As a licensed Private Investigator (PI), it’s frustrating when I’m asked by other PIs how they can preserve visible data from a client’s iPhone. For example, “one of my clients exchanged messages with a contractor who accepted payment and then failed to deliver services.” The client now wants to produce those messages in court. Do we really need to do “forensics” for this kind of situation? Does it really need to cost over $2,500 to simply preserve this data?
The short answer to both questions: No.
Let’s dive into how this can be handled by professional PIs—those trained in the principles of evidence collection, chain-of-custody, documentation, and courtroom presentation—who may not be formally trained in digital forensics but are still capable of executing reliable mobile device discovery.
Is It Forensics—or Just Discovery?
The situation above is often described as a forensic task. But is it? Or is it really just a form of electronic discovery (AKA “eDiscovery”)—part of identifying and preserving Electronically Stored Information (ESI)? This is something PIs already do regularly without the “e” part: we collect evidence for court. So what makes the collection of ESI from mobile devices any different than retrieving documents from an office?
There are some key differences, sure. But most of these cases don’t rise to the level of full forensic analyses. The “forensic” part comes in when:
- You’re determining how the data was created or modified
- You’re either recovering, or making observations regarding, deleted content
- You need to answer tough questions about timestamps, device manipulation, or app behavior
- You need to recover app data that is not captured with a device backup
- You need to know what was happening on a device at a specific point in time
But when the goal is simply to preserve messages, photos, or videos that are clearly visible via the handset, it’s more about collection and less about analysis.
And guess what? Many forensic tools use the same core mechanisms to generate an “advanced logical” or encrypted iTunes-style backup that Apple already enables for its devices—with a few extra bells and whistles.
So why are we paying thousands for extractions that, in these cases, could be performed just as defensibly using simpler, more affordable tools?
Sometimes you need the heavier tools. I certainly do. Most of my cases require full file system analyses that justify the cost of Cellebrite or Verakey. But if all you need is a well-documented, well-executed backup of what’s already on the screen, there’s a more efficient, and less expensive, path.
I often hear from private investigators who’ve been asked to “get the messages” off a phone. These aren’t full forensic investigations—they’re practical efforts to preserve accessible mobile data in a way that’s consistent and repeatable.
What you do need is a clear understanding of what you’re doing—and what you’re not.
Discovery vs. Forensics
Mobile device discovery is about preserving accessible data—text messages, photos, limited app activity—in a way that supports or challenges a witness, victim, or subject’s account of events.
Forensics goes further. It’s about validated processes, attribution, timelines, authentication, and expert interpretation. Forensic analysis can speak to the who, when, where, and how. Discovery is about documenting what’s already visible and doing it in a way that can be backed up if questioned.
Why It Matters for PIs
As a PI, you may collect mobile data to corroborate a timeline, support a client’s version of events, or challenge someone else’s. That can be extremely valuable. You don’t need to be a forensic examiner to do this work—but you do need to do it right.
You can testify as a fact witness. You can explain what device was provided to you, what tool you used, how you verified it worked properly ahead of time, and what you found in the output. But that testimony only holds weight if your process was consistent, documented, and repeatable.
A Note on Backup Extractions, Scope Creep, and Full File System (FFS) Acquisitions
It’s important to understand the limitations of backup-based extractions—especially those performed using iTunes-style backups or logical acquisition tools like UFADE or Magnet ACQUIRE. These backups can preserve a good deal of accessible content, including messages, photos, some system logs, and some app activity. However, they do not include most types of location data, deleted data, more robust system-level logs, app caches, or data stored in protected or encrypted containers.
In contrast, a Full File System (FFS) extraction—typically only possible with specialized forensic tools and certain device conditions—captures far more, including data marked for deletion, internal app storage, deleted communications from other sources, and/or logs that reveal detailed device activity. While FFS extractions offer a more complete picture, they often require elevated access and carry more risk if mishandled.
For the PI performing mobile discovery, backup-style extractions remain useful when handled carefully and appropriately documented. But they also come with risks—particularly around scope creep. If your initial objective is to preserve native text messages, be sure that your client understands the limits of what you’re collecting. Once you complete a backup-style extraction, you may not be able to go back and get additional app data that wasn’t included. Apps like Snapchat, Telegram, Messenger, Signal, and others are not typically configured to store their content in standard backups.
This means a candid conversation with the client is often necessary before beginning: Are you sure the messages you’re after are in the native SMS/Messages app, or could they be in another app? Because if that question comes up after the extraction is done, you may not be able to answer it later.
A Practical Use Case: Preserving Text Messages in Plain Sight
Let’s say a client hands you a phone and tells you there’s a text thread that proves their version of a conversation—one that may become central to a legal dispute. The messages are visible in the Messages app. You’re not trying to recover deleted content or analyze device logs. You’re simply trying to preserve what’s there, now, in a way that won’t be questioned later.
Taking screenshots might be tempting—but it’s not defensible. There’s no record of what’s off screen, no metadata, and no way to independently verify what you captured. If it comes up in court, you’ll be asked to show where the screenshot came from—and you may not be able to.
Instead, you can use tools like UFADE or Magnet ACQUIRE to create logical backups of devices, plus a few extra nuggets. Then, using iLEAPP, ALEAPP, or ArtEx, you can extract and format that message thread into a clean report. Now you’ve preserved the conversation—along with structure, timestamps, and supporting metadata—and you’ve created something you can stand behind. As a best practice, consider capturing screenshots or photographs of the messages on the phone and comparing them to the tool-generated report or parsed output. This provides an additional layer of verification and helps demonstrate consistency between what was seen on the device and what was extracted. It also supports tool validation—if what you see in the output doesn’t match expectations, it’s a red flag worth investigating. You can walk through your process in court if needed, as a fact witness, clearly explaining what steps you followed and what was present in the resulting output—without making forensic claims or conclusions beyond your role.
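To make the parse-and-verify step above concrete, here is an added example (my illustration, not code from iLEAPP, ALEAPP, ArtEx or UFADE) of what a message parser does with the Messages database inside an iTunes-style backup. The real file is HomeDomain-Library/SMS/sms.db, stored in the backup folder under a hashed file name; the tables and columns used here (message, handle, chat, chat_message_join, and the date field counted from 2001-01-01) follow that database’s schema, but the thread itself is constructed in memory so the script runs offline. The phone number and message texts are made up. The last function is the cross-check the paragraph recommends: it compares the parsed output against what you transcribed from the handset, and anything left in either list is the red flag worth investigating.

```python
"""Parse a Messages-style sms.db from an iTunes-style backup and cross-check it
against what was seen on the handset. Added example; not iLEAPP or UFADE code.
The sample database is constructed below with the columns the real sms.db
schema uses (message, handle, chat, chat_message_join)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Messages timestamps are counted from the Apple/Cocoa epoch, not the Unix one.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value):
    """Convert a message.date value to a UTC datetime.

    Older iOS versions stored whole seconds since 2001-01-01; iOS 11 and later
    store nanoseconds. A value above ~1e12 cannot be seconds (that would be
    tens of thousands of years), so it is treated as nanoseconds."""
    if value is None:
        return None
    if value > 1_000_000_000_000:
        value = value / 1_000_000_000
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db(path=":memory:"):
    """Constructed sample thread: a client and a contractor (all values made up)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, guid TEXT, text TEXT,
                              handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier TEXT);
        CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER);
    """)
    conn.execute("INSERT INTO handle VALUES (1, '+15550100', 'SMS')")
    conn.execute("INSERT INTO chat VALUES (1, '+15550100')")
    # 2024-03-05 14:30:00 UTC expressed as seconds since the Apple epoch,
    # then scaled to nanoseconds the way current iOS versions store it.
    base = int((datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc) - APPLE_EPOCH).total_seconds())
    rows = [
        (1, "g1", "Deposit received, start Monday.", 1, base * 10**9, 0),
        (2, "g2", "Great, see you then.", 1, (base + 60) * 10**9, 1),
        (3, "g3", "Running late, will be there next week.", 1, (base + 7 * 86400) * 10**9, 0),
    ]
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?,?)", rows)
    conn.executemany("INSERT INTO chat_message_join VALUES (1, ?)", [(r[0],) for r in rows])
    conn.commit()
    return conn


def extract_thread(conn, chat_identifier):
    """Return one thread in chronological order with timestamps and direction."""
    sql = """
        SELECT m.ROWID, m.date, m.is_from_me, h.id, m.text
        FROM message m
        JOIN chat_message_join cmj ON cmj.message_id = m.ROWID
        JOIN chat c ON c.ROWID = cmj.chat_id
        LEFT JOIN handle h ON h.ROWID = m.handle_id
        WHERE c.chat_identifier = ?
        ORDER BY m.date
    """
    thread = []
    for rowid, date, is_from_me, handle, text in conn.execute(sql, (chat_identifier,)):
        thread.append({
            "rowid": rowid,
            "timestamp_utc": apple_time_to_utc(date).strftime("%Y-%m-%d %H:%M:%S"),
            "direction": "sent" if is_from_me else "received",
            "counterparty": handle,
            "text": text,
        })
    return thread


def compare_with_screen(parsed, seen_on_device):
    """Cross-check the parsed output against (direction, text) pairs transcribed
    from screenshots or photographs of the handset. Anything present on only
    one side is returned so it can be investigated before the report is relied on."""
    parsed_set = {(m["direction"], m["text"]) for m in parsed}
    seen_set = set(seen_on_device)
    return {
        "only_in_parsed": sorted(parsed_set - seen_set),
        "only_on_screen": sorted(seen_set - parsed_set),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for row in extract_thread(db, "+15550100"):
        print(row)
```

In practice you would point sqlite3 at a copy of the sms.db pulled from the backup, never at the original, and record the hash of that copy alongside the report so the parse can be repeated by someone else.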
A Practical Training and Tool Path for PIs
Before we dive into tools and resources, it’s important to highlight one foundational requirement: maintaining proper chain-of-custody and documentation. Anytime you’re in possession of a device that may become evidence, document when you received it, from whom, and under what conditions. Keep notes on any steps you take, tools you use, and the state of the device at each stage. Even if you’re not a forensic examiner, these habits protect both your credibility and the integrity of the data.
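The documentation habit described above can be backed by something mechanical: a manifest that records your custody notes and a SHA-256 hash of every file in the preserved backup, which anyone can later re-run to show the copy has not changed. The script below is an added example of that, not code from any of the tools mentioned on this page; the backup folder, its two placeholder files and the custody details are all constructed so it runs offline, and the custody field names are my own choice.

```python
"""Create and re-verify an integrity manifest for a preserved backup folder.
Added example; the folder contents and custody notes below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large backup blobs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, custody):
    """Hash every file under backup_dir and attach the custody notes.

    custody is a plain dict: who handed over the device, when, its condition,
    and who collected it. Paths are stored relative to the backup folder."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "custody": custody,
        "manifest_created_utc": datetime.now(timezone.utc).isoformat(),
        "file_count": len(files),
        "files": files,
    }


def write_manifest(backup_dir, custody, out_path):
    """Write the manifest as sorted JSON so two runs over the same data diff cleanly."""
    manifest = build_manifest(backup_dir, custody)
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(backup_dir, manifest_path):
    """Re-hash the folder and report anything changed, missing or added.
    Returns an empty dict when the preserved copy still matches the manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    current = build_manifest(backup_dir, manifest["custody"])["files"]
    problems = {}
    for rel, rec in manifest["files"].items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel]["sha256"] != rec["sha256"]:
            problems[rel] = "hash mismatch"
    for rel in current:
        if rel not in manifest["files"]:
            problems[rel] = "unexpected file"
    return problems


def demo():
    """Constructed backup folder with two placeholder files, then a deliberate
    post-preservation edit to show what a failed verification looks like."""
    tmp = tempfile.mkdtemp()
    backup = os.path.join(tmp, "backup")
    os.makedirs(os.path.join(backup, "3d"))
    with open(os.path.join(backup, "Manifest.db"), "wb") as f:
        f.write(b"constructed placeholder, not a real Manifest.db\n")
    with open(os.path.join(backup, "3d", "sms.db"), "wb") as f:
        f.write(b"constructed placeholder, not a real sms.db\n")
    custody = {  # hypothetical values
        "received_from": "Client (hypothetical)",
        "received_utc": "2024-03-20T15:00:00Z",
        "device": "iPhone, passcode supplied by owner, airplane mode on",
        "collector": "PI (hypothetical)",
    }
    manifest_path = os.path.join(tmp, "manifest.json")  # kept outside the backup folder
    write_manifest(backup, custody, manifest_path)
    clean = verify_manifest(backup, manifest_path)
    with open(os.path.join(backup, "3d", "sms.db"), "ab") as f:
        f.write(b"x")  # simulate an accidental change after preservation
    tampered = verify_manifest(backup, manifest_path)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest, and a printed or signed copy of it, with your case notes; re-running the verify step just before testifying lets you state from your own checks that the backup you parsed is the one you preserved.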
You don’t need a commercial license to get started. There are free tools and free training resources available right now that are used by forensic practitioners and can be safely used for discovery purposes—if you know how to validate them and avoid altering the device.
Here’s a practical training path you can follow to build your skills and document your methods:
Step 1: Learn What to Preserve
Use these free training resources to understand what data can be collected, what the risks are, and how to handle mobile devices properly.
- DFIR Review
  Real-world validation studies and lessons from the forensic community. Free and peer-reviewed.
- DFIR Training
  Directory of free and paid mobile-specific training, tools, and test exercises, including a curated list of beginner-friendly and affordable digital forensics training options.
Step 2: Train Using Your Own Devices
Before you touch anyone else’s phone, test everything on your own. Practice safe workflows. See what gets extracted. Learn what the tools look like when they work—and when they don’t.
Recommended free tools:
- UFADE
  A Python script with a simple GUI for creating logical iTunes-style backups of iPhones.
- iLEAPP
  Parses iPhone backups for messages, photos, Safari, and more. Outputs HTML reports.
- ALEAPP
  Companion tool to iLEAPP, focused on parsing Android device data including apps, messages, and photos or videos.
- ArtEx2
  A user-friendly GUI to browse and export content from iOS backups. No scripting required.
Step 3: Practice With Sample Data
Use publicly available test data so you can validate the tools and outputs without relying on a real device. A good source of validation data is Digital Corpora, which includes publicly available, well-documented forensic image sets for practice and tool testing.
Step 4: Stick to Defensible Practices
Before you accept a phone from a client or testify about mobile data, ask yourself:
- Have I used this tool successfully on my own device or test data?
- Am I collecting the data in a way that preserves structure and timestamps?
- Can I repeat the process and show my steps?
- Do I understand the limits of the tool—and of my role?
- Am I capturing everything relevant to the request?
Staying Within the Lines—But Doing Valuable Work
There’s no harm in doing what you’re trained to do, documenting it carefully, and testifying only to the steps you took and what the tools showed you. In fact, doing that well can be just as impactful as formal forensic work—especially in early stages of civil or criminal matters where quick action and basic preservation can make or break a case.
This kind of mobile device discovery isn’t a shortcut around forensics—it’s an appropriate, disciplined starting point for investigators who want to handle mobile data responsibly. Done right, it creates a means for preserving easily accessible evidence. And for some investigators, it becomes a bridge.
A Starting Point—Not the End of the Road
Are you interested in diving deeper into open source digital forensics? We could explore how to set up your own system to run these tools, analyze test datasets, generate reports, and build repeatable workflows that mirror what forensic experts do—without the commercial price tag. If there’s interest, let me know in the comments below. I may develop a follow-up blog or presentation to help private investigators get up and running with these free and open-sourced tools and methods.
The tools and workflows outlined here are entry-level in the best sense: they’re accessible, capable, and able to produce work that holds up when done carefully. But they also open a path. Many experienced forensic examiners started here—learning to extract and preserve data on devices they were authorized to access, documenting carefully, and respecting the limits of their role.
For private investigators who are doing more and more of this kind of work, learning the fundamentals of mobile forensics isn’t a leap—it’s a natural progression. This is exactly how I—and many other forensic investigators and law enforcement professionals—first started working in this field.