It is a rare scenario these days to perform a forensic investigation without including a mobile device or a smartphone. Smartphones are replacing the personal computer and are capable of storing a wealth of information, often intentionally and sometimes unintentionally.
Although smartphone forensics follows the same principles as other digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device.
There are three methods of mobile data extraction: logical, file system and physical. A fourth type, manual extraction, also exists, in which the investigator photographs or video-records the data displayed on the device.
1. Logical Extraction
The logical extraction method is the easiest and retrieves active information from logically stored data on the mobile phone. Data types include passwords, call logs, phone details (IMEI), contacts, SMS, images, videos, audio files, app data from Android devices and more.
Logical extraction is performed through a designated API (Application Programming Interface) made available by the device vendor. From a technical standpoint, API-based logical extraction is straightforward to implement and the results are provided in a readable format.
However, the logical method is limited to the scope of content the specific vendor has made available through its API. Data outside that scope is invisible to the API, which will not make it available for logical extraction. In addition, not all devices have a common interface for extracting emails, in which case the API will not be applicable.
This extraction method is supported for most devices by most tools. In most cases, logical extraction is not possible on locked devices. Reporting is easier than with other extraction methods because the amount of data it can extract is limited.
2. File System Extraction
File system extraction is the acquisition of the files embedded in the memory of a mobile device. It is an extension of logical extraction that extends the examiner's reach to the phone's live partition, giving access to all of the files present in the device's memory and file system, in both allocated and unallocated space.
Data types that may be retrieved include images, videos, database files, system files and logs, passwords, app data, phone book information, call logs, messages, web history, EXIF data on images, system data and data from unallocated space. Most built-in and user applications store their data in database files, and full access to a database enables the recovery of deleted entries in these files.
This extraction method is supported for most devices by most tools. Reporting of the file system extraction may be more complex.
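The difference between the logical view and a file system extraction is easiest to see on a SQLite database, which is how most phone apps store messages and call logs. The example below is added here and is not from the original article: it builds a constructed messages database, deletes one row through the API (what an app or a logical extraction would see), and then parses the raw file the way a file system examiner would, walking each b-tree page's unallocated gap and freeblock chain according to the public SQLite file format and carving printable strings out of that slack. The file name, table layout and message texts are all constructed; the example forces `secure_delete` off so the run is deterministic, which is an assumption about the device's build rather than a guarantee.

```python
import os
import re
import sqlite3
import struct
import tempfile

# B-tree page types from the SQLite file format specification.
LEAF_TABLE, LEAF_INDEX = 0x0D, 0x0A
INTERIOR_TABLE, INTERIOR_INDEX = 0x05, 0x02


def build_sample_db(path):
    """Create a constructed messages database and delete one row through
    the normal API, as an app would. Returns the text of the deleted row."""
    conn = sqlite3.connect(path)
    # Assumption: the device build leaves secure_delete off. Forced here so the
    # deleted record is left in place rather than zeroed.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("PRAGMA journal_mode = DELETE")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    rows = [  # constructed sample data
        (1, "alice", "Lunch tomorrow?"),
        (2, "mallory", "Meet at the pier at midnight"),   # this row gets deleted
        (3, "bob", "Running late, sorry"),
    ]
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = 2")
    conn.commit()
    conn.close()
    return rows[1][2]


def live_rows(path):
    """The rows an API-level (logical) extraction would report."""
    conn = sqlite3.connect(path)
    try:
        return [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    finally:
        conn.close()


def page_slack(page, hdr_off):
    """Yield the byte ranges of one b-tree page that hold no live cell:
    the gap between the cell pointer array and the cell content area,
    plus every block on the page's freeblock chain."""
    ptype = page[hdr_off]
    if ptype not in (LEAF_TABLE, LEAF_INDEX, INTERIOR_TABLE, INTERIOR_INDEX):
        return  # freelist, overflow or pointer-map page: not handled here
    first_free, ncells, content = struct.unpack_from(">HHH", page, hdr_off + 1)
    content = content or 65536          # 0 encodes 65536 in the spec
    hdr_len = 12 if ptype in (INTERIOR_TABLE, INTERIOR_INDEX) else 8
    ptr_end = hdr_off + hdr_len + 2 * ncells
    if content > ptr_end:
        yield page[ptr_end:content]
    # Freeblock: 2-byte offset of next freeblock, 2-byte size including the header.
    seen, off = set(), first_free
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)
        nxt, size = struct.unpack_from(">HH", page, off)
        if size < 4:
            break
        yield page[off + 4:off + size]
        off = nxt


def carve_slack(path, min_len=6):
    """Carve printable ASCII strings out of the slack of every page in a SQLite file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite database")
    page_size = struct.unpack_from(">H", data, 16)[0] or 65536
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    found = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr_off = 100 if pno == 0 else 0  # page 1 begins with the 100-byte file header
        for blob in page_slack(page, hdr_off):
            found.extend(m.decode("ascii") for m in re.findall(pattern, blob))
    return found


def run_demo():
    """Build the sample database in a temp directory and return
    (deleted_text, logical_view, carved_slack_strings)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "messages.db")   # constructed name, not a real device path
        deleted = build_sample_db(db)
        return deleted, live_rows(db), carve_slack(db)


if __name__ == "__main__":
    deleted, live, carved = run_demo()
    print("logical view:", live)
    print("carved from slack:", carved)
```

The logical view lists two messages; the carved slack still contains the deleted sender and body because SQLite only rewrote the first four bytes of the cell as a freeblock header. On a real extraction the same parser runs over the database files pulled from the live partition, and the same idea extends to the journal or WAL file sitting beside the database.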
3. Physical Extraction
Physical extraction provides a bit-by-bit copy of the entire flash memory allowing the most comprehensive and detailed analysis of the mobile device. This extraction method not only enables the acquisition of intact data, but also data that is hidden or has been deleted.
A common method used to physically extract data from mobile phones is through “rescue mode” or “download mode”. Operating in this mode, mobile phones are designed to allow a small piece of code, called a boot loader, to be inserted into RAM during start-up.
Supported data types obtained using physical extraction include intact and deleted passwords, installed applications, geo tags, location information, media files such as photos and videos taken by the user, GPS fixes, emails, chats and more.
This extraction method is not supported for all devices. Reporting is generally more complex given the amount of data it can extract.
4. Manual Extraction
Manual extraction comes into the picture where the device doesn't support any of the above-mentioned extraction methods. In this method the examiner scrolls through the device and documents its contents by photographing or video-recording the displayed data.
This extraction method is supported by all kinds of devices unless they are physically damaged. Though reporting is easier, the investigating process is complex and time consuming.
In a nutshell, the primary difference between the mobile phone extraction methods is