VIP phone

Jamf Mobile Forensics

Forensic Detection of Advanced Attacks on Mobile Devices

Jamf Mobile Forensics is a forensic analysis platform for iOS and Android mobile devices, designed to detect sophisticated attacks that evade conventional mobile security tools. It is intended to protect the highest-risk users in an organization—those who, due to their roles or the information they have access to, are prime targets of espionage campaigns.

Unlike MDM or mobile threat defense solutions, which operate at the network level or focus on known threats, Jamf Mobile Forensics performs an in-depth analysis of artifacts at the operating system level. It is this depth that allows it to identify compromises that leave no visible trace.

Cloud: The option recommended by Jamf for most organizations. Benefits include fast installation, ease of scaling for international deployments, and access to additional capabilities.

On-premises: All information collected from the devices remains within the customer's environment (while still excluding any end-user PII). Server software updates are managed by the customer.

Air-gapped network: For environments that require complete isolation from the network. As with the on-premises model, the customer is responsible for managing and updating the server.

Cable inspection: This is done by connecting the mobile device via USB to a Mac or Windows computer with the Jamf host application installed. This method collects the most comprehensive set of data. It is suitable for one-time checks, post-trip audits, and forensic investigations, without the need to install any application on the target device.

Inspection via the mobile app (Threat Protect): The Threat Protect app is installed on the iOS, iPadOS, or Android device itself and performs inspections remotely at intervals defined by the organization. It enables continuous, wireless monitoring after the initial setup—a key factor, given that log deletion is a common practice following an attack, and continuous inspection increases the likelihood of capturing evidence before it disappears. The app can be deployed on corporate or BYOD devices, preferably via MDM.

Detection is based on the analysis of technical artifacts within the system, including:

  • Operating system logs, failures, and errors
  • Kernel logs
  • Diagnostic files
  • Processes and other data at the operating system level
  • Files and filepaths
  • Crash logs and IPS files
  • Installed apps
  • WiFi Manager and App Store logs
  • Stackshots / spindumps
  • Development certificates and configuration profiles

The detection combines proprietary Indicators of Compromise (IOCs) developed by Jamf Threat Labs with behavioral detection techniques, enabling the identification of zero-day, zero-click, and one-click attacks, APTs, and espionage operations carried out by commercial or state-sponsored actors.

Jamf Mobile Forensics was built specifically to address the types of attack that bypass standard security controls:

  • Mercenary spyware — Pegasus, Predator, Graphite, and other families of commercial spyware used in targeted attacks.
  • Zero-click attacks — threats that do not require any user interaction.
  • Exploitation of zero-day vulnerabilities — previously unknown flaws that are invisible to signature-based tools.
  • Advanced Persistent Threats (APT) and state-sponsored attacks.

These attacks are, by their very nature, costly and targeted. They tend to focus on high-value users and organizations, and the solution was designed with this scenario in mind.

For more information about forensic investigation solutions, Jamf Mobile Forensics, or our other partners, please contact us.