Potential evidence stored on mobile phones

The range of information that can be obtained from mobile phones is detailed in this section. Data on a mobile phone can be found in a number of locations—SIM card, external storage card, and phone memory, for example. In addition, the service provider also stores communication-related information. This book primarily focuses on data acquired from a phone's memory. Mobile device data extraction tools recover data from a phone's memory. Even though data recovered during forensic acquisition depends on the mobile model, in general, the following data is common across all models and useful as evidence. Note that most of the following artifacts contain timestamps:

• Address book: This contains contact names, phone numbers, email addresses, and so on.
• Call history: This contains dialed, received and missed calls and call duration.
• SMS: This contains sent and received text messages.
• MMS: This contains media files such as sent and received photos and videos.
• E-mail: This contains sent, drafted, and received email messages.
• Web browser history: This contains the history of websites that have been visited.
• Photos: This contains pictures that were captured using the mobile phone camera, those downloaded from the internet, and those transferred from other devices.
• Videos: This contains videos that are captured using the mobile camera, those downloaded from the internet, and those transferred from other devices.
• Music: This contains music files downloaded from the internet and those transferred from other devices.
• Documents: This contains documents created using the device's applications, those downloaded from the internet, and those transferred from other devices.
• Calendar: This contains calendar entries and appointments.
• Network communication: This contains GPS locations.
• Maps: This contains places the user visited, looked-up directions, and searched and downloaded maps.
• Social networking data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn, Google+, and WhatsApp.
• Deleted data: This contains information deleted from the phone.

Next, we will have a quick look at the final step of investigation: examination and analysis.