This chapter covers mobile device forensics and MDM evidence, a critical area for the CS0-003 exam's Incident Response domain (Objective 3.3). Mobile devices are ubiquitous in enterprises, and incidents often involve compromised or misused smartphones and tablets. Expect roughly 5-8% of exam questions to touch on forensic acquisition methods, MDM evidence sources, and chain-of-custody considerations. We will explore the unique challenges of mobile forensics—encryption, volatile data, and logical vs. physical acquisition—alongside MDM logs and remote wipe risks.
Imagine a car crash investigation. The crash scene itself is the mobile device—damaged, maybe on fire. The MDM server is like the car manufacturer's telematics system. It logs speed, location, airbag deployment, and maintenance history. But the car's internal black box (the device's flash memory) stores the last few seconds of throttle, brake, steering angle, and accelerometer data. The investigator (forensic analyst) must first stabilize the scene (isolate the device from every network while keeping it powered, so the keys held in memory survive) to prevent overwriting volatile data. Then they carefully extract the black box data (physical acquisition) while the telematics logs are pulled from the manufacturer's cloud (MDM logs). The telematics data shows the car's route and driver behavior over time, but the black box has the precise crash details. If the investigator plugs in a diagnostic tool that sends a reset command (remote wipe), the black box might be erased. So they must disable all communications first. In mobile forensics, the device is the crash scene, and MDM is the telematics cloud. Both are needed for a complete picture, but each has its own chain-of-custody and preservation requirements.
What is Mobile Device Forensics?
Mobile device forensics is the process of recovering digital evidence from mobile devices (smartphones, tablets, wearables) in a forensically sound manner. Unlike traditional computer forensics, mobile devices present unique challenges: they are constantly connected to networks, keep encryption keys and recent activity in volatile memory, run proprietary operating systems (iOS, Android) that do not expose storage as a simple block device, and encrypt user data by default. The goal is to preserve data integrity, maintain chain of custody, and extract actionable evidence such as call logs, SMS, app data, location records, and media files.
Why MDM Evidence Matters
Mobile Device Management (MDM) systems like Microsoft Intune, VMware Workspace ONE, and Jamf manage enterprise mobile devices. They enforce policies, deploy apps, and can remotely wipe devices. MDM servers log device compliance status, location data, app inventory, and security events. In an incident investigation, MDM logs can provide a timeline of device activity, show when a device went offline, or reveal a remote wipe command that destroyed evidence. Understanding how MDM interacts with device forensics is crucial for the exam.
Forensic Acquisition Methods
Forensic acquisition is usually described in two categories, logical and physical. In practice most modern commercial tools also offer a middle tier, full file system (FFS) extraction, which copies the decrypted file system of an unlocked device, including app databases that the OS backup APIs skip.
Logical Acquisition: Copies files and data at the OS level through supported interfaces such as an Apple (iTunes/Finder) backup or Android's adb. It requires an unlocked device, retrieves only what the OS chooses to expose, and misses deleted records and any app data excluded from backup. Tools: Cellebrite UFED, Magnet AXIOM.
Physical Acquisition: Creates a bit-for-bit copy of the device's flash memory (NAND or eMMC) by exploiting the bootloader or using JTAG/ISP/chip-off techniques. It recovers deleted data, unallocated space and hidden partitions, but is more invasive, may damage the device, and on an encrypted device yields ciphertext unless the keys are also recovered. Tools: Cellebrite UFED for acquisition with Physical Analyzer for parsing, MSAB XRY.
Volatile Data and Order of Volatility
Mobile devices contain volatile data that disappears when power is lost. The order of volatility (RFC 3227) applies:
Registers and cache – lost immediately.
RAM – lost within seconds to minutes.
Process table and kernel data – lost on shutdown.
File system data – persists until overwritten.
For mobile devices, RAM may contain encryption keys, recent app data, and live network connections. Capturing it is difficult: Android memory acquisition tools such as LiME (Linux Memory Extractor) require root and a kernel module built for the exact running kernel, and iOS has no equivalent without a jailbreak. In practice, analysts prioritize preserving the device's state: keep it powered on, put it in a Faraday bag (with a battery pack inside, because a device searching for signal drains quickly), and use airplane mode only as a fallback, since toggling it means interacting with the device.
iOS vs. Android Forensics
iOS: Apple devices use APFS (HFS+ on iOS 10.2 and earlier) with hardware-backed encryption. A dedicated AES engine has encrypted storage since the iPhone 3GS, Data Protection (per-file keys entangled with the passcode) since iOS 4, and the Secure Enclave, which rate-limits passcode attempts, since the iPhone 5s (A7). Acquisition methods:
Logical: iTunes/Finder backup (unencrypted or encrypted). Encrypted backups preserve more data (keychain, Health data, Safari history) but require the backup password.
Physical: Limited to devices with a public bootrom exploit; checkm8 affects the A5 through A11 chips (iPhone 4s through iPhone X). On A12 and later there is no public bootrom exploit, so commercial tools rely on full file system extraction of an unlocked or passcode-recovered device instead. Even on exploitable devices the raw NAND image is ciphertext; user data decrypts only with the passcode-derived keys, so "physical" here means an exploit-assisted full file system extraction.
Advanced: checkra1n (a checkm8-based jailbreak) for exploitable devices, or passcode-recovery appliances such as Grayshift's GrayKey (now a Magnet Forensics product) and Cellebrite Premium.
Android: Devices use ext4 or F2FS. Full-disk encryption (FDE) was required on capable devices from Android 6.0; file-based encryption (FBE) was introduced in Android 7.0 and is required on new devices from Android 10. FBE splits storage into device-encrypted (DE) data, readable after boot, and credential-encrypted (CE) data, readable only after the user first unlocks. Acquisition methods:
Logical: adb backup (available since Android 4.0; apps can opt out with android:allowBackup="false", and from Android 12 apps targeting API 31 or higher are excluded by default) or vendor backup protocols such as Samsung Smart Switch. Requires USB debugging enabled and an unlocked device to authorize the host.
Physical: Boot a custom recovery such as TWRP (possible only if the bootloader is unlocked) and image the block devices with dd over adb, or use exploit-based commercial tools such as Cellebrite UFED. On FDE/FBE devices the image is ciphertext unless the keys are obtained.
Chip-off: Removing the NAND chip and reading it with a programmer. This is destructive and requires expertise.
Evidence Sources on Mobile Devices
Key evidence locations:
Call logs – SQLite databases under /data/data/com.android.providers.contacts/databases/ (contacts2.db on older releases, calllog.db on newer ones).
SMS/MMS – in /data/data/com.android.providers.telephony/databases/mmssms.db.
Browser history – Chrome uses /data/data/com.android.chrome/app_chrome/Default/History.
GPS locations – Google Maps keeps several SQLite databases under /data/data/com.google.android.apps.maps/databases/ (names such as gmm_drive vary by app version); much of a user's location history lives in the Google account rather than on the device.
App data – each app has its own sandboxed directory under /data/data/.
Deleted records – carved from unallocated space, from SQLite freelist pages and freeblocks within pages, and from write-ahead log (-wal) and journal files that still hold pre-deletion page images.
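An added example, not from the original page, of why deleted records survive in SQLite stores such as mmssms.db. It builds a constructed, simplified table (not the real Android schema) in a temporary file, deletes one message through SQL, then carves the raw file bytes the way a forensic parser walks freeblocks and unallocated space, before and after a VACUUM rewrites the file. The PRAGMA secure_delete toggle shows the one case where SQLite zeroes the freed bytes on delete:

```python
"""Added example: why deleted SQLite rows stay recoverable in a mobile
message store until the file is rewritten.  The table is a constructed,
simplified imitation of Android's mmssms.db, not the real schema."""
import os
import sqlite3
import tempfile

# Constructed sample messages; the second one is the record a user "deletes".
SAMPLE_MESSAGES = [
    ("+15551230001", "Lunch at noon?"),
    ("+15551230002", "Sending the Q3 customer export to my personal mail"),
    ("+15551230003", "Meeting moved to 3pm"),
]
DELETED_MARKER = b"Q3 customer export"   # distinctive bytes to carve for


def build_store(path, secure_delete=False):
    """Create the toy table, commit three messages, then delete one.

    secure_delete maps to SQLite's PRAGMA of the same name.  With it OFF (the
    usual build default) a deleted cell is only added to the page's freeblock
    list and its bytes stay on disk.  With it ON, SQLite zeroes the freed bytes.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT,"
        " date_ms INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO sms (address, date_ms, body) VALUES (?, ?, ?)",
        [(addr, 1700000000000 + i * 60000, body)
         for i, (addr, body) in enumerate(SAMPLE_MESSAGES)],
    )
    conn.commit()
    # The user deletes the incriminating message through the app (plain SQL).
    conn.execute("DELETE FROM sms WHERE address = ?", ("+15551230002",))
    conn.commit()
    return conn


def raw_file_contains(path, needle):
    """Carve the database file as bytes, bypassing the SQLite API entirely,
    which is what a forensic tool does when it scans freeblocks and
    unallocated pages rather than querying the live table."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def run_demo(secure_delete=False):
    """Return what SQL (the logical view) and raw carving each show, before
    and after VACUUM copies only the live rows into a fresh file."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "mmssms.db")
    conn = build_store(path, secure_delete)
    result = {
        "live_rows": conn.execute("SELECT COUNT(*) FROM sms").fetchone()[0],
        "carved_before_vacuum": raw_file_contains(path, DELETED_MARKER),
    }
    conn.execute("VACUUM")          # rebuilds the file from live rows only
    result["carved_after_vacuum"] = raw_file_contains(path, DELETED_MARKER)
    conn.close()
    os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print("secure_delete=OFF:", run_demo(False))
    print("secure_delete=ON: ", run_demo(True))
```

With secure_delete off, the logical view reports two rows while the raw file still carries the deleted body until VACUUM rewrites it; this is exactly the gap between a logical extraction and a physical or full file system one. Real app databases add two more places to look that this single-file demo omits: the -wal file, which holds pre-checkpoint page images, and freelist pages released when a page empties entirely.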
MDM Logs as Evidence
MDM servers log:
Device enrollment and check-in times – shows when device was active.
Policy compliance status – e.g., jailbreak detection, encryption status.
Remote actions – lock, wipe, unenroll commands with timestamps.
Location data – if location tracking is enabled.
App inventory – list of installed apps and versions.
These logs are often stored in SQL databases or cloud logs (e.g., Azure Log Analytics). In an investigation, MDM logs can corroborate or contradict device evidence. For example, an MDM log showing a remote wipe at 10:00 AM explains why the device is empty.
Chain of Custody and Documentation
Every step must be documented: who, what, when, where, how. For mobile devices:
Seize and isolate – place in a Faraday bag and keep the device powered on, so it stays in the after-first-unlock (AFU) state in which the passcode-derived keys are still in memory.
Photograph – device state, connections, screen.
Label – with case number, evidence tag.
Transport – in anti-static bag.
Acquire – using write-blockers (for chip-off) or forensic tools.
Hash – SHA-256 of acquired image.
Store – on encrypted media.
Legal and Privacy Considerations
Mobile devices often contain personal data intertwined with corporate data. Investigators must respect privacy laws (GDPR, CCPA) and obtain proper authorization. The exam emphasizes understanding the difference between corporate-owned (COPE) and personally-owned (BYOD) devices. For BYOD, as a rule only corporate data can be acquired without employee consent (specifics depend on jurisdiction and the signed acceptable-use agreement), but separating the two on one device is difficult. MDM can enforce containerization (e.g., Android Work Profile) so that the corporate container can be acquired or wiped on its own.
Interaction with Related Technologies
Cloud backups: iCloud or Google Drive backups may contain evidence. Acquiring them requires legal authority and cloud provider cooperation.
Encryption: Full-disk encryption means a raw image of the flash is ciphertext without the passcode-derived key. File-based encryption leaves device-encrypted (DE) data readable before first unlock but keeps credential-encrypted (CE) user data locked until the passcode is entered, which is why a logical or file system extraction from an unlocked (AFU) device recovers far more than one from a rebooted (BFU) device.
Remote wipe: MDM can trigger a wipe that destroys evidence. Analysts must isolate devices from network to prevent this.
SIM cards: Contain contacts and SMS on older phones. Modern phones store these in internal memory.
Default Values and Timers
iOS backup encryption: Default off; when enabled, the backup is protected with AES-256 under a key derived from the backup password, and it includes keychain, Health and other data that unencrypted backups omit.
Android USB debugging: Default off.
Android FRP (Factory Reset Protection): Enabled by default since Android 5.1 whenever a Google account is on the device; requires that account's credentials after an unauthorized reset.
iOS Activation Lock: Enabled whenever Find My is on; requires the owner's Apple ID after a reset.
MDM check-in interval: Typically every 15-60 minutes, configurable.
Verification Commands
Forensic tools provide verification:
Cellebrite: generates hash report (MD5, SHA-1, SHA-256).
XRY: creates XRY file with metadata and hash.
Linux: sha256sum image.dd hashes a raw image; hashdeep -r -l /mnt/image > hashes.txt records per-file hashes of a mounted extraction, and hashdeep -a -k hashes.txt -r -l /mnt/image audits it later against that list.
ADB: adb backup -apk -shared -all -f backup.ab (logical backup command; the .ab file is a tar stream with a small header, and apps that set allowBackup="false" are absent from it).
Common Pitfalls
Not disabling network: device receives remote wipe command.
Not capturing RAM: losing encryption keys.
Using device as a USB drive: causes writes to evidence.
Assuming logical acquisition is sufficient: may miss deleted data.
Ignoring MDM logs: missing context of remote actions.
Identify and Secure the Device
Upon discovery of a mobile device involved in an incident, the first step is to secure it to prevent data alteration or remote wipe. Place the device in a Faraday bag to cut network connectivity; airplane mode is a fallback, since toggling it means interacting with (and writing to) the device and some radios may remain active. If the device is powered on, do not power it off unless necessary: RAM contents are lost and the device returns to the before-first-unlock (BFU) state, in which most credential-encrypted data is inaccessible. Keep it charged inside the bag. Document the device's state: screen contents, LED indicators, and any connected cables. Photograph the device and record its IMEI/MEID, model, and OS version. This step aligns with RFC 3227's order of volatility and ensures evidence preservation.
Determine Acquisition Method
Based on device model, OS version, and lock state, choose between logical and physical acquisition. For locked devices, consider passcode bypass techniques if legally authorized. For iOS, bootrom-level physical acquisition is only possible on checkm8-vulnerable devices (iPhone X and older). For Android, physical acquisition may require an unlocked bootloader. Document the rationale for the chosen method. If the device is unlocked, logical acquisition via USB backup may be fastest. Prefer the most complete extraction available (physical or full file system) and accept logical if nothing else is feasible.
Perform Forensic Acquisition
Chip-off readers are read-only by nature, but any host-side copy or mount of an image should go through a write-blocker or a read-only mount. For logical acquisition on iOS, use tools like Cellebrite UFED or an encrypted iTunes/Finder backup. For Android, enable USB debugging and use adb backup or vendor-specific tools. For physical acquisition, boot the device into custom recovery (Android) or use JTAG/chip-off. Tools like Cellebrite UFED automate the process. Ensure the acquisition tool creates a forensic image (e.g., .dd, .e01, .aff) or a hashed extraction container. Verify the image with hash values (SHA-256, with MD5 only for legacy tool compatibility) and record the hash in the chain-of-custody log.
Analyze Acquired Image
Load the forensic image into analysis software (e.g., Cellebrite Physical Analyzer, Magnet AXIOM). Recover deleted files from SQLite WAL files and unallocated space. Parse call logs, SMS, app data, GPS coordinates, and browser history. Timestamp analysis helps reconstruct user activity. For iOS, parse the keychain for passwords. For Android, parse the /data/system/ directory for device settings. Correlate findings with MDM logs to validate timelines. Generate reports with evidence highlights.
Collect MDM Evidence
Access the MDM server (e.g., Intune, Workspace ONE) and export logs covering the incident timeframe. Look for device check-in events, compliance failures, remote commands (wipe, lock), and location history. Export these logs in CSV or JSON format. Correlate MDM timestamps with device forensic findings. For example, if MDM shows a remote wipe at 09:15 and the device image shows no data after 09:10, the wipe likely destroyed evidence. Document the MDM log source and maintain chain of custody.
Document and Report Findings
Create a forensic report detailing the acquisition process, analysis results, and conclusions. Include hash values, timestamps, and screenshots of key evidence. Describe the chain of custody and any legal authorizations. The report should be understandable to non-technical stakeholders (e.g., legal team, management). For the CS0-003 exam, understand that the report must include methodology, findings, and preservation steps. Avoid opinions; stick to facts.
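An added example, not from the original page, covering the timestamp normalization from the analysis step and the MDM correlation from the collection step. Device artifacts arrive in three epochs (Android milliseconds since 1970, iOS Cocoa seconds or nanoseconds since 2001, Chrome microseconds since 1601) while MDM exports use ISO 8601 UTC; the code converts all of them, merges them into one timeline, and checks whether any device data is newer than the remote wipe command. The artifacts, the JSON Lines export and its field names are constructed and hypothetical, not an Intune or Workspace ONE schema:

```python
"""Added example: one UTC timeline from device artifacts in different epochs
plus a constructed MDM export, then a check of the remote wipe against it."""
import json
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)    # iOS/macOS absolute time
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome History visit_time


def from_unix_ms(value):
    """Android providers (mmssms.db, calllog.db) store ms since 1970-01-01."""
    return datetime.fromtimestamp(value / 1000, tz=timezone.utc)


def from_cocoa(value):
    """iOS sms.db 'date': seconds since 2001-01-01, nanoseconds on newer iOS.
    Values above 1e12 cannot be seconds (that would be year 33000+), so treat
    them as nanoseconds."""
    if value > 1e12:
        value = value / 1e9
    return COCOA_EPOCH + timedelta(seconds=value)


def from_webkit_us(value):
    """Chrome History 'visit_time': microseconds since 1601-01-01."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def from_iso8601(text):
    """Cloud MDM exports are usually ISO 8601 with a Z suffix."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed artifacts from a hypothetical Android image: (source, description,
# converter, raw value as stored in the database).
DEVICE_ARTIFACTS = [
    ("mmssms.db", "SMS to +15551230002", from_unix_ms, 1700000000000),
    ("calllog.db", "outgoing call to +15551230002", from_unix_ms, 1700000300000),
    ("Chrome History", "visit to files.example.net", from_webkit_us, 13344474300000000),
]

# Constructed MDM export in JSON Lines with hypothetical field names.
MDM_EXPORT = """\
{"ts": "2023-11-14T21:58:00Z", "event": "checkin", "detail": "compliance=noncompliant reason=rooted"}
{"ts": "2023-11-14T22:20:00Z", "event": "remote_command", "detail": "WIPE issued_by=admin@corp.example"}
"""


def build_timeline(artifacts, mdm_jsonl):
    """Merge device artifacts and MDM events into one UTC-ordered list of
    (timestamp, origin, description)."""
    events = [(conv(raw), "device:" + src, desc) for src, desc, conv, raw in artifacts]
    for line in mdm_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append((from_iso8601(rec["ts"]), "mdm:" + rec["event"], rec["detail"]))
    return sorted(events, key=lambda e: e[0])


def assess_remote_wipe(timeline):
    """Find the first WIPE command and list device artifacts timestamped after
    it.  Device data newer than the command means the device never executed
    the wipe (it was isolated or offline); no such data is consistent with a
    wipe that destroyed later evidence."""
    wipe_at = next((ts for ts, origin, detail in timeline
                    if origin == "mdm:remote_command" and detail.startswith("WIPE")), None)
    if wipe_at is None:
        return {"wipe_issued_at": None, "artifacts_after_wipe": []}
    later = [desc for ts, origin, desc in timeline
             if origin.startswith("device:") and ts > wipe_at]
    return {"wipe_issued_at": wipe_at.isoformat(), "artifacts_after_wipe": later}


def render(timeline):
    """Human-readable lines for the report appendix."""
    return [f"{ts.isoformat()}  {origin:22} {desc}" for ts, origin, desc in timeline]


if __name__ == "__main__":
    tl = build_timeline(DEVICE_ARTIFACTS, MDM_EXPORT)
    print("\n".join(render(tl)))
    print(assess_remote_wipe(tl))
```

In the constructed data the Chrome visit is five minutes newer than the wipe command, so the device-side evidence shows the command was never executed, which is what you expect when the handset went into a Faraday bag before MDM could reach it. Getting every epoch into UTC first is what makes that comparison valid; mixing Android millisecond values with Chrome's 1601-based microseconds without conversion produces a timeline that is off by centuries.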
Enterprise Scenario 1: BYOD Incident
A financial firm experiences data exfiltration via a compromised employee's personal Android phone. The incident response team seizes the device but finds it encrypted and locked. They cannot perform physical acquisition due to Android's FBE and locked bootloader. Instead, they obtain a logical backup via adb (USB debugging was enabled and the device was later unlocked by the employee). The backup reveals the employee installed a malicious app that exfiltrated trade secrets. MDM logs from Microsoft Intune show the device had a compliance policy violation (rooted device detected) two days before the incident, but no action was taken. The logs also show a remote wipe command was issued after the incident, but the device was already in a Faraday bag and never received it. The forensic report includes the logical backup analysis and MDM logs, showing the timeline of compromise. The firm updates its BYOD policy to enforce containerization and automatic quarantine on compliance failure.
Enterprise Scenario 2: Corporate-Owned iPhone Theft
A sales executive's corporate iPhone 14 is stolen. The device is enrolled in Jamf MDM. The IT team immediately issues a remote lock and wipe command. However, the forensic investigation needs to determine if any sensitive data was accessed before the device went offline. The MDM logs show the last check-in was 30 minutes before the theft, and location data shows the device moving away from the office. Since the device was wiped, no forensic image exists. The investigation relies solely on MDM logs and cloud backups (iCloud). They obtain a court order for the iCloud backup, which contains contacts and emails up to the last backup (which was 2 hours before theft). The lesson: remote wipe destroys device evidence, but MDM logs and cloud backups can still provide valuable data.
Scenario 3: Insider Threat
An employee is suspected of leaking customer data. The company uses COPE devices with Workspace ONE MDM. The device is seized while powered on. The forensic team places it in a Faraday bag and performs a physical acquisition using Cellebrite (the device is an older Android with unlocked bootloader). The image reveals deleted WhatsApp messages containing customer information. MDM logs show the device was out of compliance (no encryption) but the policy was not enforced. The forensic report includes the recovered messages and the MDM compliance logs. The company revises its MDM policies to enforce encryption and auto-remediate non-compliant devices. This scenario highlights the importance of MDM policy enforcement and the value of physical acquisition for recovering deleted data.
What CS0-003 Tests on Mobile Forensics and MDM Evidence
The exam covers this material under its Incident Response and Management domain (Objective 3.3) through scenario questions. For mobile devices, this means:
Acquisition methods: Know when to use logical vs. physical acquisition. The exam loves asking which method recovers deleted files (physical).
Order of volatility: Expect a question on the sequence of volatile data capture. Remember: RAM > process tables > disk.
MDM logs: Understand that MDM logs can show remote actions (wipe, lock, unenroll) and compliance status. A common question: "What evidence would show a remote wipe occurred?" Answer: MDM logs with a wipe command timestamp.
Chain of custody: Questions on documentation requirements. Always choose the option that includes photographing, labeling, and hashing.
Legal considerations: BYOD vs. COPE. The exam may ask which data can be acquired without employee consent (corporate data only).
Common Wrong Answers and Why
Choosing logical acquisition when physical is needed: Candidates often pick logical because it's easier, but if the question specifies "recover deleted files," the exam's answer is physical acquisition, which reaches unallocated space. (In real casework a full file system extraction also surfaces deleted SQLite records from WAL and freelist pages, but the exam treats physical as the answer.)
Assuming iOS physical acquisition is always possible: Many candidates think tools like GrayKey work on all iPhones. In reality, physical acquisition is limited to older devices (pre-A12). The exam may test this with a scenario involving a modern iPhone.
Ignoring MDM logs as evidence: Some candidates focus only on device data, forgetting that MDM logs can show remote actions. A question might ask: "What explains missing data on a device?" The answer could be a remote wipe from MDM.
Not isolating the device from network: Candidates may skip the Faraday bag step. The exam will test that failure to isolate can result in remote wipe or data alteration.
Specific Numbers and Terms
iOS encryption: hardware AES-256 engine since the iPhone 3GS; Secure Enclave (passcode-entangled keys and attempt rate limiting) since the iPhone 5s (A7).
Android file-based encryption: introduced in Android 7.0, required on new devices from Android 10 (full-disk encryption was required on capable devices from Android 6.0).
ADB backup: available since Android 4.0; apps can opt out, and Android 12 excludes apps targeting API 31 or higher by default; requires USB debugging and an unlocked device to authorize the host.
Faraday bag: Blocks RF signals (Wi-Fi, cellular, Bluetooth, NFC).
SHA-256: Standard hash for forensic images.
Cellebrite UFED: Common forensic tool.
Edge Cases
Device is damaged: Chip-off acquisition may be required. This is destructive and may not preserve device functionality.
Device is water-damaged: Drying and cleaning may be needed before acquisition.
Multiple users and work profiles: Android supports multiple user profiles, including managed work profiles; each lives under its own /data/user/<id> tree (user 0 is the primary user) with separate credential-encrypted keys under FBE. The examiner must capture, and where possible unlock, each profile.
How to Eliminate Wrong Answers
If the question asks about recovering deleted data, eliminate any option that does not involve physical acquisition or chip-off.
If the question involves a remote wipe, look for an answer that includes MDM logs.
If the question mentions chain of custody, eliminate any answer that skips documentation steps.
For legal questions, remember that BYOD personal data is protected; only corporate data can be accessed without consent.
Mobile device forensics requires specialized tools and techniques due to encryption and proprietary OS.
Physical acquisition recovers deleted data; logical does not.
Always isolate a mobile device from networks (Faraday bag/airplane mode) to prevent remote wipe.
MDM logs provide evidence of remote actions, compliance status, and device location.
Chain of custody must include photographing, labeling, hashing, and documenting every step.
iOS physical acquisition is only possible on older devices with bootrom exploits (pre-A12).
Android file-based encryption (FBE), standard since Android 7.0 and required on new devices from Android 10, keeps credential-encrypted user data locked until the passcode is entered, complicating physical acquisition.
For BYOD, only corporate data can be acquired without employee consent; personal data is protected.
These come up on the exam all the time. Here's how to tell them apart.
Logical Acquisition
Copies only files accessible via OS
Requires device to be unlocked
Faster and less invasive
Cannot recover deleted files
Works on most devices
Physical Acquisition
Bit-for-bit copy of entire flash
May work on locked devices (via exploit)
Slower and may damage device
Can recover deleted files from unallocated space
Limited to devices with known exploits or chip-off
Mistake
Mobile devices are just like computers and can be imaged with the same tools.
Correct
Mobile devices require specialized tools because of proprietary operating systems, default encryption, and storage that is not exposed as a simple block device over USB. dd only helps once you already have privileged access (e.g., a custom recovery on an unlocked Android bootloader) and even then yields ciphertext on an encrypted device; forensic tools like Cellebrite UFED or XRY handle the device-specific exploits, key handling, and parsing.
Mistake
A logical acquisition recovers all data on a mobile device.
Correct
Logical acquisition only copies files accessible through the OS. It misses deleted files, unallocated space, and hidden partitions. Physical acquisition is needed for full recovery.
Mistake
MDM logs are not useful for forensic investigations.
Correct
MDM logs provide critical evidence of device activity, policy violations, and remote actions. They can explain missing data (remote wipe) and corroborate timelines.
Mistake
Turning off a mobile device preserves evidence.
Correct
Powering off loses volatile data (RAM) and returns the device to the before-first-unlock (BFU) state, where the passcode-derived keys are gone and most user data is inaccessible even to advanced tools. It is better to keep the device powered on, charged, and isolated from networks.
Mistake
All iPhones can be physically acquired using GrayKey.
Correct
GrayKey and similar appliances recover passcodes and extract the full file system on supported iOS versions, but a bootrom-level physical acquisition exists only for checkm8-vulnerable devices (iPhone X and older). A12 and later iPhones cannot be imaged without the passcode.
Self-Check Answers
Logical acquisition copies files and data accessible through the operating system, like a backup. It does not recover deleted files or data in unallocated space. Physical acquisition creates a bit-for-bit copy of the entire flash memory, allowing recovery of deleted files and hidden partitions. Physical acquisition is more thorough but may require exploits or chip-off techniques.
MDM logs record device check-ins, policy compliance, remote commands (wipe, lock), and location. They provide a timeline of device activity and can explain missing data (e.g., a remote wipe). They also show when a device became non-compliant, which may correlate with malicious activity.
It depends on the acquisition method. Logical acquisition via iTunes backup may not recover deleted messages because the backup only contains existing data. Physical acquisition (if possible) can recover deleted messages from unallocated space or SQLite WAL files. However, modern iPhones with strong encryption often prevent physical acquisition.
The first step is to isolate the device from all networks to prevent remote wipe or data alteration. Place it in a Faraday bag or enable airplane mode. Then document the device state, photograph it, and record identifying information (IMEI, model). Finally, decide on the acquisition method based on device characteristics.
The order of volatility (RFC 3227) for mobile devices is: registers and cache (lost immediately), RAM (lost within seconds to minutes), process table/kernel data (lost on shutdown), file system data (persists until overwritten). Analysts should capture RAM first if possible, then proceed to disk imaging.
Sometimes. If the bootloader is unlocked, you can boot into custom recovery (e.g., TWRP) and create a physical image. If the bootloader is locked, physical acquisition may require exploiting a vulnerability or using chip-off techniques. On newer Android devices with FBE, physical acquisition is difficult without passcode.
A Faraday bag blocks electromagnetic signals, preventing the device from communicating with cellular networks, Wi-Fi, Bluetooth, and NFC. This stops remote commands (like wipe) and prevents the device from receiving new data. It preserves the device's state for forensic acquisition.