Understanding the World of Cellular Telephones: Part 3

Article Posted: January 19, 2011

Cell phones can hold a great deal of data. Most computer users are generally aware that a computer’s hard drive contains more information and data than just the files that they create or download. That same awareness cannot be attributed to most cell phone users. Not surprisingly, cell phones can and do store data or information that the user may not be aware of. It was not too long ago that most phones had limited functionality, primarily being used to make phone calls and store the user’s phone book and call history. In recent years all that has changed. Many of today’s cell phones are also hand-held computers. Specific applications allow a user to access the Internet, take photos and videos, receive and send sophisticated multimedia files, use the integrated GPS functionality to find their location and businesses, and so forth. It should come as no surprise that all this increased functionality can provide a tremendous amount of potential probative information (evidence) to investigators. Indeed, over the past several years, law enforcement digital forensics examiners have experienced a phenomenal growth in the number of requests for cell phone forensics. With that being said, the forensic examination of cell phones and the extraction of any stored data that they may contain presents some unique challenges.

Data That Could Be In a Cell Phone
There is an enormous variety of cell phones currently available, many of which support and utilize proprietary operating systems, embedded file systems, and manufacturer-specific applications, services, and peripherals. When new models are introduced, manufacturers often change or modify the phone’s functionality from their previous models. For investigative purposes, this makes it difficult to know just what functionality a particular phone contains or supports. The question often asked by investigators is “What potential probative information can be forensically extracted from a cell phone?” Although the specific answer depends upon the manufacturer, make, and model, the following list represents some of the data that can typically be extracted:

  • Installed Applications
  • Phone Book/Contacts
  • Recently Dialed Numbers
  • Call Logs
  • Text Messages
  • SMS Messages
  • MMS Messages (Media Messages)
  • Memos
  • Browsing History
  • E-mails
  • Audio and Video Recordings
  • Pictures
  • Appointment Calendar Entries
  • GPS Data (locations the phone has been)
  • Location of Photos Taken
  • Hot List
  • Pin Data
  • SIM Card Data
  • Data Stored on Internal and Removable Memory
  • Service Provider
  • IMSI
  • Spyware Artifacts
  • Other Hidden Data

Depending upon a phone’s technology and access scheme (CDMA, GSM, etc.), data may be stored or found in three primary locations: in the handset, on the phone’s SIM, or on its memory card (if either is present). To complicate matters, some types of data or information may be stored in more than one location. For instance, the contacts can be located in the handset and on a SIM. Likewise, multimedia files may be found on a memory card or in the handset.
