics adds complexity. Wi-Fi traffic can be captured by any device in radio range, raising jurisdictional questions about whether passive capture constitutes interception. Some IEEE 802.11 management frames remain cleartext even on WPA3 networks: 802.11w Protected Management Frames, mandatory in WPA3, authenticate deauthentication, disassociation and action frames, but beacons, probe requests and probe responses are still sent unprotected. Those frames reveal device MAC addresses, directed probe requests naming networks a device has previously joined, and signal-strength and timing information that can place a device within a building. Two caveats apply: recent iOS and Android versions randomise the MAC address per network and suppress most directed probes, so a captured MAC may not map to one physical handset, and signal-strength location is approximate at best. IoT devices on the same network segment generate traffic patterns that can reveal usage behaviour, device identity, and firmware versions, each of which may be relevant evidence.
Legal frameworks and cross-border evidence
The legal authority to seize a mobile device, search its contents, obtain records from a network provider, or intercept live traffic varies substantially between jurisdictions. Investigators must identify the applicable law before taking any action, because evidence collected outside lawful authority can be excluded entirely or taint subsequent evidence collected using it as a lead.
In India, the Bharatiya Nagarik Suraksha Sanhita 2023 governs search and seizure of electronic devices during investigation. The Bharatiya Sakshya Adhiniyam 2023 governs the admissibility of electronic records as evidence, requiring a certificate from a responsible official attesting to how the record was produced and stored. The Information Technology Act 2000 (as amended) provides the authority for lawful interception of communications by designated agencies, with oversight requirements to prevent abuse. The Digital Personal Data Protection Act 2023 imposes obligations on how investigators may handle personal data obtained from devices or service providers.
In the United States, the Fourth Amendment requires a warrant for device searches in most circumstances following the Supreme Court's ruling in Riley v. California (2014), which held that a warrantless search of a mobile phone incident to arrest is unconstitutional; Carpenter v. United States (2018) extended the warrant requirement to historical cell-site location records obtained from a carrier. The Stored Communications Act governs requests to service providers for stored content and non-content records, and the CLOUD Act (2018) allows US authorities to compel US-based providers to produce data they hold abroad, with executive agreements providing a reciprocal route for partner countries. In the European Union, the GDPR requires that personal data collected during investigations be limited to what is necessary for the purpose, and the European Investigation Order provides a mechanism for obtaining electronic evidence held in another EU member state. The UK maintains the Investigatory Powers Act 2016, which authorises interception and equipment interference under warrant.
Evidence integrity and chain of custody
Digital evidence can be altered by the act of examining it. Powering on a mobile device, connecting it to a computer without a write-blocker, or allowing it to connect to a network can all modify timestamps, create new files, or overwrite deleted data. The first obligation of any examiner is to avoid modifying the evidence during collection.
The standard practice for storage media is to create a verified forensic image: a bit-for-bit copy whose integrity is confirmed by computing a cryptographic hash of both the source and the copy, then confirming they match. SHA-256 is current best practice; MD5 and SHA-1 have known collision attacks and should not be the sole integrity check, although many tools still record them alongside SHA-256 for comparison with older reports. All analysis is performed on the copy; the source is sealed and stored as the exhibit. For mobile devices where a full physical image is not achievable, investigators document which acquisition method was used, what data was accessible, and what was not, and why.
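The imaging and verification workflow just described, and the custody record the glossary calls for, as an added Python example (not code from the original page or from any imaging tool): it hashes the source, copies it, hashes the copy, re-hashes the source to detect a source that changed during imaging, and appends custody entries that each commit to the previous entry's hash. The in-memory "source" and the entry format are this example's own constructions, and the hash-chained log is a design choice of the example rather than a standard layout.

```python
"""Image a source, verify the image by hash, and keep a tamper-evident custody log.
Added example: the 'source' is an in-memory byte string constructed here, standing
in for a block device or extraction container; the log format is this example's own."""
import hashlib
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

CHUNK = 1 << 20   # stream in 1 MiB blocks so multi-GB images never need to fit in memory


def hash_stream(fh, algorithms=("sha256", "md5")) -> Dict[str, str]:
    """Read the stream once from the start and return every requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    fh.seek(0)
    while block := fh.read(CHUNK):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def image_and_verify(source, dest, exhibit_id: str, examiner: str,
                     tool: str = "example-imager 0.1") -> Dict[str, object]:
    """Bit-for-bit copy of source into dest, then a three-way check:
    source before imaging == source after imaging == image."""
    before = hash_stream(source)            # acquisition hash of the source
    source.seek(0)
    dest.seek(0)
    copied = 0
    while block := source.read(CHUNK):
        dest.write(block)
        copied += len(block)
    dest.flush()
    after = hash_stream(source)             # catches a source that changed while being read
    image = hash_stream(dest)
    return {
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_copied": copied,
        "source_sha256": before["sha256"],
        "image_sha256": image["sha256"],
        "image_md5": image["md5"],          # recorded for comparison with older reports only
        "verified": before == after == image,
    }


def verify_image(fh, expected_sha256: str) -> bool:
    """Re-hash a stored image; any later change, deliberate or accidental, shows here."""
    return hash_stream(fh, ("sha256",))["sha256"] == expected_sha256


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_custody(log: List[dict], action: str, person: str, image_sha256: str,
                   note: str = "", when: Optional[str] = None) -> dict:
    """Append a custody entry committing to the previous entry's hash, so editing or
    deleting an earlier entry invalidates every later one (this example's design)."""
    entry = {
        "when_utc": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "person": person,
        "image_sha256": image_sha256,
        "note": note,
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = _entry_hash(entry)
    log.append(entry)
    return entry


def custody_chain_intact(log: List[dict]) -> bool:
    prev = "0" * 64
    for entry in log:
        if entry["prev_entry_sha256"] != prev or _entry_hash(entry) != entry["entry_sha256"]:
            return False
        prev = entry["entry_sha256"]
    return True


# Constructed stand-in for a device image: 1 MiB of patterned data plus a marker.
SAMPLE_SOURCE = bytes(range(256)) * 4096 + b"<<end-of-sample-image>>"


def demo() -> Dict[str, object]:
    """Run the workflow on the constructed source and report what each check found."""
    src, img = io.BytesIO(SAMPLE_SOURCE), io.BytesIO()
    record = image_and_verify(src, img, "EX-001", "Examiner A")
    log: List[dict] = []
    append_custody(log, "acquired", "Examiner A", record["image_sha256"], "hash verified", "2024-03-04T04:10:00+00:00")
    append_custody(log, "transferred", "Analyst B", record["image_sha256"], "sealed bag 17", "2024-03-04T06:00:00+00:00")
    chain_ok = custody_chain_intact(log)
    tampered = io.BytesIO(SAMPLE_SOURCE[:100] + b"X" + SAMPLE_SOURCE[101:])   # one byte changed
    log[0]["person"] = "Someone Else"                                          # edit an earlier entry
    return {
        "record": record,
        "image_ok": verify_image(img, record["image_sha256"]),
        "tampered_ok": verify_image(tampered, record["image_sha256"]),
        "chain_ok_before_edit": chain_ok,
        "chain_ok_after_edit": custody_chain_intact(log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second hash of the source is the step most often skipped: if a handset or live disk changed while being read, the image is still a faithful copy of something, but not of the exhibit as it was at the start, and the record should say so.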
Network evidence presents different integrity challenges. Packet captures are typically stored on the capturing device's disk and may be cycled out when storage fills. Log entries can be altered by system administrators, intentionally or through log rotation. Investigators must document the source system's time synchronisation (NTP server, time zone), confirm the log format and any gaps in the record, and where possible obtain the logs directly from the source system in a forensically sound manner rather than accepting an export prepared by a third party. Time correlation across multiple log sources is critical: a one-minute clock skew between a firewall and a proxy server can make sequential events appear simultaneous or out of order.
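The time-correlation problem above in working form, as an added Python example (not code from the original page): one firewall line in BSD syslog format (local time, no year, no zone), one proxy line with an epoch timestamp, and one DNS log line in ISO 8601, each brought to UTC and then corrected by that source's clock offset as measured against the NTP reference at collection time. The log lines, the local zone, the year and the skew values are all constructed for the example; on the raw timestamps the three events sort in one order, and after correction in the opposite order.

```python
"""Bring three log sources onto one UTC timeline and correct each source's measured
clock skew. Added example; the log lines, zone, year and skew values are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

UTC = timezone.utc
FIREWALL_TZ = timezone(timedelta(hours=5, minutes=30))  # firewall syslog is local time, assumed IST
SYSLOG_YEAR = 2024                                      # BSD syslog omits the year: from collection notes

# Offset of each source clock from the NTP reference at collection time (source minus
# reference; positive means the source runs ahead). Constructed values.
SKEW: Dict[str, timedelta] = {
    "firewall": timedelta(seconds=-47),
    "proxy": timedelta(seconds=0),
    "dns": timedelta(seconds=12),
}

# Constructed sample lines, each in its source's native format.
FIREWALL_LOG = [
    "Mar  4 09:14:16 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=93.184.216.34 PROTO=TCP SPT=40112 DPT=443",
]
PROXY_LOG = [
    "1709523902.120     61 10.0.0.5 TCP_TUNNEL/200 3911 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -",
]
DNS_LOG = [
    "2024-03-04T03:45:12Z client 10.0.0.5#51122: query: example.com IN A",
]


@dataclass
class Event:
    corrected: datetime     # UTC, after skew correction
    logged: datetime        # UTC, as the source recorded it
    source: str
    message: str


def parse_firewall(line: str) -> Tuple[datetime, str]:
    m = re.match(r"(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(.*)", line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    stamp = re.sub(r"\s+", " ", m.group(1))               # 'Mar  4' -> 'Mar 4'
    local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=FIREWALL_TZ)
    return local.astimezone(UTC), m.group(2)


def parse_proxy(line: str) -> Tuple[datetime, str]:
    epoch, _, rest = line.partition(" ")
    secs, _, frac = epoch.partition(".")
    micros = int((frac + "000000")[:6])                   # keep the fraction exact, no float rounding
    return datetime.fromtimestamp(int(secs), tz=UTC) + timedelta(microseconds=micros), rest.strip()


def parse_dns(line: str) -> Tuple[datetime, str]:
    stamp, _, rest = line.partition(" ")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").astimezone(UTC), rest


PARSERS = {"firewall": parse_firewall, "proxy": parse_proxy, "dns": parse_dns}


def build_timeline(logs: Dict[str, Iterable[str]], skew: Dict[str, timedelta] = SKEW) -> List[Event]:
    """Parse every line, subtract each source's skew, and order events by corrected time."""
    events: List[Event] = []
    for source, lines in logs.items():
        parse = PARSERS[source]
        for line in lines:
            logged, message = parse(line)
            events.append(Event(logged - skew.get(source, timedelta(0)), logged, source, message))
    return sorted(events, key=lambda e: (e.corrected, e.source))


def order(logs: Dict[str, Iterable[str]], skew: Dict[str, timedelta] = SKEW) -> List[str]:
    return [e.source for e in build_timeline(logs, skew)]


LOGS = {"firewall": FIREWALL_LOG, "proxy": PROXY_LOG, "dns": DNS_LOG}

if __name__ == "__main__":
    print("raw order:      ", order(LOGS, skew={}))
    print("corrected order:", order(LOGS))
    for e in build_timeline(LOGS):
        print(f"{e.corrected.isoformat()}  [{e.source:8}] logged {e.logged.time()}  {e.message[:60]}")
```

Both the raw and the corrected timestamp are kept on each event so the report can show the correction that was applied; the measured offsets, and how and when they were measured, belong in the same report, since the corrected order is only as good as those measurements.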
Investigator roles and discipline structure
Mobile and network forensics investigations involve several distinct roles, and in a well-structured team these roles are separated to prevent conflicts of interest and ensure that each stage of the investigation can be independently reviewed. In smaller agencies, one person may perform multiple roles, but the functions themselves remain distinct.
The first responder handles scene management, device seizure, and initial isolation. Their job is to preserve the state of devices and networks without altering evidence. They do not analyse; they document and secure. The forensic examiner performs acquisition and extraction, producing verified images and extraction reports. The analyst reviews the extracted data, identifies relevant artefacts, and prepares findings. The expert witness translates technical findings into plain language for courts and investigators, and must be able to explain methodology, tool limitations, and the significance of specific artefacts under cross-examination.
Certification and accreditation vary by country. In the UK, the Forensic Science Regulator's Codes of Practice and Conduct impose quality standards on digital forensics providers including ISO/IEC 17025 accreditation for laboratory work. In the US, the Scientific Working Group on Digital Evidence (SWGDE) publishes standards that many agencies adopt. INTERPOL's Digital Forensics Expert Group coordinates best-practice guidance across member states. For mobile forensics specifically, vendor certification programmes from Cellebrite, MSAB, and Oxygen Forensics are widely recognised in practice even where no formal accreditation exists. Investigators should be prepared to explain in court which certifications they hold and what training underpins their methodology.
A detective seizes a smartphone at an arrest scene and immediately plugs it into a laptop to browse its photos. What is the primary forensic problem with this action?
Key Takeaways
- Mobile forensics covers device hardware, operating system artefacts, SIM cards, app data, location history, and cloud backups; network forensics covers packet captures, firewall and router logs, DNS records, and wireless traffic. The two disciplines frequently overlap in the same investigation.
- Acquisition method selection determines what evidence is recoverable: logical acquisition is fast but limited to OS-exposed data; physical and chip-off methods reach deleted content but are blocked by full-disk encryption without the device passcode.
- Legal authority is jurisdiction-specific and must be confirmed before seizure, acquisition, or interception. Cross-border cloud data requires separate legal process directed at the jurisdiction where the data is stored.
- Chain of custody for digital evidence requires hash verification of acquired images, documentation of every tool and write-blocker used, and a record of every person who handled the exhibit from seizure to court.
- Clock skew between network log sources must be identified and corrected before timeline analysis, because even small differences can make sequential events appear simultaneous or out of order.
What is the difference between mobile forensics and network forensics?
What types of evidence can be recovered from a mobile device?
What laws govern the seizure of mobile and network evidence?
What is the difference between logical and physical acquisition on a mobile device?
Why is maintaining a chain of custody critical in mobile and network forensics?