Article
Uncovering hidden digital evidence: Mobile device forensics
1st October 2025
Mobile devices are at the center of how we work in today’s digitally driven world. Capable of much more than just helping people stay connected through calls, text messages, and emails when they are not at their desks, mobile phones and tablets can now perform functions that were possible only with a computer just a few years ago. In fact, there is a growing prevalence of mobile-only applications as many developers move away from cross-platform development for computers.
Whether mobile devices are used for communication, research, sharing information, storing confidential documents, transferring money, or a wide variety of other functions, they store millions of data records. If extracted and processed in a forensically sound manner, this data can provide crucial evidence for investigations related to employment matters, intellectual property, trade secrets, data exfiltration, and similar issues. Even if data has been deleted, much of the information can be recovered through mobile forensics — uncovering hidden digital trails that can make or break a case.
Types of data on mobile devices
The millions of data points stored on mobile devices translate to thousands of different data types. The most common types of data on mobile devices that are relevant to investigations include:
- Contacts: Names, phone numbers, email addresses, and other personal details
- Call logs: Records of incoming, outgoing, and missed calls, including timestamps, call duration, and caller/recipient details
- iMessage/SMS/MMS messages: Text, multimedia, and metadata exchanged between devices
- Emails: Message content, attachments, sender, recipient, and timestamps
- Web browser and data history: Websites visited, search queries, bookmarks, cookies, and cached files
- GPS location data and information: GPS coordinates, Wi-Fi connections, and geotagged media files
- Photos and videos: Stored photos, videos, and associated metadata
- App data: Installed applications such as social media, banking, and communication platforms collect information like user activity, preferences, and other personal data
- Cloud storage: Data synchronized or backed up to cloud services (e.g., iCloud, Google Drive, Dropbox, OneDrive, etc.)
These data points are critical pieces of the puzzle that can reveal a person’s actions, when and where those actions took place, and who else was involved. This information, which otherwise might not come to light, is often at the crux of legal arguments. A good example is the highly publicized Karen Read trial, where phone messages were at the heart of the case and indispensable for building the timeline that ultimately exonerated her for murder.
Essential role of trained digital forensic examiners
While digital data can serve as vital electronic evidence, it must be properly captured and managed with skill and precision to ensure it is forensically sound. Enter digital forensic investigations, which consist of identifying, preserving, and analyzing electronic artifacts to form conclusions and opinions used in legal or investigative proceedings.
Digital evidence is fragile and volatile. Improper handling of digital devices can alter or destroy the evidence contained on them, as can failing to collect the data in a timely manner. Further, if the digital device is not handled in accordance with digital forensics best practices, it can be impossible to determine what data was altered and whether those changes were intentional or unintentional.
Spoliation—which occurs when someone with a duty to preserve evidence fails to do so by destroying, damaging, or losing it—is a serious concern. Defendants commonly wipe physical devices like phones, tablets, computers, and external USB devices. Emails, chats, and backups often go “missing.” And features like disappearing messages, also known as ephemeral messages, in applications like iMessage, Signal, and WhatsApp add additional layers of complexity.
Digital devices need to be preserved and analyzed by a trained examiner using advanced forensic tools and techniques to protect evidence from being lost, overwritten, or changed.
Extracting and recovering data from mobile devices
Digital forensic examiners can extract data of interest from mobile devices by acquiring or forensically copying the desired information. Depending on the device manufacturer, operating system, chipset, and forensic protocol governing the scope of the investigation, a variety of methods may be employed.
- Targeted extraction (quickest extraction): A targeted collection is the quickest way to extract data. It copies granular data, such as messaging, pictures, videos, audio, contacts, Internet, and social media information related to a specific date or application.
- Advanced logical extraction (most common): A logical extraction backs up data from the mobile device, similar to an iTunes backup with additional data points. It collects files and folders contained on the mobile device, excluding unallocated space where data may have been stored previously. Typically, data collected through a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, Internet history, search history, social media, and more.
- Full file system extraction (most complete): A full file system (FFS) extraction is the most complete and in-depth method for acquiring data from a mobile device. Once available only to law enforcement and intelligence agencies, this capability is now accessible to select private sector forensic teams through advanced tools such as Magnet Graykey™, Magnet Verakey™, and Cellebrite Premium™. These platforms enable forensic examiners to bypass many device security features and gain root-level access to the entire internal memory of supported iOS and Android devices.
Unlike standard logical or backup extractions, FFS extractions allow investigators to retrieve deleted records, system logs, write-ahead logging (WAL) journal data, and even encrypted app data, including access to the Keychain on iOS or Keystore on Android devices. These areas often store credentials, tokens, and encryption keys that can unlock data from secure messaging platforms such as Signal, Telegram, Wickr, Threema, and WhatsApp, apps typically inaccessible in logical acquisitions due to encryption and sandboxing.
In addition to capturing everything found in a traditional extraction (i.e., SMS/iMessage, photos, call logs, and contacts), FFS also collects hidden system files, crash logs, location caches, and app-specific databases stored in private directories. This means forensic analysts can recover deleted conversations, location trails, browser artifacts, and residual app data, even from uninstalled applications, making FFS extractions essential in high-stakes investigations involving corporate espionage or insider threats.
- Physical extraction: Physical extraction captures a bit-by-bit copy of a device’s storage, including deleted files and file fragments. However, data that is physically extracted from modern versions of Apple and Android devices is typically not usable due to file-based encryption.
- Local and cloud backups (recommended to collect): When a device is factory reset (the date of which can be determined by forensic analysis of logs and files) or is missing altogether, data cannot be collected using extraction methods. In these cases, local and cloud backups may contain the evidence needed. When mobile devices are connected and backed up to a computer, a local backup file is created (an option less used since cloud backups were introduced). Similarly, when a mobile phone is backed up to the cloud, a cloud backup is created and may be the only remaining copy of the mobile content. These backup files are similar to an advanced logical collection and can be ingested into most cell phone forensics software and analyzed just like a forensic extraction.
Forensic search and analysis methods
After the data is acquired, forensic experts use many different techniques to search and analyze the information. These methods entail searching by:
- MD5 hash value, a digital fingerprint of content represented as 32-digit hexadecimal numbers (e.g., aa55d3e698d289fa74g663725127babe), to identify all files that match the content regardless of the file name, location, or date
- File and folder names that exist or existed on servers, on computers, and in cloud repositories
- Specific terms such as client names, project names, vendor names, document authors, and other internal metadata
- Key dates to identify information created, accessed, or modified around important milestones, such as employee departure dates
- Forensic artifacts, which can be like “needles in a haystack” due to the high volume of records, require forensic experts to dive deep into the details of the data and timeline
- Concept and GenAI-driven search reveal emotional tone and intent, surfacing key insights even when keywords are hidden or language is indirect
While these methods may seem straightforward, applying them reliably and efficiently across large volumes of data is far more challenging. It’s not just about knowing where and how to find the information; it’s also about accurately interpreting and presenting it in a legally defensible manner. Successfully supporting or challenging a case requires advanced industry knowledge and extensive subject matter expertise.
Ensuring the quality of evidence
Using the right tools and techniques for mobile forensic investigations sets the foundation for identifying compelling evidence that holds up in court and avoiding spoliation. Ultimately, the quality of this data and the realities that surface from synthesizing various proof points rely on the capabilities of the forensic experts leading the effort. The importance of rigorously evaluating digital forensic teams based on authority, technical skills, and expert testimony experience is indisputable.
About the author
Andy Antunez is a digital forensics expert with over 20 years of professional experience in digital forensics, information technology, and security. He has expertise in matters involving data exfiltration, unauthorized data access, intellectual property theft, and misappropriation of trade secrets. Andy has personally imaged over 10,000 computer devices and more than 5,000 mobile devices. He specializes in forensic technology services, including data preservation, digital forensics, eDiscovery, data analysis, metadata manipulation, complex preservation and data collection, and eDiscovery consulting.
This article presents the views, thoughts, or opinions only of the author and not those of any HKA entity. The information in this article is provided for general informational purposes only. While we take reasonable care at the time of publication to confirm the accuracy of the information presented, the content is not intended to deal with all aspects of the referenced subject matter, should not be relied upon as the basis for business decisions, and does not constitute legal or professional advice of any kind. HKA Global, LLC is not responsible for any errors, omissions, or results obtained from the use of the information within this article. This article is protected by copyright © 2025 HKA Global, LLC. All rights reserved.
