Mobile Phone Forensics: Acquisition and Examination
Mobile phone forensics. IMEI, IMSI, Android and iOS acquisition, Cellebrite, chip-off, CDR analysis, Faraday isolation.
Mobile phone forensics is the discipline of acquiring and examining evidential data from handsets, SIM cards, and associated cloud backups. It differs from disk forensics in three material ways: full-disk encryption is enabled by default on both Android and iOS, tying decryption to a hardware key inside the Secure Enclave or TrustZone; roughly 700 active Android OS variants mean tooling must be continuously updated; and remote-wipe services can erase a seized device the moment it touches a network. Acquisition follows a six-rung ladder from manual examination through logical, file-system, physical, JTAG/ISP, and chip-off methods, each trading invasiveness for data yield.
Mobile phone forensics is its own bullet because nothing else in cyber forensics moves this fast. Roughly 700 mobile OS variants are in active circulation, full-disk encryption is default on Android and iOS, the Secure Enclave and TrustZone block easy root, and remote-wipe pushes from iCloud or Find My Device can erase a seized handset in seconds. Examiners test the bullet through crisp MCQs (IMEI is 15 digits, dial *#06# to display it, IMEI vs IMSI distinctions) and short-answer questions on the acquisition ladder and on Call Detail Record (CDR) analysis under the IT Act and BNSS.
Treat this as memorisation built on three pillars: identifiers (IMEI, IMSI, MSISDN, ICCID, MAC), acquisition methods (manual, logical, file-system, physical, JTAG, ISP, chip-off), and examination targets (SQLite, plist, EXIF, CDR, cloud backups). The book companions on JTAG and chip-off acquisition and on Android and iOS app forensics carry the full picture.
By the end of this topic you will be able to:
- Identify the key mobile device identifiers (IMEI, IMSI, MSISDN, ICCID, MAC) and explain where each is stored and what it uniquely identifies.
- Arrange the six acquisition methods from least to most invasive and describe what data each method recovers and what it cannot.
- Explain how full-disk encryption on Android and iOS affects the yield of physical and chip-off acquisitions.
- Describe the correct seizure protocol for a mobile phone, including Faraday isolation and the consequences of remote-wipe exposure.
- Interpret a Call Detail Record and explain how cell-tower triangulation and tower dumps are used in Indian criminal investigations.
- IMEI: International Mobile Equipment Identity. 15-digit unique identifier burned into the handset baseband. Dial *#06# to display. Logged in every CDR.
- IMSI: International Mobile Subscriber Identity. 15-digit subscriber identifier stored on the SIM (first 3 MCC, next 2-3 MNC, rest MSIN). Authenticates the subscriber to the network.
- MSISDN: Mobile Station International Subscriber Directory Number. The dialable phone number. Stored on the HLR, not always on the SIM.
- ICCID: Integrated Circuit Card Identifier. Up to 19-digit serial of the physical SIM card, printed on the SIM body.
- CDR: Call Detail Record. Telco-side log of A-party, B-party, start time, duration, IMEI, IMSI and serving cell ID. Lawful-intercept output under the IT Act and Indian Telegraph Act.
- Faraday bag: RF-shielded pouch that isolates a seized handset from cellular, Wi-Fi and Bluetooth networks, preventing remote wipe and Find My pings.
- FDE: Full Disk Encryption. Default on modern Android (file-based encryption since Nougat) and iOS. Encryption keys are tied to the user passcode and a hardware key in the Secure Enclave or TrustZone.
- Chip-off: Destructive physical acquisition. The NAND or eMMC chip is desoldered from the PCB, read on a specialist programmer, and the raw image is parsed offline.
Why mobile is its own forensic discipline
A modern smartphone is not a small computer. It is a tightly integrated device with a baseband, an application processor, a Secure Enclave or TrustZone, encrypted storage tied to a hardware key, and an application sandbox per installed app. Roughly 700 mobile OS variants are in active use across the Android ecosystem (vendor skins on top of stock AOSP), and Apple ships a new iOS major version every September. Every release closes exploits the previous generation of tools relied on, which is why Cellebrite UFED and Magnet AXIOM ship monthly updates.
Five technical realities make the discipline distinct from disk forensics:
- Full-disk encryption is default. Android (file-based encryption since Nougat) and iOS (Data Protection classes) tie keys to the passcode plus a hardware key. Raw NAND reads return ciphertext.
- Proprietary hardware. Apple A-series and M-series, Samsung Exynos, Qualcomm Snapdragon and MediaTek each have different secure-boot chains.
- App-level encryption on top of FDE. WhatsApp's msgstore.db.crypt15 and Signal's SQLite store hold their keys in app-private storage or the Android Keystore.
- Cloud backup risk. iCloud, Google Drive and OneDrive copies often hold more recent data than the handset.
- Remote wipe. Find My iPhone and Find My Device can erase the device the moment it touches a network.
The first responder's seizure, volatility and imaging protocol for a phone is fundamentally different from the protocol for a desktop.
Mobile identifiers
- IMEI (International Mobile Equipment Identity). 15 digits, burned into the baseband. Dial *#06# to display. Dual-SIM handsets carry two IMEIs. The DoT's CEIR database blacklists stolen IMEIs across Indian telcos.
- IMSI (International Mobile Subscriber Identity). 15 digits on the SIM. Structure: 3-digit MCC (404, 405 for India), 2-3 digit MNC, then the MSIN. Authenticates the subscriber during attach.
- MSISDN. The dialable phone number. Lives in the telco HLR, not always on the SIM.
- ICCID. Up to 19 digits, the SIM card serial, printed on the card body.
- Bluetooth and Wi-Fi MAC. 48-bit radio identifiers, useful for placing a handset on a specific access point at a specific time.
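The identifier structures above (15-digit IMEI and IMSI, 3-digit MCC with 404/405 for India, 2-3 digit MNC) are easy to get wrong in an exam or in a report. The following parser is an added example, not code from the page or from any tool it names. It assumes two facts that the page does not state but that follow the 3GPP numbering plan: the 15th IMEI digit is a Luhn check digit over the first 14 (TAC 8 digits, serial 6, check 1), and Indian MNCs are two digits. The MNC-length table is a constructed stub; a real examiner would load the full operator list.

```python
"""Parse and sanity-check mobile identifiers (added example, not page code)."""

# Constructed lookup: MNC length by MCC. The page says MNCs are 2-3 digits;
# India (MCC 404 and 405) uses 2-digit MNCs. Anything not listed here is
# assumed to be 2 digits; a full ITU/3GPP table would replace this stub.
MNC_LENGTH_BY_MCC = {"404": 2, "405": 2}


def normalise_dialled(s: str) -> str:
    """Strip the separators a *#06# screen or a sticker label may show."""
    return "".join(ch for ch in s if ch.isdigit())


def parse_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC / MNC / MSIN."""
    imsi = normalise_dialled(imsi)
    if len(imsi) != 15:
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    mnc_len = MNC_LENGTH_BY_MCC.get(mcc, 2)
    return {
        "mcc": mcc,
        "mnc": imsi[3:3 + mnc_len],
        "msin": imsi[3 + mnc_len:],
        "india": mcc in ("404", "405"),
    }


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, digit-sum,
    and require the total to be a multiple of 10. The IMEI check digit is
    chosen so that the full 15-digit string passes this test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1),
    and report whether the check digit verifies."""
    imei = normalise_dialled(imei)
    if len(imei) != 15:
        raise ValueError("IMEI must be exactly 15 digits")
    return {
        "tac": imei[:8],
        "serial": imei[8:14],
        "check": imei[14],
        "luhn_ok": luhn_valid(imei),
    }


if __name__ == "__main__":
    # Constructed sample values; the IMEI is the well-known documentation
    # example 49-015420-323751-8, not a real handset.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("404450123456789"))
```

A failed Luhn check on an IMEI copied from a photographed screen usually means a transcription error rather than a tampered handset, which is why the check belongs in the seizure form workflow rather than in the report's conclusions.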
For the cellular technology background (2G GSM, 3G UMTS, 4G LTE, 5G NR), see the book topic on mobile technologies 2G to 5G.
Mobile OS forensics: Android vs iOS
Both share a Unix lineage and per-app sandboxing, but their on-disk layouts are distinct enough to affect acquisition strategy.
Android. Linux kernel, Bionic libc, the Android Runtime (ART, formerly Dalvik), APK package format. User data lives in /data/data/<package> (app-private) and /sdcard (shared). File system is ext4 or F2FS. Apps store structured data in SQLite: WhatsApp in msgstore.db, Telegram in cache4.db, contacts in contacts2.db. ADB is the host interface; root is usually needed for anything deeper than a logical pull.
iOS. Darwin kernel, BSD userland, Objective-C and Swift, IPA package format. User data lives in /var/mobile/Containers/Data/Application/<UUID>. File system is APFS since iOS 10.3, with native FDE tied to the Secure Enclave. Apps mix SQLite and Apple property-list (.plist) files. The iTunes backup yields .plist, .db and .mddata files identified by SHA-1 hashes of their original paths, which tools re-map.
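The re-mapping the previous paragraph mentions is mechanical once you know the rule. The block below is an added example, not code from the page or from libimobiledevice: it assumes the backup naming scheme (SHA-1 of "Domain-relativePath", with iOS 10+ backups sharding each file into a folder named by the first two hex characters) and the Manifest.db Files table columns (fileID, domain, relativePath). The sample manifest rows are constructed.

```python
"""Map iTunes/Finder backup file IDs back to their original paths
(added example, not page code)."""
import hashlib
import sqlite3

# Constructed manifest rows (domain, relativePath) standing in for Manifest.db.
SAMPLE_MANIFEST = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]


def backup_file_id(domain: str, relative_path: str) -> str:
    """Backup files are named by the SHA-1 of 'Domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def on_disk_location(file_id: str, ios10_layout: bool = True) -> str:
    """iOS 10+ backups keep each file under a two-hex-character subfolder;
    older backups stored all files flat in the backup root."""
    return f"{file_id[:2]}/{file_id}" if ios10_layout else file_id


def remap(manifest_rows) -> dict:
    """fileID -> (domain, relativePath), the lookup a parser builds first."""
    return {backup_file_id(d, p): (d, p) for d, p in manifest_rows}


def find_artefact(manifest_rows, domain: str, relative_path: str) -> dict:
    """Locate one artefact inside a backup folder by recomputing its ID."""
    fid = backup_file_id(domain, relative_path)
    return {
        "file_id": fid,
        "location": on_disk_location(fid),
        "in_manifest": fid in remap(manifest_rows),
    }


def load_manifest(manifest_db_path: str) -> list:
    """Read (domain, relativePath) pairs from a real Manifest.db (iOS 10+).
    Assumes the Files table schema; not exercised by the constructed sample."""
    con = sqlite3.connect(manifest_db_path)
    try:
        return list(con.execute("SELECT domain, relativePath FROM Files"))
    finally:
        con.close()


if __name__ == "__main__":
    print(find_artefact(SAMPLE_MANIFEST, "HomeDomain", "Library/SMS/sms.db"))
```

Because the ID is a plain SHA-1 of a known string, an examiner can pull the SMS store or the address book out of a backup without any vendor tool, which is also why an encrypted backup password matters far more than the obscured file names.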

Both platforms enforce app sandboxing and full-disk encryption, which is why a logical pull rarely gives the analyst more than what an app chooses to expose through ADB or the iTunes backup protocol.
Acquisition methods: the five-rung ladder
- Manual examination. Examiner navigates the UI and photographs each screen. Used when nothing else is feasible.
- Logical acquisition. Host-side protocol pull (ADB on Android; iTunes backup or libimobiledevice on iOS; MTP for media). Recovers what the OS chooses to expose. No deleted records, no unallocated NAND.
- File-system acquisition. Full copy of the user-data partition, usually requiring root on Android or a jailbreak on iOS. Recovers SQLite databases with their journal and WAL files (so deleted rows are recoverable), plus .plist and .db files outside the user-visible backup.
- Physical acquisition. Bit-by-bit NAND image. Gold standard. Recovers allocated and unallocated space, deleted files and slack. Needs a vendor exploit, bootloader unlock, or a hardware method below.
- JTAG and ISP, then chip-off. JTAG reads NAND through the SoC's Joint Test Action Group debug pins; ISP (In-System Programming) connects to the eMMC test pads; chip-off desolders the NAND chip and reads it on a programmer. Destructive, and increasingly defeated by FDE (the image is ciphertext without the passcode).
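The difference between a logical pull and a file-system acquisition comes down to the SQLite journal and WAL files the list above mentions. The following is an added example, not code from the page or from any vendor tool: it builds a constructed three-row message store, deletes a row in WAL mode, and shows that the API reports two rows while the main .db file (and the -wal sidecar) still physically carry the deleted text until a checkpoint runs. The carving regex only knows the constructed "MSG#nnn" body format; real parsers walk the page and cell structure instead.

```python
"""Why file-system acquisition must grab .db, -wal and journal together
(added example with a constructed database, not page code)."""
import os
import re
import shutil
import sqlite3
import tempfile

# Matches the constructed message bodies only; real tools parse cells, not regexes.
MSG_PATTERN = re.compile(rb"MSG#\d{3}(?: [a-z]+)*")


def build_sample_db(path: str) -> None:
    """Constructed sample: three chat rows, written in rollback-journal mode and
    closed so every page lands in the main .db file, as on a seized handset."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", [
        ("alice", "MSG#001 meet at the usual place"),
        ("bob", "MSG#002 delete this after reading"),
        ("alice", "MSG#003 ok"),
    ])
    con.commit()
    con.close()


def carve_messages(raw: bytes) -> list:
    """Carve message bodies straight from file bytes, ignoring SQLite's own
    view of which rows are live."""
    return sorted({m.decode() for m in MSG_PATTERN.findall(raw)})


def demo() -> dict:
    """Delete a row in WAL mode, then compare what the query API reports with
    what the main .db and the -wal file still physically contain."""
    workdir = tempfile.mkdtemp()
    try:
        db = os.path.join(workdir, "msgstore.db")
        build_sample_db(db)

        con = sqlite3.connect(db)
        con.execute("PRAGMA journal_mode=WAL")   # writes now land in msgstore.db-wal
        # Builds compiled with SQLITE_SECURE_DELETE zero freed cells by default;
        # turn it off explicitly so the freed bytes in the new page version stay.
        con.execute("PRAGMA secure_delete=OFF")
        con.execute("DELETE FROM messages WHERE id = 2")
        con.commit()                             # new page version -> WAL; main file untouched
        live = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]

        # Read raw bytes while the connection is open: closing the last connection
        # checkpoints the WAL into the main file and deletes the -wal sidecar,
        # which is what 'just open it in a viewer' does to an exhibit.
        with open(db, "rb") as f:
            main_carved = carve_messages(f.read())
        wal_path = db + "-wal"
        wal_exists = os.path.exists(wal_path)
        wal_carved = []
        if wal_exists:
            with open(wal_path, "rb") as f:
                wal_carved = carve_messages(f.read())
        con.close()
        return {"live": live, "main_db": main_carved, "wal": wal_carved,
                "wal_exists": wal_exists}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The takeaway for the ladder: a logical pull asks the app or OS for rows and gets `live`; a file-system acquisition copies `msgstore.db` plus `msgstore.db-wal` (and any `-journal`) as files, so the examiner can carve the pre-checkpoint page in `main_db` and the freed cell in the WAL frame, which is where the "deleted rows are recoverable" claim actually comes from.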

The book chapter on JTAG, ISP and chip-off toolkits walks through the test-pad maps, the desoldering rigs (PCB preheater, hot-air rework station, infrared rework), and the NAND programmers (Easy JTAG Plus, Medusa Pro) used in Indian state cyber-cell labs.
Tools: commercial and open-source
The Indian forensic-tool landscape is dominated by a handful of vendors.
- Cellebrite UFED (Universal Forensic Extraction Device). Gold standard, used by CFSL Hyderabad, NFSU Gandhinagar and state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi. Supports logical, file-system, physical and Advanced Services (cloud and locked-device extractions).
- Magnet AXIOM. Strong examination and reporting, deep parsers for Android and iOS app artefacts. Frequently paired with UFED.
- MSAB XRY. Swedish UFED competitor, broad handset matrix.
- Oxygen Forensic Detective. Strong cloud parsing and Telegram decoding.
- GrayKey. iOS passcode-bypass appliance originally from Grayshift, now operated under Magnet Forensics following their 2023 merger, law-enforcement only.
Open-source alternatives candidates should recognise: Andriller (Android suite with screen-lock cracking), ALEAPP/ILEAPP (community Python parsers for Android and iOS logs), and libimobiledevice (iOS host protocol, iTunes-style backup from Linux).
For practical Android and iOS app-artefact parsing (which SQLite tables map to which app features, where Signal stores its key), see the book topic on Android and iOS SQLite app forensics.
Examination targets, CDR analysis and cloud backups
Once an image is acquired, the examiner mines a predictable set of artefacts.
On-device artefacts. SQLite databases for call logs, SMS, contacts and per-app messaging; property lists (iOS) and XML (Android) for settings; the Photos library and /sdcard/DCIM for media with EXIF metadata (GPS, camera model, timestamp); browser history (Chrome's History, Safari's History.db); Apple's Significant Locations and Google's Timeline for geolocation history. End-to-end encrypted messengers (WhatsApp, Signal, Telegram secret chats) protect data in transit, but the local SQLite store is decryptable from the handset itself, which is why physical possession of the device is the difference between recovering messages and not recovering them.
Cloud backups. iCloud Backup, Google Drive WhatsApp Backup, OneDrive and Samsung Cloud often hold messages and media the handset has rotated out. Access requires a legal request to Apple, Google or Microsoft via the MLAT framework or under BNSS Section 94 for India-stored data. See the book chapter on mobile cloud and backup forensics for the request templates and what each provider returns.
CDR analysis. Call Detail Records are telco-side logs. Each row carries A-party number, B-party number, start timestamp, duration, IMEI, IMSI and serving cell-tower ID. CDR is obtained under the Indian Telegraph Act and the IT Act, with lawful-intercept orders issued under BNSS provisions. Investigators correlate CDR rows with cell-tower coordinates to triangulate the handset using two or three BTS hits. A tower dump is a list of every IMEI that registered with a given tower in a defined time window. Tower dumps and CDR analysis featured in the Nirbhaya case (December 2012), the Aarushi Talwar case, and the Sushant Singh Rajput investigation.
Faraday isolation, BNS/BSA admissibility and Indian institutions
Two seizure rules are non-negotiable. First, isolate the handset from cellular, Wi-Fi and Bluetooth the instant it is seized, using a Faraday bag, airplane mode (only if unlocked), or SIM removal. This blocks Apple Find My and Google Find My Device from pushing a remote wipe. Second, keep the handset charged: a dead iPhone enters Before First Unlock, which re-encrypts user data with the Secure Enclave and locks out most tools.
Indian institutional capacity sits at CFSL Hyderabad (central mobile and cyber lab), NFSU Gandhinagar (training and research), and the state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi, all equipped with Cellebrite UFED.
The legal frame for admissibility runs through the BNS 2023 cyber provisions and the BSA 2023 electronic evidence regime. Every electronic record produced from a mobile extraction must carry a BSA Section 63 certificate (the BSA 2023 replacement for the IEA Section 65B certificate). The Indian Telegraph Act and IT Act Section 69 govern lawful interception and decryption directives, and the DPDP Act 2023 adds purpose-limitation constraints. The whole pipeline rides on a clean chain of custody, without which the BSA 63 certificate is worthless.
Challenges and what defence counsel attacks
Five recurring challenges arise in operational casework.
- End-to-end encryption. WhatsApp and Signal encrypt messages in transit, so telco intercept yields ciphertext. Recovery depends on the handset's local SQLite store.
- Secure boot and hardware-backed keys. Modern Snapdragon and Apple SoCs verify every boot stage, blocking the rooting and jailbreaking older physical acquisitions depended on.
- OS updates that break tools. Each iOS major release closes the exploit chain UFED was using; each Android Security Bulletin patches a Cellebrite Advanced Services vector.
- Cloud-only data. iMessage in iCloud and the Photos library rotate older items off the handset. Without a legal cloud request, that data is gone from the device.
- Burner handsets and dual-SIM use in organised crime. Suspects rotate cheap handsets and pre-paid SIMs (often acquired with fake KYC). Investigators counter with cell-tower co-location analysis to link a known IMSI to a previously unknown IMEI used at the same places and times.
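Both the tower dump described under CDR analysis and the cell-tower co-location technique in the last bullet are set operations over the same CDR columns (timestamp, IMEI, IMSI, serving cell ID). The block below is an added example, not code from the page or from any telco or tool: it runs both over a small constructed CDR extract. The IMEI, IMSI, number and cell values are placeholders, and the 10-minute co-location window is an assumed analyst parameter, not a standard.

```python
"""Tower dump and IMSI-to-IMEI co-location over a constructed CDR extract
(added example, not page code)."""
from collections import Counter
from datetime import datetime, timedelta

FIELDS = ("ts", "a_party", "b_party", "duration_s", "imei", "imsi", "cell_id")

# Constructed CDR rows. Real CDRs arrive in the telco's own column layout;
# every identifier here is a placeholder, not a real subscriber or handset.
CDR_ROWS = [
    ("2024-03-01 09:00:00", "9100000001", "9100000002", 60, "490154203237518", "404450000000001", "CELL-A"),
    ("2024-03-01 09:04:00", "9100000099", "9100000003", 30, "356938035643809", "404450000000099", "CELL-A"),
    ("2024-03-01 09:30:00", "9100000050", "9100000004", 15, "353000000000000", "404450000000050", "CELL-A"),
    ("2024-03-01 13:00:00", "9100000001", "9100000005", 45, "490154203237518", "404450000000001", "CELL-B"),
    ("2024-03-01 13:05:00", "9100000050", "9100000006", 20, "353000000000000", "404450000000050", "CELL-B"),
    ("2024-03-01 13:07:00", "9100000099", "9100000007", 90, "356938035643809", "404450000000099", "CELL-B"),
    ("2024-03-02 18:00:00", "9100000050", "9100000010", 5, "353000000000000", "404450000000050", "CELL-C"),
    ("2024-03-02 19:55:00", "9100000099", "9100000008", 10, "356938035643809", "404450000000099", "CELL-C"),
    ("2024-03-02 20:00:00", "9100000001", "9100000009", 120, "490154203237518", "404450000000001", "CELL-C"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def load_cdr(rows) -> list:
    """Turn raw tuples into dicts with a real datetime in 'ts'."""
    out = []
    for row in rows:
        rec = dict(zip(FIELDS, row))
        rec["ts"] = parse_ts(rec["ts"])
        out.append(rec)
    return out


def tower_dump(records, cell_id: str, start: datetime, end: datetime) -> list:
    """Every IMEI that registered with one tower inside [start, end]."""
    return sorted({r["imei"] for r in records
                   if r["cell_id"] == cell_id and start <= r["ts"] <= end})


def co_location_hits(records, known_imsi: str, window=timedelta(minutes=10)) -> dict:
    """Count how often each other IMEI hit the same tower as the known IMSI
    within +/- window. Each (anchor row, candidate row) pair counts once, and
    rows belonging to the known IMSI itself are never candidates."""
    anchors = [r for r in records if r["imsi"] == known_imsi]
    hits = Counter()
    for a in anchors:
        for r in records:
            if r["imsi"] == known_imsi:
                continue
            if r["cell_id"] == a["cell_id"] and abs(r["ts"] - a["ts"]) <= window:
                hits[r["imei"]] += 1
    return dict(hits)


def rank_candidates(hits: dict, min_hits: int = 2) -> list:
    """IMEIs seen alongside the known SIM at min_hits or more places/times,
    most frequent first. A single hit is just a busy tower, not a link."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [imei for imei, n in ordered if n >= min_hits]


if __name__ == "__main__":
    recs = load_cdr(CDR_ROWS)
    print(tower_dump(recs, "CELL-B", parse_ts("2024-03-01 12:55:00"), parse_ts("2024-03-01 13:10:00")))
    hits = co_location_hits(recs, "404450000000001")
    print(hits, rank_candidates(hits))
```

The `min_hits` threshold is the point defence counsel will attack: one shared tower in a dense urban cell covers thousands of handsets, so the report should state the window, the number of distinct sites and the number of bystander IMEIs that also met the threshold, not just the candidate that did.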
Also recall the sibling computer forensics, cyber crimes and digital evidence bullet, which sets the broader digital-evidence frame.
What is the difference between IMEI, IMSI and ICCID?
List the mobile-phone acquisition methods in order of increasing invasiveness.
Why is a Faraday bag mandatory when seizing a mobile phone?
What is CDR analysis and how is it used in Indian investigations?
How does full-disk encryption affect mobile forensic acquisition?