Skip to main content
GOSET.ORGglobal online safety education & trainingGlobal Online Safety Education & Training

Public Safety | Field guide

Mobile Device Evidence Preservation Field Guide

Mobile devices can hold evidence, account access, cloud connections, location history, communications, and app data. Handling choices matter.

Get PDF BelowAll Resources
Investigations8 min readReviewed April 23, 2026

Quick actions

  • Record device state before any handling decision.
  • Do not assume airplane mode disables all communication pathways.
  • Keep the device powered when agency protocol and examiner guidance call for it.
  • Escalate quickly when encryption, biometric locks, or cloud synchronization are issues.

Capture the starting state

  • Unlocked or locked.
  • Powered on or powered off.
  • Battery level and charging status.
  • Network indicators, Bluetooth, Wi-Fi, cellular, VPN, or hotspot signs.
  • Open app, visible notification, call state, or active recording state.
  • Case number, collector, date, time, and time zone.

Avoid avoidable changes

  • Do not browse through apps or messages to see what is there.
  • Do not connect the device to a personal computer or charger.
  • Do not attempt passcodes, patterns, passwords, or biometric access unless authorized and trained.
  • Do not rely on memory. Record every action taken and why.

Network isolation is a decision, not a reflex

SWGDE notes that mobile devices may be remotely modified or wiped and that simple airplane mode may not disable all radios on newer devices. Agencies should train responders on approved isolation methods and decision points.

Why training matters

NIST describes mobile device forensics as a specialty involving preservation, acquisition, examination, analysis, and reporting. A field responder does not need to be the examiner, but does need to protect the examiner's ability to do the work later.

Important note

This resource is for education and planning. It is not legal advice, clinical advice, or a substitute for agency policy, school policy, legal counsel, emergency services, or trained investigative support.

Related resources

Keep building the toolkit

Continue with resources that serve a similar audience or program track.

Public SafetyChecklist

Digital Evidence First Responder Checklist

A field-oriented checklist for recognizing, documenting, preserving, and escalating digital evidence without compromising integrity.

Digital evidenceFirst responderDocumentation

9 min read | Reviewed April 23, 2026

Read guide
Public SafetyReadiness checklist

Agency Digital Evidence Training Readiness Checklist

A planning checklist for agencies assessing digital evidence training needs, policy gaps, role-based audiences, and partner coordination.

Training readinessPolicyAgency planning

9 min read | Reviewed April 23, 2026

Read guide
Public SafetyPlanning guide

Cloud and Platform Records Request Planning Guide

A planning guide for identifying cloud/platform evidence, preservation needs, provider details, time zones, identifiers, and legal process questions.

Cloud evidencePlatform recordsLegal process

8 min read | Reviewed April 23, 2026

Read guide