Mobile Forensics

Comprehensive mobile forensics skill for analyzing iOS and Android device data. Enables extraction and analysis of communications, app data, location history, media files, and system artifacts from mobile device backups and extractions.

Capabilities

• iOS Analysis: Parse iTunes/Finder backups, file system images

• Android Analysis: Parse ADB backups, file system extractions

• Communications Analysis: Extract SMS, MMS, calls, messaging apps

• App Data Analysis: Parse application databases and caches

• Location Analysis: Extract GPS data, location history, geofences

• Media Analysis: Catalog photos, videos with metadata

• Contact Analysis: Extract contacts from all sources

• Browser History: Mobile browser artifact analysis

• Cloud Data: Analyze synced cloud service data

• Timeline Generation: Create device activity timeline

Quick Start

from mobile_forensics import MobileAnalyzer, iOSParser, AndroidParser

Analyze iOS backup

ios = iOSParser("/evidence/ios_backup/") messages = ios.get_messages() calls = ios.get_call_history()

Analyze Android extraction

android = AndroidParser("/evidence/android_extraction/") contacts = android.get_contacts()

Usage

Task 1: iOS Backup Analysis

Input: iTunes/Finder backup directory

Process:

• Load and decrypt backup (if encrypted)

• Parse Manifest database

• Extract and analyze data

• Parse application data

• Generate device report

Output: Comprehensive iOS backup analysis

Example:

from mobile_forensics import iOSParser

Initialize parser

parser = iOSParser("/evidence/ios_backup/")

Get backup info

info = parser.get_backup_info() print(f"Device: {info.device_name}") print(f"iOS Version: {info.ios_version}") print(f"Serial: {info.serial_number}") print(f"IMEI: {info.imei}") print(f"Backup Date: {info.backup_date}") print(f"Encrypted: {info.is_encrypted}")

Decrypt if needed

if info.is_encrypted: parser.decrypt(password="backup_password")

Get messages (SMS/iMessage)

messages = parser.get_messages() for msg in messages: print(f"[{msg.date}] {msg.sender} -> {msg.recipient}") print(f" Text: {msg.text}") print(f" Type: {msg.message_type}") print(f" Delivered: {msg.is_delivered}") print(f" Read: {msg.is_read}")

Get call history

calls = parser.get_call_history() for call in calls: print(f"[{call.date}] {call.call_type}: {call.phone_number}") print(f" Duration: {call.duration}s") print(f" Location: {call.location}")

Get contacts

contacts = parser.get_contacts() for contact in contacts: print(f"Contact: {contact.name}") print(f" Phone: {contact.phone_numbers}") print(f" Email: {contact.emails}")

Get Safari history

safari = parser.get_safari_history() for entry in safari: print(f"[{entry.visit_date}] {entry.title}") print(f" URL: {entry.url}")

Get photos

photos = parser.get_photos() for photo in photos: print(f"Photo: {photo.filename}") print(f" Date: {photo.date_taken}") print(f" Location: {photo.gps_location}") print(f" Camera: {photo.camera_info}")

Get location history

locations = parser.get_location_history() for loc in locations: print(f"[{loc.timestamp}] {loc.latitude}, {loc.longitude}") print(f" Accuracy: {loc.accuracy}m") print(f" Source: {loc.source}")

Export all data

parser.export_all("/evidence/ios_export/") parser.generate_report("/evidence/ios_report.html")

Task 2: Android Analysis

Input: Android backup or extraction

Process:

• Load Android data

• Parse databases

• Extract communications

• Analyze applications

• Generate report

Output: Android device analysis

Example:

from mobile_forensics import AndroidParser

Initialize parser

parser = AndroidParser("/evidence/android_extraction/")

Get device info

info = parser.get_device_info() print(f"Device: {info.manufacturer} {info.model}") print(f"Android: {info.android_version}") print(f"Build: {info.build_number}") print(f"Serial: {info.serial_number}") print(f"IMEI: {info.imei}")

Get SMS messages

sms = parser.get_sms() for msg in sms: print(f"[{msg.date}] {msg.direction}: {msg.address}") print(f" Body: {msg.body}") print(f" Read: {msg.read}")

Get call logs

calls = parser.get_call_logs() for call in calls: print(f"[{call.date}] {call.type}: {call.number}") print(f" Duration: {call.duration}s") print(f" Name: {call.cached_name}")

Get contacts

contacts = parser.get_contacts() for contact in contacts: print(f"Contact: {contact.display_name}") print(f" Numbers: {contact.phone_numbers}") print(f" Account: {contact.account_type}")

Get Chrome history

chrome = parser.get_chrome_history() for entry in chrome: print(f"[{entry.visit_time}] {entry.title}") print(f" URL: {entry.url}")

Get WiFi networks

wifi = parser.get_wifi_networks() for network in wifi: print(f"SSID: {network.ssid}") print(f" Security: {network.security}") print(f" First connected: {network.first_connected}")

Get installed apps

apps = parser.get_installed_apps() for app in apps: print(f"App: {app.name}") print(f" Package: {app.package_name}") print(f" Version: {app.version}") print(f" Installed: {app.install_date}")

Get location data

locations = parser.get_locations()

Export and report

parser.export_all("/evidence/android_export/") parser.generate_report("/evidence/android_report.html")

Task 3: Messaging App Analysis

Input: Mobile device data

Process:

• Identify installed messaging apps

• Locate app databases

• Parse message content

• Extract media and attachments

• Build conversation timeline

Output: Messaging app analysis

Example:

from mobile_forensics import MessagingAnalyzer

Initialize analyzer

analyzer = MessagingAnalyzer("/evidence/device_extraction/")

Detect available messaging apps

apps = analyzer.detect_messaging_apps() for app in apps: print(f"Found: {app.name}") print(f" Data available: {app.has_data}")

Parse WhatsApp

whatsapp = analyzer.parse_whatsapp() print(f"WhatsApp messages: {len(whatsapp.messages)}") print(f"WhatsApp contacts: {len(whatsapp.contacts)}") print(f"WhatsApp groups: {len(whatsapp.groups)}")

for chat in whatsapp.chats: print(f"Chat with: {chat.contact_name}") print(f" Messages: {chat.message_count}") print(f" Last message: {chat.last_message_date}")

for msg in chat.messages[-5:]:  # Last 5 messages
    print(f"    [{msg.timestamp}] {msg.sender}: {msg.content}")

Parse Telegram

telegram = analyzer.parse_telegram() for chat in telegram.chats: print(f"Telegram: {chat.title}") print(f" Type: {chat.chat_type}") print(f" Messages: {chat.message_count}")

Parse Signal

signal = analyzer.parse_signal() for conversation in signal.conversations: print(f"Signal: {conversation.recipient}") print(f" Messages: {conversation.message_count}")

Parse Facebook Messenger

messenger = analyzer.parse_messenger()

Parse Instagram DMs

instagram = analyzer.parse_instagram()

Export media

analyzer.export_media("/evidence/messaging_media/")

Generate unified timeline

timeline = analyzer.create_timeline() for event in timeline: print(f"[{event.timestamp}] {event.app}: {event.summary}")

Generate report

analyzer.generate_report("/evidence/messaging_report.html")

Task 4: Location Analysis

Input: Mobile device data

Process:

• Extract GPS data from photos

• Parse location databases

• Analyze location history

• Identify significant locations

• Create location timeline

Output: Location analysis with maps

Example:

from mobile_forensics import LocationAnalyzer

Initialize analyzer

analyzer = LocationAnalyzer("/evidence/device_extraction/")

Get all location data

locations = analyzer.get_all_locations() print(f"Total location points: {len(locations)}")

for loc in locations[:10]: print(f"[{loc.timestamp}] {loc.latitude}, {loc.longitude}") print(f" Source: {loc.source}") # GPS, WiFi, Cell, Photo print(f" Accuracy: {loc.accuracy}m") print(f" Address: {loc.reverse_geocode}")

Get significant locations (iOS)

significant = analyzer.get_significant_locations() for loc in significant: print(f"Significant: {loc.label}") print(f" Visits: {loc.visit_count}") print(f" Average duration: {loc.avg_duration}")

Get location history from Google

google_history = analyzer.get_google_location_history()

Get photo locations

photo_locations = analyzer.get_photo_locations() for photo in photo_locations: print(f"Photo: {photo.filename}") print(f" Location: {photo.latitude}, {photo.longitude}") print(f" Time: {photo.timestamp}")

Find locations at specific time

time_locations = analyzer.get_locations_at_time( start="2024-01-15 09:00", end="2024-01-15 18:00" )

Find visits to location

visits = analyzer.find_visits_to_location( latitude=40.7128, longitude=-74.0060, radius_meters=100 )

Create KML export

analyzer.export_kml("/evidence/locations.kml")

Create timeline map

analyzer.create_map("/evidence/location_map.html")

Generate location report

analyzer.generate_report("/evidence/location_report.html")

Task 5: Application Data Analysis

Input: Mobile device extraction

Process:

• Inventory installed applications

• Locate app data directories

• Parse app databases

• Extract cached data

• Analyze user activity

Output: Application analysis report

Example:

from mobile_forensics import AppAnalyzer

Initialize analyzer

analyzer = AppAnalyzer("/evidence/device_extraction/")

Get installed apps

apps = analyzer.get_installed_apps()

for app in apps: print(f"App: {app.name}") print(f" Package: {app.package_name}") print(f" Version: {app.version}") print(f" Install date: {app.install_date}") print(f" Last used: {app.last_used}") print(f" Data size: {app.data_size_mb}MB")

Analyze specific app

app_data = analyzer.analyze_app("com.example.app") print(f"Databases: {app_data.databases}") print(f"Shared prefs: {app_data.shared_preferences}") print(f"Cache files: {app_data.cache_files}")

Parse SQLite databases in app

for db in app_data.databases: tables = analyzer.get_db_tables(db) print(f"Database: {db.name}") for table in tables: print(f" Table: {table.name} ({table.row_count} rows)")

Get app permissions

permissions = analyzer.get_app_permissions("com.example.app") for perm in permissions: print(f"Permission: {perm.name}") print(f" Granted: {perm.granted}") print(f" Dangerous: {perm.is_dangerous}")

Find apps with sensitive permissions

sensitive_apps = analyzer.find_apps_with_permissions([ "READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION", "CAMERA" ])

Export app data

analyzer.export_app_data("com.example.app", "/evidence/app_export/")

Generate app inventory report

analyzer.generate_report("/evidence/app_report.html")

Task 6: Communications Timeline

Input: Mobile device data

Process:

• Extract all communication types

• Parse timestamps

• Build unified timeline

• Identify patterns

• Detect anomalies

Output: Unified communications timeline

Example:

from mobile_forensics import CommunicationsTimeline

Initialize timeline

timeline = CommunicationsTimeline("/evidence/device_extraction/")

Add all sources

timeline.add_sms() timeline.add_calls() timeline.add_imessage() timeline.add_whatsapp() timeline.add_telegram() timeline.add_messenger() timeline.add_email()

Build unified timeline

events = timeline.build()

for event in events: print(f"[{event.timestamp}] {event.type} - {event.app}") print(f" From: {event.sender}") print(f" To: {event.recipient}") print(f" Summary: {event.summary}")

Filter by contact

contact_timeline = timeline.filter_by_contact("+1234567890") print(f"Communications with contact: {len(contact_timeline)}")

Filter by date range

date_timeline = timeline.filter_by_date( start="2024-01-01", end="2024-01-31" )

Get communication patterns

patterns = timeline.analyze_patterns() print(f"Most contacted: {patterns.top_contacts}") print(f"Peak hours: {patterns.peak_hours}") print(f"App usage: {patterns.app_distribution}")

Detect anomalies

anomalies = timeline.detect_anomalies() for a in anomalies: print(f"ANOMALY: {a.description}") print(f" Time: {a.timestamp}") print(f" Significance: {a.significance}")

Export timeline

timeline.export_csv("/evidence/communications_timeline.csv") timeline.generate_report("/evidence/communications_report.html")

Task 7: Media Analysis

Input: Mobile device photos and videos

Process:

• Extract all media files

• Parse EXIF metadata

• Extract GPS coordinates

• Identify faces/objects

• Build media timeline

Output: Media analysis with metadata

Example:

from mobile_forensics import MediaAnalyzer

Initialize analyzer

analyzer = MediaAnalyzer("/evidence/device_extraction/")

Get all media

media = analyzer.get_all_media() print(f"Total photos: {media.photo_count}") print(f"Total videos: {media.video_count}") print(f"Total size: {media.total_size_gb}GB")

Analyze photos

photos = analyzer.get_photos() for photo in photos: print(f"Photo: {photo.filename}") print(f" Date taken: {photo.date_taken}") print(f" Camera: {photo.camera_make} {photo.camera_model}") print(f" Location: {photo.latitude}, {photo.longitude}") print(f" Size: {photo.width}x{photo.height}")

Analyze videos

videos = analyzer.get_videos() for video in videos: print(f"Video: {video.filename}") print(f" Duration: {video.duration}s") print(f" Date: {video.date_created}") print(f" Location: {video.latitude}, {video.longitude}")

Get media with locations

geotagged = analyzer.get_geotagged_media() print(f"Media with GPS: {len(geotagged)}")

Find media in date range

dated = analyzer.find_by_date( start="2024-01-01", end="2024-01-31" )

Find media by location

location_media = analyzer.find_by_location( latitude=40.7128, longitude=-74.0060, radius_km=1 )

Export with metadata

analyzer.export_media("/evidence/media_export/") analyzer.export_metadata("/evidence/media_metadata.csv")

Generate media report

analyzer.generate_report("/evidence/media_report.html")

Task 8: Cloud Data Analysis

Input: Mobile device cloud sync data

Process:

• Identify synced services

• Extract cloud tokens

• Analyze synced data

• Identify cloud accounts

• Document cloud activity

Output: Cloud service analysis

Example:

from mobile_forensics import CloudAnalyzer

Initialize analyzer

analyzer = CloudAnalyzer("/evidence/device_extraction/")

Detect cloud services

services = analyzer.detect_cloud_services() for service in services: print(f"Cloud service: {service.name}") print(f" Account: {service.account}") print(f" Data available: {service.has_data}")

Analyze iCloud data

icloud = analyzer.analyze_icloud() print(f"iCloud account: {icloud.account_email}") print(f"iCloud Drive files: {len(icloud.drive_files)}") print(f"iCloud Photos: {icloud.photo_count}") print(f"Synced contacts: {icloud.contact_count}")

Analyze Google account data

google = analyzer.analyze_google() print(f"Google account: {google.account_email}") print(f"Drive files: {len(google.drive_files)}") print(f"Photos: {google.photo_count}")

Get cloud tokens (for authorized access)

tokens = analyzer.extract_cloud_tokens() for token in tokens: print(f"Token for: {token.service}") print(f" Type: {token.token_type}") print(f" Expires: {token.expiry}")

Analyze cloud backup data

backups = analyzer.get_cloud_backups() for backup in backups: print(f"Backup: {backup.service}") print(f" Date: {backup.backup_date}") print(f" Size: {backup.size_mb}MB")

Generate cloud report

analyzer.generate_report("/evidence/cloud_report.html")

Task 9: Deleted Data Recovery

Input: Mobile device file system

Process:

• Analyze free space

• Recover deleted files

• Parse deleted database records

• Reconstruct deleted messages

• Document recovery results

Output: Recovered deleted data

Example:

from mobile_forensics import DeletedDataRecovery

Initialize recovery

recovery = DeletedDataRecovery("/evidence/device_extraction/")

Recover deleted SQLite records

messages = recovery.recover_deleted_messages() for msg in messages: print(f"RECOVERED: [{msg.date}] {msg.sender}") print(f" Content: {msg.content}") print(f" Recovery confidence: {msg.confidence}")

Recover deleted photos

photos = recovery.recover_deleted_photos( output_dir="/evidence/recovered_photos/" ) for photo in photos: print(f"Recovered: {photo.filename}") print(f" Original path: {photo.original_path}") print(f" Confidence: {photo.confidence}")

Recover deleted contacts

contacts = recovery.recover_deleted_contacts()

Recover deleted call logs

calls = recovery.recover_deleted_calls()

Recover from WhatsApp

whatsapp = recovery.recover_deleted_whatsapp()

Analyze SQLite WAL files

wal_data = recovery.analyze_wal_files() for entry in wal_data: print(f"WAL recovery: {entry.table}") print(f" Records: {entry.record_count}")

Generate recovery report

recovery.generate_report("/evidence/recovery_report.html")

Task 10: Mobile Malware Analysis

Input: Mobile device data

Process:

• Scan for known malware

• Identify suspicious apps

• Analyze permissions abuse

• Check for rootkit indicators

• Generate threat report

Output: Mobile threat analysis

Example:

from mobile_forensics import MobileThreatAnalyzer

Initialize analyzer

analyzer = MobileThreatAnalyzer("/evidence/device_extraction/")

Scan for known malware

malware = analyzer.scan_for_malware() for m in malware: print(f"MALWARE: {m.app_name}") print(f" Package: {m.package_name}") print(f" Family: {m.malware_family}") print(f" Confidence: {m.confidence}")

Check for suspicious apps

suspicious = analyzer.find_suspicious_apps() for app in suspicious: print(f"SUSPICIOUS: {app.name}") print(f" Reason: {app.reason}") print(f" Permissions: {app.suspicious_permissions}")

Check for root/jailbreak

root_status = analyzer.check_root_status() print(f"Device rooted: {root_status.is_rooted}") print(f"Indicators: {root_status.indicators}")

Check for spyware indicators

spyware = analyzer.detect_spyware() for s in spyware: print(f"SPYWARE INDICATOR: {s.indicator}") print(f" Details: {s.details}")

Analyze app network behavior

network = analyzer.analyze_app_network() for app in network: print(f"App: {app.name}") print(f" Domains contacted: {app.domains}") print(f" Suspicious: {app.suspicious_connections}")

Generate threat report

analyzer.generate_report("/evidence/threat_report.html")

Configuration

Environment Variables

Variable Description Required Default

ADB_PATH

Path to ADB binary No System PATH

BACKUP_PASSWORD

iOS backup password No None

MAPS_API_KEY

API key for map generation No None

MALWARE_HASHES

Path to malware hash database No None

Options

Option Type Description

decrypt_backup

boolean Attempt backup decryption

recover_deleted

boolean Attempt deleted data recovery

extract_media

boolean Extract media files

geocode_locations

boolean Reverse geocode coordinates

parallel

boolean Enable parallel processing

Examples

Example 1: Criminal Investigation

Scenario: Analyzing suspect's phone for evidence

from mobile_forensics import MobileAnalyzer

Load device extraction

analyzer = MobileAnalyzer("/evidence/suspect_phone/")

Get all communications

timeline = analyzer.get_communications_timeline()

Filter for relevant time period

incident_comms = timeline.filter_by_date( start="2024-01-14", end="2024-01-16" )

Get location during incident

locations = analyzer.get_locations_at_time( start="2024-01-15 22:00", end="2024-01-16 02:00" )

Find communications with specific number

suspect_contact = timeline.filter_by_contact("+1234567890")

Export evidence

analyzer.export_evidence("/evidence/case_evidence/")

Example 2: Corporate Investigation

Scenario: Investigating data theft via mobile device

from mobile_forensics import MobileAnalyzer, CloudAnalyzer

Analyze company phone

analyzer = MobileAnalyzer("/evidence/employee_phone/")

Check for unauthorized cloud services

cloud = CloudAnalyzer("/evidence/employee_phone/") services = cloud.detect_cloud_services()

Find file sharing activity

file_activity = analyzer.search_for_files( extensions=[".pdf", ".xlsx", ".docx"] )

Check messaging for data sharing

messaging = analyzer.get_messaging_data() attachments = messaging.find_attachments()

Limitations

• Encrypted devices require passcode/credentials

• Some app data may be encrypted by app

• Cloud data access requires proper authorization

• Deleted data recovery success varies

• Some features require physical extraction

• App-specific parsing may have limited support

• Location data depends on user settings

Troubleshooting

Common Issue 1: Encrypted Backup

Problem: Cannot read encrypted iOS backup Solution:

• Provide backup password

• Use backup password recovery tools

• Request password from device owner

Common Issue 2: ADB Connection Issues

Problem: Cannot connect to Android device Solution:

• Enable USB debugging

• Accept RSA fingerprint

• Try different USB cable/port

Common Issue 3: Missing App Data

Problem: Expected app data not found Solution:

• App may use cloud-only storage

• Data may be encrypted by app

• Check for app-specific backup location

Related Skills

• memory-forensics: Device memory analysis

• disk-forensics: Device storage analysis

• network-forensics: Mobile traffic analysis

• cloud-forensics: Cloud-synced data analysis

• timeline-forensics: Timeline integration

References

• Mobile Forensics Reference

• iOS Artifact Guide

• Android Artifact Guide