Mobile Device Forensics

iOS, Android & App Data Analysis

Section 8 of 12

Mobile Device Forensics Overview

Definition: Extraction, analysis, and preservation of evidence from mobile devices including smartphones, tablets, and wearables.

Key Challenges

Encryption: Full-disk and file-based encryption
Device Variety: Different OS versions & manufacturers
Cloud Storage: Data synced to cloud services
Quick Evolution: Frequent OS updates
Anti-Forensics: Remote wipe, secure delete
Screen Locks: PINs, patterns, biometrics

Types of Data

Communication: SMS, calls, emails, chats
Location: GPS, cell tower, WiFi data
Media: Photos, videos, audio recordings
Browsing: History, bookmarks, cookies
App Data: Social media, banking, notes
System: Contacts, calendar, accounts

Mobile Acquisition Methods

1. Manual Extraction

Method: Photograph screen, document visible data

✅ No special tools required
❌ Time-consuming, limited data
❌ No deleted data recovery

2. Logical Extraction

Method: OS-level backup (iTunes, ADB backup)

✅ Easy to perform, widely supported
✅ Structured data extraction
❌ Only accessible files (no deleted data)
❌ Requires device to be unlocked

3. File System Extraction

Method: Direct access to file system (jailbreak/root)

✅ Access to all files and folders
✅ App sandboxes, system files
❌ Requires jailbreak/root
❌ May alter device state

4. Physical/Chip-Off Extraction

Method: Direct memory dump or chip removal

✅ Bypasses OS protections
✅ Can recover deleted data
❌ Highly technical, expensive
❌ Destructive (chip-off)

Android Forensics

Android Debug Bridge (ADB)

Command-line tool for communicating with Android devices

# Check connected devices

adb devices

# Create full backup (requires USB debugging)

adb backup -apk -shared -all -f backup.ab

# Pull specific file/folder

adb pull /sdcard/DCIM/ ./photos/

# Get device info

adb shell getprop ro.build.version.release # Android version

adb shell dumpsys battery # Battery info

# List installed packages

adb shell pm list packages

Key Android Locations

/data/data/ - App private data
/data/system/ - System settings
/sdcard/ - User-accessible storage
gesture.key - Lock pattern hash
accounts.db - Google accounts
mmssms.db - SMS/MMS messages

Rooting Considerations

• Provides full file system access
• Required for deep analysis
• Changes device state
• May void warranty
• Document everything!

iOS Forensics

iOS Backup Analysis

iTunes/Finder creates local backups containing device data

Backup Locations

Windows:

%APPDATA%\Apple Computer\MobileSync\Backup\

macOS:

~/Library/Application Support/MobileSync/Backup/

Backup Types

Unencrypted: Basic data, no passwords
Encrypted: Includes keychain, health data, WiFi passwords

Note: Encrypted backups require password

Key iOS Artifacts

SMS.db - Text messages
CallHistory.db - Call logs
AddressBook.sqlitedb - Contacts
Safari/History.db - Browser history
consolidated.db - Location cache
.plist files - App preferences

Jailbreaking

• Removes Apple restrictions
• Full file system access
• SSH access possible
• Version-dependent exploits
• Alters device state

SQLite Database Analysis

Most mobile apps store data in SQLite databases (.db, .sqlite, .sqlitedb files)

SQLite Command-Line Access

# Open database

sqlite3 database.db

# List all tables

.tables

# Show table schema

.schema table_name

# Query data

SELECT * FROM messages LIMIT 10;

# Export to CSV

.headers on

.mode csv

.output messages.csv

SELECT * FROM messages;

.quit

Common Databases

WhatsApp: msgstore.db
Facebook: fb.db
Chrome: History
SMS: mmssms.db (Android), sms.db (iOS)

GUI Tools

DB Browser for SQLite - Free, cross-platform
SQLite Expert - Advanced features
Autopsy - Integrated with forensic suite

App-Specific Forensics

WhatsApp

Location:

• Android: /data/data/com.whatsapp/
• iOS: Backup file

Key Files:

• msgstore.db - Messages
• wa.db - Contacts
• Media/ - Images, videos

Facebook / Messenger

Artifacts:

• threads_db2 - Conversations
• contacts_db2 - Friends list
• Cached images
• Location check-ins

Email Apps

Native Mail:

• Account credentials
• Email cache (headers & bodies)
• Attachments
• Draft messages

Browser Apps

Chrome/Safari/Firefox:

• History.db - URLs visited
• Cookies - Session data
• Cache - Downloaded files
• Bookmarks & downloads

Encryption Note

Many apps use end-to-end encryption. Local data may still be readable if device is unlocked.

Location & Geolocation Data

Location Data Sources

GPS Coordinates

• Photos EXIF: Embedded GPS in images
• Location Services: System logs
• Maps Apps: Search history, saved places
• consolidated.db (iOS): Historical location cache

Cell Tower & WiFi

• Cell Site: Connected cell towers
• WiFi Networks: Connected SSIDs with location
• Google Timeline: Cloud-stored location history
• Fitness Apps: Route tracking

Extract EXIF from Photos

# Using exiftool

exiftool image.jpg | grep GPS

# Extract GPS coordinates

exiftool -gpslatitude -gpslongitude -n image.jpg

# Batch process all photos

exiftool -csv -gpslatitude -gpslongitude -n *.jpg > gps_data.csv

Android Locations

/data/data/com.google.android.gms/
cache.cell, cache.wifi

iOS Locations

consolidated.db
~/Library/Caches/locationd/

Mobile Forensics Tools

Cellebrite UFED

Industry-standard commercial tool

• Physical & logical extraction
• Bypass lock screens
• Wide device support
• $$$$ Expensive

Oxygen Forensics

Cloud & mobile device forensics

• iOS, Android, cloud extraction
• App-specific parsers
• Social media analysis
• $$$ Commercial

Autopsy (Mobile Module)

Open-source forensic platform

• Parse backups & images
• SQLite analysis
• Timeline generation
• ✅ Free

Andriller

Android data extraction tool

• ADB-based extraction
• Decode app data
• Pattern lock cracking
• ✅ Free (CE edition)

iBackup Viewer

iOS backup browser

• View iTunes backups
• Extract photos, messages
• No jailbreak needed
• Free/Paid versions

libimobiledevice

Open-source iOS communication

• Command-line tools
• Backup, file access
• Cross-platform
• ✅ Free