BIPI

Mobile Forensics in 2024: What Actually Works on iOS and Android

Cybersecurity

Cellebrite and GrayKey are not the silver bullets the marketing suggests. iOS sysdiagnose, Android adb pulls, MVT for Pegasus and Predator, and a realistic picture of what you can and cannot recover from a 2024 phone.

By Arjun Raghavan, Security & Systems Lead, BIPI · July 14, 2024 · 8 min read

#mobile #forensics #ios #android

Mobile forensics is a field where vendor marketing and operational reality have drifted apart. The slides at conferences show full physical extractions of locked iPhones; the reality on most cases is a logical extraction, a sysdiagnose archive, or a backup file. The good news is that 2024 has produced enough useful open tooling that you can get a long way before you need to pay anyone.

Cellebrite and GrayKey: the reality

Cellebrite UFED and Magnet GrayKey are the two commercial tools that dominate law enforcement and high-end corporate cases. Their physical extraction capability is real but heavily version-dependent: they leapfrog Apple's and Google's security updates, sometimes leading, sometimes lagging. For any iPhone shipping in the past year, full physical access from a locked state is generally not available out of the box and requires escalation to the vendor's premium services.

For most corporate IR cases the licensing cost is hard to justify. A logical acquisition through iTunes-style backup or Android adb covers the user-visible data, which is most of what investigations actually need. The cases where you need physical extraction are the cases where you should engage a specialist firm, not buy the tool.

iOS sysdiagnose: underrated and free

Apple ships a built-in diagnostic capture: hold a specific button combination on the device, wait a few minutes, and a sysdiagnose archive is written to the Analytics section of Settings. It contains crash reports, system logs, network state, and a great deal of process and connection history. For investigating suspected spyware or unusual app behaviour, it is the first thing to grab. The user has to be cooperative and the device unlocked, but for insider and consent-based investigations that is usually the situation.

Parse the archive with Console.app on a Mac or with mvt-ios (the open-source toolkit from Amnesty International, originally built for Pegasus detection). The artifacts of interest include shutdown.log, DataUsage.sqlite, locationd_cache_encrypted, and the various crash reports under Library/Logs.

Android: adb, Safe Box, and bug reports

Android logical acquisition is more flexible because adb gives you broader access on a developer-enabled device. adb backup is largely deprecated as of recent versions, but adb pull against /sdcard and the app-specific data directories (with root on rooted devices, with run-as on non-rooted devices for debuggable apps) still works. Samsung's Safe Box and the OEM-specific backup tools are also useful where they apply.

Android bug reports (adb bugreport) are the rough equivalent of iOS sysdiagnose: a zip of system state, logs, dumpsys output, battery stats, and process information. For Android, the database files of interest are in /data/data/com.android.providers.contacts/, /data/data/com.android.providers.telephony/, and the per-app databases under /data/data/<package>/databases/.

MVT: spyware detection that actually works

MVT (Mobile Verification Toolkit) is the open-source toolkit Amnesty Tech and Citizen Lab built for detecting Pegasus, Predator, and similar commercial spyware. It runs against iOS backups or sysdiagnose archives and against Android bug reports. The detection methodology is based on indicator-of-compromise lists from public Pegasus and Predator investigations, plus a set of behavioural heuristics for the file paths and process names these implants use.

The workflow: collect an iOS backup with iTunes or libimobiledevice (idevicebackup2), decrypt it if you have the backup password, then run mvt-ios check-backup against the IOC files in the indicators-of-targeted-attack feed. For Android, run mvt-android check-bugreport, plus mvt-android check-adb if the device is connected. The output is a JSON report flagging suspicious processes, files, URL visits, and SMS messages. Citizen Lab publishes the IOC files; keep them updated.
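The matching step of a check-bugreport run, as an added example that is not MVT's own code: it loads indicators written in the STIX2 pattern form the public MVT IOC feeds use (`[domain-name:value = '…']`, `[process:name = '…']`, `[app:id = '…']`) and matches constructed process, domain and package records against them case-insensitively. Every indicator value and record below is a constructed placeholder, not a real IOC.

```python
import json
import re

# Constructed STIX2 bundle, placeholder values only (not real indicators), in MVT's feed pattern shape.
IOC_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "name": "placeholder-c2-domain",
     "pattern": "[domain-name:value = 'c2-placeholder.example']"},
    {"type": "indicator", "name": "placeholder-process",
     "pattern": "[process:name = 'fakeupdated']"},
    {"type": "indicator", "name": "placeholder-app",
     "pattern": "[app:id = 'com.example.placeholder.spy']"},
    {"type": "malware", "name": "not-an-indicator"},  # non-indicator objects are ignored
]})

# Constructed records, in the shape a bugreport/dumpsys parser might emit.
RECORDS = [
    {"kind": "process", "value": "com.android.systemui"},
    {"kind": "process", "value": "fakeupdated"},
    {"kind": "domain", "value": "updates.example.net"},
    {"kind": "domain", "value": "C2-PLACEHOLDER.example"},  # case differs from the IOC
    {"kind": "package", "value": "com.example.placeholder.spy"},
]

# STIX object path -> the record kind it is compared against.
STIX_TYPE_MAP = {"domain-name:value": "domain", "process:name": "process",
                 "app:id": "package", "file:path": "path"}
PATTERN_RE = re.compile(r"\[([\w-]+:[\w.]+)\s*=\s*'([^']*)'\]")

def load_iocs(bundle_json):
    """Return {kind: {lowercased value: indicator name}} from a STIX2 bundle."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m or m.group(1) not in STIX_TYPE_MAP:
            continue  # compound or unsupported pattern: skip it rather than crash
        kind = STIX_TYPE_MAP[m.group(1)]
        iocs.setdefault(kind, {})[m.group(2).lower()] = obj.get("name", "")
    return iocs

def match_records(records, iocs):
    """Return the records whose value hits an IOC of the same kind (case-insensitive)."""
    hits = []
    for rec in records:
        name = iocs.get(rec["kind"], {}).get(rec["value"].lower())
        if name:
            hits.append({**rec, "indicator": name})
    return hits
```

Each hit carries the indicator name so the report can cite which published investigation the IOC came from; a path or value of a kind the feed does not cover simply produces no hit.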

What you cannot get and how to plan for it

End-to-end encrypted messengers (Signal, iMessage in some modes, WhatsApp end-to-end backups) are not recoverable from device backups in plaintext without the device PIN. Disappearing messages are usually gone. Keychain and Keystore items beyond the basic accessibility classes are not extractable without the unlock secret. Apps that use the iOS Data Protection class A (NSFileProtectionComplete) keep their data encrypted while the device is locked, which is why the lock state at the moment of acquisition matters.

For corporate cases, this means setting expectations early. The MDM (Microsoft Intune, Jamf, Workspace ONE) often has more useful telemetry than the device itself does: app inventory, network destinations, compliance state, and sometimes configuration profile history. Pull MDM data alongside device data, not instead of it.

Documenting the chain of custody

Mobile cases go to litigation more often than other endpoint cases because the data they contain is personal. Document the device serial, IMEI, model, OS version, and lock state at the moment of acquisition. Hash the archive. Photograph the device. If the device is being preserved (not just imaged), put it in a Faraday bag to prevent remote wipe. None of this is technical work, but skipping it can invalidate the evidence at the worst possible moment.
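An acquisition manifest for the documentation steps above, as an added example and not BIPI's own tooling: it refuses to proceed unless the device fields listed (serial, IMEI, model, OS version, lock state) are all recorded, stream-hashes every file in the acquisition directory, writes manifest.json beside the evidence, and can later re-verify the directory for changed, missing or added files. The device values and files created in demo() are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path
REQUIRED_FIELDS = ("serial", "imei", "model", "os_version", "lock_state")
MANIFEST_NAME = "manifest.json"

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB backup never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def hash_tree(acq_dir):
    """Map each file under acq_dir (relative POSIX path) to its SHA-256, manifest excluded."""
    root = Path(acq_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}

def build_manifest(acq_dir, device, acquired_at, examiner):
    """Hash the acquisition and tie it to the device metadata; refuse incomplete metadata."""
    if missing := [k for k in REQUIRED_FIELDS if not device.get(k)]:
        raise ValueError(f"device metadata incomplete: {missing}")
    manifest = {"device": dict(device), "acquired_at": acquired_at,
                "examiner": examiner, "files": hash_tree(acq_dir)}
    out = Path(acq_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    manifest["manifest_sha256"] = sha256_file(out)  # copy this hash into the case notes
    return manifest

def verify_manifest(acq_dir, manifest):
    """Re-hash the tree and report files that changed, vanished or appeared."""
    now, then = hash_tree(acq_dir), manifest["files"]
    return {"changed": sorted(f for f in then if f in now and now[f] != then[f]),
            "missing": sorted(f for f in then if f not in now),
            "unexpected": sorted(f for f in now if f not in then)}

def demo():
    """Constructed acquisition: build a manifest, tamper with one file, rename another, verify."""
    device = {"serial": "PLACEHOLDER-SERIAL", "imei": "000000000000000", "model": "placeholder",
              "os_version": "0.0", "lock_state": "unlocked"}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "bugreport.txt").write_text("constructed bugreport\n")
        (Path(d) / "note.txt").write_text("constructed\n")
        m = build_manifest(d, device, "2024-07-14T09:00:00Z", "examiner-placeholder")
        (Path(d) / "bugreport.txt").write_text("tampered\n")
        (Path(d) / "note.txt").rename(Path(d) / "renamed.txt")
        return verify_manifest(d, m)
```

Keep the manifest hash in a record the acquisition directory cannot alter (the case notes), since a manifest stored only beside the evidence can be rewritten along with it.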
