Smartphones are some of the most prevalent types of electronic media that exist today. Most people have at least one mobile device, and, commonly, that device will be a smartphone. Will you know how to handle these devices? Do you know what the data looks like and, more importantly, do you know where the data will be stored?  Smartphones can have a variety of data storage capabilities and contain (and/or may be connected to) other storage components that may need to be addressed during the forensics process. These include:

•  Read-only memory for firmware

•  RAM

•  Flash memory for data storage

•  SIM card

•  Storage expansion cards (microSD)

•  Other cloud-based storage

•  Data on synced computer(s)

•  Servers hosting backup data

Evidentiary data may exist on the smartphone, on a data-expansion card (SD type card) installed in the smartphone, in a cloud-based account that is synced or connected with the phone, or on computers that the smartphone has been synced with. Also, remember that any other phones the smartphone has communicated with may also contain evidence that may be useful to your investigation, and if what you are looking for no longer exists on the smartphone itself, that data may have been transferred to another phone it communicated with.

Smartphones also use RAM, and there are recent developments in methodology for the collection and examination of RAM from smartphones. Most devices will require additional accesses in order to extract data from RAM. This is commonly done by jailbreaking or rooting the device. More on accessing specific data categories will be covered in sections 2 and 3 of this course.