The correct seizure of smartphones and other mobile devices

The first step in the mobile forensic investigation process is one of the most important and should not be underestimated. The correct seizure of mobile devices strongly influences the following steps (extraction, analysis and reporting). With this post, T3K-Forensics wants to give mobile forensics experts a brief overview of the most important tasks when seizing mobile devices. So what are the tasks to carry out when seizing mobile devices?

#1 Documentation of the environment

As in any forensic enterprise, when it comes to seizing evidence, proper documentation is one of the most important tasks. First of all, photos should be taken of the mobile device itself and of the environment in which it was found (especially cables, adapters, docking stations, etc.). Also note in your documentation the state the device was found in (running/not running; locked/unlocked; visible damage, etc.).

#2 Documentation of the IMEI

As an identifier for smartphones, the IMEI (International Mobile Station Equipment Identity) is usually used in documentation. As the IMEI is meant to identify a device in the cellular network, dual-SIM phones have two IMEIs, phones made for CDMA networks have a MEID instead of an IMEI, and tablets without the ability to connect to a cellular network do not have an IMEI assigned.

Often the IMEI is printed on the back of the phone or on a sticker under the battery. If you cannot find an IMEI that way, you will usually find it in the phone's menu or by dialling *#06#.
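When an IMEI is copied from a sticker or from the *#06# display into the seizure record, a transcription error is easy to make and hard to notice later. The 15th digit of an IMEI is a Luhn check digit over the first 14 digits (3GPP TS 23.003), so the record can be sanity-checked at the time of documentation. The following is an added example written for this post and is not T3K-Forensics' own tooling; it goes slightly beyond the text by also flagging hex-containing values, which point to a MEID rather than an IMEI. The sample identifiers are constructed test values, not real devices.

```python
import re

# Identifiers as they might be transcribed from a sticker or the *#06# display.
# Constructed test values, not real devices.
SAMPLE_IDENTIFIERS = [
    "49-015420-323751-8",   # IMEI in the common dashed display format
    "490154203237518",      # same IMEI without separators
    "490154203237511",      # same digits with a transcription error in the last digit
    "4901542032375",        # too short to be an IMEI
    "A0000012345678",       # hex characters: looks like a MEID (CDMA), not an IMEI
]


def normalize(raw: str) -> str:
    """Strip the separators (dashes, spaces, slashes) that phones and stickers insert."""
    return re.sub(r"[^0-9A-Za-z]", "", raw).upper()


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits.

    For an IMEI, body is the first 14 digits (TAC + serial number); the
    returned value is what the 15th digit must be.
    """
    total = 0
    # Walk from the rightmost digit of the body. The rightmost body digit is
    # doubled because the check digit itself occupies the undoubled position.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def validate_imei(raw: str) -> dict:
    """Return a record describing whether the transcribed value is a plausible IMEI."""
    value = normalize(raw)
    result = {"input": raw, "normalized": value, "valid": False, "reason": ""}
    if not value.isdigit():
        # A 14-character hex string is the MEID format used by CDMA devices.
        if len(value) == 14 and re.fullmatch(r"[0-9A-F]{14}", value):
            result["reason"] = "hex characters present: looks like a MEID, not an IMEI"
        else:
            result["reason"] = "non-decimal characters present"
        return result
    if len(value) != 15:
        result["reason"] = f"expected 15 digits, got {len(value)}"
        return result
    expected = luhn_check_digit(value[:14])
    if int(value[14]) != expected:
        result["reason"] = (
            f"check digit {value[14]} does not match expected {expected} "
            "(transcription error?)"
        )
        return result
    result["valid"] = True
    result["tac"] = value[:8]        # Type Allocation Code identifies make and model
    result["serial"] = value[8:14]   # manufacturer serial number
    result["reason"] = "ok"
    return result


if __name__ == "__main__":
    for raw in SAMPLE_IDENTIFIERS:
        r = validate_imei(raw)
        print(f"{raw!r:24} -> valid={r['valid']} ({r['reason']})")
```

Note that a passing check digit only catches copying mistakes; it does not prove the IMEI belongs to the device in hand, so the photographed sticker and the *#06# display should still both be recorded.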

#3 Handling locked smartphones

If you find a phone in an unlocked state, your first priority should be to stop the phone from locking, by touching the screen and by changing the screen-timeout setting to the maximum. Next, go to the security settings and check whether any kind of lock code is set. If so, and the code is unknown, you might want to consider an immediate on-site extraction of the phone, if that is possible.

Should the screen not be active when you find the device, try not to disturb the screen, so that possible smudges on the screen can be recovered, and with them possible unlock patterns for the phone.

Because of the continually tightened security concepts of mobile device manufacturers, unknown passcodes can become an obstacle in your forensic investigation, which may only be overcome by the costly and time-consuming use of a special unlocking lab, or in other cases not at all. Therefore, you should not miss the opportunity to ask the owner of the phone for possible unlock codes for the device. Note that PIN codes of SIM cards usually do not impede forensic examinations – at least not for government agencies, as those can simply request the PUK code for a SIM card from the network provider.

Even if a device seemingly has no passcode set, in the case of Android devices this might only be because of an active Smart Lock. As soon as you leave a certain area, lose the connection to a certain Bluetooth device or set the phone down for a few seconds, the lock code might become active again and lock you out of the device. So, if you find an Android device seemingly without a lock code set, go to the security settings and confirm that state before you attempt to bag the device as evidence.

All modern smartphones feature an option to lock the phone or wipe all data from it by issuing a remote command. This poses the risk of losing all evidence on a device. In addition, data arriving at the device after the seizure might change or overwrite evidence and undermine the forensic soundness of your examination. Therefore, your next priority should be to sever the device's connection to the network.

#4 Disconnecting mobile devices from the network

The two main methods are to activate airplane mode on the device, or to put the device in a so-called Faraday bag. If you put a device in a Faraday bag, remember that the device's battery will drain rather quickly as it searches for a signal, so it is recommended to connect a battery pack to the device and put it in the Faraday bag as well. Note that on some smartphones, activating airplane mode is not possible without unlocking the phone first. To be on the safe side, we recommend combining both methods whenever possible.

Should you not be able to access airplane mode and have no Faraday bag at hand, you can also remove the SIM card – provided that the device does not use an eSIM instead – to sever the connection to the cellular network. However, be aware that without the SIM card the device can still connect to known Wi-Fi networks, and that in some areas there may be city-wide Wi-Fi networks active (e.g. the Funkfeuer project or UPC Wi-Free in Vienna), which the seized device might connect to. Turning off the device, however, should always be a matter of last resort, as encryption might become active after a reboot and as unnecessary restarts of a device might overwrite deleted data.

Conclusion

Seizing evidence is one of the most important parts of the mobile forensic investigation process and substantially impacts the following steps (extraction, analysis and reporting). Investigating mobile forensics experts should be aware of the tasks to be carried out when seizing evidence and of their influence on the investigation process.

In this post, we could only give a brief overview of the most important tasks – there are many special cases (e.g. Apple's new USB Restricted Mode or synchronized PCs), which are tackled in detail in our mobile forensics trainings. The correct seizure of mobile devices is a main part of our L1 – Mobile Phone Extractions and Analysis training. This training covers the most important steps of mobile forensic investigations, from seizing the device to creating reports. One of the unique parts of this training is the handling of different mobile devices and mastering the challenges that occur when investigating them (more than 60 different smartphones).

Do you want to improve your knowledge of mobile forensics? We are at your service at any time!

L1 - Mobile Phone Extractions & Analysis Training
