SANS Digital Forensics and Incident Response Blog

Top 7 ways investigators catch criminals using Mobile Device Forensics

Modern day mobile devices are a double-edged sword, creating new security risks while providing valuable sources of evidence for digital forensic investigators. Their ever expanding capabilities make mobile devices more like personal computers that accompany us as we navigate the world. Digital forensic investigators can use information stored on and generated by mobile devices to reconstruct our movements, communications, and other personal details.

If you need to extract information from cell phones, smart phones, and other mobile devices, or are concerned about the security of data on such devices, here are some important things you should know.

Bypassing Security Codes: Digital forensic investigators can extract the security code from some locked mobile devices using specialized tools. The screenshot below shows the security code "12345" recovered from a Nokia 6230 using .XRY (subscriber identifier redacted). Being able to bypass security mechanisms on a mobile device enables digital forensic investigators to acquire data from the device with forensic software.

Nokia 6230 security code recovered using .XRY

Safe SIM Card: Inserting the wrong SIM card into a cell phone destroys some useful data in memory. To mitigate this issue, digital forensic investigators can create "safe" SIM cards designed for forensic examination purposes.

Live Acquisition: Removing the battery from a cell phone before performing a forensic acquisition may destroy valuable evidence. In some cases, to ensure that all available evidence is preserved, digital forensic investigators will leave a mobile device powered on until a forensic acquisition can be performed, taking precautions to prevent external influences from altering data on the device.

Trusted Time Source: Even if the clock on the evidentiary device is incorrect, some time stamps on the device may still be accurate because they are generated by system on the core network. For instance, the time stamp in a received SMS message is set by the Short Message Service Center, not by the phone.

Tracking Movements: Some mobile devices store location-based information associated with certain media and actions on the device. Digital forensic investigators can recover this information to determine the geographic location of the mobile device at a particular time. For instance, the following screenshot shows Exif metadata extracted using JPEGsnoop from a digital photograph taken using a G1 mobile device. This metadata includes the date and time the photograph was taken and GPS coordinates of the location (location details redacted).

JPEGsnoop used to extract Exif data from a GPS tagged digital photograph

Recovering Deleted Data: When the user clears the call log from a cell phone, it may still be recoverable with relative ease. Therefore, even when call logs are not displayed on the device, digital forensic investigators may be able to view details about dialed, received, and missed calls on the device using readily available tools.

Getting Physical: Digital forensic investigators can recover substantial amounts of deleted data from an increasing number of mobile devices by acquiring and analyzing the full contents of memory. This screenshot shows a physical memory acquisition of a Nokia 6610 using the Sarasoft application via a Twister flasher box.

Physical memory dump of Nokia 6610 using Twister flasher box and Sarasoft

Deleted data like photographs, call logs, and traces of user activities (e.g., Web browsing and file viewing) recovered from a mobile device can provide digital forensic investigators with some of the most useful and incriminating evidence in a case.

To learn how to perform these and other Mobile Device Forensics techniques, joins us for the debut of SEC563 Mobile Device Forensics in Baltimore, July 27 - 31 (register here). This is an intensive technical course with plenty of hands-on exercises to familiarize you with the inner workings of various mobile devices and show you the benefits and limitations of various approaches and tools. We not only demonstrate state-of-the-art mobile forensic tools and techniques, we peel back the layers of digital evidence on mobile devices to show what is going on behind the scenes. In this way, you obtain a deeper knowledge of the information you rely on when investigating cases involving mobile devices.

SEC563 - Mobile Device Forensics

Eoghan Casey is founding partner of cmdLabs ( , author of the foundational book Digital Evidence and Computer Crime, and coauthor of Malware Forensics. He has been involved in a wide range of digital investigations, including network intrusions, fraud, violent crimes, identity theft, and on-line criminal activity. He has testified in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases.


Posted July 1, 2009 at 2:43 PM | Permalink | Reply


Could you post a reference link for that Sarasoft tool? I assume it's not freeware?

Posted July 1, 2009 at 4:42 PM | Permalink | Reply


The information provided in the article should be tempered with a healthy dose of MAYBE and POSSIBLY. For instance, the two phones you cite in your screen shot examples are discontinued from any major provider's current offerings ( Yes, the software mentioned works, but only on SUPPORTED phones. Also, for certain models of phones, the battery must be removed then reconnected in order to conduct an exam. Finally, I would be cautious in using the word "forensic" when discussing cell phones as it can give the listener the wrong impression that cell phone exams are identical to other digital media exams in regards to write blocking, imaging, and data recovery. My comments are not meant to disparage the author, but rather to provide additional insight into, what I believe, is one of the fastest growing fields in digital forensics.

Posted July 1, 2009 at 7:46 PM | Permalink | Reply


The Sarasoft is packaged with the Twister box, and there are other flasher boxes that support different phones. To get a sense of the options, you can review the flashing products available at Your choice of flasher box will be driven by the types of phones you most commonly encounter.

Posted July 1, 2009 at 7:59 PM | Permalink | Reply


Good points. Any experienced practitioner will tell you that you need multiple tools to deal with the wide variety of devices out there. Applying forensic principles to mobile devices is an extremely important aspect of our work, and we emphasize this in our training.

Posted July 1, 2009 at 8:20 PM | Permalink | Reply

randy marchany

We've been doing a lot of research attacking PDA, smartphones as well as using them as IDS sensors. We've got blended Wifi and Bluetooth attack kits. Most of them have been around, we just put them in one spot. See for some of the tools developed by our students here.