
Mobile Phone Forensics: Acquisition and Examination

Mobile phone forensics. IMEI, IMSI, Android and iOS acquisition, Cellebrite, chip-off, CDR analysis, Faraday isolation.


Mobile phone forensics is the discipline of acquiring and examining evidential data from handsets, SIM cards, and associated cloud backups. It differs from disk forensics in three material ways: full-disk encryption is enabled by default on both Android and iOS, tying decryption to a hardware key inside the Secure Enclave or TrustZone; roughly 700 active Android OS variants mean tooling must be continuously updated; and remote-wipe services can erase a seized device the moment it touches a network. Acquisition follows a six-rung ladder from manual examination through logical, file-system, physical, JTAG/ISP, and chip-off methods, each trading invasiveness for data yield.

Mobile phone forensics is its own bullet because nothing else in cyber forensics moves this fast. Roughly 700 mobile OS variants are in active circulation, full-disk encryption is default on Android and iOS, the Secure Enclave and TrustZone block easy root, and remote-wipe pushes from iCloud or Find My Device can erase a seized handset in seconds. Examiners test the bullet through crisp MCQs (IMEI is 15 digits, dial *#06#, IMEI vs IMSI distinctions) and short-answer questions on the acquisition ladder and on Call Detail Record (CDR) analysis under the IT Act and BNSS.

Treat this as memorisation built on three pillars: identifiers (IMEI, IMSI, MSISDN, ICCID, MAC), acquisition methods (manual, logical, file-system, physical, JTAG, ISP, chip-off), and examination targets (SQLite, plist, EXIF, CDR, cloud backups). The book companions on JTAG and chip-off acquisition and Android and iOS app forensics carry the full picture.

By the end of this topic you will be able to:

  • Identify the key mobile device identifiers (IMEI, IMSI, MSISDN, ICCID, MAC) and explain where each is stored and what it uniquely identifies.
  • Arrange the six acquisition methods from least to most invasive and describe what data each method recovers and what it cannot.
  • Explain how full-disk encryption on Android and iOS affects the yield of physical and chip-off acquisitions.
  • Describe the correct seizure protocol for a mobile phone, including Faraday isolation and the consequences of remote-wipe exposure.
  • Interpret a Call Detail Record and explain how cell-tower triangulation and tower dumps are used in Indian criminal investigations.

Key terms
IMEI
International Mobile Equipment Identity. 15-digit unique identifier burned into the handset baseband. Dial *#06# to display. Logged in every CDR.
IMSI
International Mobile Subscriber Identity. 15-digit subscriber identifier stored on the SIM (first 3 MCC, next 2-3 MNC, rest MSIN). Authenticates the subscriber to the network.
MSISDN
Mobile Station International Subscriber Directory Number. The dialable phone number. Stored on the HLR, not always on the SIM.
ICCID
Integrated Circuit Card Identifier. Up to 19-digit serial of the physical SIM card, printed on the SIM body.
CDR
Call Detail Record. Telco-side log of A-party, B-party, start time, duration, IMEI, IMSI and serving cell ID. Lawful-intercept output under the IT Act and Indian Telegraph Act.
Faraday bag
RF-shielded pouch that isolates a seized handset from cellular, Wi-Fi and Bluetooth networks, preventing remote wipe and Find My pings.
FDE
Full Disk Encryption. Default on modern Android (file-based encryption since Nougat) and iOS. Encryption keys are tied to the user passcode and a hardware key in the Secure Enclave or TrustZone.
Chip-off
Destructive physical acquisition. The NAND or eMMC chip is desoldered from the PCB, read on a specialist programmer, and the raw image is parsed offline.

Why mobile is its own forensic discipline

A modern smartphone is not a small computer. It is a tightly integrated device with a baseband, an application processor, a Secure Enclave or TrustZone, encrypted storage tied to a hardware key, and an application sandbox per installed app. Roughly 700 mobile OS variants are in active use across the Android ecosystem (vendor skins on top of stock AOSP), and Apple ships a new iOS major version every September. Every release closes exploits the previous generation of tools relied on, which is why Cellebrite UFED and Magnet AXIOM ship monthly updates.

Five technical realities make the discipline distinct from disk forensics:

  1. Full-disk encryption is default. Android (file-based encryption since Nougat) and iOS (Data Protection classes) tie keys to the passcode plus a hardware key. Raw NAND reads return ciphertext.
  2. Proprietary hardware. Apple A-series and M-series, Samsung Exynos, Qualcomm Snapdragon and MediaTek each have different secure-boot chains.
  3. App-level encryption on top of FDE. WhatsApp's msgstore.db.crypt15 and Signal's SQLite store hold their keys in app-private storage or the Android Keystore.
  4. Cloud backup risk. iCloud, Google Drive and OneDrive copies often hold more recent data than the handset.
  5. Remote wipe. Find My iPhone and Find My Device can erase the device the moment it touches a network.

The first responder's seizure, volatility and imaging protocol for a phone is fundamentally different from the protocol for a desktop.

Mobile identifiers

  • IMEI (International Mobile Equipment Identity). 15 digits, burned into the baseband. Dial *#06# to display. Dual-SIM handsets carry two IMEIs. The DoT's CEIR database blacklists stolen IMEIs across Indian telcos.
  • IMSI (International Mobile Subscriber Identity). 15 digits on the SIM. Structure: 3-digit MCC (404, 405 for India), 2-3 digit MNC, then the MSIN. Authenticates the subscriber during attach.
  • MSISDN. The dialable phone number. Lives in the telco HLR, not always on the SIM.
  • ICCID. Up to 19 digits, the SIM card serial, printed on the card body.
  • Bluetooth and Wi-Fi MAC. 48-bit radio identifiers, useful for placing a handset on a specific access point at a specific time.
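
The identifier structure above (IMEI with its Luhn check digit, IMSI as MCC + MNC + MSIN, ICCID with its check digit) is easy to get wrong when transcribing a seizure note, so here is an added example, not code from the page, that validates and splits them. All sample values are constructed; the two-digit-MNC table is an assumption covering only the Indian MCCs the page names, and callers pass the MNC length explicitly for other countries.

```python
# Added example (not code from the page): parse and sanity-check the handset and
# subscriber identifiers recorded at seizure. Sample values are constructed.
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit over a digit string; IMEI and ICCID carry one as their last digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost payload digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """IMEI: 15 digits = 8-digit TAC + 6-digit serial + Luhn check digit."""
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == int(imei[14]))


def iccid_is_valid(iccid: str) -> bool:
    """ICCID: starts with 89 (telecom industry identifier), up to 19 digits per the
    page's definition (20-digit cards are also issued), last digit is a Luhn check."""
    return (18 <= len(iccid) <= 20 and iccid.isdigit() and iccid.startswith("89")
            and luhn_check_digit(iccid[:-1]) == int(iccid[-1]))


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, 3 digits (404 and 405 are India)
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number


# Assumption (constructed, partial table): the Indian MCCs use 2-digit MNCs. For any
# other MCC the caller supplies mnc_len from the operator numbering plan.
TWO_DIGIT_MNC_MCCS = {"404", "405"}


def parse_imsi(imsi: str, mnc_len: Optional[int] = None) -> Imsi:
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    if mnc_len is None:
        if mcc not in TWO_DIGIT_MNC_MCCS:
            raise ValueError(f"MNC length for MCC {mcc} not in table; pass mnc_len")
        mnc_len = 2
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return Imsi(mcc=mcc, mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


def seizure_record(imei: str, imsi: str, iccid: str) -> dict:
    """Bundle the identifiers with validation results, as a seizure note would."""
    parsed = parse_imsi(imsi)
    return {
        "imei": imei, "imei_valid": imei_is_valid(imei), "tac": imei[:8],
        "imsi": imsi, "mcc": parsed.mcc, "mnc": parsed.mnc, "msin": parsed.msin,
        "iccid": iccid, "iccid_valid": iccid_is_valid(iccid),
    }


if __name__ == "__main__":
    # 490154203237518 is the commonly quoted sample IMEI; the IMSI and ICCID are constructed.
    print(seizure_record("490154203237518", "404451234567890", "8991401234567890126"))
```

A check digit that fails usually means a transcription error on the seizure form rather than a tampered handset, which is exactly when the examiner should re-photograph the *#06# screen before the record enters the chain of custody.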

For the cellular technology background (2G GSM, 3G UMTS, 4G LTE, 5G NR), see the book topic on mobile technologies 2G to 5G.

Mobile OS forensics: Android vs iOS

Both share a Unix lineage and per-app sandboxing, but their on-disk layouts are distinct enough to affect acquisition strategy.

Android. Linux kernel, Bionic libc, the Android Runtime (ART, formerly Dalvik), APK package format. User data lives in /data/data/<package> (app-private) and /sdcard (shared). File system is ext4 or F2FS. Apps store structured data in SQLite: WhatsApp in msgstore.db, Telegram in cache4.db, contacts in contacts2.db. ADB is the host interface; root is usually needed for anything deeper than a logical pull.

iOS. Darwin kernel, BSD userland, Objective-C and Swift, IPA package format. User data lives in /var/mobile/Containers/Data/Application/<UUID>. File system is APFS since iOS 10.3, with native FDE tied to the Secure Enclave. Apps mix SQLite and Apple property-list (.plist) files. The iTunes backup yields .plist, .db and .mddata files identified by SHA-1 hashes of their original paths, which tools re-map.
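
The "SHA-1 hashes of their original paths" mapping is small enough to reproduce by hand. The following is an added example, not code from the page or from any forensic tool: it computes a backup file name the way an iTunes/Finder backup does (SHA-1 of the domain, a hyphen, and the relative path), shards it into the two-hex-character subdirectory iOS 10+ backups use, and re-maps hashed names back to paths through a Manifest.db-style Files table. The manifest rows are constructed; only the hashing matches a real backup.

```python
# Added example (not code from the page): how an iTunes/Finder backup names files and
# how an examiner maps them back to their original paths. Manifest rows are constructed.
import hashlib
import os
import sqlite3


def backup_file_id(domain: str, relative_path: str) -> str:
    """Backup file name = SHA-1 of the string "<domain>-<relativePath>" (not of the bytes)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_location(backup_root: str, file_id: str) -> str:
    """iOS 10+ backups shard files into subdirectories named by the first two hex chars."""
    return os.path.join(backup_root, file_id[:2], file_id)


# Constructed (domain, relativePath) pairs. A real Manifest.db holds them in its Files
# table; the hashes below are computed exactly as a backup would compute them.
CONSTRUCTED_MANIFEST = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]


def build_manifest(con: sqlite3.Connection) -> None:
    con.execute("CREATE TABLE Files(fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT)")
    con.executemany(
        "INSERT INTO Files VALUES (?, ?, ?)",
        [(backup_file_id(d, p), d, p) for d, p in CONSTRUCTED_MANIFEST],
    )


def remap(con: sqlite3.Connection, backup_root: str = "/path/to/backup") -> dict:
    """Map each hashed file name back to domain/path and verify the hash really matches,
    which catches a manifest that was edited after the backup was taken."""
    out = {}
    for file_id, domain, rel in con.execute("SELECT fileID, domain, relativePath FROM Files"):
        out[file_id] = {
            "domain": domain,
            "path": rel,
            "on_disk": backup_file_location(backup_root, file_id),
            "hash_matches": backup_file_id(domain, rel) == file_id,
        }
    return out


def find_artefact(con: sqlite3.Connection, name: str) -> list:
    """Locate a known artefact (e.g. sms.db) by original path instead of by hash."""
    return [row[0] for row in con.execute(
        "SELECT fileID FROM Files WHERE relativePath LIKE ?", (f"%{name}",))]


def demo() -> tuple:
    con = sqlite3.connect(":memory:")
    build_manifest(con)
    return remap(con), find_artefact(con, "sms.db")


if __name__ == "__main__":
    mapping, sms = demo()
    for fid, info in mapping.items():
        print(fid, info["domain"], info["path"], info["hash_matches"])
    print("sms.db is stored as", sms)
```

Because the name is a hash of the path string, an examiner who knows the path can compute the file name without parsing the manifest at all, which is how the well-known sms.db hash circulates in tool documentation.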

Storage architecture comparison; Android exposes per-app SQLite via /data/data and shared media via /sdcard, while iOS isolates each app in a container under /var/mobile.

Both platforms enforce app sandboxing and full-disk encryption, which is why a logical pull rarely gives the analyst more than what an app chooses to expose through ADB or the iTunes backup protocol.

Acquisition methods: the five-rung ladder

  1. Manual examination. Examiner navigates the UI and photographs each screen. Used when nothing else is feasible.
  2. Logical acquisition. Host-side protocol pull (ADB on Android; iTunes backup or libimobiledevice on iOS; MTP for media). Recovers what the OS chooses to expose. No deleted records, no unallocated NAND.
  3. File-system acquisition. Full copy of the user-data partition, usually requiring root on Android or a jailbreak on iOS. Recovers SQLite databases with their journal and WAL files (so deleted rows are recoverable), plus .plist and .db files outside the user-visible backup.
  4. Physical acquisition. Bit-by-bit NAND image. Gold standard. Recovers allocated and unallocated space, deleted files and slack. Needs a vendor exploit, bootloader unlock, or a hardware method below.
  5. JTAG and ISP, then chip-off. JTAG reads NAND through the SoC's Joint Test Action Group debug pins; ISP (In-System Programming) connects to the eMMC test pads; chip-off desolders the NAND chip and reads it on a programmer. Destructive, and increasingly defeated by FDE (the image is ciphertext without the passcode).
Acquisition ladder ordered by invasiveness; each rung up requires more skill, recovers more data, and risks more device damage. Yields collapse to ciphertext for the bottom rungs once FDE is enabled.
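
The file-system rung's claim that "deleted rows are recoverable" from the journal and WAL files is worth seeing concretely. The following is an added example, not code from the page or from any forensic tool: it creates a throwaway SQLite database in WAL mode, inserts and then deletes a row, and parses the -wal file (32-byte header, then frames of a 24-byte header plus one page) to show that the frame from the insert commit still carries the text. The database name and message text are constructed.

```python
# Added example (not code from the page): why capturing SQLite's -wal file in a
# file-system acquisition can recover rows the app has already deleted.
import os
import sqlite3
import struct
import tempfile
from typing import Optional

WAL_MAGIC = (0x377F0682, 0x377F0683)          # big-endian / little-endian checksum variants
SAMPLE_TEXT = b"constructed evidence message"  # constructed content, not real data


def wal_frames(wal: bytes):
    """Parse a SQLite WAL: 32-byte header, then frames of a 24-byte header plus one page.
    Returns (page_size, [(page_number, is_commit_frame, page_bytes), ...])."""
    if len(wal) < 32:
        return 0, []
    magic, _version, page_size = struct.unpack(">III", wal[:12])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], 32
    while off + 24 + page_size <= len(wal):
        pgno, commit_size = struct.unpack(">II", wal[off:off + 8])
        frames.append((pgno, commit_size != 0, wal[off + 24:off + 24 + page_size]))
        off += 24 + page_size
    return page_size, frames


def carve_deleted_row(db_dir: Optional[str] = None) -> dict:
    db_dir = db_dir or tempfile.mkdtemp()
    path = os.path.join(db_dir, "app.db")     # constructed name, not a real app database
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages(body) VALUES (?)", (SAMPLE_TEXT.decode(),))
    con.commit()   # commit 1: the page holding the row is appended to the WAL
    con.execute("DELETE FROM messages WHERE id = 1")
    con.commit()   # commit 2: a newer copy of the page is appended; the older frame stays
    live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    with open(path + "-wal", "rb") as f:
        wal = f.read()
    with open(path, "rb") as f:
        main_db = f.read()
    page_size, frames = wal_frames(wal)
    hits = [pgno for pgno, _, page in frames if SAMPLE_TEXT in page]
    con.close()    # the last close checkpoints and normally removes the WAL: image it first
    return {
        "live_rows": live_rows,
        "page_size": page_size,
        "wal_frames": len(frames),
        "wal_pages_with_deleted_text": hits,
        "in_main_db_before_checkpoint": SAMPLE_TEXT in main_db,
        "wal_survives_close": os.path.exists(path + "-wal"),
    }


if __name__ == "__main__":
    for k, v in carve_deleted_row().items():
        print(f"{k}: {v}")
```

The point for the acquisition ladder: a logical pull that copies only the main database file (or triggers a checkpoint by opening it) sees zero rows, while a file-system image that captured app.db-wal alongside it still holds the page from the insert. The same reasoning applies to rollback-journal (-journal) files on apps that do not use WAL.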

The book chapter on JTAG, ISP and chip-off toolkits walks through the test-pad maps, the desoldering rigs (PCB preheater, hot-air rework station, infrared rework), and the NAND programmers (Easy JTAG Plus, Medusa Pro) used in Indian state cyber-cell labs.

Tools: commercial and open-source

The Indian forensic-tool landscape is dominated by a handful of vendors.

  • Cellebrite UFED (Universal Forensic Extraction Device). Gold standard, used by CFSL Hyderabad, NFSU Gandhinagar and state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi. Supports logical, file-system, physical and Advanced Services (cloud and locked-device extractions).
  • Magnet AXIOM. Strong examination and reporting, deep parsers for Android and iOS app artefacts. Frequently paired with UFED.
  • MSAB XRY. Swedish UFED competitor, broad handset matrix.
  • Oxygen Forensic Detective. Strong cloud parsing and Telegram decoding.
  • GrayKey. iOS passcode-bypass appliance originally from Grayshift, now operated under Magnet Forensics following their 2023 merger, law-enforcement only.

Open-source alternatives candidates should recognise: Andriller (Android suite with screen-lock cracking), ALEAPP/ILEAPP (community Python parsers for Android and iOS logs), and libimobiledevice (iOS host protocol, iTunes-style backup from Linux).

For practical Android and iOS app-artefact parsing (which SQLite tables map to which app features, where Signal stores its key), see the book topic on Android and iOS SQLite app forensics.

Examination targets, CDR analysis and cloud backups

Once an image is acquired, the examiner mines a predictable set of artefacts.

On-device artefacts. SQLite databases for call logs, SMS, contacts and per-app messaging; property lists (iOS) and XML (Android) for settings; the Photos library and /sdcard/DCIM for media with EXIF metadata (GPS, camera model, timestamp); browser history (Chrome's History, Safari's History.db); Apple's Significant Locations and Google's Timeline for geolocation history. End-to-end encrypted messengers (WhatsApp, Signal, Telegram secret chats) protect data in transit, but the local SQLite store is decryptable from the handset itself, which is why physical possession of the device is the difference between recovering messages and not recovering them.

Cloud backups. iCloud Backup, Google Drive WhatsApp Backup, OneDrive and Samsung Cloud often hold messages and media the handset has rotated out. Access requires a legal request to Apple, Google or Microsoft via the MLAT framework or under BNSS Section 94 for India-stored data. See the book chapter on mobile cloud and backup forensics for the request templates and what each provider returns.

CDR analysis. Call Detail Records are telco-side logs. Each row carries A-party number, B-party number, start timestamp, duration, IMEI, IMSI and serving cell-tower ID. CDR is obtained under the Indian Telegraph Act and the IT Act, with lawful-intercept orders issued under BNSS provisions. Investigators correlate CDR rows with cell-tower coordinates to triangulate the handset using two or three BTS hits. A tower dump is a windowed list of every IMEI that registered with a tower in a defined time window. Tower dumps and CDR analysis featured in the Nirbhaya case (December 2012), the Aarushi Talwar case, and the Sushant Singh Rajput investigation.

Faraday isolation, BNS/BSA admissibility and Indian institutions

Two seizure rules are non-negotiable. First, isolate the handset from cellular, Wi-Fi and Bluetooth the instant it is seized, using a Faraday bag, airplane mode (only if unlocked), or SIM removal. This blocks Apple Find My and Google Find My Device from pushing a remote wipe. Second, keep the handset charged: a dead iPhone enters Before First Unlock, which re-encrypts user data with the Secure Enclave and locks out most tools.

Indian institutional capacity sits at CFSL Hyderabad (central mobile and cyber lab), NFSU Gandhinagar (training and research), and the state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi, all equipped with Cellebrite UFED.

The legal frame for admissibility runs through the BNS 2023 cyber provisions and the BSA 2023 electronic evidence regime. Every electronic record produced from a mobile extraction must carry a BSA Section 63 certificate (the BSA 2023 replacement for the IEA Section 65B certificate). The Indian Telegraph Act and IT Act Section 69 govern lawful interception and decryption directives, and the DPDP Act 2023 adds purpose-limitation constraints. The whole pipeline rides on a clean chain of custody, without which the BSA 63 certificate is worthless.

Challenges and what defence counsel attacks

Five recurring challenges arise in operational casework.

  1. End-to-end encryption. WhatsApp and Signal encrypt messages in transit, so telco intercept yields ciphertext. Recovery depends on the handset's local SQLite store.
  2. Secure boot and hardware-backed keys. Modern Snapdragon and Apple SoCs verify every boot stage, blocking the rooting and jailbreaking older physical acquisitions depended on.
  3. OS updates that break tools. Each iOS major release closes the exploit chain UFED was using; each Android Security Bulletin patches a Cellebrite Advanced Services vector.
  4. Cloud-only data. iMessage in iCloud and the Photos library rotate older items off the handset. Without a legal cloud request, that data is gone from the device.
  5. Burner handsets and dual-SIM use in organised crime. Suspects rotate cheap handsets and pre-paid SIMs (often acquired with fake KYC). Investigators counter with cell-tower co-location analysis to link a known IMSI to a previously unknown IMEI used at the same places and times.
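
The CDR analysis section above describes tower dumps (every IMEI on a tower in a time window) and challenge 5 describes cell-tower co-location analysis (linking a known IMSI to an unknown IMEI seen at the same places and times). Both are set operations over the same rows, so one added example, not code from the page or from any telco or tool, serves both passages. The CDR lines are constructed with the column layout the page gives (A-party, B-party, start time, duration, IMEI, IMSI, serving cell ID); the 15-minute window and the cell IDs C1 to C4 are assumptions.

```python
# Added example (not code from the page): tower-dump and co-location queries over CDR rows.
# All CDR rows below are constructed; identifiers are placeholders, not real subscribers.
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO
from typing import Union

CONSTRUCTED_CDR = """\
a_party,b_party,start,duration_s,imei,imsi,cell_id
9100000001,9100000009,2024-01-10T10:00:00,60,111111111111111,404451111111111,C1
9100000002,9100000009,2024-01-10T10:03:00,30,222222222222222,404452222222222,C1
9100000003,9100000008,2024-01-10T10:01:00,45,333333333333333,404453333333333,C1
9100000004,9100000007,2024-01-10T10:00:00,20,444444444444444,404454444444444,C4
9100000001,9100000006,2024-01-10T11:00:00,90,111111111111111,404451111111111,C2
9100000002,9100000005,2024-01-10T11:02:00,15,222222222222222,404452222222222,C2
9100000001,9100000009,2024-01-10T12:05:00,10,111111111111111,404451111111111,C3
9100000002,9100000009,2024-01-10T12:10:00,10,222222222222222,404452222222222,C3
9100000003,9100000009,2024-01-10T15:00:00,10,333333333333333,404453333333333,C3
"""


def _ts(v: Union[str, datetime]) -> datetime:
    return v if isinstance(v, datetime) else datetime.fromisoformat(v)


def parse_cdr(text: str) -> list:
    """Parse telco CSV into dicts with typed start time and duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["start"] = _ts(r["start"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows


def tower_dump(rows: list, cell_id: str, start, end) -> list:
    """Every IMEI that registered with cell_id between start and end (inclusive)."""
    start, end = _ts(start), _ts(end)
    return sorted({r["imei"] for r in rows
                   if r["cell_id"] == cell_id and start <= r["start"] <= end})


def colocate(rows: list, known_imsi: str, window: timedelta = timedelta(minutes=15)) -> list:
    """Rank other IMEIs by how many of the known subscriber's cell hits they share
    (same cell, within the window). Each anchor hit counts at most once per IMEI."""
    anchors = [r for r in rows if r["imsi"] == known_imsi]
    own_imeis = {r["imei"] for r in anchors}
    shared = set()
    for i, a in enumerate(anchors):
        for r in rows:
            if r["imei"] in own_imeis or r["cell_id"] != a["cell_id"]:
                continue
            if abs(r["start"] - a["start"]) <= window:
                shared.add((r["imei"], i))
    return Counter(imei for imei, _ in shared).most_common()


def demo() -> dict:
    rows = parse_cdr(CONSTRUCTED_CDR)
    return {
        "c1_dump": tower_dump(rows, "C1", "2024-01-10T09:55:00", "2024-01-10T10:10:00"),
        "colocated_with_known": colocate(rows, "404451111111111"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On the constructed data the C1 tower dump lists three IMEIs, and co-location ranks IMEI 222… first because it shares all three of the known subscriber's cell hits while 333… shares only one; a single shared hit is the kind of coincidence a tower dump near a busy junction produces, which is why the count across several cells and times, not one match, is what investigators rely on.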

Also recall the sibling computer forensics, cyber crimes and digital evidence bullet, which sets the broader digital-evidence frame.

What is the difference between IMEI, IMSI and ICCID?
IMEI is the 15-digit International Mobile Equipment Identity burned into the handset baseband and displayed by dialling *#06#. IMSI is the 15-digit International Mobile Subscriber Identity stored on the SIM, structured as Mobile Country Code (3 digits) + Mobile Network Operator code (2 or 3 digits) + Mobile Subscriber Identification Number; it authenticates the subscriber to the network. ICCID is the up-to-19-digit serial of the physical SIM card, printed on the SIM body. IMEI identifies the device, IMSI identifies the subscriber, ICCID identifies the SIM card.
List the mobile-phone acquisition methods in order of increasing invasiveness.
Manual examination (photograph each UI screen), logical acquisition (ADB or iTunes backup pull), file-system acquisition (full user-data partition, needs root or jailbreak), physical acquisition (bit-by-bit NAND image), JTAG (debug-pin read through the SoC) or ISP (eMMC test-pad read), and chip-off (desolder the NAND chip and read on a programmer). Each rung up recovers more data but increases risk of device damage and tool failure, and full-disk encryption increasingly turns physical and chip-off yields into ciphertext without the passcode.
Why is a Faraday bag mandatory when seizing a mobile phone?
A Faraday bag is an RF-shielded pouch that isolates the seized handset from cellular, Wi-Fi and Bluetooth networks. Without it, Apple's Find My iPhone or Google's Find My Device can push a remote wipe command the moment the device touches a network, erasing all evidence. The accepted SOP is to bag the handset at seizure, charge it inside the bag, and only break isolation inside a shielded forensic lab. Airplane mode and SIM removal are fallback options when the device is unlocked at seizure.
What is CDR analysis and how is it used in Indian investigations?
Call Detail Record analysis uses telco-side logs of A-party number, B-party number, start time, duration, IMEI, IMSI and serving cell-tower ID to reconstruct a suspect's communications and approximate movements. CDR is obtained under the Indian Telegraph Act and IT Act with lawful-intercept orders. Investigators triangulate the handset's location using hits across two or three Base Transceiver Stations and use tower dumps (lists of every IMEI registered with a tower in a defined window) to identify unknown handsets near a crime scene. CDR analysis featured in high-profile Indian cases including Nirbhaya 2012, Aarushi Talwar and Sushant Singh Rajput.
How does full-disk encryption affect mobile forensic acquisition?
Modern Android (file-based encryption since Nougat) and iOS (Data Protection class system) encrypt user data with a key derived from the user passcode and a hardware key in the TrustZone or Secure Enclave. Without the passcode, even a successful chip-off acquisition returns ciphertext that cannot be decrypted offline. This is why passcode-bypass appliances like GrayKey and Cellebrite Advanced Services exist, why the file-system and physical rungs of the acquisition ladder now often fall back to logical pulls of whatever the unlocked OS will expose, and why cloud backups (iCloud, Google Drive) have become a critical secondary evidence source.
