Part 3 – Mobile Payments & Digital Wallets: Following the Transaction Trail
Contributed By: Kris Carlson, COO, Former ICAC Commander, and Digital Forensics Investigator/Testifying Expert
Series context. Earlier installments explored forensic lessons from augmented reality and biometric identifiers. This part shifts focus to financial technology, where mobile payments and digital wallets present new opportunities for fraud detection, and also pose new evidentiary challenges for courts and investigators. [1]
The New Currency of Evidence
Smartphones serve as both communication devices and payment terminals. Apple Pay, Google Wallet, and other contactless systems are convenient for end users and merchants alike, and they also create digital trails that can verify or challenge disputed transactions. Investigations have shifted away from paper receipts and card statements (which may still be relevant) toward ephemeral metadata streams, including tokenized card numbers, device IDs, NFC exchange logs, and app-level transaction histories. Courts increasingly expect this evidence to be collected properly; when it is, these data points help establish the identity, timing, and intent behind disputed financial transactions. [2][3]
LCG perspective: Tokenization and encryption protect consumers, but they also make forensic reproducibility more difficult. Practitioners need to recognize where secure design ends and an investigatory blind spot begins. [4]
Key Forensic Artifacts in Mobile Payments
Mobile payment systems create a layered trail of digital evidence that extends well beyond a simple record of purchase. Each transaction generates data at multiple points, including device identifiers, application logs, and server-side confirmations, as well as bank records and other information, all of which can help investigators validate authenticity, establish timelines, and uncover fraudulent activity. When preserved correctly, these artifacts link a disputed payment to a particular device, location, and, in some cases, the individual user. The categories below outline the most significant sources of forensic value in mobile payment investigations and show how they can be used to reconstruct events with evidentiary precision.
- Transaction tokens and cryptograms – Mobile wallets like Apple Pay and Google Wallet never transmit the actual card number. Instead, they generate a temporary “token” or cryptogram stored briefly in the device’s secure element. These identifiers are unique to each transaction and can prove whether a payment request came from a specific device. For investigators, they serve as a digital fingerprint that ties the action to the handset; however, their short lifespan means that prompt mobile device preservation/extraction is critical.
- Wallet application logs – Mobile payment apps often record detailed event logs that go beyond basic transaction history. These may include timestamps, geolocation stamps, user authentication (e.g., Face ID, Touch ID, or passcode entry), and even failed payment attempts. Such logs can help reconstruct a timeline of user behavior, establish presence at a location, or reveal whether the device owner actually authorized a disputed purchase.
- Bank and processor metadata – While device logs may be limited or deleted over time, bank servers and payment processors maintain authoritative records of the transaction lifecycle for much longer periods of time. These server-side artifacts often include token-to-card mapping, merchant identifiers, device IDs, and approval codes. Cross-referencing these with on-device data allows investigators to confirm the origin of disputed payments, detect duplicate attempts, or identify fraudulent use of stolen credentials.
- Contactless interaction traces – Near-field communication (NFC) exchanges between the mobile device and point-of-sale terminal can leave traces in system caches or diagnostic logs. These may display details such as transaction time, terminal ID, and whether the exchange was successful or unsuccessful. Even if the transaction was never completed, cached NFC data can prove the device was presented at a specific merchant or location.
- Linked device accounts – Mobile payment apps rarely operate in isolation. Associated iCloud, Google, email, or bank accounts may store backup transaction confirmations, receipts, or synchronization artifacts. These linked records provide additional layers of corroboration and can bridge gaps when local device data has been deleted or altered. Investigators often find that cloud artifacts are more persistent than volatile on-device traces.
- Authentication artifacts – Evidence of biometric logins or passcode use at the moment of transaction can tie activity to a specific user, not just the device.
- Third-party app data – Some retailers’ apps (e.g., Starbucks, Uber) generate their own payment logs, offering an additional evidentiary trail. [5]
That said, investigators should not overlook traditional sources of evidence that may shed light on disputed financial transactions. Paper receipts, bank statements, surveillance video, text message alerts from financial institutions, handwritten notes or ledgers, witness testimony, and even social media posts or communications can all provide valuable context. While digital records can offer powerful inculpatory or exculpatory information, corroborating those records with multiple forms of evidence is essential to a thorough and balanced investigation.
Mapping Metadata to Fraud and Dispute Resolution
Mobile payment trails often support or challenge claims in fraud cases, divorce proceedings, or commercial disputes. By comparing device logs with merchant acquirer records, bank records, and other artifacts, investigators may be able to verify whether a disputed transaction originated from a claimant’s device, whether multiple wallets were set up, or whether stolen credentials were used from a different location. [6][7] Admissibility, however, depends on documenting the extraction process. Courts applying Federal Rules of Evidence 901 and 902 seek proof of authenticity, while Daubert/Frye tests evaluate the reliability of mobile forensic tools. [2]
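As an added illustration of the cross-referencing described above (this is example code, not from the article or any forensic vendor's tool), the script below matches on-device wallet log entries to processor records by transaction token, checks whether the device ID and timing agree, and flags the same card being used from two cities within a short window. All records and field names are constructed for the example; real exports differ by vendor and must be mapped to these fields first.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real extraction): entries from a wallet app
# log on the claimant's handset and the processor records obtained by subpoena.
# Field names are assumptions for this example.
DEVICE_LOG = [
    {"token": "TKN-7f3a", "device_id": "DEV-A1", "ts": "2024-03-02T14:05:10Z", "auth": "FaceID"},
    {"token": "TKN-9c11", "device_id": "DEV-A1", "ts": "2024-03-02T14:05:55Z", "auth": "FaceID"},
]
PROCESSOR_RECORDS = [  # the token-to-card mapping ("card_ref") exists only server-side
    {"token": "TKN-7f3a", "card_ref": "CARD-01", "device_id": "DEV-A1", "ts": "2024-03-02T14:05:12Z", "city": "Denver", "approved": True},
    {"token": "TKN-9c11", "card_ref": "CARD-01", "device_id": "DEV-A1", "ts": "2024-03-02T14:05:57Z", "city": "Denver", "approved": False},
    {"token": "TKN-e004", "card_ref": "CARD-01", "device_id": "DEV-Z9", "ts": "2024-03-02T14:20:00Z", "city": "Miami", "approved": True},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(device_log, processor_records, max_skew=timedelta(seconds=30)):
    """One finding per processor record: was the token seen on the handset, and do the
    device ID and timestamps agree? A disagreement is a lead to run down, not a conclusion."""
    by_token = {e["token"]: e for e in device_log}
    findings = {}
    for rec in processor_records:
        dev = by_token.get(rec["token"])
        flags = []
        if dev is None:
            flags.append("token absent from handset")   # second wallet, or stolen credential?
        else:
            if dev["device_id"] != rec["device_id"]:
                flags.append("device id mismatch")
            if abs(parse_ts(dev["ts"]) - parse_ts(rec["ts"])) > max_skew:
                flags.append("timestamp disagreement")  # verify clock sources before inferring
        findings[rec["token"]] = {"on_device": dev is not None,
                                  "auth": dev["auth"] if dev else None, "flags": flags}
    return findings

def location_anomalies(processor_records, window=timedelta(hours=1)):
    """Return (earlier_token, later_token) pairs where one card was used from
    different cities within `window`, a common sign of a cloned or stolen credential."""
    out = []
    recs = sorted(processor_records, key=lambda r: (r["card_ref"], parse_ts(r["ts"])))
    for prev, cur in zip(recs, recs[1:]):
        if (prev["card_ref"] == cur["card_ref"] and prev["city"] != cur["city"]
                and parse_ts(cur["ts"]) - parse_ts(prev["ts"]) <= window):
            out.append((prev["token"], cur["token"]))
    return out
```

In the constructed data, the two Denver transactions (one approved, one declined) reconcile cleanly with the handset, while the Miami transaction has no on-device counterpart and follows the Denver activity by fifteen minutes on the same card, which is exactly the pattern that would prompt a request for the processor's device and terminal records for that token.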
Quick Checklist
- Preserve original device data early – Secure the handset and create valid forensic extractions before volatile logs are lost.
- Capture wallet and authentication artifacts – Document transaction tokens, NFC traces, biometric events, and Wallet app logs.
- Request supporting records from third parties – Issue preservation notices and subpoena bank, processor, and merchant logs to map tokens and cryptograms back to accounts.
- Corroborate with ancillary evidence – Collect text alerts, cloud receipts, and social media or handwritten notes that reference disputed transactions.
- Validate forensic tools and methods – Ensure extractions and analyses meet Daubert reliability standards and FRE 901/902 authentication requirements. [8]
- Maintain meticulous chain of custody – Document every acquisition and transfer step to withstand authenticity challenges.
Final thoughts
Digital wallets offer convenience but leave investigators with scattered artifacts across devices, apps, and processors. By using disciplined forensic methods and preparing evidence for forensic scrutiny and Daubert-level review, practitioners can turn these fragments into credible court narratives. Investigators must remember, however, that simply producing a digital file (email, log, video, etc.) is not enough. Practitioners must document the acquisition, validate the tools, and prepare to testify about the integrity and authenticity of the evidence. Some final notes:
- Courts will demand authentication, meaning the practitioner will need to show that artifacts (tokens, logs, receipts) are what you claim they are. This typically involves a chain of custody, tool validation, hash values, metadata, and other relevant details.
- Server-side records (bank/issuer/processor logs) are usually more authoritative, but this often requires a legal process (such as a subpoena or warrant), and notice of preservation should be sent sooner rather than later.
- Courts will require proof that there has been no tampering, alteration, or loss of relevant original artifacts (spoliation risk), which is where metadata (timestamps, device IDs, log entries) is critical; without them, admissibility may fail.
The benefit is clear: resolving financial disputes with digital accuracy rather than doubt. [9]
References (endnotes)
[1] FATF, Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services (2013). https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Rba-npps-2013.html
[2] Federal Rules of Evidence 901 (Authentication). https://www.law.cornell.edu/rules/fre/rule_901
[3] Federal Rules of Evidence 902 (Self-authentication). https://www.law.cornell.edu/rules/fre/rule_902
[4] The Sedona Conference, Best Practices Commentary on Forensic Data Collection (2020 edition). https://thesedonaconference.org/publication/Commentary_on_Best_Practices_for_Managing_Electronic_Discovery
[5] ISO/IEC 27037:2012, Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence. https://www.iso.org/standard/44381.html
[6] NIST SP 800-101 Rev. 1, Guidelines on Mobile Device Forensics (2014). https://csrc.nist.gov/publications/detail/sp/800-101/rev-1/final
[7] Payment Card Industry Security Standards Council, PCI DSS v4.0 (2022). https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
[8] Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md. 2007). https://casetext.com/case/lorraine-v-markel-american-insurance-company
[9] Mirza, M.M., Ozer, A., Karabiyik, U., Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS, Applied Sciences 12(21):11180 (2022). https://www.mdpi.com/2076-3417/12/21/11180
This article is for general information and does not constitute legal advice.