Forensic examination of mobile phones and other electronic devices is a scientific data analysis process carried out using international standards and specialised tools, according to cybersecurity expert Dinos Pastos.
Speaking on Politis radio (107.6 and 97.6) during the programme A Second Look, he said: “In simple terms, forensic analysis is the scientific examination carried out on electronic devices such as mobile phones and computers – essentially anything that contains data.”
The aim, he added, is to extract information from a device “through procedures that follow international standards”.
According to Pastos, both authorities and private sector experts use the same methodology to analyse data stored on devices and draw conclusions, which are then documented in a final report.
How far back an examination can go
Asked how far back in time such an examination can reach, Pastos said there is no fixed time limit. As long as data exists on a device, experts can reconstruct activity from the day the device was first used up to the day of the examination.
“It can show what has taken place from the day the device began being used until the day it is examined, with specific details,” he said.
He explained that a forensic examination may reveal files, photos or messages present on a device. In cases where data has been deleted or altered, the process may still record either the content itself or evidence of the modification or deletion. In some cases, he noted, it may even be possible to recover the file intact.
What applies to SMS, WhatsApp and Signal
Pastos clarified that the ability to recover data depends largely on the application involved. SMS messages, he said, do not have an internal mechanism that permanently destroys messages when they are deleted, unlike apps such as Signal or other highly secure platforms.
“There are applications that guarantee that when you delete a message, the message itself will never be found – but the date on which the deletion took place may still be visible,” he said.
SMS, by contrast, is a simpler service without encryption or advanced protection, making it easier to locate deleted messages. He added that recovery also depends on the device itself, including the model, operating system version and usage patterns.
The role of syncing and the cloud
Pastos also addressed what happens when a user changes devices, stressing that data does not automatically appear if a phone has been replaced with a newer one.
Recovery is possible only if data has been synchronised through cloud services such as Google Cloud or iCloud. “Devices that undergo forensic analysis must contain the information for it to be found,” he said, explaining that smartphones keep records when syncing is enabled.
In this context, he noted that when more than one device is seized, it may be because data or message traces from specific dates correspond to a different device than the one currently in use.
How integrity of process is ensured
Asked whether a private expert conducting a forensic examination could manipulate the outcome or “mislead” authorities, Pastos said the process is strictly standardised and verifiable.
Once a device is seized for analysis, the first step is to create an exact copy – known as an image – of the entire device. As he put it, this is “a complete representation of all files and data”. After the image is created, the original device is shut down and sealed.
“The investigation is carried out on this image, not on the phone itself,” he stressed, explaining that this safeguards against interference or alteration of the original device.
The image is accompanied by a digital fingerprint, or hash, and a timestamp, allowing another investigator, authority or laboratory to repeat the same process and obtain identical results.
“This ensures there is no doubt about whether tampering, intervention, concealment or false findings have occurred,” Pastos said, emphasising that “the methodology and practices are internationally standardised”.
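The hash-and-timestamp check described above can be illustrated with a short sketch. This is an added example, not code from the interview or from any forensic tool; SHA-256, the record fields, the `examiner` label and the sample image bytes are all assumptions made for the illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in memory


def hash_image(stream, algorithm="sha256"):
    """Return the hex digest of a binary image stream, read block by block."""
    digest = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def acquisition_record(stream, examiner, algorithm="sha256"):
    """Build the record stored alongside the image at acquisition time."""
    return {
        "algorithm": algorithm,
        "hash": hash_image(stream, algorithm),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # hypothetical field, assumed for this example
    }


def verify_image(stream, record):
    """Recompute the hash as a second examiner would and compare to the record."""
    return hash_image(stream, record["algorithm"]) == record["hash"]


def make_sample_image():
    """Constructed stand-in for a device image (about 2.4 MB, spans several blocks)."""
    return b"constructed sample image block\n" * 80000


if __name__ == "__main__":
    image = make_sample_image()
    record = acquisition_record(io.BytesIO(image), examiner="examiner-A")
    print(record)

    # A second laboratory working from an identical copy reproduces the hash.
    print("identical copy verifies:", verify_image(io.BytesIO(image), record))

    # Changing a single bit anywhere in the image changes the hash.
    altered = bytearray(image)
    altered[1_500_000] ^= 0x01
    print("altered copy verifies:", verify_image(io.BytesIO(bytes(altered)), record))
```
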