+91 11 47074263
Sifs India
Mobile Forensics | Tools, Process, ChallengesFebruary 19, 2023 - BY SIFS India

Mobile Forensics | Tools, Process, Challenges

Mobile phones have become part of our day to day lives. Today almost every person is using cellphone or mobile phones for their needs, entertainment, studies and etc.

It has come a long way from just communication devices to feature mobile kits such as high-quality cameras, 4G/5G technology and etc, and also a means to explore social media, online games etc.

These contain a lot of information about users and user activity. Mobile devices such as tablets, laptops, and smartphones develop very rapidly because of the market demands and sometimes it becomes difficult for the investigator to investigate.

Mobile phones can provide a lot of information. The most obvious type of data is call records, contact lists and text messages.

The other various types of evidence are documents, files, notes as well as location which can also provide valuable clues for investigation. This evidence is very friable in nature and can be tampered easily so it must be handle very carefully.

Challenges in Mobile Forensics Investigation

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices.

As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data.

Mobile forensic is different from computer forensic and present unique challenges to forensic examiners or investigator.

Forensic examiner often struggle to obtain digital evidence from mobile devices. The following reasons are:

Mobile Operating System: Unlike personal computer where windows have dominated the market for years, mobile device widely use more operating systems, including Apple’s ios, Google’s Android, RIM’s Blackberry OS, Microsoft’s windows mobile, and many others. Even within these operating systems, there are several versions which make the task of forensic investigator more difficult.

Lack of Resources: As mentioned earlier, with the growing number of mobile phones, the tools required by forensic examiner would also increase. 

Anti-Forensic Technique: Anti-forensic techniques, such as data forgery, data hiding and secure wiping, make investigations on digital media more difficult.

Dynamic Nature of Evidence: Digital evidence may be easily either intentionally or unintentionally altered. For example, browsing an application on the phone might alter the data stored by that application on the device.

Communication Shielding: Mobile device communicate over cellular network, wi-fi network, Bluetooth, and infrared. As device gets connected to other communication network, the present data of the device can get altered.

Passcode Recovery: If the device is protected with the pass code, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not work always on all the versions. 

Lack of Availability of Tools: There are a wide range of mobile devices. A single tool may not support the entire device or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.

Malicious Programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious program may attempt to spread over the device. That device may be a wired or wireless.

Legal Issues: Mobile device might be involved in crimes, which can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.

Mobile Forensics Techniques to Collect Data from Mobile Devices

Data that can be collected from mobile devices are SIM card, contacts, call records, media, app data, files, hidden data, documents and deleted files. Techniques to gather such data are:

Physical Acquisition: It is a technique for capturing all data including deleted data from a mobile device. The received data is originally in raw format which is converted into human readable format.

Logical Acquisition: It is a technique for extracting files and folder without any deleted data from the device. It makes a copy of the file using a software tool. For example, iTunes backups are used to create logical image for the iPhone or iPad.

Mobile Forensics Tools

In recent years, various tools related to hardware, software and packages have emerged to recover the logical and physical evidence of mobile devices.

The hardware contains various cables to connect the phone to the forensic acquisition engine. The package is designed to extract evidence and often analyze it.

Recently, a rhetoric tool for mobile device was developed. This is often a response to both military unit requirements, and anti-terrorist information and execution is a rhetorical foresight in crime scenes, execution of arrest warrants or emergency situations.

In general, for any one tool to capture all evidence from all mobile devices is not possible it requires various different working model software.


Mobiledit: Can extract deleted data and perform a deep analysis of the features of a phone.

Oxygen Forensics: Practitioner toolset capable of extracting forensic data, and generating reports.

Cellebrite: It provides tools for federal, state, local law enforcement agencies, businesses and services provide to collect, review and analyze the digital data.

Elcomsoft Los Forensic Toolkit: it performs complete file system and logical survey of iphone, ipad ,ipod Touch devices. It creates image of the device file system, extract the password, encryption key, protected data and can decrypt file system image.

Free Tools

• FTK Imager

• Andriller

• Autopsy

• Linux Memory Extractor

• AFLogical OSE


With the help of open source digital forensic tools like Mobiledit lite and autopsy, details such as SMS, call registers, Images, songs, videos and files can be stored for further investigation.

Mobiledit Lite comes with write blocker (read only) feature so as to ensure the integrity of the mobile phone is maintained and the evidence is not contaminated.

Mobiledit lite and Autopsy alone are not sufficient to recovery of deleted items. Other open source tools or commercial tools can be used with them for additional functions such as authentication bypass, SIM cloning and Retrieval of browsing internet data.

Using Timeline Analysis report of autopsy, the sequence of events can be established and useful in event reconstruction.

Need help?

Contact by WhatsApp

Hello SIFS Forensic Lab