Challenges of acquiring mobile devices while
minimizing the loss of usable forensics data
Herrera, Lazaro A
Computer Science
Nova Southeastern University
Miami, FL
[email protected]
Abstract—The move from computers to mobile devices
has placed forensic professionals in a tough spot when
performing analysis of seized hardware. Forensics
specialists must contend with hardware that is designed to
be secure as it is highly mobile, is capable of receiving
commands from a suspect after it has been seized which
could include commands that are capable of destroying
evidence remotely, obsolescence of certain forensics
methods such as deleted file recovery from block storage
while having to purchase expensive software and
hardware packages to extract any usable data.
Keywords—forensics, mobile forensics, challenges
I. I​NTRODUCTION
Capturing mobile devices for forensic examination is
complicated. Starting with seizure, changes must be
inherently made to the underlying hardware to keep it safe for
forensics (storing phones in faraday cages, putting phones in
airplane mode, hooking it up to power to keep it from dying).
Newer methods of authentication such as face recognition, or
fingerprint scanning can complicate the issues and may
inadvertently be triggered by an examiner while seizing the
physical hardware which would create a log of actions that
modify the underlying evidence. If a device was left open by a
user, removing a pin code or password causes certain data to
be removed so forensics examiners may need to keep a device
ut may end up being required if an examiner lacks the
tooling for a specific device such as an older phone or when
performing car forensics.
B. Logical acquisitions
Logical acquisitions utilize a mobile device’s ability to
generate backups and extract any data the device is able to
access within its storage system [2]. Both Android and iOS
have support for backups and are able to be extracted and
analyzed, sometimes even if the device is locked assuming the
device has been connected to a seized device.
C. File system acquisitions
File system acquisitions are used to ‘deep dive into the file
structure, Internet usage or look deep into the applications that
are being used on the device’ [3] through access to the files
978-1-7281-6939-2/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.
unlocked for an extended period of time. Additional actions to
capture data such as jailbreaking, installing applications(such
as AFLogical OSE for Android can modify the data contained
within a device, compromising the evidence extracted from a
mobile device. These challenges have been mostly solved on
existing devices such as desktops, laptops and flash drives,
but are unique to newer generation mobile devices. Mobile
devices offer a unique challenge when acquiring data. As
standalone devices, mobile devices are self managed and are
not as easy to image as a standard computer or storage
medium as a hard drive, flash drive or a multimedia card.
Extracting data from a mobile device is colloquially referred
to as ‘acquiring’ a device.
II. P​RIMER​ ​ON​ A​CQUISITIONS
The main types of acquisition are: manual, logical, file
system, physical, brute force, chip-based, and cloud.
A. Manual acquisitions
The simplest of acquisitions, manual acquisition tasks the
forensic investigator or specialist with examining a suspect’s
device directly [1]. Pictures are taken of the screen and the
contents of any apps containing any evidentiary value (emails,
photos, text messages, and so forth). Manual acquisitions are
rare due to the prevalence of security on mobile devices (pin,
password, fingerprint) b
and hidden files on the device. These usually require more
advanced tools like the Cellebrite UFED being used in the
referenced document and require more knowledge to operate
along with some additional software to interpret any output.
D. Physical acquisitions
Physical acquisitions enable ‘extracting data by copying
the total file system’ [1] off of a mobile device. These are the
closest to an image of a block device such as a hard drive and
may require specialized hardware and software to extract the
hardware but can be analyzed using any standard suite for
analyzing a disk image from a computer.

Fig 1. Extractions and expected data [32]
E. Brute force acquisitions
Brute force acquisitions directly attack a password or pin
code on a device [4] attempting to bypass the built in security.
Advances in security are usually met by advances in new tools
and require an advanced amount of knowledge.
F. Chip-based acquisitions
JTAG and Chip-off acquisitions attach directly to the
debug headers on a mobile device (for JTAG) or remove the
chips from the mobile device board and analyze them directly
(for Chip Off) in order to bypass any hardware and read the
underlying memory [5,22].
Fig 2. JTAG Setup for Mobile Device [33]
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.
G. Cloud acquisitions
Cloud acquisitions look into extracting data from the cloud
a device may be connected to or backed up to [6]. Both
Android and iOS have their respective clouds for backups and
an easy way to retrieve data is to merely restore a backup
from Google Drive or iCloud respectively and examine the
data that was recovered.
Fig 3. Cloud Extraction via Oxygen Forensics® [34]
III. I​SSUES​ ​AROUND​ U​NLOCKING​ H​ARDWARE
A. Looking at a device or touching the device
Mobile devices in the 21st century support advanced
biometric unlock schemes with higher end devices supporting
face unlocking technology [7] or having support be standard
in the coming months [8]. Accidentally looking at a device or
attempting to point the device at a suspect to force an unlock
can cost a forensic specialist one chance at unlocking the
device.
Mobile devices in the 21st century come equipped with
fingerprint scanners starting at budget devices (a BLU Studio
device at $64.99 comes equipped with a back mounted
fingerprint scanner as an example) and heading into flagship
devices with ultrasonic under screen fingerprint scanners [9]
or under existing buttons [10] that were considered safe
previously. Accidentally pressing a finger against one of these
fingerprint scanners can cost a forensic specialist one chance
at unlocking the device.
Forensics suites relying on biometric bypasses or even
compelling a suspect legally (through social engineering) to
unlock the device rely on forensics specialists retrieving
devices without losing too many of those attempts at
unlocking.
Use of some sort of material (duct tape is a commonly
cited one) to cover any possible fingerprint readers or front
facing cameras (placing duct tape facing upwards and placing
a phone’s camera on the tape) is recommended but the
knowledge of this issue’s forensic implications is far more
important than the countermeasures.
Fig 2. Duct tape setup for blocking face recognition
B. Keeping devices powered on
Mobile devices and how they can be managed for
forensics should be something that each forensics specialist
should spend a large portion of their time looking into. Unlike
existing devices such as computers, and storage media,
common sense may lead a forensics expert into shutting off
devices [11] and depriving themselves of access to evidence
from devices.
The most common mobile devices (Android and iPhone)
implement different types of security based on their current
state. On iOS-based devices, shutting off the device will
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.
switch it from AFU (After First Unlock) into BFU (Before
First Unlock) which will reduce the amount of data that can
be forensically retrieved from the full filesystem down to just
a partial keychain [12]. On Android-based devices, shutting
off the device with ‘require pin to start device’ mode enabled
will lock the bootloader, making low level acquisitions not
possible [13] for most devices.
Keeping devices alive by connecting them to a power
outlet or using a portable battery power bank are the preferred
methods of maintaining or transporting mobile devices while
powered for analysis.
C. Isolating hardware from networks
Mobile devices have the inherent capability of safely
deleting all data in case of theft or loss [14,15]. This
capability makes users of mobile devices more safe and
supports their privacy but criminals also use mobile devices
so these features make mobile device capture more complex.
Existing forensics of computers, and storage media have no
such constraints (since those devices will generally not require
such strict measures) so ongoing education is required.
As a forensics specialist, it might seem like common
sense: just remove the SIM card from the device [11] as
recommended by the first responder guides. This path on
newer iOS devices (iOS 11, 12, and 13) will immediately
disable all biometrics, cause USB restricted mode to be
enabled (more on this later on), and lock the device [16]. As
explored in the previous section, this could cost valuable
methods of evidence retrieval to be outright lost (fingerprints,
face unlock) and make it difficult to retrieve data (as USB
restricted mode) would be enabled.
Common guides for evidence seizing [11] still recommend
that a device should be placed in airplane mode but modern
mobile operating systems require unlocking for airplane mode
to be added to the quick settings menu (in the case of Android
[17]) or can be configured to require unlocking (in the case of
iOS [18]). There is no risk to trying to enable airplane mode
on older devices, but it’s not a guaranteed solution to the
problem of isolating these mobile devices from wireless
networks. As an additional word of caution, even if airplane
mode is on: iOS devices will not always turn off Bluetooth in
airplane mode [19] and both Android and iOS will allow
radios (wifi and bluetooth) to be enabled even while in
airplane mode [19,20] so accidental activation can still occur
by the person collecting the device or the person examining
the device in a lab.
Faraday bags or lockboxes can be used to isolate devices
from networks before transport (and are usually large enough
to allow for adding a power bank per the previous section). In
an emergency, enterprising individuals have been known to
use empty metal paint cans or arson cans as makeshift faraday
cages [21], although not a lot of research has been performed
on these methods and there is no guarantee of success.

Fig 4. Metal arson cans for isolating mobile devices
IV. I​SSUES​ ​AROUND​ E​XTRACTING​ I​NFORMATION
A. JTAG and Chip Off vs Encryption
JTAG and Chip Off techniques have been used for years
[22] as the common ways to bypass any hardware features
available in mobile devices. Recent advances in encryption in
iOS and Android have made these methods highly
unsuccessful against more modern devices [23] but they can
be a successful way to extract physical data from an older
device that is not supported by a forensic specialist’s tools.
B. Issues connecting to a computer
On modern iOS devices, USB Restricted Mode has gone
through multiple iterations but will generally ‘cut off USB
data after one hour’ [24], and can ‘disable all USB
connections immediately if it has been longer than 3 days’
[25] (original beta release was slated to be seven days [26])
without being unlocked. This makes any sort of operation to
unlock the device extremely limited in scope unless an
examiner sets the devices to accept “USB Accessories” in
Settings.
On modern Android devices, USB debugging can be used
to perform sudo level actions [27]. Many common forensic
suites use the Android Debug Bridge (ADB) in order to
perform extractions against mobile devices but recent
advances in security have made using ADB dependent on
having an unlocked device [28] unless extractions are
performed on a device that Android has already accepted as a
debug device such as a seized computer.
C. Software syncing
One of the most common ways of retrieving data from
both Android and iOS devices accessible to most forensics
specialists is analysis of exported backups [29]. However this
path has some issues [16,30] with device syncing causing the
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.
data of the device to be appended to or deleted. Properly set
up workstations on Windows or Mac can be set up to never
sync data to a device but lack of knowledge is the enemy in
this instance.
V. I​SSUES​ ​AROUND​ U​NLOCKED​ D​EVICES
A. Removing a PIN code or a backup password
In a hypothetical scenario where a device was found
unlocked or a user willingly unlocked a device, common
sense might lead a forensic specialist to try to remove the
backup password (or the device’s pin code) before performing
logical acquisition. Modern iOS will reset the iPhone
passcode leading to a total loss of ‘the saved Wi-Fi
passwords, Apple Pay transaction history, downloaded
Exchange mail and some other data’ [16] as well as ‘access to
end-to-end encrypted data in iCloud including the iCloud
keychain, synced messages, Health data’ [16]. There’s no
limit to the amount of backups you can take on iOS devices so
there is no downside to taking both a password protected and
non-password protected backup in case the password is found
later. A password protected backup can also be restored to
another device if the password is found later on giving more
options when dealing with locked devices [31].
F​UTURE​ W​ORK
Future work into validating some of the countermeasures
(duct tape, faraday cages) can be used to show how much
zcan be gained by being prepared when capturing devices on
the scene and how to best allocate a limited budget to
maintain a minimum kit of hardware. Additional work can be
done to make awareness of these issues more prevalent within
the forensics industry.
C​ONCLUSION
In this paper, some common types of extraction of data in
mobile devices were defined, as well as some common pitfalls
that can limit the amount of evidentiary data that can be
retrieved from a device. The issues keeping mobile devices
from becoming easy to be forensically examined start beyond
the walls of a forensics lab as compared to other methods.
Privacy protecting and user assistance features on the scene
can become potential land mines for forensics specialists to be
tripped and cause additional strain on limited resources.
A​CKNOWLEDGMENT
I would like to acknowledge Dr James Kiper for
continuously encouraging me to take on research into fringe
and underserved topics within the field of computer forensics.
R​EFERENCES
[1] E. Casey, Handbook of computer crime investigation: forensic tools and
technology. Amstersdam: Academic, 2003.
[2] S. K. Reddy Mallidi and P. Palli, “A Comprehensive Analysis of
Smartphone Forensics & Data Acquisitions ,” International Journal of
 Advanced Research in Computer Science and Software Engineering, https://support.apple.com/guide/iphone/change-access-to-items-when-ip
vol. 6, no. 2, pp. 270–276, Feb. 216AD. hone-is-locked-iph9a2a69136/13.0/ios/13.0. [Accessed: 28-Feb-2020].
[3] “Quick Look - Cellebrite UFED Using Extract Phone Data & File [19] “Use Airplane Mode on your iPhone, iPad, iPod touch, and Apple
System DumpQuick Look - Cellebrite UFED Using Extract Phone Data Watch,” Apple Support, 12-Nov-2019. [Online]. Available:
& File System Dump,” SANS Digital Forensics and Incident Response https://support.apple.com/en-us/HT204234. [Accessed: 28-Feb-2020].
Blog | Quick Look - Cellebrite UFED Using Extract Phone Data & File [20] “Connect through Bluetooth on your Android device - Android Help,”
System Dump | SANS Institute, 22-Sep-2010. [Online]. Available: Google. [Online]. Available:
https://www.sans.org/blog/quick-look-cellebrite-ufed-using-extract-pho https://support.google.com/android/answer/9075925?hl=en. [Accessed:
ne-data-file-system-dump/. [Accessed: 23-Feb-2020]. 28-Feb-2020].
[4] S. Bommisetty, R. Tamma, and H. Mahalik, Practical mobile forensics: [21] “Paint Can Faraday Cage,” Alpha Rubicon, 29-Jun-2017. [Online].
dive into mobile forensics on iOS, Android, Windows, and Blackberry Available:
devices with this action-packed, practical guide. Packt Publishing http://www.alpharubicon.com/elect/faradaytooshiegalore.htm.
Limited, 2014. [Accessed: 28-Feb-2020].
[5] A. N. Yakovlev and A. S. Danilova, “JTAG and Chip-Off Technologies [22] K. Curran, A. Robinson, S. Peacocke, and S. Cassidy, “Mobile Phone
in Computer Forensics,” Theory and Practice of Forensic Science, vol. Forensic Analysis,” International Journal of Digital Crime and
13, no. 3, pp. 109–115, 2018. Forensics, vol. 2, no. 3, pp. 15–27, 2010.
[6] M. Faheem, N.-A. Le-Khac, and T. Kechadi, “Toward a new mobile [23] O. Afonin, “iOS vs. Android: Physical Data Extraction and Data
cloud forensic framework,” 2016 Sixth International Conference on Protection Compared,” ElcomSoft blog, 20-Oct-2017. [Online].
Innovative Computing Technology (INTECH), 2016. Available:
[7] “About Face ID advanced technology,” Apple Support, 26-Feb-2020. https://blog.elcomsoft.com/2017/10/ios-vs-android-physical-data-extract
[Online]. Available: https://support.apple.com/en-us/HT208108. ion-and-data-protection-compared/. [Accessed: 28-Feb-2020].
[Accessed: 27-Feb-2020]. [24] O. Afonin, “iOS 12 Enhances USB Restricted Mode,” ElcomSoft blog,
[8] “Turning it up to 11: the first Developer Preview of Android 11,” 09-Oct-2019. [Online]. Available:
Android Developers Blog, 19-Feb-2020. [Online]. Available: https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mod
https://android-developers.googleblog.com/2020/02/Android-11-develo e/. [Accessed: 28-Feb-2020].
per-preview.html. [Accessed: 29-Feb-2020]. [25] V. Katalov, “USB Restricted Mode Inside Out,” ElcomSoft blog,
[9] “What is the Ultrasonic Fingerprint scanner on Galaxy S20, S20 , and 12-Jul-2018. [Online]. Available:
S20 Ultra?,” The Official Samsung Galaxy Site. [Online]. Available: https://blog.elcomsoft.com/2018/07/usb-restricted-mode-inside-out/.
https://www.samsung.com/global/galaxy/what-is/ultrasonic-fingerprint/. [Accessed: 29-Feb-2020].
[Accessed: 27-Feb-2020]. [26] O. Afonin, “iOS 11.4 to Disable USB Port After 7 Days: What It Means
[10] “Use Touch ID on iPhone and iPad,” Apple Support, 24-Apr-2019. for Mobile Forensics,” ElcomSoft blog, 09-Oct-2019. [Online].
[Online]. Available: https://support.apple.com/en-us/HT201371. Available:
[Accessed: 27-Feb-2020]. https://blog.elcomsoft.com/2018/05/ios-11-4-to-disable-usb-port-after-7
[11] “Best Practices for Seizing Electronic Evidence v4.2.” [Online]. -days-what-it-means-for-mobile-forensics/. [Accessed: 29-Feb-2020].
Available: [27] M. Xu, W. Sun, and M. Alam, “Security enhancement of secure USB
https://www.cwagweb.org/wp-content/uploads/2018/05/BestPracticesfo debugging in Android system,” 2015 12th Annual IEEE Consumer
rSeizingElectronicEvidence.pdf. [Accessed: 27-Feb-2020]. Communications and Networking Conference (CCNC), 2015..
[12] V. Katalov, “BFU Extraction: Forensic Analysis of Locked and [28] “Configure on-device developer options : Android Developers,”
Disabled iPhones,” ElcomSoft blog, 26-Dec-2019. [Online]. Available: Android Developers. [Online]. Available:
https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of- https://developer.android.com/studio/debug/dev-options. [Accessed:
locked-and-disabled-iphones/. [Accessed: 27-Feb-2020]. 29-Feb-2020].
[13] O. Afonin, “Forensic Acquisition: Android,” ElcomSoft blog, [29] J. Han and S. Lee, “A practical approach to analyze smartphone backup
07-Mar-2020. [Online]. Available: data as a digital evidence.”
https://blog.elcomsoft.com/2016/01/forensic-acquisition-android/. [30] “Use iTunes to sync your iPhone, iPad, or iPod with your computer,”
[Accessed: 27-Feb-2020]. Apple Support, 13-Feb-2020. [Online]. Available:
[14] “Find, lock, or erase a lost Android device,” Google Account Help. https://support.apple.com/en-us/HT210612. [Accessed: 29-Feb-2020].
[Online]. Available: [31] “Restore your iPhone, iPad, or iPod touch from a backup,” Apple
https://support.google.com/accounts/answer/6160491?hl=en. [Accessed: Support, 09-Oct-2019. [Online]. Available:
28-Feb-2020]. https://support.apple.com/en-us/HT204184. [Accessed: 29-Feb-2020].
[15] “Erase a device in Find My iPhone on iCloud.com,” Apple Support. [32] “What Happens When You Press that Button?” [Online]. Available:
[Online]. Available: https://smarterforensics.com/wp-content/uploads/2014/06/Explaining-C
https://support.apple.com/guide/icloud/erase-your-device-mmfc0ef36f/i ellebrite-UFED-Data-Extraction-Processes-final.pdf. [Accessed:
cloud. [Accessed: 28-Feb-2020]. 29-Feb-2020].
[16] V. Katalov, “The Worst Mistakes in iOS Forensics,” ElcomSoft blog, [33] “JTAG Forensics,” Binary Intelligence, 25-Mar-2013. [Online].
30-Jan-2020. [Online]. Available: Available:
https://blog.elcomsoft.com/2020/01/the-worst-mistakes-in-ios-forensics/ http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensi
. [Accessed: 28-Feb-2020]. cs/. [Accessed: 29-Feb-2020].
[17] “Control airplane mode, private DNS & other network settings on [34] “OXYGEN FORENSICS,” Oxygen Forensics - Mobile forensic
Android - Android Help,” Google. [Online]. Available: solutions: software and hardware. [Online]. Available:
https://support.google.com/android/answer/9089903?hl=en. [Accessed: http://www.oxygen-forensic.com/en/products/oxygen-forensic-detective
28-Feb-2020]. . [Accessed: 29-Feb-2020].
[18] “Change access to items when iPhone is locked,” Apple Support.
[Online]. Available:

Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.