Mobile Forensics


Compelson MOBILedit Forensic Express is a versatile application that acts as a data extractor for mobile phones and cloud accounts. In addition, it acts as a data analyzer and report generator. This powerful 64-bit application applies both physical and logical analysis methods extremely efficiently. With the integrated application analyzer, the GPU-assisted password and PIN breaker as well as the function for recovering deleted data, MOBILEdit offers all the necessary tools to evaluate mobile phones immediately and easily.

In addition, the software allows analyzing ADB (Android Data Bridge) backups and iTunes backups. It supports a wide range of mobile phones, from older models to current devices. Support is continuously updated and expanded through live updates. With granularly adjustable reports and an intuitive user interface, MOBILEdit is a true multifunctional tool. In addition, multithreading enables the simultaneous analysis of several devices.


Compared to other products, Compelson Mobile Edit is extremely cost-effective. Due to its data compatibility with industry standards, it can also be used as a supplement to existing Mobile Analysis packages. Request a non-binding offer today. Also note the possibility of integrating Camera Ballistics for the origin analysis of photos.

Investigators are faced with a variety of data types when analyzing forensic data. Find out here which data can be extracted, analyzed and presented. However, the amount of data extracted depends on the phone model, its operating system and its condition.

Key Features

Forensic data extraction for most mobile phones.
Fast password cracking thanks to GPU (Graphics Processing Unit) acceleration and efficient multi-threading.
Examination of iTunes backups.
Examination of Android ADB backups.
Determination of app data.
Photo/image recognition function.
Recovery of deleted data.
Compatibility with Cellebrite UFED Data Analyzer.
Compatibility with Cellebrite UFED Data Generator.
Compatibility with Oxygen Data Analyzer.
Report generator for detailed reports.
Ability to unlock cell phones.
Integration with Camera Ballistics possible (for checking camera recordings as evidence).

Unbeaten in the NIST test

The National Institute of Standards and Technology (NIST) has developed a methodology to test mobile forensic tools and measure the reliability of products available on the market. In this test, Compelson Mobile Edit scored outstanding and proved to be an extremely reliable and powerful tool for forensic data analysis of mobile devices.

Reports & Exports

MOBILedit offers different options for forensic reports and exports:

HTML: Creates a hierarchical structure that allows the data to be easily browsed with any browser.
PDF: The data can be exported as a single file or in multiple separate files in Acrobat Reader format.
XML: The data can be opened in Excel.
XLS: Exports the data as an Excel workbook.
UFDR: The ability to export the data as a Cellebrite Report file.
MOBILedit exports the processed file structure from the phone.
MOBILedit secures the backup of the RAW files from the phone.
Export and backup can be compressed and encrypted using AES encryption with MD5 or SHA256 hashes.

contact report

The contact report is a valuable tool in uncovering the suspect's connections. It contains comprehensive contact data that has been carefully extracted and analyzed, including deleted contacts where available. The data for the contact analysis comes from various sources such as the phone book, internal memory, vCard files, SIM cards, cloud accounts and applications. The report allows the investigator to search specifically for names, numbers, deleted contacts or other information. The report also provides detailed information about when the contact was created, when it was last modified, and what type of account it is (e.g. WhatsApp, Cloud, Gmail, Facebook, etc.). Here the investigator will find important information such as phone numbers, email addresses, home addresses, birthdays, employers and contact profile pictures that will help put a face to a name.

Through a contact analysis, the investigator can find out which contacts the suspect had close contact with and discover important connections. The contact analysis lists the number of messages and calls sent and received, including the talk time in minutes, and ranks the contacts in descending order of the number of communication events with the suspect.

The contact report allows the investigator to identify all phone, email, cloud and application accounts associated with the suspect's device. This information is extremely valuable in solving the case.

All messages are retrieved and displayed in full in the message report, including deleted messages if available. This includes standard phone messages such as SMS, MMS, iMessages, email messages, SIM messages and application messages. The report can be customized and sorted by contacts, timeline, conversation view, or both.

Communication history:
The report enables efficient perusal of complete conversation histories. The conversations are separated by contact and sorted by time order. All SMS, MMS, iMessage and application messages including encrypted messaging apps are included in the reports.

Call log:
The call log contains details of all phone calls made through cellular services and applications, including deleted calls. The report shows the date and time of the calls, the call duration, the source of the call (e.g. cellphone, Facebook, WhatsApp, etc.) and the associated contact and phone number.

The Email Report retrieves and displays emails in full, including deleted messages if available. The report can be customized and sorted by contacts, timeline or conversation view.

Advanced application analysis:
All installed applications are listed and analyzed in detail, including deleted application data if available. The application report provides a comprehensive overview of the applications on the device. It is possible to limit the search to specific applications or to carry out an analysis for all applications in the device. Especially relevant is the ability to read encrypted messages in various applications. The RAW application data is saved in the export folder, allowing for additional processing and analysis. MOBILedit supports hundreds of applications and the list keeps growing.

MobilEdit is designed to integrate seamlessly with other forensic tools in your lab. It allows importing and analyzing data files exported from Cellebrite UFED and Oxygen reports. This can reveal data that may have been overlooked. You can also export all data extracted with MOBILedit Forensic Express to UFED. This allows you to use the UFED Viewer or Analytics for further processing and further your investigation.

Deleted data:
Deleted data is often crucial in an investigation. Our software presents details of erased data in a dedicated comprehensive data erased report. In addition, deleted data is also displayed in each individual analysis report. Regardless of whether it is deleted calls, SMS, MMS, calendar entries, notes, application data or other evidence, MOBILedit Forensic Express intensively searches databases for caches and hidden files in order to find the largest possible amount of deleted data.

The password report shows passwords from different account types and applications. On iOS devices, all system passwords and most application passwords are managed through a dedicated and encrypted keychain. Our software can decrypt the keychain and retrieve all passwords stored in it. This includes Wi-Fi passwords, Apple ID passwords, passwords saved in Safari, and various email and application passwords and passwords saved in web browsers and other accounts. Get Wi-Fi passwords from Android devices.

WLAN networks:
The Wi-Fi network report shows detailed information about all Wi-Fi networks saved on the device. The report shows the history of WiFi connections in chronological order. This includes the WiFi network name, last connected time and date, auto connect time and date (indicates if the suspect has repeatedly visited the network location), SSID, BSSID and security mode. In addition, continued protocols and connection times can also be supported. WiFi network passwords are also recovered and displayed in the password report.

The image report lists images from the phone's file system, including images retrieved from apps. Potential images stored in temporary files or caches are also detected. The option to display large full-size images allows displaying one image per page in an additional section of the report. Duplicate images, such as emojis, can be filtered to keep reports uncluttered.

The photo report retrieves all device and application photos of the phone, usually from the DCIM folder. Deleted photos sent via MMS or from an app can also be recovered if the memory allows it. The Apple HEIF image format is also supported.

radio cells:
Data from cell towers to which the phone in question was connected can be retrieved. Received cell phone locations are displayed individually on the map via a link.

Audio files from the phone and apps are copied. The audio report allows you to play an audio file simply by clicking on it. The report also includes the file path, creation and modification time, audio file length and size.

Video files from the mobile phone and the apps are copied. The video file report allows you to play a file by clicking on it. It also shows the file path, creation date, modification date, encoding, video length, size, frame rate, height and width.

The calendar and organizer are searched and analyzed. The data is processed in four different reports. It is possible to customize the search for calendar entries, notes and tasks within a specific time range or to perform a full search.

The calendar report shows the various device and application accounts where events have been created and stored. Details include the source of the account, name, account owner, email address, and the number of events associated with the calendar.

Events report lists all events of the device and apps in detail, including deleted entries from calendars and other sources where events were created. The details include the calendar in which the event was created, summary, description, start time, creation time, modification time, end time, and recurrence. The events can be displayed in ascending or descending order.

Tasks are detailed in the task report. This includes the full text, creation time, modification time, start and end time, and whether the task was deleted.

Notes, including deleted or removed notes, are summarized in detail in the notes report. The report includes the note's title, summary, full-text content, and times of creation, modification, and deletion.

All common document formats can be read and presented.

System logs:
A report on system logs and DumpSys files from Android phones. Android stores these files for debugging and monitoring. They contain system data such as current locations, recently connected WiFi networks, running apps, recently launched apps, current cell locations and signal information, the current Bluetooth MAC address and name. These files are listed in the System Logs section in the HTML and PDF reports and can be opened simply by clicking on their filenames. Your content will be analyzed and displayed in various reports for WiFi networks, GPS locations, notifications, etc.

File system:
The file system report contains three sections:

Internal - contains the raw file system.
Application File System - Contains data files from apps.
Extra File System – These files are not physically present on the device but come from the iTunes backup. On Android, these are Content Providers, System Logs, and DumpSys files.

The timeline allows a precise insight into all device activities. The report summarizes all extracted items with timestamp and displays them chronologically. The parameters of a timeline can be adjusted. For example, you can choose to only create a timeline with calls and messages.

Photo detection:
This feature automatically finds suspicious content in photos such as guns, drugs, nudes, currency, and documents. The photo recognition uses AI and learns independently. You can analyze unlimited photos and save time by avoiding manual searches. Photos are automatically categorized so investigators can easily archive cases and detail suspicious content in a detailed report.

Bookmarks report collects all browser bookmarks from iOS phones (Safari) and on Android devices up to Android 5.1. In later versions of Android, bookmarks can only be retrieved on a per-app basis. The report can be sorted by time or name (alphabetically).

Bluetooth pairing:
Bluetooth pairing report is available for both Android and Apple iPhones. In this report you will find the name of the Bluetooth connection, the address of the paired device, the status. On iOS also the date and time of the connection.

Contact analysis:
Contact analysis provides the relationships between contacts in different modes of communication. Contacts that are rarely connected can be skipped.

Notifications about the device and applications are detailed and can be accessed from iOS and Android devices. The report shows all content, including source and timestamp. On iOS, notifications are also included that are no longer active and contain information that is otherwise no longer available, e.g. B. Emails and messages from apps that do not store them in databases. Only active notifications can be retrieved on Android.

Browser history:
The Browsing History report contains the history of all browser applications. Each entry consists of the URL visited and the time of access. In some cases, the total number of visits to the URL is also available with the timestamp of each visit. The report can be customized in alphabetical order or by time order.

Internet search:
The Internet search history report contains queries from the web browser along with a timestamp. System-wide web searches are only available on Android 5.1 and older devices. Web search data is also collected from analysis of browser applications.
[10:38, 08/01/2023] Risto Popovski: GPS locations:

The GPS location report contains comprehensive information about the possible GPS location data of the device and apps. This includes last known locations that can be read from Android. The analysis and report provide valuable insights from mapping, fitness and transportation apps such as Google Maps, Pokémon Go, Nike + Running, Uber and many others. In some applications, GPS data can even be collected for the entire route and displayed with its recorded and saved timestamps. Photos and videos can also include GPS locations in their metadata. It is possible to customize the location search and report by time or to search locations near specific GPS coordinates.

Cell phone unlocking on many Android phones can allow access to the device's physical data, even if it's protected by a password or gesture. It is also possible to bypass the lock screen on many phone models.