May 4, 2026

Mobile Device Forensics in Litigation: Lessons from the Front Lines

by Michael Ciaramitaro

Chief Operating Officer

Michael Ciaramitaro is Chief Operating Officer and leads ILS’ Technical Operations and Digital Forensics Department providing expert-level consultation to support our clients.

An overview of mobile data collection, preservation, and the high-stakes cases that shaped modern digital forensics

In an era when our smartphones hold more evidence than filing cabinets ever did, understanding mobile device forensics is critical to litigation success. Michael Ciaramitaro, Chief Operating Officer at ILS, a subject matter expert in digital forensics and a Cellebrite Certified Physical Analyst, recently shared insights from some of the most consequential cases in digital evidence history—and the lessons they offer legal teams today.

When Encryption Meets the FBI: The San Bernardino Case

The 2015 San Bernardino iPhone case remains one of the most publicized battles over access to encrypted data. After recovering a locked iPhone 5C from the shooting suspect, the FBI encountered an encrypted device that seemed completely inaccessible. What followed was a high-profile standoff with Apple.

The FBI demanded that Apple create a backdoor to bypass the device’s security. Apple refused, arguing that doing so would compromise the privacy and security of all iPhone users—a precedent it was unwilling to set. When legal efforts to compel Apple’s cooperation failed, the FBI turned to a third-party vendor who developed a custom exploit to access the device.

The outcome? Despite the effort and expense, no material evidence was recovered.

The Critical Takeaway: Encrypted data isn’t always inaccessible. Whether data can be recovered depends on timing, preservation methods, and available expertise. Legal teams should never assume that locked or encrypted devices are beyond reach—when the right processes and technical resources are in place, recovery is often possible.

In fact, recent research has shown that even end-to-end encrypted messaging apps like Signal, while encrypted at rest, can be discoverable on iOS devices that have been imaged using full file system extraction methods.

The $92,000 Lesson: Skanska and the Cost of Spoliation

If the San Bernardino case demonstrated the technical challenges of mobile forensics, the Skanska litigation illustrated the legal consequences of getting it wrong.

Following Hurricane Sally, Skanska Construction faced a lawsuit after its barges broke loose and caused significant damage. Despite issuing a litigation hold, the company catastrophically mishandled the preservation of mobile devices:

  • 13 custodians were targeted for data preservation
  • 5 custodians had their data completely wiped, deleted, or lost
  • False statements were made to the court about device ownership
  • A custodian’s personal phone used for work was “discovered” only after initial denials
  • Evidence showed selective message deletion among preserved devices

Magistrate Judge Hope T. Cannon in Florida didn’t mince words, calling this a “textbook case of spoliation” and finding evidence of bad faith. The only explanation Skanska offered for the data loss was essentially an “oops.”

The Consequences:

  • Adverse inference instructions against Skanska
  • $92,000 in sanctions
  • Severe credibility damage

As the plaintiff’s mobile forensic expert in this case, Mr. Ciaramitaro testified that even among the data Skanska produced, there were clear signs of selective deletion—evidence that informed the court’s findings.

Three Critical Lessons from Skanska

  1. Litigation holds are just the starting line. Issuing a hold isn’t enough—you must ensure that custodians understand it and that enforcement mechanisms are in place.
  2. Prompt collection is essential. Waiting too long risks deletion, whether intentional or accidental. Mobile data is especially vulnerable.
  3. Don’t rely on self-collection. When dealing with mobile devices, forensically sound collection by a trained expert is not optional—it’s essential for defensibility.

Depp v. Heard: When Metadata Tells the Story

The highly publicized Depp v. Heard defamation trial put photographic metadata center stage. Both sides brought digital forensic experts to examine the authenticity of injury photographs.

Johnny Depp’s expert, Norbert Neumeister, analyzed the EXIF metadata of photographs submitted by Amber Heard that allegedly show bruising. His conclusion: the images couldn’t be verified as native and authentic files. The metadata indicated the photos were enhanced or altered using the iPhone’s native editing tools—they had been “rendered and composited in an editing program to make the bruises stand out more clearly.”

But the scrutiny wasn’t one-sided. Unsealed court records showed that Heard’s expert, Julian Ackert, had raised similar concerns about Depp’s digital evidence. Some of his photos had metadata anomalies—missing or inconsistent creation dates that could indicate manipulation or tampering.

The Forensic Perspective: As Mr. Ciaramitaro notes, “You don’t have to outrun the bear, you just have to outrun the other side.” Digital artifacts don’t always tell the full story. Sometimes they clearly show manipulation; other times, they’re designed to sow doubt. This is why context and chain of custody are so critical in high-stakes litigation.

Understanding Collection Methodologies

When it comes to mobile device collections, the approach you choose affects both data quality and the custodian experience. There are three primary methods:

Remote Collection

Custodians retain possession of their device while following guided instructions from a forensic expert.

Advantages:

  • Least disruptive to the custodian
  • Most cost-effective
  • Ideal for geographically dispersed teams

Limitations:

  • Less effective for locked or damaged devices
  • Cannot perform full file system extractions
  • Requires custodian cooperation and technical capability

In-Lab Collection

The device is physically surrendered for examination at a forensic facility.

Advantages:

  • Greatest level of control for examiners
  • Enables advanced recovery, including full file system imaging
  • Can recover deleted data

Disadvantages:

  • Inconvenient for custodians
  • May encounter resistance, especially with primary devices
  • Requires device to be out of the custodian’s possession

On-Site Collection

A forensic expert travels to the custodian’s location to perform the collection.

Advantages:

  • Provides personal support and reassurance
  • Accommodates privacy concerns
  • Allows for secure, controlled environment

Disadvantages:

  • Most expensive due to travel and logistics
  • Requires provision of secure workspace
  • Time-intensive

The Three Extraction Types Every Legal Team Should Understand

Beyond the collection method, the type of extraction determines what evidence you’ll actually capture. Understanding these differences is critical to case strategy.

  1. Logical File System (LFS)

This is the most common extraction method, retrieving user data accessible through the device’s file system: photos, contacts, call logs, text messages, and basic app data.

  • Best for: Routine discovery requests where surface-level data is sufficient
  • Limitations: Misses deleted data, system-level logs, and data from apps that restrict backup access
  • Speed: Quick and widely supported

  2. Logical Targeted Extraction

Focuses on specific data categories based on investigation needs—only messages, only images, or specific app data.

  • Best for: Large volumes with tight timelines; privacy-conscious custodians
  • Limitations: App or API dependent; may miss contextual or exculpatory data
  • Risk: Efficient but may omit evidence from restricted apps

  3. Full File System Extraction

The gold standard—captures everything on the device, including deleted files, background app data, system logs, and metadata invisible to standard viewing.

  • Best for: Cases involving spoliation allegations, data manipulation concerns, or where completeness is critical
  • Requirements: May require jailbreaking, exploits, or specialized tools (Cellebrite Enterprise, GrayKey)
  • Advantages: Most complete picture; can recover deleted information
  • Disadvantages: Complex, expensive, may face legal or technical constraints

Real-World Impact: In an alleged suicide case, Mr. Ciaramitaro performed a full file system extraction of a custodian’s iPhone and uncovered logs from a continuous glucose monitoring system. These logs, which a logical extraction would not have captured, revealed key material facts that shaped the legal team’s strategy.

The Cloud Complication: What’s Really on the Device?

One of the most common pitfalls in mobile forensics is failing to understand the distinction between data stored locally on a device and data residing in the cloud.

What’s Actually on an iPhone?

Local Data:

  • System and configuration settings
  • SMS messages (green bubbles)
  • Locally saved photos and videos
  • Downloaded apps and cached data
  • Safari history and bookmarks (if iCloud sync is off)

Cloud-Only or Cloud-Preferred Data:

  • iMessage conversations (when “Messages in iCloud” is enabled)
  • Full-resolution photos and videos (with “Optimize iPhone Storage” enabled—only thumbnails remain local)
  • Email content (often just previews; full messages on server)
  • iCloud Drive files and app backups
  • Third-party app backups (WhatsApp in iCloud, Telegram in Google Drive)

The Forensic Risk

A device that appears full of data may actually be displaying “ghost files”—placeholders or thumbnails pointing to cloud-stored originals. A forensic collection that doesn’t account for cloud acquisition may miss critical evidence.

Critical iOS Settings to Check Before Collection

Work with a qualified forensic expert to review these settings with custodians:

  1. iCloud Messages: If enabled, turn off and wait for messages to rehydrate locally, or supplement with cloud collection
  2. Optimize iPhone Storage: Disable to ensure full-resolution media with complete EXIF metadata is on the device
  3. Mail Accounts: Identify whether mail is cloud-resident and plan for direct server collection if needed
  4. App-Specific Cloud Settings: Check backup settings for WhatsApp, Telegram, and other messaging apps

The Forensic Toolbox: Cellebrite, GrayKey, and Oxygen

Different tools serve different purposes in the mobile forensics ecosystem. Understanding their strengths helps legal teams make informed decisions.

Cellebrite

Often considered the gold standard, Cellebrite offers broad device support and forensically sound extraction methods for both iOS and Android. It’s widely used in government and civil litigation, making it a tried-and-tested, court-accepted tool.

Best for: Comprehensive collections requiring both logical and full file system extractions

GrayKey

Specialized for unlocking and extracting data from locked iOS devices, especially newer iPhones. It’s a powerful access tool but not a full review or analysis platform.

Best for: Law enforcement or high-stakes cases where access is blocked by encryption or screen locks
Note: Extracts raw data that requires other tools for analysis

Oxygen Forensics

Stands out for cloud acquisition and cross-platform analysis. Excellent for messaging apps, social media, and cloud backups (iCloud, Google, Samsung Cloud).

Best for: Investigating user behavior across platforms; strong visualization tools for communications, geolocation, and timeline analysis

Review Formats: How You See the Data Matters

The format in which mobile data is presented can be as important as the data itself. Three common formats serve different purposes:

RSMF (Relativity Short Message Format)

Despite the name, RSMF is supported across multiple platforms. It’s specifically designed for chat data like SMS, iMessage, and WhatsApp.

Advantages:

  • Preserves conversation threads
  • Displays content as it appears on the device
  • Includes timestamps, participants, emojis, and attachments in context
  • Can be customized into time slices (24-hour or 48-hour chunks for long conversations)
  • Ideal for large-scale, context-rich review

Best for: Structured legal review where tone, intent, and timing are critical

Screenshots

Visually compelling for court presentations but severely limited for comprehensive review.

Disadvantages:

  • Static—no metadata for filtering
  • Can be edited, making authentication difficult
  • Lack context (snapshot of a moment, not the full conversation)
  • Manual and time-intensive for high volumes
  • Prone to user error in selection

Best for: Court visualizations only, not discovery review

HTML Exports (from tools like Cellebrite)

Creates a single, organized report with messages, contacts, media, and app data in a clickable, searchable format viewable in any browser.

Advantages:

  • Readable and portable
  • Good for sharing with third parties

Disadvantages:

  • Not optimized for large volumes
  • Lacks threading and filtering capabilities of RSMF
  • Better for quick reference than deep analysis

The Metadata That Matters

Metadata extracted from mobile devices provides a detailed record of user activity, communications, and content creation. In litigation, it’s often the metadata—not the content itself—that proves or disproves a claim.

Message Metadata

  • Timestamps: When messages were sent/received (device time and sometimes network time)
  • Sender/Recipient Data: Phone numbers, email addresses, usernames
  • Thread Context: Unique conversation IDs enabling thread reconstruction and identification of missing content

Geolocation Data

Collected through GPS, Wi-Fi triangulation, or cell towers:

  • Shared locations in messages
  • EXIF data in photos and videos showing where content was created
  • Location services logs

Photo and Video Metadata (EXIF)

Automatically embedded by the device at the time of capture:

  • Creation date and time
  • Camera settings and device make/model
  • Geolocation (latitude/longitude if enabled)
  • Orientation and resolution
  • Indicators of alteration or resizing

App and Content Tags

  • User-generated labels (favorites, hidden albums)
  • Face detection markers
  • Cloud sync indicators (iCloud vs. local storage)
  • Sharing history (uploaded to Instagram, Dropbox, etc.)

The Power of Cross-Referencing

By comparing metadata across different artifacts—aligning message timestamps with photo creation times, for example—analysts can build reliable activity timelines and detect anomalies:

  • Time discrepancies suggesting manipulation
  • Gaps in message threads
  • Photos or videos missing expected metadata
  • Evidence of deletion or concealment
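
The cross-referencing described above can be sketched in a few functions. This is an added example, not code from the article or from any forensic tool. The record fields (`row_id`, `sent`, `attachment`, `captured`) and all sample values are constructed, and treating a gap in row ids as missing messages and using a two-minute tolerance are assumptions about the export being analysed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names are hypothetical, not a tool's export schema.
MESSAGES = [
    {"row_id": 101, "sent": "2024-03-01T14:00:05+00:00", "attachment": None},
    {"row_id": 102, "sent": "2024-03-01T14:02:10+00:00", "attachment": "IMG_0001.JPG"},
    {"row_id": 105, "sent": "2024-03-01T14:30:00+00:00", "attachment": "IMG_0002.JPG"},
    {"row_id": 106, "sent": "2024-03-01T15:00:00+00:00", "attachment": "IMG_0003.JPG"},
]
PHOTOS = {
    "IMG_0001.JPG": {"captured": "2024-03-01T14:01:30+00:00"},
    "IMG_0002.JPG": {"captured": "2024-03-01T16:45:00+00:00"},  # later than its message
    "IMG_0003.JPG": {"captured": None},                          # capture date absent
}

def parse(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def row_gaps(messages):
    """Return (before, after) row-id pairs where the sequence is not consecutive."""
    ids = sorted(m["row_id"] for m in messages)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]

def photo_anomalies(messages, photos, tolerance=timedelta(minutes=2)):
    """Flag attachments with no capture time, or captured after they were sent."""
    findings = []
    for m in messages:
        name = m["attachment"]
        if name is None:
            continue
        captured = photos.get(name, {}).get("captured")
        if not captured:
            findings.append((name, "missing capture time"))
        elif parse(captured) - parse(m["sent"]) > tolerance:
            findings.append((name, "captured after message was sent"))
    return findings

def timeline(messages, photos):
    """Merge message and photo events into one chronological list of labels."""
    events = [(parse(m["sent"]), f"message {m['row_id']}") for m in messages]
    events += [(parse(p["captured"]), f"photo {n}")
               for n, p in photos.items() if p["captured"]]
    return [label for _, label in sorted(events)]

if __name__ == "__main__":
    # Each finding is a lead for the examiner to explain, not proof of tampering:
    # clock changes, time zones and re-saved files produce the same signals.
    print("row-id gaps:", row_gaps(MESSAGES))
    print("photo anomalies:", photo_anomalies(MESSAGES, PHOTOS))
    print("timeline:", timeline(MESSAGES, PHOTOS))
```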

Challenges in Modern Mobile Forensics

Technical Barriers

  • Encryption: End-to-end encrypted apps like Signal and WhatsApp make recovery impossible without device access and active session credentials.
  • Ephemeral Data: Disappearing messages in Signal, Snapchat, WhatsApp, and Instagram mean delays in collection can result in permanent loss.
  • App Storage Restrictions: Some apps sandbox content or restrict logical extraction, requiring root access or jailbreaking for recovery.

Legal and Procedural Challenges

  • Consent: Direct device collection in civil litigation typically requires custodian consent or a court order. Biometric locks and passcodes can block access without cooperation.
  • Third-Party Subpoenas: Cloud providers like Google, Apple, and Meta often resist or delay responses. The data they provide may be limited to metadata and login records rather than full content.

ESI Protocols: These negotiated agreements define how data will be collected, produced, and reviewed. For mobile data, this includes:

  • Scope of apps and data types
  • Tools to be used for extraction
  • Whether full file system images will be created
  • How privileged or private data will be handled

Inspection Protocols: More detailed agreements spelling out:

  • Who performs the collection
  • Whether the custodian will be present
  • What data will be accessed or excluded
  • Whether copies will be shared with opposing parties

Best Practices for Legal Teams

For Preservation

  1. Act immediately when litigation is anticipated. Mobile data is particularly vulnerable to loss.
  2. Disable auto-delete features. Instruct clients to turn off message auto-deletion (30-day, 90-day settings) and disappearing message features.
  3. Prevent device turnover. Ensure phones aren’t factory reset, traded in, or recycled before collection is complete.
  4. Document the hold. Issue clear litigation holds and confirm receipt and understanding by all custodians.

For Collection

  1. Choose the right extraction method. Match the method to case needs:
    • Routine discovery → Logical extraction may suffice
    • Spoliation concerns → Full file system required
    • Tight timelines → Logical targeted extraction
  2. Use qualified experts. Don’t rely on custodian self-collection. Forensically sound methods require professional expertise.
  3. Account for cloud data. Check sync settings and plan for cloud collection where needed.
  4. Establish protocols early. Negotiate ESI and inspection protocols at the outset to avoid disputes.

For Review and Production

  1. Use appropriate formats. RSMF for comprehensive review, screenshots only for court presentations.
  2. Preserve metadata. Ensure extraction methods capture and maintain all relevant metadata.
  3. Document chain of custody. Maintain detailed records of all handling and collection procedures.
  4. Plan for authentication. Consider how evidence will be authenticated at trial from the beginning.

The Bottom Line

Mobile device forensics is no longer a specialized niche—it’s central to modern litigation. The cases discussed here—from San Bernardino to Skanska to Depp v. Heard—demonstrate that success requires more than just technical capability. It demands:

  • Early action to preserve evidence before it’s lost
  • Technical expertise to navigate encryption, cloud storage, and app restrictions
  • Legal foresight to establish defensible protocols
  • Strategic thinking to choose collection methods that support case objectives

The $92,000 question isn’t whether your organization can afford robust mobile forensics—it’s whether you can afford not to have it.
