Chapter 20: Mobile Device Forensics & Digital Artifacts
ⓘ This audio and summary are simplified educational interpretations and are not a substitute for the original text.
Mobile Device Forensics & Digital Artifacts analyzes the complex hardware and software ecosystems forensic examiners must navigate, distinguishing between circuit-switched legacy networks (using GSM and CDMA standards) and modern native IP environments. The chapter details key storage components, including Subscriber Identification Module (SIM) cards, which contain critical identifiers like the International Mobile Subscriber Identity (IMSI) and Integrated Circuit Card Identifier (ICCID), and nonvolatile Secure Digital (SD) cards used for memory expansion. The text contrasts the two primary data acquisition methods: physical extraction, which generates a bit-by-bit copy of the storage to potentially recover deleted artifacts from unallocated space, and logical extraction, which captures the active file system as viewed by the user. Significant attention is given to the procedural necessities of digital investigations, such as the use of Faraday bags to block network signals and prevent remote wiping, and to the challenges posed by proprietary operating systems like Apple iOS and Google Android. Furthermore, the chapter explores analytical techniques such as hybrid crime assessment, where digital timelines derived from call logs, SMS text messages, and geolocation data are overlaid with physical crime events to establish temporal chains of evidence. The discussion concludes with an overview of legal and privacy issues, including the Carpenter v. United States Supreme Court ruling regarding search warrants for cell site location information (CSLI), the debate over encryption backdoors, and the deployment of surveillance tools like StingRay IMSI catchers.
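The timeline overlay described under hybrid crime assessment can be sketched as follows; this is an added example, not code from the chapter. The records, their field layouts, the function names and the 15-minute window are all constructed assumptions chosen to show the usual obstacle: each artifact source reports time in a different form and must be normalised to UTC before it can be compared with a physical event.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts (not from any real case or tool export).
CALLS = [("2024-03-01T21:58:10+00:00", "outgoing call, 42 s")]   # ISO 8601 with offset
SMS = [(1709330520, "SMS sent: 'on my way'")]                     # Unix epoch seconds
GEO = [("2024-03-01 17:01:30", -5, "GPS fix near premises"),      # naive local time,
       ("2024-03-01 15:00:00", -5, "GPS fix at home address")]    # plus UTC offset (hours)
PHYSICAL = [("2024-03-01T22:05:00+00:00", "alarm triggered at premises")]

def to_utc(value, utc_offset_hours=None):
    """Normalise an epoch int, an offset-aware ISO string, or a naive local string to UTC."""
    if isinstance(value, int):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        # Refuse to guess: a naive timestamp is only usable with a documented offset.
        if utc_offset_hours is None:
            raise ValueError("naive timestamp needs a documented UTC offset")
        dt = dt.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return dt.astimezone(timezone.utc)

def build_timeline():
    """Merge all digital sources into one list sorted by UTC time."""
    rows = [(to_utc(t), "call", d) for t, d in CALLS]
    rows += [(to_utc(t), "sms", d) for t, d in SMS]
    rows += [(to_utc(t, off), "geo", d) for t, off, d in GEO]
    return sorted(rows)

def overlay(timeline, physical, window=timedelta(minutes=15)):
    """Map each physical event to the digital artifacts within +/- window.

    Each hit carries its signed offset in seconds (negative = before the event).
    """
    result = {}
    for t, label in physical:
        event_time = to_utc(t)
        result[label] = [(int((ts - event_time).total_seconds()), src, desc)
                         for ts, src, desc in timeline
                         if abs(ts - event_time) <= window]
    return result

if __name__ == "__main__":
    for label, hits in overlay(build_timeline(), PHYSICAL).items():
        print(label)
        for delta, src, desc in hits:
            print(f"  {delta:+6d} s  {src:4s}  {desc}")
```
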