Mobile Device Forensics

With a global mobile device forensics team and a proven track record in investigation and litigation support, Kroll enables key digital insights to be accessed quickly and securely.
Talk to an Expert

Unparalleled Expertise in Mobile Device Forensics

Mobile Forensics

When mobile phone data is required to serve as evidence, Kroll ensures that no relevant information is overlooked. Our mobile phone forensics specialists can assist at any stage of an investigation or litigation to analyze key digital clues and quickly and defensibly uncover critical information.

With a global network of over 650 forensic examiners and laboratories across 19 countries, we respond to more than 3,000 incidents a year and work with over 100 law firms across the globe. Our highly experienced mobile forensics practitioners maintain SANS and other industry certifications associated with a range of mobile device forensics software. The Kroll team includes certified Cellebrite instructors, thought leaders and lecturers on digital forensics courses. We deploy forensically sound, best-practice methodologies to gather data for electronic investigation and forensic analysis, or forensic discovery.

With a reputation founded on extensive experience in forensically sound investigations and electronic data discovery, our mobile phone forensics services deliver high-caliber insight when it matters most.

Mobile Forensics Services from Kroll: Mobile Devices as an Attack Vector

To you, your network of mobile devices is a critical business asset. To a cybercriminal, it’s a source of valuable data and a potential point of access to your financial, cloud, and business assets and intellectual property. From smishing to malware to malicious apps, the security risks associated with smartphones and other mobile devices are significant. The rise in recent years of remote and hybrid working has further increased this challenge for organizations, combined with bring your own device (BYOD) and security corporate mobile inventories.


Threat actors take advantage of mobile devices through a wide range of vectors. The most commonly used approaches include:


Smishing is a form of phishing that involves the use of text messages purporting to be from a reputable source, such as a bank or government body, in order to trick recipients into disclosing personal information. This allows the threat actor to gain access to financial resources or valuable data or to download mobile malware. Smishing now includes mobile messaging apps, such as Facebook Messenger and WhatsApp. While smishing targets individuals, it is frequently used as part of broader campaigns to compromise a company, with attackers seeking to gain access to networks and data.

SIM Swapping

SIM swapping, also referred to as port-out scamming, SIM splitting, smishing and simjacking, is a type of account takeover fraud. It involves a threat actor contacting the mobile service provider and impersonating the legitimate phone owner, stating that they have a new SIM card to activate for the account. Once the provider enables this, the attacker gains full access to the device.

Attacks via Malicious Applications

With so many apps in use, there is a considerable risk of employees unknowingly downloading a malicious app containing malware to an organization’s mobile devices. Once on the mobile devices, the apps can then steal or encrypt data. This risk is increased by the wide range of available malicious apps and the continual evolution of permission implementations and permission acceptances that many users grow complacent about or resistant to approving in order to “just use their device.” This can result in accidental app approvals with over-reaching permissions across the device.

Injection Attacks

Injection attacks lead to the execution of malicious code on the mobile device through a mobile app. The malicious code is usually in the form of data that the attacker inputs to the mobile app. Depending on the vulnerability, zero-day exploit or remote code execution (RCE), these can sometimes be triggered by something as simple as a user accessing a malicious website.

Jailbreaking and Rooting Techniques

In jailbreaking, the bad actor removes the security limitations on devices running the Apple iOS operating system to gain full access to the root of it and to all the features, enabling privilege escalation. Rooting is a similar process undertaken on a mobile device with the Android operating system, allowing the attacker to gain system administrator privileges and the ability to perform operations on the device. While jailbreaking only removes some restrictions in the software and is usually used to install applications from outside the App Store, Android rooting enables attackers to obtain full control of the operating system.

How Kroll Mobile Forensics Experts Help

Once seized, devices used to perpetrate a crime against you or your business have the potential to provide a wealth of data that can help to prove the intentions or actions of the individual concerned. Our mobile forensics team is highly skilled at investigating mobile phone data at all levels to provide vital insights about attacker behaviors and goals, ensuring the best outcome for your case or investigation. Types of forensic data retrieved usually cover three key areas, as outlined below:

SIM Forensics

The SIM is the one location where a permanent copy of a person’s contacts, phone book entries, text messages, the last numbers dialed and email addresses may be stored. It provides a great deal of valuable insight to help inform an investigation.

Removable Memory Card Forensics

Removable memory cards used to store information, such as photos taken with the phone’s camera and application data can provide useful information.

Internal Memory Forensics

This type of data is usually created by applications provided with the mobile devices. It may also include records of connectivity, such as Wi-Fi connections, audio and email use.

The Kroll Mobile Device Forensics Process

Retrieving potentially incriminating information at quickly and safely from a seized mobile phone is a complex process that presents many risks. Kroll’s approach draws on extensive experience, ensuring that critical evidence is accessed securely and within your required time frame. As experts in forensic mobile phone analysis and mobile phone data recovery, our team follows a proven process, based on industry standard chain of custody (CoC) guidelines. Our collection methodologies and CoC documentation meet the stringent standards required for acceptance in court.

Mobile Forensics

Mobile Phone Seizure

With potential evidence at stake, this stage is critical to the success of the mobile phone forensics process. Each device should be handled and stored carefully to ensure that as much data as possible is preserved. During this phase, the data held on the device is vulnerable to two key risks: lock activation and network connection. Investigators protect against this by isolating the network and the device using the following methods:


Mobile Data Extraction and Acquisition

Once the mobile device has been seized and secured, investigators then extract the evidence by duplicating the files on it, using a software imaging tool, a process referred to as acquisition. Creating a duplicate in this way maintains the integrity of the original files so that it is suitable for use as evidence. After the media file with the duplicate has been carefully stored, it is verified in a process called “hashing” to ensure that all the data in the file is in its original state.

Regardless of the operating system your organization relies on, Kroll’s seasoned experts can provide in-depth mobile phone data forensics and analysis. Our team understands the data extraction challenges, risks and opportunities presented by the two main types of operating system.

Digital Investigation and Analysis

As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:

  • Type of mobile device(s): For example, is it a smartphone or a tablet? 
  • Type of network: The mobile phone industry uses many digital networks, including Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA).
  • Carrier: The type of wireless service provider providing mobile connectivity services to the subscriber or owner of the mobile device.
  • Service provider (reverse lookup): While reverse lookup through the mobile service provider can provide some clues in an investigation, it should not be relied upon as it may or may not be correct due to mobile number portability.  

Reporting and Expert Testimony 

At this stage, the evidence collected is presented to other forensic examiners, if appropriate, or to a court that will determine its relevance to the case. Depending on an organization’s specific requirements, Kroll’s experts can author declarations, affidavits and any expert reporting necessary. We can also serve as expert witnesses, providing expert testimony in presenting findings to judges, juries and arbitrators, with many of our team having served as special masters at the court’s appointment. 

Our experts are recognized for the quality and independence of their insight and have been appointed as expert witnesses on the world’s largest and most complex disputes. We have extensive testifying experience in business and commercial disputes that are resolved through litigation, including in federal courts in the U.S. and Canada, the U.S. state courts, the U.S. Tax Court, the Tax Court of Canada, bankruptcy courts, the International Trade Commission and the UK High Court. 

Accelerate Response to Mobile Device Fraud with a Cyber Risk Retainer

Kroll’s cyber risk retainer enables organizations to manage and minimize the potential impact of mobile device fraud. Delivering more than a typical incident response retainer, our cyber risk retainer includes elite digital forensics and incident response capabilities, with maximum flexibility for proactive and notification services.. The Kroll cyber risk retainer guarantees expedited response as well as notification and proactive services to minimize the impact of an incident. Learn more.


Key Insight When It Matters Most

When mobile device data has the potential to impact on criminal, civil and corporate legal proceedings, a fast, effective investigation is critical. Highly experienced and supported with state-of-the-art forensic hardware and software, Kroll’s mobile phone forensics specialists ensure that any extracted data is forensically sound and suitable for use as admissible evidence.

Frequently Asked Questions

Mobile devices hold huge amounts of extremely sensitive data, making them an attractive target for bad actors as well as vulnerable to risks of accidental loss and data sharing. Mobile device forensics enables organizations to quickly and securely contain and retrieve data and preserve it in a forensically sound condition. The fast-changing nature of mobile technology means that specialist expertise is required to successfully undertake the seizure, acquisition, examination, analysis and reporting of mobile forensics data.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Litigation Support

Whether responding to an investigatory matter, forensic discovery demand, or information security incident, Kroll’s forensic engineers have extensive experience providing litigation support and global eDiscovery services to help clients win cases and mitigate losses.

RelativityOne Litigation Support Services

Kroll’s Litigation Support team has seasoned digital forensics investigators and Relativity-certified administrators to help your team defensibly preserve evidence and gain valuable insights faster, anywhere in the world.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.