Recovering Digital Evidence with Mobile Device Forensics

Dr. Stephenie Slahor

Mobile device forensics is an evolving specialty in the field of digital forensics which goes beyond devices that provide simple voice communication and text messaging capabilities.

No doubt about it – technology rules the crime scenes involving computers, tablets, external hard drives, smart devices, E-mails, SMS (text messages), social media, the cloud, data, and even electronic medical records. And, within all that lies more technology to retrieve, study, report, and use data for investigations and for the process of discovery.

Thomas Plunkett, an EnCase Certified Examiner and Certified Information Systems Security Professional, serves as the Director of Digital Forensics in southern California, working with ArcherHall Digital Forensics (, a national digital forensic resource firm.

Plunkett explains that digital forensics can involve text messages; message retrieval; photo retrieval; E-mail retrieval; deleted messages; Web browsing history retrieval; analysis of location history via GPS, cell tower data and other means; document and file retrieval; and app, messaging and chat applications retrievals. Much litigation and related discovery work involves digital evidence these days, especially cell phone data. Cell phones easily interact with other devices, too, providing communications, physical location, photos, and data. Says Plunkett, this applies to both “smart and not so smart” phones. Additionally, tablets mirror what cell phones can do and are, he says, “really big smart phones.” 

But, technology doesn’t stop there, he points out. Wearable devices may also figure strongly in investigations and litigation. New developments such as smart glasses, cameras, sensors, and even certain clothing can have tiny, but powerful electronics to control devices, make phone calls, take photos, and monitor vital signs for joggers, walkers, bikers, and others, and the trend toward more popularity for such devices is growing quickly.

Smart Homes 

Also, the “Internet of Things” has now emerged with technologies which turn an ordinary thermostat, light bulb, crock pot, garage door opener, door lock, refrigerator, camera system, and even a bed into an information system. “These kind of things can actually help you in an investigation,” says Plunkett, such as determining when someone was at home or what time an event occurred. “There’s a lot of these out there,” he said of the Internet of Things, and many more on the way. In fact, by 2025, if not sooner, there will be about 75 billion such devices in use. 

Using such data in a courtroom or during an investigation, though, requires the same careful and proper handling and chain of custody so much a part of the more traditional forms of physical evidence. Plunkett says it is important in preserving the evidence to know, for example, whether to leave a device on or off, when to set it to “airplane mode,” or how to gather passwords and pass codes. The assistance of those knowledgeable in this area of forensics can be vital to a successful investigation or prosecution. Digital forensics technicians are trained in such steps as photographing the device, using a Faraday Device bag to block Wi-Fi and cell signals, guaranteeing the proper chain of custody, and treating data as the volatile element that it is. Crucial data can be compromised, modified or even lost through such modalities as selective deletion, app updates, constant operating system updates, factory resets, and remote wipe capability. That data may affect proving what a person was doing, where the individual was, the time and date, and so on – all key elements in proving or disproving a case.     

Data moved to the trash or recycle bin can be recoverable in whole or in part, with the help of digital forensic specialists. Data can be partially overwritten, or a file fragmentized, purged, or even fully overwritten or wiped. Someone trying to “hide” data may be able to overwrite it with random data such as lines of “zeros.” But, digital forensics may be able to find what is left over, even in a file fragment, and that could still be useful as evidence. 

Has it Really Been Deleted?

Databases have their own file system as a form of storage. When a file is marked as “deleted,” it may still exist and, in fact, keep growing and storing. Users can set a system to keep messages for a certain time – 30 days, one year or “forever” – whatever the cell phone or device allows.    

Even if the user tries to destroy or smash the device in an attempt to hide data, a digital forensic expert may be able to retrieve the tiny chip which has stored the data. And, perhaps, the act of smashing hasn’t done enough damage to prevent accessing stored data. Of course, says Plunkett, it all depends on the particular device, the type of encryption used on the chip and the amount of damage done by the user. 

He explains that there are usually four types of data extraction. Logical extraction reaches accessible files such as the backup of the phone’s content and settings, but not deleted content. Advanced logical extraction can work on full databases and substantial amounts of deleted data. A file system extraction seeks files on the device and may even include some deleted material. And, physical extraction is useful for the data on a chip which might also contain deleted data. Encryption may cut into what can be accessed, but Plunkett points out that there are thousands of phones which can still be physically extracted because models manufactured years ago are still very much in use.   

Extraction software yields reports of Universal Forensic Extraction Device (UFED) use for the summary of all data on the phone. Answers to such questions as what did the user transfer out using the device; what account was being used; what was transferred; activities; apps installed and uninstalled; calendar items; physical location and movement; call logs; chats; social media chats; cookie and Web site trackers; passwords; account information; voicemails; and travel time, distance and place might be obtained. Again, it’s wise to seek expertise because, says Plunkett, “collecting it [information] properly can be very important” and can mean the difference to conviction, liability, activity, and other “compelling” evidence which creates a forensic “trail.”   

Just remember that the data is volatile, he reminds, so be as thorough as possible, get help if needed and treat it as key evidence. 

Stephenie Slahor, Ph.D., JD, is a writer in the fields of law enforcement and security. She can be reached at

Available Resource – Guidelines on Mobile Device Forensics

The National Institute of Standards and Technology has a downloadable publication entitled Guidelines on Mobile Device Forensics which provides an in-depth look into mobile devices and explains technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.

Copies of Guidelines on Mobile Device Forensics can be downloaded at: