Join the Webinar | Strong Protection Against Cyber Threats

Mobile Device Forensics

The term “mobile devices” includes a wide range of gadgets, from cell phones, smartphones, tablets and GPS units to wearable devices. What they all have in common is that they can contain a lot of user information. The accusations do not occur independently of technological trends; Therefore, mobile device forensics has become an important part of computer forensics.

Mobile Forensics Process

The mobile forensics process aims to recover digital evidence or related data from a mobile device in a way that forensically preserves the evidence. To achieve this, data is isolated, analyzed and turned into digital evidence during the mobile forensic process. This is a useful tool that investigators use as a method of collecting criminal evidence from a digital data trail that is often difficult to delete. Excavating deleted cell phone files used as criminal evidence is the primary work of cell phone forensic investigators.


Types of cell phone forensics include taped conversations, digital phone pictures, cell phone texts or emails, phone number lists, and sometimes even cell phone digital video recordings. Once evidence has been collected for legal purposes, it can be stored to prevent the deletion or damage of important digital material through systems developed for mobile phone data extraction. In short, mobile forensics, similar to computer forensics, depends on the investigative techniques and experience of investigators. Once the data has been successfully extracted, appropriate analysis is needed. We use our extensive computer forensics experience, backed by proven methodologies, to accurately interpret data.

Frequently Asked Questions About Mobile Forensic

Why Should I Use Mobile Forensics Service?

Smartphones offer many different features and allow users to do almost anything that was previously done with computers. Smartphones replace desktop computers in almost every way, with the advantages of portability; It is more suitable for use in most applications, from private use to business, from photography to online banking. As a result of this situation, smartphones carry valuable information for many researches. It helps the forensic investigator to identify the target person and obtain information about the person's recent activities by providing access to data such as recent chats, call logs, location data, pictures. In most cases, they carry more personal information than a traditional PC used to be. Thus, analyzing mobile phones has become the main part of a forensic investigation.

How to Structure a Typical Mobile Forensic Investigation Process?

A forensic investigation has 4 main parts: • Seizure: The responsible agency seizes the mobile device and protects it from network communication. • Data Extraction: Extraction of data from a mobile device with a known set of mobile forensic tools. (Cellebrite, UFED, MSAB XRY, Oxygen Extractor, Hancom GMD, etc.) • Analysis: Analysis of extracted data with the help of a mobile forensic toolset. Evidence search and verification. • Reporting: Export of found evidence in an easy-to-understand format for subsequent use by non-technical personnel.

What to Do When Smartphones and Other Mobile Devices are Seized?

• Environmental documentation: When it comes to evaluating evidence in any forensic institution, preparing documents as they should be is one of the most important tasks. First of all, photographs should be taken of the mobile device itself and its environment (especially cables, adapters, docking station, etc.). In addition, the status of the device (operating/not working; locked/unlocked; visible damage, etc.) should be noted in the documentation. • Documentation of IMEI: As an identifier for smartphones, documents often use IMEI (International Mobile Station Equipment Identity). Since IMEI is supposed to identify a device in cellular network, dual SIM phones have two IMEIs, phones made for CDMA network have MEID instead of IMEI. Tablets without the ability to connect to a cellular network do not have an assigned IMEI. Usually the IMEI is printed on the back of the phone or on a sticker under the battery. If you can't find an IMEI this way, you can usually find it in the phone's menu or by pressing *# 06. • Using Locked Mobile Devices: If the phone is found in the unlocked state, the first priority is to stop the phone from locking, tap the screen and set the screen timeout setting to maximum. The next step is to go to the security settings and check if any lock codes are set. If the lock code is present and the code is unknown, data extraction from the phone may be considered immediately at the scene. If the screen is not active when the device is found, the screen should not be touched; so that possible blemishes on the screen can be removed and resolved with possible unlock patterns of the phone. All modern smartphones have the option to lock the phone or delete all data on the phone with the command of the remote control. This imposes your risk of losing all evidence of a device. Additionally, data coming into the device after the seizure can alter or overwrite evidence and undermine the forensic soundness of your examination. Therefore, the next priority should be to disconnect the device from the network.