Practical Mobile Forensics(Third Edition)
上QQ阅读APP看书,第一时间看更新

Potential evidence stored on mobile phones

The range of information that can be obtained from mobile phones is detailed in this section. Data on a mobile phone can be found in a number of locations--SIM card, external storage card, and phone memory. In addition, the service provider also stores communication-related information. The book primarily focuses on data acquired from the phone memory. Mobile device data extraction tools recover data from the phone's memory. Even though data recovered during a forensic acquisition depends on the mobile model, in general, the following data is common across all models and useful as evidence. Note that most of the following artifacts contain date- and timestamps:

  • Address book: This contains contact names, phone numbers, email addresses, and so on
  • Call history: This contains dialed, received, missed calls, and call duration
  • SMS: This contains sent and received text messages
  • MMS: This contains media files such as sent and received photos and videos
  • E-mail: This contains sent, drafted, and received email messages
  • Web browser history: This contains the history of websites that were visited
  • Photos: This contains pictures that were captured using the mobile phone camera, those downloaded from the internet, and the ones transferred from other devices
  • Videos: This contains videos that are captured using the mobile camera, those downloaded from the internet, and the ones transferred from other devices
  • Music: This contains music files downloaded from the internet and those transferred from other devices
  • Documents: This contains documents created using the device's applications, those downloaded from the internet, and the ones transferred from other devices
  • Calendar: This contains calendar entries and appointments
  • Network communication: This contains GPS locations
  • Maps: This contains places the user visited, looked-up directions, and searched and downloaded maps
  • Social networking data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn, Google+, and WhatsApp
  • Deleted data: This contains information deleted from the phone