The mobile phone evidence extraction process

Evidence extraction and forensic examination of each mobile device may differ. However, following a consistent examination process will assist the forensic examiner to ensure that the evidence extracted from each phone is well-documented and that the results are repeatable and defendable. There is no well-established standard process for mobile forensics.

However, the following figure provides an overview of process considerations for the extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well-documented:

As shown in the preceding figure, forensics on a mobile device includes several phases, from the evidence intake phase to the archiving phase. The following sections provide an overview of various considerations across all the phases.