Mobile Phone Forensics: Acquisition and Examination
UGC-NET Paper 2 Unit VII notes on mobile phone forensics. IMEI, IMSI, Android and iOS acquisition, Cellebrite, chip-off, CDR analysis, Faraday isolation.
Mobile phone forensics is its own UGC-NET Unit VII bullet because nothing else in cyber forensics moves this fast. Roughly 700 mobile OS variants are in active circulation, full-disk encryption is default on Android and iOS, the Secure Enclave and TrustZone block easy root, and remote-wipe pushes from iCloud or Find My Device can erase a seized handset in seconds. NTA tests the bullet through crisp MCQs (IMEI is 15 digits, dial *#06#; IMEI vs IMSI distinctions) and short-answer questions on the acquisition ladder and on Call Detail Record (CDR) analysis under the IT Act and BNSS.
Treat this as memorisation built on three pillars: identifiers (IMEI, IMSI, MSISDN, ICCID, MAC), acquisition methods (manual, logical, file-system, physical, JTAG, ISP, chip-off), and examination targets (SQLite, plist, EXIF, CDR, cloud backups). The book companions on JTAG and chip-off acquisition and Android and iOS app forensics carry the full picture.
- IMEI: International Mobile Equipment Identity. 15-digit handset identifier (8-digit TAC, 6-digit serial, 1 Luhn check digit) burned into the baseband. Dial *#06# to display. Recorded in every CDR row.
- IMSI: International Mobile Subscriber Identity. Subscriber identifier of up to 15 digits stored on the SIM (3-digit MCC, 2- or 3-digit MNC, remainder MSIN). Identifies the subscriber to the network during attach and authentication.
- MSISDN: Mobile Station International Subscriber Directory Number. The dialable phone number. Held in the operator's HLR/HSS, not necessarily on the SIM.
- ICCID: Integrated Circuit Card Identifier. Serial number of the physical SIM, 19 digits under ITU-T E.118 (20 on many cards in practice), printed on the card body.
- CDR: Call Detail Record. Telco-side log of A-party, B-party, start time, duration, IMEI, IMSI and serving cell ID. Metadata, not content: requisitioned from the licensee (BNSS Section 94 in India) rather than produced by interception, which Section 5(2) of the Indian Telegraph Act and IT Act Section 69 govern separately.
- Faraday bag: RF-shielded pouch that isolates a seized handset from cellular, Wi-Fi and Bluetooth networks, preventing remote wipe and Find My pings.
- FDE: Full Disk Encryption. Default on modern Android (whole-partition FDE required on capable devices from Marshmallow, file-based encryption since Nougat and mandatory for devices launching with Android 10) and iOS (per-file Data Protection). Keys are derived from the user passcode combined with a device-unique hardware key held in the Secure Enclave or TrustZone, so a raw NAND image is ciphertext without the passcode.
- Chip-off: Destructive physical acquisition. The NAND or eMMC package is desoldered from the PCB, read on a specialist programmer, and the raw image is parsed offline.
Why mobile is its own forensic discipline
Roughly 700 OS variants, full-disk encryption, remote wipe and proprietary hardware.
A modern smartphone is not a small computer. It is a tightly integrated device with a baseband, an application processor, a Secure Enclave or TrustZone, encrypted storage tied to a hardware key, and an application sandbox per installed app. Roughly 700 mobile OS variants are in active use across the Android ecosystem (vendor skins on top of stock AOSP), and Apple ships a new iOS major version every September. Every release closes exploits the previous generation of tools relied on, which is why Cellebrite UFED and Magnet AXIOM ship monthly updates.
Five technical realities make the discipline distinct from disk forensics:
- Full-disk encryption is default. Android (file-based encryption since Nougat) and iOS (Data Protection classes) tie keys to the passcode plus a hardware key. Raw NAND reads return ciphertext.
- Proprietary hardware. Apple A-series and M-series, Samsung Exynos, Qualcomm Snapdragon and MediaTek each have different secure-boot chains.
- App-level encryption on top of FDE. WhatsApp's msgstore.db.crypt15 backups and Signal's SQLCipher store hold their keys in app-private storage or the Android Keystore, so a copy of the database file alone is not readable.
- Cloud backup risk. iCloud, Google Drive and OneDrive copies often hold more recent data than the handset.
- Remote wipe. Find My iPhone and Find My Device can erase the device the moment it touches a network.
The first responder's seizure, volatility and imaging protocol for a phone is fundamentally different from the protocol for a desktop.
Mobile identifiers
IMEI, IMSI, MSISDN, ICCID, MAC. Memorise the digit counts and where each lives.
NTA loves identifier MCQs because the answers are crisp one-liners.
- IMEI (International Mobile Equipment Identity). 15 digits, burned into the baseband: 8-digit TAC, 6-digit serial, 1 Luhn check digit. Dial *#06# to display. Dual-SIM handsets carry two IMEIs. The DoT's CEIR database blacklists stolen IMEIs across Indian telcos.
- IMSI (International Mobile Subscriber Identity). Up to 15 digits on the SIM. Structure: 3-digit MCC (404, 405 and 406 for India), 2- or 3-digit MNC (2 digits in India), then the MSIN. Identifies the subscriber during network attach.
- MSISDN. The dialable phone number. Lives in the telco HLR, not always on the SIM.
- ICCID. 19 digits (20 on many cards), the SIM card serial, printed on the card body.
- Bluetooth and Wi-Fi MAC. 48-bit radio identifiers, useful for placing a handset on a specific access point at a specific time. Caveat: Android 10 and later and iOS 14 and later randomise the Wi-Fi MAC per network by default, so the address in an access-point log need not match the hardware MAC shown in the handset settings.
For the cellular technology background (2G GSM, 3G UMTS, 4G LTE, 5G NR), see the book topic on mobile technologies 2G to 5G.
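As an added worked example (not part of the original notes), the checks a practitioner runs before trusting a number copied off a seizure form: Luhn validation and TAC/serial split of an IMEI, and MCC/MNC/MSIN decomposition of an IMSI. The IMEI 490154203237518 is a published test value; the IMSI is constructed, and the MNC-length rule is a simplification flagged in the comments.

```python
import re
from typing import Optional

# MCCs allocated to India (ITU-T E.212): 404 and 405 as the notes cite, plus 406.
INDIA_MCCS = {"404", "405", "406"}
# Simplification (assumption): North American MCCs use 3-digit MNCs, everyone else 2.
# Real MNC length is operator-specific and should come from an E.212 lookup table.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}


def imei_check_digit(first14: str) -> int:
    """Luhn check digit over the 14-digit TAC+serial (3GPP TS 23.003)."""
    if not re.fullmatch(r"\d{14}", first14):
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    # Walk right to left: double every digit at an even 0-based position from the
    # right, subtract 9 from any doubled value above 9, then sum everything.
    for pos, ch in enumerate(reversed(first14)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Normalise an IMEI as typed (spaces/dashes allowed) and split it into
    TAC, serial and check digit. Returns {} if it is not 15 digits or the
    check digit fails, which catches most transcription errors on a seizure memo."""
    digits = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", digits):
        return {}
    if imei_check_digit(digits[:14]) != int(digits[14]):
        return {}
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14], "imei": digits}


def parse_imsi(imsi: str, mnc_len: Optional[int] = None) -> dict:
    """Split an IMSI into MCC / MNC / MSIN. An IMSI is at most 15 digits."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    if mnc_len is None:
        mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {
        "mcc": mcc,
        "mnc": imsi[3:3 + mnc_len],
        "msin": imsi[3 + mnc_len:],
        "india": mcc in INDIA_MCCS,
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))  # published test IMEI, valid
    print(parse_imei("490154203237519"))      # check digit off by one -> {}
    print(parse_imsi("404451234567890"))      # constructed Indian IMSI
```

The Luhn digit only detects transcription errors; it says nothing about whether the TAC is genuine, which is what the CEIR lookup is for.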
Mobile OS forensics: Android vs iOS
Two sandboxed Unix-derived OSes, very different file systems and acquisition surfaces.
Both share a Unix lineage and per-app sandboxing, but their on-disk layouts differ enough for clean comparison MCQs.
Android. Linux kernel, Bionic libc, the Android Runtime (ART, formerly Dalvik), APK package format. User data lives in /data/data/<package> (app-private; a symlink to /data/user/0/<package>) and /sdcard (shared, emulated storage). File system is ext4 or F2FS. Apps store structured data in SQLite: WhatsApp in msgstore.db, Telegram in cache4.db, contacts in contacts2.db. ADB is the host interface; root is usually needed for anything deeper than a logical pull.
iOS. XNU kernel (the Darwin core), BSD userland, Objective-C and Swift, IPA package format. User data lives in /var/mobile/Containers/Data/Application/<UUID>. File system is APFS since iOS 10.3, with per-file Data Protection keyed through the Secure Enclave. Apps mix SQLite and Apple property-list (.plist) files. An iTunes or Finder backup stores each file under a name that is the SHA-1 hash of its backup domain and original relative path, with Manifest.db (itself SQLite) mapping each hash back to the path; tools re-map these automatically. The .mddata/.mdinfo naming belongs to much older backup formats.
Both platforms enforce app sandboxing and full-disk encryption, which is why a logical pull rarely gives the analyst more than what an app chooses to expose through ADB or the iTunes backup protocol.
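To show how tools re-map the hashed backup filenames, here is an added example (not from the page and not code from any vendor tool). It reproduces the naming rule, SHA-1 of "<domain>-<relativePath>", and builds a constructed Manifest.db with the real Files table columns but made-up rows; the sample domains and paths are ordinary iOS locations, no real backup data is used.

```python
import hashlib
import sqlite3


def backup_file_id(domain: str, relative_path: str) -> str:
    """iTunes/Finder backups name every file SHA1("<domain>-<relativePath>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_storage_path(file_id: str) -> str:
    """Since iOS 10 each file sits in a subfolder named by its first two hex characters."""
    return f"{file_id[:2]}/{file_id}"


def build_sample_manifest() -> sqlite3.Connection:
    """Constructed Manifest.db: the real Files table columns, made-up rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    # flags: 1 = regular file, 2 = directory. The 'file' BLOB (a binary plist with
    # mode, size and the per-file Data Protection class) is left NULL here.
    sample_rows = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
        ("AppDomainGroup-group.net.whatsapp.WhatsApp.shared", "ChatStorage.sqlite"),
    ]
    for domain, rel in sample_rows:
        con.execute(
            "INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
            (backup_file_id(domain, rel), domain, rel),
        )
    con.commit()
    return con


def resolve_file_id(con, file_id: str):
    """Hashed name on disk -> (domain, relativePath), or None if the manifest lacks it."""
    row = con.execute(
        "SELECT domain, relativePath FROM Files WHERE fileID = ?", (file_id,)
    ).fetchone()
    return tuple(row) if row else None


def locate_in_backup(con, domain: str, relative_path: str):
    """Original path -> relative location under the backup folder, or None if not backed up."""
    fid = backup_file_id(domain, relative_path)
    return backup_storage_path(fid) if resolve_file_id(con, fid) else None


def list_domain(con, domain: str):
    """Everything the backup holds for one domain, the way an examiner triages it."""
    return [r[0] for r in con.execute(
        "SELECT relativePath FROM Files WHERE domain = ? ORDER BY relativePath", (domain,))]


if __name__ == "__main__":
    con = build_sample_manifest()
    sms = backup_file_id("HomeDomain", "Library/SMS/sms.db")
    print(sms, "->", resolve_file_id(con, sms))
    print(locate_in_backup(con, "HomeDomain", "Library/SMS/sms.db"))
    print(list_domain(con, "HomeDomain"))
```

On an encrypted backup the same names apply, but each file body is wrapped with a per-file key in the manifest's Keybag, so resolving the path is only the first step.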
Acquisition methods: the five-rung ladder
Manual to chip-off, in order of increasing invasiveness and increasing data yield.
NTA tests the acquisition ladder as a sequence. Memorise the rungs and what each one recovers.
- Manual examination. Examiner navigates the UI and photographs each screen. Used when nothing else is feasible.
- Logical acquisition. Host-side protocol pull (ADB on Android; an iTunes-style backup through iTunes/Finder or libimobiledevice on iOS; MTP for media). Recovers what the OS chooses to expose. No deleted records, no unallocated NAND.
- File-system acquisition. Full copy of the user-data partition, usually requiring root on Android or a jailbreak (or a vendor agent that exploits one) on iOS. Recovers SQLite databases together with their journal and WAL files and freed pages, so deleted rows are often recoverable, plus .plist and .db files outside the user-visible backup.
- Physical acquisition. Bit-by-bit NAND image. Gold standard. Recovers allocated and unallocated space, deleted files and slack. Needs a vendor exploit, bootloader unlock, or a hardware method below.
- JTAG and ISP, then chip-off. JTAG reads flash through the SoC's Joint Test Action Group debug pins; ISP (In-System Programming) connects directly to the eMMC test pads; chip-off desolders the NAND or eMMC package and reads it on a programmer. JTAG and ISP need the board exposed but leave the chip in place; chip-off is destructive. All three are increasingly defeated by FDE: the image is ciphertext without the passcode-derived key.
The book chapter on JTAG, ISP and chip-off toolkits walks through the test-pad maps, the desoldering rigs (PCB preheater, hot-air rework station, infrared rework), and the NAND programmers (Easy JTAG Plus, Medusa Pro) used in Indian state cyber-cell labs.
Tools: commercial and open-source
Cellebrite as the gold standard, AXIOM and XRY as alternatives, libimobiledevice and ALEAPP as the free-tier options.
The Indian forensic-tool landscape is dominated by a handful of vendors.
- Cellebrite UFED (Universal Forensic Extraction Device). Gold standard, used by CFSL Hyderabad, NFSU Gandhinagar and state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi. Supports logical, file-system, physical and Advanced Services (cloud and locked-device extractions).
- Magnet AXIOM. Strong examination and reporting, deep parsers for Android and iOS app artefacts. Frequently paired with UFED.
- MSAB XRY. Swedish UFED competitor, broad handset matrix.
- Oxygen Forensic Detective. Strong cloud parsing and Telegram decoding.
- GrayKey. iOS passcode-bypass appliance from Grayshift, law-enforcement only.
Open-source alternatives NET candidates should recognise: Andriller (Android suite with screen-lock cracking), ALEAPP/ILEAPP (community Python parsers for Android and iOS logs), and libimobiledevice (iOS host protocol, iTunes-style backup from Linux).
For practical Android and iOS app-artefact parsing (which SQLite tables map to which app features, where Signal stores its key), see the book topic on Android and iOS SQLite app forensics.
Examination targets, CDR analysis and cloud backups
Where the answers live: SQLite, plist, EXIF, CDR and iCloud or Drive backups.
Once an image is acquired, the examiner mines a predictable set of artefacts.
On-device artefacts. SQLite databases for call logs, SMS, contacts and per-app messaging; property lists (iOS) and XML (Android) for settings; the Photos library and /sdcard/DCIM for media with EXIF metadata (GPS, camera model, timestamp); browser history (Chrome's History, Safari's History.db); Apple's Significant Locations and Google's Timeline for geolocation history. End-to-end encrypted messengers (WhatsApp, Signal, Telegram secret chats) protect data in transit, but the local SQLite store is decryptable from the handset itself, which is why physical possession of the device is the difference between recovering messages and not recovering them.
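Why the file-system and physical rungs of the ladder recover deleted SQLite rows, and why on-device SQLite is the richest target in this list, comes down to one library default: SQLite leaves a deleted record's bytes in place inside the page (a freeblock) until the space is reused. This added example, not from the page, builds a constructed messaging-style database, deletes a row, carves it back out of the raw file, and then repeats the run with PRAGMA secure_delete=ON to show the hardened behaviour some apps enable. The phone numbers and message bodies are made up.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Constructed message body that is deleted and then hunted for in the raw file.
MARKER = "DELETED-MSG-7f3a9c"


def carve_ascii_runs(raw: bytes, min_len: int = 12):
    """Crude carver: every run of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def delete_then_scan(secure_delete: bool) -> dict:
    """Build a small messaging-style database, delete one row, and report whether
    the row is still (a) visible to SQL and (b) present as bytes in the file."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "msgstore.db")
    con = sqlite3.connect(path)
    # Rollback journal: the modified page is written to the main file at commit.
    # (In WAL mode the superseded page would additionally survive in the -wal file.)
    con.execute("PRAGMA journal_mode=DELETE")
    # secure_delete is per-connection; OFF is the library default most apps inherit.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", [
        ("+919800000001", "reached the station, call you later"),
        ("+919800000002", MARKER),
        ("+919800000001", "ok, bring the papers tomorrow"),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
    con.commit()
    visible = con.execute("SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)).fetchone()[0]
    live_bodies = [r[0] for r in con.execute("SELECT body FROM messages")]
    con.close()
    with open(path, "rb") as fh:
        raw = fh.read()
    shutil.rmtree(workdir, ignore_errors=True)
    # A carved run that matches no live row is a candidate deleted record. The
    # first four bytes of the freed cell are overwritten by the freeblock header,
    # so the rowid and payload size are gone but the text survives.
    orphans = [s for s in carve_ascii_runs(raw)
               if MARKER in s and not any(b in s for b in live_bodies)]
    return {"rows_visible": visible, "bytes_in_file": MARKER.encode() in raw, "orphans": orphans}


if __name__ == "__main__":
    print("app default  :", delete_then_scan(secure_delete=False))
    print("secure_delete:", delete_then_scan(secure_delete=True))
```

Real forensic SQLite parsers walk the page structure (freeblocks, unallocated area, freelist pages, WAL frames) rather than carving strings, but the recovery principle is the one shown: deletion updates the cell pointer array, not the bytes.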
Cloud backups. iCloud Backup, Google Drive WhatsApp Backup, OneDrive and Samsung Cloud often hold messages and media the handset has rotated out. Access requires a legal request to Apple, Google or Microsoft via the MLAT framework or under BNSS Section 94 for India-stored data. See the book chapter on mobile cloud and backup forensics for the request templates and what each provider returns.
CDR analysis. Call Detail Records are telco-side logs. Each row carries A-party number, B-party number, start timestamp, duration, IMEI, IMSI and serving cell-tower ID (often first and last cell of the call). CDRs are metadata held by the licensee and are obtained by written requisition (BNSS Section 94, formerly CrPC Section 91, and the DoT licence conditions); that is distinct from interception of content, which needs an order under Section 5(2) of the Indian Telegraph Act or IT Act Section 69. Investigators map each cell ID to the operator's cell-site register (coordinates plus sector azimuth) to place the handset within a sector's coverage area; hits on two or three sites across a sequence of calls narrow the track, but ordinary CDRs carry no timing or signal-strength data, so this is sector placement rather than true triangulation. A tower dump is the list of every IMEI/IMSI pair that registered with a tower in a defined time window. Tower dumps and CDR analysis featured in the Nirbhaya case (December 2012), the Aarushi Talwar case, and the Sushant Singh Rajput investigation.
Faraday isolation, BNS/BSA admissibility and Indian institutions
Faraday bag at seizure, BSA 65B certificate at trial, CFSL Hyderabad and NFSU for hard cases.
Two seizure rules are non-negotiable. First, isolate the handset from cellular, Wi-Fi and Bluetooth the instant it is seized: a Faraday bag is the reliable option; airplane mode works only if the device is unlocked and Wi-Fi and Bluetooth are confirmed off; removing the SIM cuts cellular but not Wi-Fi. This blocks Apple Find My and Google Find My Device from delivering a remote wipe. Second, keep the handset powered and, wherever possible, in its After First Unlock (AFU) state: a reboot or a flat battery puts an iPhone (and a file-based-encrypted Android) into Before First Unlock (BFU), where the passcode-derived class keys have been evicted from memory, so most user data is inaccessible to tools until the passcode is entered. Nothing is re-encrypted; the keys are simply no longer available.
Indian institutional capacity sits at CFSL Hyderabad (central mobile and cyber lab), NFSU Gandhinagar (training and research), and the state cyber cells in Maharashtra, Gujarat, Telangana, Karnataka and Delhi, all equipped with Cellebrite UFED.
The legal frame for admissibility runs through the BNS 2023 cyber provisions and BSA 2023 electronic evidence regime. Every electronic record produced from a mobile extraction must carry a BSA Section 63 certificate (the BSA 2023 replacement for the IEA Section 65B certificate). The Indian Telegraph Act and IT Act Section 69 govern lawful interception and decryption directives, and the DPDP Act 2023 adds purpose-limitation constraints. The whole pipeline rides on a clean chain of custody, without which the BSA 63 certificate is worthless.
Challenges and what defence counsel attacks
E2EE, secure boot, OS updates, cloud-only data and burner SIMs.
Five recurring challenges show up in real cases and short-answer questions.
- End-to-end encryption. WhatsApp and Signal encrypt messages in transit, so telco intercept yields ciphertext. Recovery depends on the handset's local SQLite store.
- Secure boot and hardware-backed keys. Modern Snapdragon and Apple SoCs verify every boot stage, blocking the rooting and jailbreaking older physical acquisitions depended on.
- OS updates that break tools. Each iOS major release closes the exploit chains extraction tools relied on, and Android Security Bulletins patch the bootloader and kernel bugs that physical and advanced-services extractions depend on, so tool support lags every new release.
- Cloud-only data. iMessage in iCloud and the Photos library rotate older items off the handset. Without a legal cloud request, that data is gone from the device.
- Burner handsets and dual-SIM use in organised crime. Suspects rotate cheap handsets and pre-paid SIMs (often acquired with fake KYC). Investigators counter with cell-tower co-location analysis to link a known IMSI to a previously unknown IMEI used at the same places and times.
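Added example, not from the page, serving both the CDR and tower-dump passage above and the burner-linking counter in this list. It uses a constructed CDR extract (every number, IMEI, IMSI and cell ID is made up) and a constructed cell-site register, and implements a tower-dump query, a handset track, and a co-location routine that ranks unknown IMEIs by how many distinct (cell, time-window) pairs they share with a known IMSI. The cell_id format and the site coordinates are assumptions for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed CDR extract (all values made up). Column order follows the record
# layout in the notes: A-party, B-party, start, duration, IMEI, IMSI, serving cell.
CDR_CSV = """a_party,b_party,start,duration_s,imei,imsi,cell_id
+919800000001,+919800000002,2024-03-01T09:05:00,120,490154203237518,404451234567890,404-45-1001-3
+919800000007,+919800000003,2024-03-01T09:12:00,40,356938035643809,404459999999999,404-45-1001-3
+919800000009,+919800000002,2024-03-01T09:20:00,80,358844070000000,404457777777777,404-45-1001-3
+919800000001,+919800000004,2024-03-01T13:40:00,300,490154203237518,404451234567890,404-45-2002-1
+919800000007,+919800000005,2024-03-01T13:55:00,25,356938035643809,404459999999999,404-45-2002-1
+919800000001,+919800000002,2024-03-02T19:20:00,60,490154203237518,404451234567890,404-45-3003-2
+919800000007,+919800000006,2024-03-02T19:25:00,15,356938035643809,404459999999999,404-45-3003-2
"""

# Constructed cell-site register (assumed cell_id layout: MCC-MNC-siteID-sector).
CELL_SITES = {
    "404-45-1001-3": {"site": "Site-1001", "lat": 12.9716, "lon": 77.5946, "azimuth": 240},
    "404-45-2002-1": {"site": "Site-2002", "lat": 12.9352, "lon": 77.6245, "azimuth": 0},
    "404-45-3003-2": {"site": "Site-3003", "lat": 12.9279, "lon": 77.6271, "azimuth": 120},
}


def _ts(iso: str) -> datetime:
    # Timestamps are treated as UTC here; a real extract states the operator's zone.
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_cdr(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = _ts(r["start"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows


def tower_dump(records, cell_id: str, start_iso: str, end_iso: str):
    """Every (IMEI, IMSI) pair that used this cell in [start, end)."""
    lo, hi = _ts(start_iso), _ts(end_iso)
    return sorted({(r["imei"], r["imsi"]) for r in records
                   if r["cell_id"] == cell_id and lo <= r["start"] < hi})


def handset_track(records, imei: str):
    """Chronological (time, site, sector azimuth) for one IMEI: sector placement, not triangulation."""
    hits = sorted((r for r in records if r["imei"] == imei), key=lambda r: r["start"])
    out = []
    for r in hits:
        site = CELL_SITES.get(r["cell_id"], {"site": "unknown", "azimuth": None})
        out.append((r["start"].strftime("%Y-%m-%dT%H:%M:%S"), site["site"], site["azimuth"]))
    return out


def _bucket(dt: datetime, window_min: int) -> int:
    return int(dt.timestamp() // (window_min * 60))


def colocated_handsets(records, known_imsi: str, window_min: int = 30, min_hits: int = 2):
    """Rank other IMEIs by the number of distinct (cell, time-window) pairs they share
    with whatever handset carried known_imsi. Fixed windows miss hits that straddle a
    boundary; a production version slides the window or applies a time tolerance."""
    target = {(r["cell_id"], _bucket(r["start"], window_min))
              for r in records if r["imsi"] == known_imsi}
    own_imeis = {r["imei"] for r in records if r["imsi"] == known_imsi}
    seen, hits = set(), Counter()
    for r in records:
        key = (r["cell_id"], _bucket(r["start"], window_min))
        if r["imei"] in own_imeis or key not in target or (r["imei"], key) in seen:
            continue
        seen.add((r["imei"], key))
        hits[r["imei"]] += 1
    return [(imei, n) for imei, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    recs = parse_cdr(CDR_CSV)
    print(tower_dump(recs, "404-45-1001-3", "2024-03-01T09:00:00", "2024-03-01T09:30:00"))
    print(handset_track(recs, "490154203237518"))
    print(colocated_handsets(recs, "404451234567890"))
```

A single shared window is weak evidence (the third IMEI in the sample shares one and drops out at min_hits=2); the value of the technique is repetition across different sites and days, which is what separates a burner carried by the same person from a bystander on a busy cell.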
For UGC-NET, also recall the sibling computer forensics, cyber crimes and digital evidence bullet, which sets the broader digital-evidence frame.