Mobile devices turn up in a large share of modern digital investigations: corporate data theft, fraud, harassment, and insider threat cases all commonly involve smartphones. Knowing how to acquire and analyse mobile evidence is a skill that sets candidates apart in both SOC analyst and digital forensics roles.
This post covers what I learned during my mobile forensics project investigating a sample iPhone image — the artefacts that matter most and the tools investigators actually use.
The Three Acquisition Methods
Before you can analyse a device, you need to acquire the data. There are three main approaches, each with different trade-offs:
1. Logical Acquisition
Extracts only the data the device is willing to hand over through its standard interfaces, in practice the same backup service that an iTunes/Finder backup uses: contacts, messages, photos, and whatever app data the app allows to be backed up. Fast and non-destructive, but limited: no system directories, and deleted files are not recovered (deleted rows inside a backed-up SQLite database sometimes are). Prefer an encrypted backup, because iOS includes more data (keychain items, Health data, Safari history, Wi-Fi settings) only when backup encryption is on.
2. File System Acquisition
Requires elevated access to the device: a jailbreak, or an exploit-based agent that a commercial forensic tool loads onto the device ("developer mode" in iOS settings does not grant this). Extracts the full file system, including system directories that never appear in a backup, such as the location caches and knowledgeC.db. Much more data, but the agent changes the device's state, so every step has to be documented and justified.
3. Physical Acquisition (Full Disk)
A bit-for-bit copy of the device's NAND flash storage. In theory this allows recovery of deleted files from unallocated space. In practice every modern iPhone encrypts its storage with keys anchored in the Secure Enclave and entangled with the passcode, so a raw NAND image taken without the passcode is ciphertext, and examiners rely on file system extraction from an unlocked device instead. Commercial tools such as Cellebrite UFED and GrayKey are the usual route to these richer extractions, and they are expensive products sold mainly to law enforcement.
For student projects: use an image provided by your course or a practice image from the NIST CFReDS repository. Never acquire data from a device you do not own or have written consent to examine. In Australia, unauthorised access to data on a device is a computer offence under Part 10.7 of the Commonwealth Criminal Code Act 1995 (which replaced the older Crimes Act 1914 computer offences) and under equivalent state legislation.
Key Artefacts Investigators Target
Messages and Communications
iMessage, SMS, and many third-party app messages are stored in SQLite databases. The main one is sms.db, which lives at Library/SMS/sms.db in the HomeDomain (in an iTunes-style backup it sits under its hashed file ID, which you look up in Manifest.db). Investigators query the message table, joined to handle for the counterpart's number or address, for content, direction (is_from_me) and timestamps; note that message.date is stored as nanoseconds since 2001-01-01 on recent iOS versions and as seconds on older ones. Deleted messages are often still recoverable: SQLite does not overwrite a deleted row unless the database was written with secure_delete on, so the old cell bytes linger in the free space of the main file until a VACUUM, and superseded page images can also survive in the -wal file until it is checkpointed. Carving those remnants is a separate step from running SQL, which only ever returns live rows.
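The following is an added worked example, not code from the original post. It builds a constructed sms.db with a small subset of the real message and handle tables (the column names are the real ones; the full schema has many more), queries it as an examiner would with the Apple-epoch conversion, then deletes a row and carves the file bytes to show that the text survives until VACUUM. The PRAGMA secure_delete = OFF is an assumption that mimics a build which does not zero freed cells; a database written by a build with secure_delete on leaves nothing to carve.

```python
"""Added example: query a constructed sms.db subset and carve for a deleted row."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC


def apple_to_datetime(value):
    """message.date is nanoseconds since 2001-01-01 on iOS 11+ and seconds
    on older versions; the magnitude is enough to tell the two apart."""
    seconds = value / 1e9 if value > 10**11 else value
    return datetime.fromtimestamp(seconds + APPLE_EPOCH_OFFSET, tz=timezone.utc)


def build_sample_db(path):
    """Constructed sample data; the real tables have many more columns."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+61400000000', 'SMS');
        INSERT INTO message VALUES (1, 'Meet at the warehouse at 9', 1, 700000000000000000, 0);
        INSERT INTO message VALUES (2, 'On my way', 1, 700000300000000000, 1);
        INSERT INTO message VALUES (3, 'Delete this thread', 1, 700000600000000000, 0);
    """)
    con.close()


def list_messages(path):
    """The query an examiner runs: live rows only, oldest first."""
    con = sqlite3.connect(path)
    rows = con.execute("""
        SELECT m.ROWID, h.id, m.is_from_me, m.date, m.text
        FROM message AS m LEFT JOIN handle AS h ON h.ROWID = m.handle_id
        ORDER BY m.date""").fetchall()
    con.close()
    return [(rowid, counterpart, "sent" if from_me else "received",
             apple_to_datetime(date).isoformat(), text)
            for rowid, counterpart, from_me, date, text in rows]


def delete_message(path, rowid):
    """Simulate the user deleting a message. secure_delete = OFF is an
    assumption: it mimics a build that leaves freed cell bytes in place."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("DELETE FROM message WHERE ROWID = ?", (rowid,))
    con.commit()
    con.close()


def vacuum(path):
    """VACUUM rebuilds the file from live rows only, destroying remnants."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def raw_contains(path, needle):
    """Carve: search the raw file bytes, ignoring the SQLite structure."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_sample_db(path)
        before = list_messages(path)
        delete_message(path, 3)
        after = list_messages(path)              # SQL no longer sees row 3 ...
        carved_before_vacuum = raw_contains(path, "Delete this thread")  # ... but the bytes remain
        vacuum(path)
        carved_after_vacuum = raw_contains(path, "Delete this thread")   # gone after VACUUM
    return {"before": before, "after": after,
            "carved_before_vacuum": carved_before_vacuum,
            "carved_after_vacuum": carved_after_vacuum}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the three live rows, the two that survive the delete, and the two carving results. The same carving idea applies to the -wal file when one is present alongside the database.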
Location Data
iOS keeps several location stores. The consolidated.db cache under com.apple.locationd that is often cited dates from iOS 4 and was cut back in iOS 4.3.3; on current versions the locationd caches are cache_encryptedA.db and cache_encryptedB.db, and the "Significant Locations" history lives in the routined databases (Cache.sqlite and Local.sqlite). All of these sit outside the backup domains, so they need a full file system extraction. When it is available, this timestamped coordinate history is frequently the most valuable evidence in fraud and alibi-related cases.
Application Artefacts
- Safari browsing history: HomeDomain/Library/Safari/History.db. URLs are in history_items; each visit, with its timestamp (seconds since 2001-01-01), is in history_visits.
- Recently deleted photos: still recoverable from the Photos app's Recently Deleted album for 30 days after deletion.
- App usage timeline: knowledgeC.db (under Library/CoreDuet/Knowledge/, present only in a full file system extraction, not in a backup) logs which apps were in the foreground and for how long, which is the backbone of a usage timeline.
- Wi-Fi networks: com.apple.wifi.known-networks.plist (com.apple.wifi.plist on older iOS versions) lists every network the device has joined, with timestamps for when each was added and last joined.
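As an added example (not code from the original post), here is the app usage timeline reconstructed from a constructed knowledgeC.db subset. The ZOBJECT table, the '/app/inFocus' stream name and the ZSTARTDATE/ZENDDATE columns (seconds since 2001-01-01, as Core Data stores dates) match the real database; the rows are made up, and the real table has many more columns and streams.

```python
"""Added example: app-in-focus timeline from a constructed knowledgeC.db subset."""
import os
import sqlite3
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC


def core_data_to_iso(seconds):
    """knowledgeC stores Core Data dates: REAL seconds since 2001-01-01 UTC."""
    return datetime.fromtimestamp(seconds + APPLE_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def build_sample_knowledgec(path):
    """Constructed rows; the unrelated /display/isBacklit row exercises the filter."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
                              ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL);
        INSERT INTO ZOBJECT VALUES (1, '/app/inFocus', 'com.apple.MobileSMS', 700000000, 700000120);
        INSERT INTO ZOBJECT VALUES (2, '/app/inFocus', 'com.apple.mobilesafari', 700000120, 700000420);
        INSERT INTO ZOBJECT VALUES (3, '/app/inFocus', 'com.apple.MobileSMS', 700000420, 700000480);
        INSERT INTO ZOBJECT VALUES (4, '/display/isBacklit', NULL, 700000000, 700000480);
    """)
    con.close()


def app_focus_timeline(path):
    """Chronological (start, end, bundle id, seconds in foreground) tuples."""
    con = sqlite3.connect(path)
    rows = con.execute("""
        SELECT ZSTARTDATE, ZENDDATE, ZVALUESTRING
        FROM ZOBJECT
        WHERE ZSTREAMNAME = '/app/inFocus'
        ORDER BY ZSTARTDATE""").fetchall()
    con.close()
    return [(core_data_to_iso(start), core_data_to_iso(end), bundle, end - start)
            for start, end, bundle in rows]


def focus_totals(timeline):
    """Total foreground seconds per app, answering the 'for how long' question."""
    totals = defaultdict(float)
    for _start, _end, bundle, seconds in timeline:
        totals[bundle] += seconds
    return dict(totals)


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "knowledgeC.db")
        build_sample_knowledgec(path)
        timeline = app_focus_timeline(path)
    return timeline, focus_totals(timeline)


if __name__ == "__main__":
    timeline, totals = demo()
    for entry in timeline:
        print(*entry)
    print(totals)
```

Point app_focus_timeline at a real knowledgeC.db from a full file system extraction and the same query works; merge its output with sms.db and Safari timestamps, all converted to UTC the same way, to get the single chronological view that makes a timeline useful.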
Device Metadata
EXIF data in original photos includes GPS coordinates, device model, and timestamp; note that many messaging apps strip EXIF from images they transmit, so a missing GPS tag on a received image proves nothing. The DataUsage.sqlite file (WirelessDomain, Library/Databases/DataUsage.sqlite) records per-app cellular data consumption, useful for spotting unexpected data transfers.
Tools Used in the Investigation
Autopsy
Autopsy is a free, open-source digital forensics platform built on The Sleuth Kit. It handles iPhone backup images well, automatically parsing SQLite databases, plist files, and EXIF data. I used it to build a timeline of events from the sample device image — seeing all artefacts sorted chronologically is significantly more useful than examining individual databases in isolation.
DB Browser for SQLite
Many iOS artefacts are stored in SQLite databases. DB Browser lets you open them directly, run SQL queries, and export findings. Useful when Autopsy's automatic parsing misses something or you need to write a custom query.
iLEAPP
iOS Logs, Events, and Plists Parser: a free Python tool that automates extraction of the most forensically valuable artefacts from an iTunes-style backup or a full file system extraction. It generates an HTML report you can attach to your findings. The -t option selects the input type (itunes for a backup folder, fs for an extracted file system directory, tar/zip/gz for an archive):

```bash
python3 ileapp.py -t itunes -i /path/to/backup -o /path/to/output
```
Writing the Forensic Report
The report structure used in professional investigations:
- Executive Summary — what was found, in plain English
- Evidence Details — device model, iOS version, acquisition method, MD5/SHA-256 hash of the image
- Methodology — tools used, steps taken, chain of custody notes
- Findings — artefacts found, with screenshots and file paths as evidence
- Timeline of Events — chronological reconstruction
- Conclusion — what the evidence supports or does not support
Always record the hash of your evidence image before analysis and verify it again afterwards, and work from a copy with the original write-protected. If the hashes differ, you cannot demonstrate that what you analysed is what was seized, and the evidence may be challenged or excluded. This is the integrity side of the chain of custody principle, and it comes up in every forensics-related interview.
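An added example (not from the original post) of the before-and-after check in Python: hash the image in chunks with both MD5 and SHA-256, keep the recorded digests, and re-verify after analysis. The image file and the accidental one-byte write in demo() are constructed to show what a mismatch looks like.

```python
"""Added example: record and re-verify evidence image hashes."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: real images are far too large to load whole


def _digest(chunks, algorithms):
    """Feed every chunk to every hasher in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Digests of an in-memory buffer (handy for spot-checking a single chunk)."""
    return _digest([data], algorithms)


def hash_image(path, algorithms=("md5", "sha256")):
    """Digests of a file of any size, read in fixed-size chunks."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(CHUNK_SIZE), b""), algorithms)


def verify_image(path, recorded):
    """Recompute every recorded algorithm; True per algorithm if unchanged."""
    current = hash_image(path, tuple(recorded))
    return {name: current[name] == digest for name, digest in recorded.items()}


def demo():
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "iphone.dd")
        with open(image, "wb") as f:
            f.write(b"constructed sample image bytes\n" * 4096)  # constructed, not a real image
        recorded = hash_image(image)            # record at acquisition time
        intact = verify_image(image, recorded)  # re-check after read-only analysis
        with open(image, "r+b") as f:           # simulate an accidental write during analysis
            f.write(b"X")
        tampered = verify_image(image, recorded)
    return recorded, intact, tampered


if __name__ == "__main__":
    recorded, intact, tampered = demo()
    print("recorded:", recorded)
    print("after read-only analysis:", intact)
    print("after accidental write:", tampered)
```

Write the recorded digests into the Evidence Details section of the report at acquisition time, and put the post-analysis verification result in the Methodology section.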