Chapter 24 — Key Takeaways

The big idea

Mobile forensics is the forensic twin of mobile recovery — same soldered storage, same hardware-bound encryption — but now under a warrant, often against an uncooperative subject, with every action bound for court. Because there is no write-blocker for a running phone, the discipline shifts from never touch the original to minimize, document, and validate every necessary change. You acquire along a five-level pyramid, always at the highest forensically sound level your authority and the device's state permit, and you report findings — never inferences — with their limits intact. The phone is the witness that goes everywhere; your job is to take its testimony in a way a court will believe, and to say "extraction was not achievable" with the same confidence as "here is the full file system."

The acquisition pyramid — climb as high as you soundly can

Level Reaches Misses Cost
1 Manual Whatever the screen shows (photographed) Metadata, deleted data, underlying DBs Slow; changes device state
2 Logical Backup / API / providers — live records App-private data, most deleted records Needs unlock/backup password
3 File-system Full app-private tree; SQLite + -wal/freelist (deleted records!) Files with no FS pointer Needs root/jailbreak/agent — a documented change
4 Physical Bit-for-bit: unallocated, slack, deleted files — (but ciphertext on a modern locked device) Invasive; usually needs keys anyway
5 Chip-off/JTAG/ISP Raw NAND Decryption — returns ciphertext if encrypted Last resort; destructive

Deleted records appear at Level 3; deleted files explode at Level 4. Lower is not "better" — it is a decision under constraints.

iOS vs. Android — the security models, applied

  • AFU vs. BFU governs everything. After First Unlock = keys live in memory, data decryptable; Before First Unlock = even the OS sees ciphertext. Keep a seized AFU phone powered, un-rebooted, and network-isolated — a reboot or dead battery drops it to BFU and re-locks the lot.
  • iOS: Secure Enclave UID + Data Protection classes; encrypted iTunes backups expose keychain + Health that plain backups omit; APFS snapshots can reveal prior states; checkm8 owns A5–A11 (iPhone 4S–8/X), but A12+ is a genuine wall.
  • Android: FBE (fscrypt) default from Android 10, keys in TEE/StrongBox; adb gives a logical pull (USB debugging + unlocked + host authorized); file-system access needs root — never a bootloader unlock that wipes userdata; EDL/MTK, like chip-off, return ciphertext on encrypted storage.

The evidence is SQLite — and deleted is not destroyed, inside a database

  • Calls, SMS/MMS, RCS (bugle_db, not mmssms.db!), contacts, geotagged photos, location caches (com.apple.routined, knowledgeC.db), Wi-Fi BSSID history (geolocates the device via WiGLE), and Health all live in SQLite.
  • iOS times are Mac absolute time (seconds, or nanoseconds since iOS 11, from 2001-01-01) — get the epoch wrong and the timeline is off by 31 years.
  • A DELETE frees space within the file; deleted records linger in freelist pages and the -wal write-ahead log. A file-system extraction recovers them; a logical one never sees them.
  • Device access ≠ app access. Signal (SQLCipher), WhatsApp crypt files, and others encrypt their own data; "present but not decodable" is a valid finding.

The cleanest unlock is a known passcode (consent, compulsion, AFU) — most cases solve that way. Exploit services (GrayKey, Cellebrite Premium) are model-, version-, and patch-dependent and often absent on the newest hardware; offline brute force does not work. Stay within authority and warrant scope (Riley, Carpenter, the unsettled law of compelled decryption), and stop-and-re-warrant on plain-view discoveries. A phone proves device activity, never who held it — keep findings rigorously separate from inferences.

You can now…

  • ☐ Choose and justify a mobile acquisition level from the five-step pyramid for a given device, lock state, OS version, and authority.
  • ☐ Apply the iOS (Secure Enclave, Data Protection classes, AFU/BFU, checkm8 vs. A12+) and Android (FBE, TEE/StrongBox, root, EDL/MTK) models to real acquisition decisions.
  • ☐ Locate and parse core mobile artifacts — calls, SMS/MMS/RCS, geotagged photos, messaging stores, location/knowledgeC data, Wi-Fi history, Health — converting Mac-absolute timestamps correctly.
  • ☐ Recover deleted records from SQLite freelist pages and the WAL, and explain on the stand where each came from and why that proves deletion.
  • ☐ Distinguish technical from legal approaches to a locked phone, stay in scope, and report findings (not inferences) with their limits intact.

Looking ahead

Chapter 25 — The Legal Framework. This closes Part III; Part IV makes the evidence count. Chapter 25 takes the warrants, consent, compelled-decryption questions, and scope discipline you met all through this chapter and treats them in full — the Fourth and Fifth Amendments, Riley and Carpenter, FRCP and eDiscovery, Daubert and Frye, GDPR, the CLOUD Act, and MLATs — because the most technically perfect extraction is worthless if the authority behind it does not hold.

One sentence to carry forward: The phone is the witness that goes everywhere — but it testifies only to what the device did, only as far as your authority reaches, and only as soundly as you acquired it; everything else is a question you must answer with honesty, not a tool.