// first 10 minutes
mobile device triage (consent-based) — quick-start
mobile triage — first 10 minutes. consent and safety before acquisition. print this, check boxes, then run the primary tools.
checklist
- confirm explicit, informed consent from the device owner before touching the device — document who consented, when, and in what context.
- photograph the device (front and back), note make, model, iOS/Android version, and serial number before any extraction.
- put the device in airplane mode or a Faraday bag — prevents remote wipe and stops new data from arriving during triage.
- note current battery level and plug in if below 30% — acquisition can fail mid-run on a dead battery.
- iOS: check if the device is locked or unlocked; note Face ID / Touch ID enrollment status.
- android: note if USB debugging is enabled — acquisition paths differ significantly without it.
- record the device PIN or passcode from the owner if they consent — required for most logical extraction methods.
- check for active cloud sync — iCloud backup, Google auto-backup — and note last sync timestamp.
- do not install any apps on the device or trigger backup before extraction — changes modification timestamps.
- begin the primary tool path below — mobile triage tool suite.
primary tools
- 01ios backup browserdrop an iTunes backup Manifest.db · list backed-up apps · files · domains · relative paths · export CSV · runs locally
- 02ios backup analyzerdrop an ios backup manifest · browse file structure · extract app data · databases · runs locally
- 03android backup analyzerdrop an android backup ab file · browse app data · extract databases · files · shared preferences · runs locally
- 04ios spotlight search artifact extractordrop ios spotlight sqlite or interactionc database · extract spotlight search queries · reconstruct what the user searched for on device · surface app launches via spotlight and searched contact names · runs locally
- 05ios screen time forensic analyzerdrop screen time sqlite from ios backup · app usage · website visits · pickup frequency · digital activity · alibi assessment · runs locally
- 06ios app install and uninstall timeline reconstructordrop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
- 07android logcat analyzerdrop android logcat output · parse log levels · crash detection · anr · security exceptions · network activity · timeline · runs locally
- 08mobile location history extractordrop ios locations sqlite · google location json · csv gps · haversine stops · movement timeline · runs locally