08/07/2025
1. Mobile Forensic Analysis Process#
Mobile forensic analysis is an integral part of a criminal investigation, where every action must comply with strict legal requirements and maintain the integrity of evidence. This process consists of four main phases: Preservation, Acquisition, Examination/Analysis, and Final Report Writing. Each step plays a critical role in the traceability and judicial exploitation of the digital artefacts collected.
1.1 Preservation Phase#
The preservation phase is the first step of any digital investigation. It aims to secure the investigation scene, seize evidence securely, and ensure its integrity, through rigorous documentation and complete traceability. No data must be altered during this phase, and everything must be kept in a state admissible in court.
Before any action, the investigator must obtain legal authorization, either under Article 73 of the Code of Criminal Procedure (the flagrante delicto, or "caught in the act", provision) or within another specific legal framework.
This authorization can take several forms:
- an Expert Commission Order (OCE) delivered by a magistrate,
- a requisition issued by a judicial police officer (OPJ, OPJA or APJ) with prior approval from the public prosecutor.
This requisition must specify:
- a description of the facts,
- the mission order,
- and sometimes specific expectations (e.g., recovery of a certain data type).
All these steps must strictly comply with applicable law.
Once authorized, the preservation phase involves:
- Securing and assessing the scene,
- Initial scene documentation,
- Physical seizure of evidence,
- Device isolation,
- Labeling and packaging of seized items.
Securing and Assessing the Scene#
The first task is to secure the physical environment to avoid alteration or destruction of evidence. Mishandling at this stage may cause irreversible data loss or contamination compromising legal admissibility.
Initial Documentation#
Every element must be photographed, described, and positioned (state, location, connections). For mobile devices, the following info must be documented:
- Power status (on/off),
- Lock status (PIN, biometrics),
- Displayed time and date,
- Battery level,
- Active apps or processes.
Evidence Seizure#
All relevant devices and accessories must be seized, including:
- Mobile phones or tablets,
- Data cables and power adapters,
- SIM cards and holders,
- Memory cards and other removable storage,
- Connected computers or terminals.
Network Isolation#
Seized devices must be isolated from any network to avoid remote interference (wiping, encryption, tampering). Common methods:
- Airplane mode (may leave GPS/NFC on),
- Faraday bag to block all signals,
- Signal jammer, used under legal and controlled conditions.
In summary, this first step of the forensic process secures the crime scene and seizes digital evidence securely, formally, and without alteration, while preserving the chain of custody. Before starting, the investigator must obtain a search warrant in accordance with national law. Note that some countries (e.g., the USA) allow warrantless searches in specific cases.
Tagging and Secure Storage#
Each item is tagged, bagged, and stored in sealed containers resistant to physical hazards (moisture, heat, shock). A chain-of-custody log is updated with time, location, responsible agent, and item description. The device is then ready for forensic acquisition in a lab.
1.2 Acquisition Phase#
This phase consists of copying or retrieving data from the seized device, without altering it, so it can be analyzed later. The reliability of the analysis depends heavily on this step.
Sources of data include:
- Internal memory (volatile RAM and persistent flash storage),
- SIM card,
- Telecom operator,
- Cloud services.
Access to data held by telecoms or cloud providers requires judicial approval and is subject to local privacy laws.
First, the device must be properly identified, using physical characteristics, label info (e.g., under the battery), and identifiers such as:
- IMEI (for GSM),
- MEID/ESN (for CDMA),
- ICCID (SIM card).
Tools like Cellebrite UFED Phone Detective automate identification.
The chosen method of acquisition depends on the device:
- Logical acquisition: system-accessible data,
- Physical acquisition: bit-by-bit memory copy,
- Advanced acquisition: hybrid or targeted methods.
In urgent contexts (e.g., airport checks), Live Triage may be performed on-site. In most cases, acquisition occurs in a secure forensic lab.
Acquisition methods differ based on device status:
- If powered on, image the internal storage without removing the SIM/SD card (these are imaged separately afterwards).
- If powered off, remove the SIM/SD card first, then image the internal storage.
Even when legally valid, some acquisitions may be challenged, especially if the methods used are not proportional or approved. Courts may also distinguish personal from corporate data because of the privacy and cost implications.
Accessing third-party data (e.g., Google, iCloud) is considered a remote search, requiring explicit authorization from a magistrate, generally within the Expert Commission Order.
1.3 Examination and Analysis Phase#
The examination identifies relevant artefacts, noting their state (deleted, hidden, encrypted…), location, content, and value to the case. The analysis interprets those artefacts to make sense of the findings—linking them, contextualizing, and assessing their relevance.
It’s essential that analysts receive clear context at the start, to understand the value of each data item and avoid missing critical evidence.
Tool reliability is key. Results should be cross-validated between different tools to ensure evidence robustness.
This phase should allow investigators to draw scientific conclusions that support or refute a suspect’s involvement.
1.4 Final Report Writing Phase#
The final step is writing the report. Though last, it’s just as important: it formalizes and communicates findings in a clear, usable format.
The report should summarize:
- Initial assumptions,
- Preservation and acquisition methods,
- Examination and analysis tools,
- Highlighted evidence.
Its form depends on the context:
- Formal written report for judicial use (civil/criminal),
- Informal or oral report for internal or administrative cases.
The report must be understandable to non-technical stakeholders (judges, jurors). Technical details should be placed in annexes. It must be structured, logical, self-contained, and free of typos or ambiguity.
2. Importance of Documentation and Timestamping#
Beyond technical aspects, rigorous documentation of each extraction step is essential to ensure the forensic admissibility of digital evidence. Recording the exact time, the tool used, its version, the acquisition method (logical, full file system, JTAG, etc.), and the applied settings forms the first building block of the chain of custody: anyone reviewing the case must be able to verify that the artifacts indeed originate from the seized device, that no intrusive manipulation altered their contents, and that the calculated fingerprints (SHA-256 hashes) from the moment of seizure still match those from later analyses.
Detailed documentation — including checklists of explored paths, screenshots, ADB command logs, and reports generated by forensic suites — also facilitates reproducibility: if the defense or another expert repeats the extraction, they should obtain the same files and timestamps.
Finally, in a legal context, this traceability allows the judge to assess the reliability of the conclusions and to dismiss any challenge related to an unclear or undocumented methodology.
However, the absence of a timestamp does not automatically render an artifact inadmissible. Understanding and contextualizing the artifact can justify its evidential value: as long as the analyst is technically able to explain the origin and meaning of the log, it may be considered admissible.
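As an added illustration of the hashing and logging step described above (example code, not part of the original article or of any named forensic suite): the script streams an acquired image through SHA-256, builds a chain-of-custody entry carrying the timestamp, tool, version, method and settings, and shows the later verification failing once a single byte of the copy changes. The tool name, version and agent are placeholders, and the image is a constructed sample, not a real dump.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the image through SHA-256 so multi-GB dumps need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(image_path, tool, tool_version, method, settings, agent):
    """One chain-of-custody entry: when, with which tool/version, how, by whom, fingerprint."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "tool": tool,
        "tool_version": tool_version,
        "method": method,
        "settings": settings,
        "agent": agent,
    }


def verify_image(image_path, entry):
    """Review step: recompute the fingerprint and compare it with the logged one."""
    return sha256_file(image_path) == entry["sha256"]


def demo():
    """Constructed walk-through: log an acquisition, re-verify it, then catch a modified copy."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "handset_fs.bin")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample data")  # constructed, not a real dump
        entry = record_acquisition(image, "example-extractor", "0.0-placeholder",
                                   "full file system", {"root": False}, "agent-placeholder")
        log_line = json.dumps(entry, sort_keys=True)  # append this line to the custody log
        untouched = verify_image(image, entry)
        with open(image, "r+b") as f:  # simulate one byte changed after seizure
            f.write(b"\x01")
        tampered = verify_image(image, entry)
        return entry, log_line, untouched, tampered
```

Each JSON line written this way is what a reviewing expert re-runs against: a matching digest supports the claim that the artefacts come unaltered from the seized device, a mismatch is the signal to stop and document.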