Intelligent Forensics in Next-Generation Mobile Networks: Evidence, Methods, and Applications

Jiacheng Wang, Weihong Qin, Jialing He, Changyuan Zhao, Dusit Niyato, Tao Xiang

Abstract

This survey examines intelligent forensics in next-generation mobile networks, arguing that future wireless security must move beyond real-time detection toward accountable post-incident reconstruction. Unlike traditional digital forensics, wireless investigations rely on short-lived, distributed, and heterogeneous evidence, including radio waveforms, channel measurements, device-side artifacts, and network telemetry, affected by calibration, timing uncertainty, privacy constraints, and adversarial manipulation. To address this limitation, this paper develops an evidence-centric framework that treats wireless measurements as first-class forensic artifacts and organizes the field through a unified taxonomy spanning physical-layer, device-layer, network-layer, and cross-layer forensics. We further systematize the forensic workflow into readiness and preservation-by-design, acquisition, correlation and analysis, and reporting and reproducibility, while comparing the complementary roles of traditional methods and artificial intelligence-assisted techniques. Subsequently, we review major application areas, including anomaly discovery, attribution, provenance and localization, authenticity verification, and timeline reconstruction. Finally, we identify key open challenges, including domain shift, resource-aware evidence capture, and the benefits and admissibility risks of generative evidence. Overall, this paper positions wireless forensics as a foundational capability for trustworthy, auditable, and reproducible security in next-generation wireless systems. Readers can understand and streamline wireless forensics processes for specific applications, such as low-altitude wireless networks, vehicular communications, and edge general intelligence.

Paper Structure

This paper contains 29 sections, 10 figures, 2 tables.

Figures (10)

  • Figure 1: Survey organization and taxonomy overview.
  • Figure 2: Physical-layer forensics framework from signal evidence to defensible claims. It illustrates provenance-bound signal capture across multiple observation points, and summarizes the supported forensic claims, representative failure modes and adversarial manipulation, and key mitigation principles [Xie2021PLASurvey].
  • Figure 3: Device-layer forensics framework for radio-stack evidence and defensible claims. The framework depicts endpoint radio-stack evidence under privilege boundaries and acquisition provenance, and summarizes the supported forensic claims, representative limitations, adversarial manipulation, and key mitigation and cross-check measures [Hussain2023NDSSRILDefender, ISO27043_2015].
  • Figure 4: The network-layer forensics framework for provenance-aware traffic and signaling analysis. It depicts infrastructure evidence interpreted under explicit capture provenance, and summarizes the supported forensic claims, representative failure modes, adversarial manipulation, and mitigation and cross-check measures based on provenance preservation, uncertainty-aware reporting, and data-plane and control-plane reconciliation [Duan2025AdaptiveSurvey].
  • Figure 5: The acquisition framework for provenance-aware wireless evidence collection. It organizes a shared wireless observation substrate for both static rule-based acquisition and AI-driven closed-loop acquisition, and summarizes key operations including selective triggering, confidence-aware sampling, active sensing for disambiguation, and evidence reconstruction [vanini2024clock, xiong2015tonetrack].
  • ...and 5 more figures