Chapter 24 — Key Takeaways
The big idea
Mobile forensics is the forensic twin of mobile recovery — same soldered storage, same hardware-bound encryption — but now under a warrant, often against an uncooperative subject, with every action bound for court. Because there is no write-blocker for a running phone, the discipline shifts from never touch the original to minimize, document, and validate every necessary change. You acquire along a five-level pyramid, always at the highest forensically sound level your authority and the device's state permit, and you report findings — never inferences — with their limits intact. The phone is the witness that goes everywhere; your job is to take its testimony in a way a court will believe, and to say "extraction was not achievable" with the same confidence as "here is the full file system."
The acquisition pyramid — climb as high as you soundly can
| Level | Reaches | Misses | Cost |
|---|---|---|---|
| 1 Manual | Whatever the screen shows (photographed) | Metadata, deleted data, underlying DBs | Slow; changes device state |
| 2 Logical | Backup / API / providers — live records | App-private data, most deleted records | Needs unlock/backup password |
| 3 File-system | Full app-private tree; SQLite + -wal/freelist (deleted records!) |
Files with no FS pointer | Needs root/jailbreak/agent — a documented change |
| 4 Physical | Bit-for-bit: unallocated, slack, deleted files | — (but ciphertext on a modern locked device) | Invasive; usually needs keys anyway |
| 5 Chip-off/JTAG/ISP | Raw NAND | Decryption — returns ciphertext if encrypted | Last resort; destructive |
Deleted records appear at Level 3; deleted files explode at Level 4. Lower is not "better" — it is a decision under constraints.
iOS vs. Android — the security models, applied
- AFU vs. BFU governs everything. After First Unlock = keys live in memory, data decryptable; Before First Unlock = even the OS sees ciphertext. Keep a seized AFU phone powered, un-rebooted, and network-isolated — a reboot or dead battery drops it to BFU and re-locks the lot.
- iOS: Secure Enclave UID + Data Protection classes; encrypted iTunes backups expose keychain + Health that plain backups omit; APFS snapshots can reveal prior states; checkm8 owns A5–A11 (iPhone 4S–8/X), but A12+ is a genuine wall.
- Android: FBE (
fscrypt) default from Android 10, keys in TEE/StrongBox;adbgives a logical pull (USB debugging + unlocked + host authorized); file-system access needs root — never a bootloader unlock that wipesuserdata; EDL/MTK, like chip-off, return ciphertext on encrypted storage.
The evidence is SQLite — and deleted is not destroyed, inside a database
- Calls, SMS/MMS, RCS (
bugle_db, notmmssms.db!), contacts, geotagged photos, location caches (com.apple.routined,knowledgeC.db), Wi-Fi BSSID history (geolocates the device via WiGLE), and Health all live in SQLite. - iOS times are Mac absolute time (seconds, or nanoseconds since iOS 11, from 2001-01-01) — get the epoch wrong and the timeline is off by 31 years.
- A
DELETEfrees space within the file; deleted records linger in freelist pages and the-walwrite-ahead log. A file-system extraction recovers them; a logical one never sees them. - Device access ≠ app access. Signal (SQLCipher), WhatsApp crypt files, and others encrypt their own data; "present but not decodable" is a valid finding.
The wall: legal vs. technical, and findings vs. inferences
The cleanest unlock is a known passcode (consent, compulsion, AFU) — most cases solve that way. Exploit services (GrayKey, Cellebrite Premium) are model-, version-, and patch-dependent and often absent on the newest hardware; offline brute force does not work. Stay within authority and warrant scope (Riley, Carpenter, the unsettled law of compelled decryption), and stop-and-re-warrant on plain-view discoveries. A phone proves device activity, never who held it — keep findings rigorously separate from inferences.
You can now…
- ☐ Choose and justify a mobile acquisition level from the five-step pyramid for a given device, lock state, OS version, and authority.
- ☐ Apply the iOS (Secure Enclave, Data Protection classes, AFU/BFU, checkm8 vs. A12+) and Android (FBE, TEE/StrongBox, root, EDL/MTK) models to real acquisition decisions.
- ☐ Locate and parse core mobile artifacts — calls, SMS/MMS/RCS, geotagged photos, messaging stores, location/
knowledgeCdata, Wi-Fi history, Health — converting Mac-absolute timestamps correctly. - ☐ Recover deleted records from SQLite freelist pages and the WAL, and explain on the stand where each came from and why that proves deletion.
- ☐ Distinguish technical from legal approaches to a locked phone, stay in scope, and report findings (not inferences) with their limits intact.
Looking ahead
Chapter 25 — The Legal Framework. This closes Part III; Part IV makes the evidence count. Chapter 25 takes the warrants, consent, compelled-decryption questions, and scope discipline you met all through this chapter and treats them in full — the Fourth and Fifth Amendments, Riley and Carpenter, FRCP and eDiscovery, Daubert and Frye, GDPR, the CLOUD Act, and MLATs — because the most technically perfect extraction is worthless if the authority behind it does not hold.
One sentence to carry forward: The phone is the witness that goes everywhere — but it testifies only to what the device did, only as far as your authority reaches, and only as soundly as you acquired it; everything else is a question you must answer with honesty, not a tool.