The Value of Mobile Device (cell phone) Forensic Examination During an Investigation

By Steve Attwood

As a compliance professional, you are often brought into situations where an investigation is required. This article discusses one aspect of the investigation that is often overlooked – information that is stored on the individual’s mobile device(s). The process of extracting this information is called mobile device forensics.

Mobile device forensics is the process of gathering electronically stored information in a manner that, should it be necessary, is admissible in court. Extraction of mobile device information is the primary function of digital forensics companies like Califorensics. Examples of mobile devices are cell phones, tablets, laptops, digital cameras, digital media players and thumb drives. Just look around you right now! You probably have at least one mobile device within arm’s reach.

A mobile device forensic examination can extract information from email, voicemail, text messages and location data (maps, WiFi, apps, photos and latitude/longitude data), as well as network detail from the local network or carrier network. Information can also be obtained from device storage media such as SIM or SD cards, and through chip-offs, backups and cell site analysis.

As information is gathered, it must be forensically stored to ensure it is legally admissible, should the investigation go in that direction, and to prevent the deletion or damage of important information. Challenges to the collection of information can come from device manufacturers, who frequently change mobile device form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. There is also an ever-increasing number of tools available to those trying to hide their tracks by deleting or corrupting the information on the mobile device. However, even if an individual attempts to delete information from their device, it can often be retrieved through a thorough forensic examination.

Because mobile devices are so pervasive today, and because they are with us nearly 24 hours a day, a significant amount of information about our day-to-day lives can be extracted from them. Mobile device forensic analysis can reveal a great deal of data, including:

  • Dialed, incoming and missed calls (history logs)
  • Text messages
  • Instant message activity
  • Email
  • Internet activity including search histories
  • Software, programs, and apps
  • Video and audio recordings
  • Electronic documents and attachments
  • Device setting information
  • Device location information (using GPS) and cell phone tower triangulation

Mobile device forensics can be critical to an investigation, and it’s clear that an ad hoc approach to the acquisition and preservation of electronically stored information will not work. From a legal perspective, lawyers need to be equipped to adequately advise clients, and failure to properly preserve text messages or other mobile data could result in severe sanctions. Mobile device analysis is not a quick or easy process, and not something that should be undertaken by an amateur – especially if it uncovers information that may be used in HR or legal proceedings. An individual who is not experienced in mobile device forensics might inadvertently destroy evidence, corrupt files or make the information inadmissible.

When you have any indication that mobile device forensics could be beneficial, be sure to consult with a professional organization. It’s far better to be safe and assured that data will be collected and stored within guidelines than to jeopardize a successful outcome because proper procedures were not followed.


  1. Great points in article. They need to be caveated with the requirement to have probable cause to have access to any of the devices mentioned. I consult with our general counsel to see if we have probable cause before proceeding. That includes digital forensics of employee or student computers/laptops, campus accounts, etc.

    • Hawk, Thanks for the thoughtful comments. Another angle to consider is making the analysis of laptops or cell phones returned by employees that are leaving the company a standard part of company policy & procedure. Analysis doesn’t have to be limited to an active investigation. –Steve

  2. That is a good point that information gathered must be forensically stored to be legally admissible. Maybe something I would want to do sometime is to have some cell phone forensics done if I were needing it for some reason. That is something I am sure a lawyer would want to do with a detective for a case.
