Mobile devices use a variety of internal, removable and online data storage capabilities. In many scenarios, you shall be using more than one tool in order to extract the data from the mobile device and its associated storage media. 

         While the amount of data stored by phones is less when compared to the storage capacity of computer hard drives, the storage capacity of these devices continues to grow and it is critical to verify the accuracy of data obtained from mobile devices. We’ll discuss an overview of process considerations for the extraction and documentation of data from mobile devices

 Mobile Extractions_Process

Evidence Intake - Receive device as evidence & request for examination

This initial phase generally entails paperwork to document chain of custody, ownership information, and the type of incident the mobile device was involved in and the type of data/information the requester is seeking.

Identification - Identify device specifications and capabilities

As part of the examination, the identifying information for the phone should be documented. This assists the examiner in the determination about what tools might work with the phone and what techniques should be used for analysis.The goal of the exam can make a significant difference in what tools and techniques are used to examine the phone.

Preparation  Prepare method and tools to be used

The preparation phase involves specific research  regarding the particular mobile device to be examined, the appropriate tools to be used for analysis, preparation of the examination machine to ensure that all of the necessary equipment, cables, software and drivers are in place for the examination.

Isolation - Protect the evidence and isolate from Wi-Fi, Bluetooth and Cellular Network

Isolation of a cellular phone can be accomplished through the use of Faraday bags. Isolation prevents the addition of new data to the phone through incoming calls and text messages, destruction of data through remote access or remote wiping and accidental overwriting of existing data as new calls and text messages come in.

Processing – Perform forensic acquisition & analysis

Any installed data storage/memory cards should be removed from the phone prior to examination of the phone, and processed separately using traditional computer forensics methods to ensure that date and time information for files stored on the data storage/memory card are not altered during the examination. Performing multiple kinds of extractions from the same device may be helpful in decoding the data obtained from the phone, as well.

Verification – Validate acquisition and forensic findings

This phase involves ensuring the data which was extracted from the mobile device matches the data displayed by the device itself. Hash values can be used for verification of extracted data. Verification of extracted data can be accomplished in several ways.

Documentation / Reporting Documenting process and findings

The reporting phase includes drafting & finalizing forensic reports and documenting findings. The process used to extract data from the phone, the kind of data extracted and any evidentiary findings should be accurately documented in reports. Documentation of the examination should occur throughout the process & notes regarding what was done during the examination.

Presentation Prepare exhibits and present findings

Presentation phase involves presenting the findings along with reference information regarding source, date and time, EXIF data and pictures/video of the evidence as it existed on the mobile phone.

Archiving Preserve data in common formats for future reference

It is necessary to retain the data in a usable format for  future reference, and for record keeping requirements. Preservation of the data extracted and documented from the cellular phone is an important part of the overall process.

Photo by