Frequently asked questions

What is mobile device forensics?

Mobile device forensics involves the scientific examination via the acquisition and analysis of data stored on mobile phones and other portable devices to recover digital evidence. This process is essential in both legal and corporate contexts, helping to uncover data that can prove critical in criminal investigations, civil disputes, and compliance checks.

Which tool is used for mobile forensics?

In mobile forensics, various specialised tools are used depending on the device type and the data sought. These tools are designed to securely extract data such as call logs, messages, and application data while preserving the integrity of the information.

Where are most common data types found on a mobile device during a forensic investigation?

In a forensic investigation, common data types such as contacts, messages, call logs, photos, videos, web browser history and third-party application data are primarily found in the device's internal memory. However, understanding the data's storage requires specialist knowledge of the device's file system and structure.

For instance, Android and iOS have different file systems that store data in unique formats and locations. Understanding and explaining the architecture of these systems helps in comprehending how forensic tools navigate these structures to retrieve data effectively, and perhaps more importantly the limitations where data might not be recovered, and other techniques may be needed.

What type of evidence can be extracted from a mobile device?

Evidence extracted from mobile devices can range from communication records, location data, and internet browsing details to app-specific data and multimedia files. This evidence is pivotal in providing insights into user behaviour and proving or disproving case theories.

Can you recover all live and deleted data records created on a mobile device?

This is highly unlikely to achieve by any forensic tool or practitioner. Digital devices routinely flush out their systems of deleted, unwanted data to ensure the device functions efficiently for the device user. Whilst forensic tools might be able to recover some deleted data from digital devices, it can never be guaranteed what data will be recovered. CCL recommends corroborating deleted data recovery by as many other sources as possible. For example using billing records, CCTV, ANPR, witness testimony and other devices and storage locations such as recipient devices and/or cloud storage.

Do phones come back in the same state as submitted, what is the chance of something going wrong?

The forensic principles on which CCL operate aim to protect the device and its data from any accidental loss or corruption of data. Device physical condition and software settings is recorded and photographed when submitted to CCL’s laboratory. Faraday shielding equipment is used to power devices on and configure to safe, examination conditions in order to protect evidence from any external remote wipe commands that may result in loss of evidence.

CCL’s standard operating procedures and testing of forensic tools ensures the utmost protection of evidence particularly at the device acquisition phase. This is supported by extensive staff training and competency assessment including in device functionality and features to ensure no data corruption occurs.

Can you unlock all phones?

No, there are several variables which dictate whether standard and advanced forensic techniques are able to unlock mobile phones, and capability develops over time so if not supported when needed, retaining the device and asking again in several months might prove fruitful.
• Device make and model
• Operating system version
• Security firmware version
• Nature of lock on device (pattern, numeric, alphanumeric, biometric)
• Nature of encryption deployed on the device
• Presence of any custom build/management software

Where non-standard techniques are available, CCL has the expertise to assess whether advanced techniques might be deployed to unlock the device. These techniques include advanced software brute force, eMMC/JTAG or chip-off acquisition.

What specific types of wearable devices does CCL have the capability to forensically analyse?

CCL is equipped to handle a wide range of wearable devices, from fitness trackers and smartwatches to specialised wearable tech used in health monitoring. Each device type offers unique data recovery challenges that CCL's experts are trained to manage.

How does CCL ensure the privacy and security of the data extracted from mobile and wearable devices?

CCL adheres to strict data protection protocols and Standard Operating Procedures to ensure the privacy and security of all data handled during forensic examinations. This includes:
• Use of encrypted methods of data extraction and storage
• Detailed and up to date knowledge of device features to protect data vulnerable to loss
• Following legal guidelines for data handling

What are the common challenges encountered in mobile and wearable device forensics and how does CCL address them?

The challenges in mobile and wearable device forensics often include dealing with the latest encryption technologies and rapidly and ever-changing device formats. CCL addresses these challenges by continuously updating and testing our toolkits and training our mobile forensic experts on the latest technological advancements.

For instance, encryption can often be a significant hurdle; CCL utilises state-of-the-art decryption technologies that can bypass these securities depending on the encryption type and the legal allowances.

Can CCL recover data from damaged or non-functioning mobile and wearable devices?

Recovering data from damaged or non-functioning devices is a meticulous process that involves several sophisticated techniques which are not standard in the industry.

For example, if a smartphone has been water-damaged CCL technicians might disassemble the device to dry out the internal components before attempting to connect the storage chip to specialised equipment that can read off the data directly. This method, known as chip-off forensics, is used and available to CCL when conventional data extraction methods are not viable due to the device's condition.

What are the typical scenarios or cases that require mobile and wearable device forensics?

Typical scenarios include criminal investigations, corporate disputes, compliance audits, and private cases where data from devices can provide essential evidence or insights to resolve the issue at hand effectively.

What is Chip-off Forensics?

Chip-off forensics is a specialised technique used in mobile phone forensics where the memory chip of a device is physically removed and read directly using forensic acquisition software.

This method is typically employed when a device is severely damaged, making standard data recovery methods impossible, or when data is encrypted and the password is unknown.

This highly complex technique allows forensic principal experts to bypass security measures and access the raw data, offering a last-resort solution to recover crucial information from non-functional devices.

What is JTAG/eMMC Forensics?

JTAG or embedded MultiMediaCard (eMMC) forensics refers to a method of acquiring the data from a mobile device by using relevant test points on the device circuit board.

This technique is particularly useful for damaged devices that cannot be powered on or for devices protected by encryption. By connecting directly to these points forensic analysts can bypass the device's operating system and read the data directly from the hardware, providing a pathway to retrieve vital information while maintaining the integrity of the data.

What Role does accreditation have in Digital Forensics?

Accreditation seeks to provide assurance to the end user that the forensic examination carried out provides results which can be safely relied upon by the investigating body. This may be the Criminal Justic System or the corporate investigation team where results can have profound effects on people and their lives.

Accreditation in summary is achieved and maintained through an effective structural Quality Management System, which includes several distinct but equally important areas to provide assurance results of forensic work are reliable:
• Staff training and competency assessment
• Quality Assurance
• Document control and Standard Operating Procedure
• Proficiency testing
• Case auditing
• Validation and verification of tools, equipment and methods used in the laboratory

A Laboratory’s Quality Management Systems are reviewed regularly by independent assessment bodies to ensure compliance and practices actively conform to the relevant international standards.

Unlocking evidence with mobile & smart device forensics

Always a step ahead

Discover more

Practical Digital Forensics Services: Backlog Management

At your service

Frequently asked questions

Other Digital Forensics Services

Computer and Tablet Forensics

Cell Site Analysis

Outsourcing

Collections Services

Digital Forensic Accreditation Consultancy Services

Training

Get in touch

Always a step ahead

Discover more

Practical Digital Forensics Services: Backlog Management

At your service

Frequently asked questions

What is mobile device forensics?

Which tool is used for mobile forensics?

Where are most common data types found on a mobile device during a forensic investigation?

What type of evidence can be extracted from a mobile device?

Can you recover all live and deleted data records created on a mobile device?

Do phones come back in the same state as submitted, what is the chance of something going wrong?

Can you unlock all phones?

What specific types of wearable devices does CCL have the capability to forensically analyse?

How does CCL ensure the privacy and security of the data extracted from mobile and wearable devices?

What are the common challenges encountered in mobile and wearable device forensics and how does CCL address them?

Can CCL recover data from damaged or non-functioning mobile and wearable devices?

What are the typical scenarios or cases that require mobile and wearable device forensics?

What is Chip-off Forensics?

What is JTAG/eMMC Forensics?

What Role does accreditation have in Digital Forensics?

Other Digital Forensics Services

Computer and Tablet Forensics

Cell Site Analysis

Outsourcing

Collections Services

Digital Forensic Accreditation Consultancy Services

Training