Data Preservation on Mobile Devices: The Quicker, The Better

by Jessica Hyde, Founder of Hexordia

Recent updates to mobile phone technology have changed the playing field for ensuring the most complete data collection, rendering obsolete the traditional mindset of placing the phone in a Faraday enclosure and imaging it later in the lab, because data degradation begins immediately. To preserve evidence and ensure the most comprehensive data is available, near-immediate acquisition is required. Recently, the Scientific Working Group on Digital Evidence (SWGDE) took up this issue in their Position Paper titled “Position on Timely Preservation via Digital Acquisition”, which was published on March 10, 2025.

What recent changes are affecting data availability? Quite a few…

1. Data security protocols requiring access to be near a recognized location.

For example, Apple’s newer Stolen Device Protection enables additional security protocols when the device is not near a Significant Location, essentially locking down the phone when away from those locations. Significant Locations are places where Apple determines an iPhone and/or devices that are connected to iCloud have been recently.

2. Auto-reboot features hampering data collection on locked mobile devices.

Once a mobile phone has been unlocked at least once since a power cycle, forensic tools may be able to acquire significant user data without the need for the passcode via “After First Unlock” or “AFU” acquisition methods. Both Graphene OS, a security-rich mobile operating system that some users install on Google Pixel phones, and Apple’s iOS have automatic reboot features that cause a phone to reboot after a prescribed amount of time since the device was last unlocked by the user. For Graphene, the feature is set to reboot at 18 hours since the last unlock by default – but can be set for as little as 10 minutes or as great as 72 hours. Apple’s version of the feature is currently set to 72 hours. These reboots greatly reduce the amount of data available to forensic extraction techniques.

3. USB restricted mode preventing data connection to mobile phones.

Continuing with privacy features, Graphene and iOS also disable certain types of connections via USB on phones that have not been recently unlocked. These protections also reduce the ability of forensic tools to acquire data when these ports are disabled for normal data communications.

4. Some artifacts degrade over time with data becoming unrecoverable when acquisition is delayed.

There are a variety of temporal artifacts on modern mobile phones; examples include location data, call history, and deleted photos. These and other data sources only retain records for a limited amount of time, so the temporal nature of these artifacts leads to data being permanently removed from the mobile phone each day. Some of these artifacts are retained for 7 days, some for 30 days, and others for different periods. Mobile data is volatile regardless of whether the device has connectivity to a network.

5. Anti-forensics techniques, also known as “dead-man switches” can wipe devices that aren’t interacted with by a user performing a specific function.

Applications like Wasted for Android can permanently wipe a mobile phone by factory resetting it if it is not unlocked within a specific interval. This means that if the user sets the app to wipe the phone after four hours without being unlocked by the user’s PIN, the device will be factory reset if the clock has run out by the time digital forensics personnel go to create a forensic image.
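The timing factors in items 2, 4 and 5 above can be turned into a simple seizure-time triage calculation. The script below is an added example, not code from the article or from Hexordia; it takes the auto-reboot defaults the article names (GrapheneOS 18 hours, iOS 72 hours) and a constructed dead-man interval, computes how long the After First Unlock window has left and what will end it, and estimates how many hours of pre-seizure records age out of each rolling window if acquisition is delayed. The pairing of specific artifacts with 7-day and 30-day windows is an illustrative assumption, as is every timestamp in the sample scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class DeviceTimers:
    # Hours since the last user unlock after which the OS reboots on its own,
    # dropping the handset out of the After First Unlock (AFU) state.
    auto_reboot_hours: float
    # Hours since the last unlock after which an app-level dead-man switch
    # factory-resets the device; None when no such app is known to be present.
    deadman_hours: Optional[float] = None


# Defaults named in the article: GrapheneOS reboots 18 h after the last unlock
# (configurable from 10 min to 72 h); iOS currently uses 72 h.
GRAPHENEOS_DEFAULT = DeviceTimers(auto_reboot_hours=18)
IOS_CURRENT = DeviceTimers(auto_reboot_hours=72)

# CONSTRUCTED retention table, in hours. The article cites 7- and 30-day rolling
# windows and names location data and call history as temporal artifacts, but
# does not pair them; this pairing is an illustrative assumption, not vendor data.
EXAMPLE_RETENTION_HOURS: Dict[str, float] = {
    "location_history_window": 7 * 24.0,
    "call_history_window": 30 * 24.0,
}


def _parse(ts: str) -> datetime:
    # Timestamps are passed as ISO 8601 strings (e.g. "2025-03-10T08:00").
    return datetime.fromisoformat(ts)


def afu_deadline(last_unlock: str, timers: DeviceTimers) -> Tuple[str, str]:
    """Earliest moment (ISO 8601) at which AFU data stops being reachable, and
    why: the OS auto-reboot fires or a dead-man switch wipes the device."""
    base = _parse(last_unlock)
    candidates = [(base + timedelta(hours=timers.auto_reboot_hours), "auto-reboot")]
    if timers.deadman_hours is not None:
        candidates.append((base + timedelta(hours=timers.deadman_hours), "dead-man switch"))
    deadline, reason = min(candidates, key=lambda c: c[0])
    return deadline.isoformat(), reason


def hours_remaining(now: str, last_unlock: str, timers: DeviceTimers) -> Tuple[float, str]:
    """Hours left before the afu_deadline, clamped at zero once it has passed."""
    deadline, reason = afu_deadline(last_unlock, timers)
    left = (_parse(deadline) - _parse(now)).total_seconds() / 3600
    return max(left, 0.0), reason


def history_lost(seized: str, acquired: str, retention_hours: Dict[str, float]) -> Dict[str, float]:
    """Hours of pre-seizure records that age out of each rolling window between
    seizure and acquisition. Each hour of delay drops the oldest hour of the
    window; once the delay exceeds the window, the whole pre-seizure record is gone."""
    delay = max((_parse(acquired) - _parse(seized)).total_seconds() / 3600, 0.0)
    return {name: min(delay, window) for name, window in retention_hours.items()}


def triage(now: str, last_unlock: str, planned_acquisition: str, timers: DeviceTimers,
           retention_hours: Dict[str, float] = EXAMPLE_RETENTION_HOURS) -> dict:
    """Answer the questions an examiner asks at seizure: how long is AFU still
    reachable, what ends it, and what is lost by waiting for the lab."""
    left, reason = hours_remaining(now, last_unlock, timers)
    deadline, _ = afu_deadline(last_unlock, timers)
    return {
        "afu_hours_remaining": round(left, 2),
        "afu_limiting_factor": reason,
        "afu_still_available_at_acquisition": _parse(planned_acquisition) < _parse(deadline),
        "pre_seizure_history_lost_hours": history_lost(now, planned_acquisition, retention_hours),
    }


if __name__ == "__main__":
    # Constructed scenario: GrapheneOS handset last unlocked at 08:00, seized at
    # 10:00, a dead-man app set to 4 h, and lab imaging planned ten days later.
    dev = DeviceTimers(auto_reboot_hours=18, deadman_hours=4)
    print(triage("2025-03-10T10:00", "2025-03-10T08:00", "2025-03-20T10:00", dev))
```

The dead-man interval dominates whenever it is shorter than the OS reboot timer, which is why the sample scenario reports two hours of AFU access rather than sixteen; the history figures show that a ten-day delay discards the entire 7-day window and ten days of the 30-day one, which network isolation alone does nothing to prevent.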

How do we combat this? Preserve the mobile phone with an acquisition immediately.

The Challenge

As with many digital forensics situations, the challenge is more policy- and legal-based than technical. From a technical perspective, creating a forensic acquisition on site, as close in time to seizure as possible, is an effective strategy to ensure the most complete digital evidence collection. However, jurisdictions vary on whether the preservation is considered a search requiring additional documentation. Courts often rely on outdated information stating that network isolation, whether by a Faraday enclosure that blocks radio signals from reaching the device or by placing the phone in airplane mode, is sufficient to prevent loss of data. Network isolation does prevent remote wipe commands from being received in many situations, but it is not a mitigation for temporal data loss, location access issues, device reboots, or dead-man switches.

There is some work to be done by vendors of mobile forensic acquisition tools, namely ensuring that no evidence is presented to the practitioner performing the data extraction. Providing a preservation mode in which the forensic tool creates the acquisition without presenting its contents to the practitioner would meet this need, and some tools already offer this functionality.

It should be recognized that any modern mobile device seized may present an issue of exigency in terms of data destruction. The most effective way of combating this issue, and of preserving both exculpatory and inculpatory evidence, is to acquire data from the mobile device as a method of preservation as quickly as possible. This is the only true way for preservation to be ensured on mobile devices today, given the multiple ways that data availability can be reduced rapidly over time. Timely acquisition is critical to data preservation on mobile devices.

About the author

Jessica Hyde, founder of Hexordia, specializes in cutting-edge mobile forensic analysis. She is dedicated to developing innovative solutions for complex investigations.
