Mobile forensic terminology
Below you can find meanings and explanations for various abbreviations and terms used in our products and manuals.
ADB – Android Debug Bridge
A command-line interface that allows communication with an Android device from Windows, Linux, or macOS.
DFIR context: ADB enables device interrogation, data acquisition, app deployment, and log access. Its availability depends on USB debugging status, authorization state, and device security configuration.
AFC2 – Apple File Conduit 2
A service available on jailbroken iOS devices that provides extended file system access beyond standard AFC.
DFIR context: AFC2 allows access to normally restricted system directories but does not bypass hardware encryption or Secure Enclave protections.
AFU – After First Unlock
A device state after the user has unlocked the device by entering the PIN, pattern, or passcode at least once since boot.
DFIR context: In AFU state, additional data (including decrypted file-based encryption keys) may be accessible compared to BFU state.
API – Application Programming Interface
A defined set of methods that allows software components to communicate with each other.
DFIR context: APIs are used to interact with operating systems, applications, cloud services, and forensic tools in a controlled and documented manner.
BF / BFA – Brute Force (Attack)
An attack method that attempts all possible combinations to recover a password, PIN, or passcode.
DFIR context: Used to bypass screen locks or encrypted backups where rate-limiting, hardware security, and encryption strength permit.
BFU – Before First Unlock
A device state before the user has unlocked the device since boot.
DFIR context: Data accessibility is significantly restricted; many encrypted data sets remain unavailable until the first unlock occurs.
Bootloader
A low-level software component that initializes hardware and verifies the operating system before boot.
DFIR context: Bootloader lock state directly affects the feasibility of advanced acquisition methods, including physical extraction and custom boot images.
BROM Mode – Boot ROM Mode
A low-level execution mode in MediaTek devices where immutable Boot ROM code runs before the bootloader.
DFIR context: BROM vulnerabilities can allow secure boot bypass and enable physical acquisition or decryption. Boot ROM flaws cannot be patched via firmware updates.
CDMA – Code Division Multiple Access
An older cellular radio technology primarily used in the United States.
DFIR context: Relevant for legacy device analysis and understanding historical network artefacts.
Chipset
A common term for a System-on-Chip (SoC) integrating CPU, GPU, memory controllers, and peripherals.
DFIR context: The chipset determines supported forensic methods, exploit viability, and encryption implementation.
CPU – Central Processing Unit
The primary processor executing operating system and application instructions.
DFIR context: CPU architecture and secure execution environments influence encryption handling and exploit compatibility.
CWM – ClockworkMod Recovery
A custom Android recovery environment.
DFIR context: Can enable advanced access on older or modified devices but is rarely viable on modern, locked systems.
DFU – Device Firmware Upgrade
A low-level recovery mode used by iOS devices to restore firmware from any state.
DFIR context: DFU allows firmware restoration but does not grant access to encrypted user data.
Dirty COW – Dirty Copy-On-Write
A Linux kernel vulnerability exploiting a race condition in the copy-on-write memory mechanism.
DFIR context: Can enable temporary privilege escalation on vulnerable Android devices, allowing deeper data access without permanent system modification.
Download Mode
A firmware communication mode used by Samsung devices, equivalent to Fastboot on other platforms.
DFIR context: Required for flashing firmware and interacting with devices using tools such as Odin or Heimdall.
EDL – Emergency Download Mode
A low-level Qualcomm communication mode for firmware flashing and recovery.
DFIR context: Frequently used for chipset-level acquisition, unbricking, and secure boot bypass on supported devices.
Exynos
A family of mobile chipsets developed by Samsung.
DFIR context: Exynos devices support specific physical extraction and decryption techniques depending on model and security patch level.
Factory Reset
A process that restores a device to its default state by erasing user data, apps, and settings.
DFIR context: On modern encrypted devices, a factory reset destroys encryption keys, resulting in cryptographic erasure. Pre-reset user data is effectively unrecoverable.
Fastboot
A diagnostic and flashing protocol included with the Android SDK.
DFIR context: Used to boot custom images, flash partitions, and perform low-level device operations where permitted.
FBE – File-Based Encryption
An encryption model where files are encrypted individually with separate keys.
DFIR context: Enables different data accessibility states (BFU vs AFU) and fine-grained key control.
FBE – File-Based Encryption (with Metadata Encryption)
An encryption model where individual files are encrypted using separate keys rather than a single disk-wide key. Modern implementations also encrypt file metadata, such as filenames, directory structures, timestamps, and file sizes.
DFIR context: On modern Android devices, both file contents and metadata may remain inaccessible in BFU state. Even when partial data is accessible in AFU state, encrypted metadata can prevent directory reconstruction, filename attribution, and timeline analysis. This significantly limits recoverability compared to legacy FDE and reinforces that post-reset or BFU-state data is often forensically unrecoverable without the appropriate decryption keys.
On modern Android devices using File-Based Encryption (FBE) with metadata encryption, the BFU and AFU states affect access not only to file contents but also to file metadata. In BFU state, most user data and associated metadata (including filenames, directory structure, and timestamps) remain cryptographically inaccessible. In AFU state, additional data may become available after first unlock; however, access can still be partial and depends on which encryption keys are resident in memory. As a result, the presence of some readable artefacts does not guarantee full file-system visibility or reliable timeline reconstruction.
FDE – Full Disk Encryption
An encryption model where the entire data partition is protected by a single key.
DFIR context: Common on older Android versions; once unlocked, data is typically fully accessible.
Forensic Soundness
A principle requiring evidence to be collected and handled in a manner that preserves integrity, authenticity, and repeatability.
DFIR context: Actions must be auditable, minimally invasive, and verifiable, typically through hashing and logging.
FRP – Factory Reset Protection
A security feature that prevents device reuse after reset without the original account credentials.
DFIR context: FRP can block post-reset access and must be considered during lawful acquisition and device handling.
FTP – File Transfer Protocol
A legacy protocol for transferring files between systems.
DFIR context: Lacks encryption and is unsuitable for secure evidence transfer.
GPU – Graphics Processing Unit
A processor optimized for parallel computation.
DFIR context: Often used to accelerate password cracking and cryptographic workloads in forensic environments.
GSM – Global System for Mobile Communications
A digital cellular communication standard widely used worldwide.
DFIR context: Relevant for understanding network artefacts, SIM data, and historical call records.
Hotkey Combination
A hardware key sequence used to boot a device into a specific mode.
DFIR context: Required to access recovery, fastboot, or download modes during acquisition.
HTML – Hypertext Markup Language
The standard markup language for web pages.
DFIR context: Used in forensic reports and rendered analysis outputs.
ICCID – Integrated Circuit Card Identifier
A unique identifier assigned to SIM cards.
DFIR context: Used to identify and correlate SIM cards to network activity.
IMEI – International Mobile Equipment Identity
A unique identifier assigned to mobile devices.
DFIR context: Critical for device identification, tracking, and network correlation.
IMSI – International Mobile Subscriber Identity
An identifier used to identify a subscriber on a cellular network.
DFIR context: Links a user identity to network usage and SIM artefacts.
iOS
The mobile operating system used by Apple devices.
DFIR context: Employs strong hardware-backed encryption and strict sandboxing, heavily influencing acquisition strategy.
Kirin
A family of chipsets designed by Huawei HiSilicon.
DFIR context: Some Kirin devices support offline decryption and physical extraction methods depending on chipset generation.
MAC – Media Access Control Address
A unique identifier assigned to network interfaces.
DFIR context: Used in network artefact analysis and device correlation.
MDM – Mobile Device Management
A framework used to remotely manage and secure devices.
DFIR context: Can restrict data access, enforce encryption, block USB communication, or initiate remote wipe.
MTK – MediaTek
A semiconductor manufacturer producing mobile chipsets.
DFIR context: MediaTek devices may support BROM-based acquisition and decryption techniques.
MTP – Media Transfer Protocol
A protocol for transferring media files between devices and computers.
DFIR context: Limited to user-accessible storage and does not provide forensic-level access.
ODIN
A firmware communication utility developed by Samsung.
DFIR context: Used to interact with Samsung devices in Download Mode for flashing and recovery operations.
OEM – Original Equipment Manufacturer
The company that designs and produces a device.
DFIR context: OEM policies determine bootloader lock behaviour, firmware signing, and security controls.
PTP – Photo Transfer Protocol
A protocol for transferring photos from devices.
DFIR context: Extremely limited and not suitable for forensic acquisition.
RSA – Rivest–Shamir–Adleman
A public-key cryptographic algorithm.
DFIR context: Used in authentication, key exchange, and secure communications.
SIM – Subscriber Identity Module
A smart card storing subscriber identity and network credentials.
DFIR context: Contains identifiers and network artefacts relevant to subscriber attribution.
SoC – System-on-Chip
A single integrated chip containing CPU, GPU, memory controllers, and peripherals.
DFIR context: Determines performance, security architecture, and forensic method support.
SPL – Security Patch Level
A date-based indicator of installed security updates.
DFIR context: Directly impacts exploit availability and supported acquisition methods.
Spreadtrum / UNISOC
A chipset manufacturer commonly found in lower-cost devices.
DFIR context: Some UNISOC devices support chipset-level acquisition methods with varying reliability.
SSH – Secure Shell
An encrypted protocol for remote system access.
DFIR context: Used on rooted or jailbroken devices for controlled file-system access.
TWRP – Team Win Recovery Project
A custom Android recovery environment.
DFIR context: Can enable advanced access on supported devices but is rarely viable on modern locked hardware.
UFED – Universal Forensic Extraction Device
A forensic extraction platform developed by Cellebrite.
DFIR context: Produces UFDR reports and supports logical, file-system, and physical extractions depending on device support.
UFDR – UFED Physical Analyzer Report
A structured forensic report format used for analysis and review.
DFIR context: Contains extracted artefacts, metadata, and validation information.
USB – Universal Serial Bus
An industry-standard interface for data transfer and power.
DFIR context: Primary physical connection for mobile forensic acquisition.
XML – Extensible Markup Language
A structured data format for human- and machine-readable documents.
DFIR context: Used for configuration files, reports, and data interchange.