希望访问中文页面? 请点此(简体中文版)  

Posted on: March 03, 2016

in Blog

3 Methods of Mobile Device Extractions and the Data Each Contains

This post defines logical, filesystem, and physical mobile device extractions, and explains the type of ESI each one retrieves; i.e. deleted vs active data.

There are three types of extractions that may be performed on a mobile device: logical, filesystem, and physical. The feasibility of these three types of extractions depends upon the make, model and operating system of the mobile device.

Download this white paper to learn the different nuances of various operating systems when preserving mobile device ESI.

What is a Logical Extraction?

The quickest and most supported extraction method, but also the most limited, is a logical extraction. In a logical extraction, the forensic tools communicate with the operating system of the mobile device using an API (Application Programming Interface), which specifies how software components interact. The forensic tools use these API’s to communicate with the mobile device’s operating system and request the data from the system. This process allows for the acquisition of most of the live data on the device, much like that of a live targeted collection of computer. The extracted data is output into a readable format.

The typical data available via a logical extraction are call logs, SMS (Short Messaging Service, commonly known as text messages), MMS (Multimedia Messaging Service, which are generally text messages with attachments or group text messages), images, videos, audio files, contacts, calendars and application data. It is possible to specify specific categories to collect, such as only SMS and MMS, but you cannot specify particular items in that category to only export. For example you can choose to extract SMS data, but all SMS will be collected not just conversations between specific people or phone numbers. All the data exported in these categories will be live data and will not have the possibility of containing any deleted data.

What is a Filesystem Extraction?

The next step up in extraction abilities is a filesystem extraction. The primary differentiator between logical extractions and filesystem extractions is the ability for the forensic tools to access the files on the mobile device’s internal memory directly instead of having to communicate through API’s for each type of data. This direct access allows the forensic tools to extract all files present in the internal memory including database files, system files and logs. Filesystem extractions are useful for examining the file structure, web browsing history and app usage history of a mobile device.

The most important part of a filesystem extraction is the full access to the database files on a mobile device. Numerous applications, such as iMessage, SMS, MMS, Calendar and others, store their information in database files. When a user deletes data that is part of a database, such as SMS, the entry within this database is marked as deleted and is no longer visible to the user. This deleted data remains intact within the database and is recoverable until the database performs routine maintenance and is cleaned up. Once this process occurs the data is no longer recoverable.

What is a Physical Extraction?

The most extensive but least supported extraction method is the physical extraction. Physical extraction is least supported because getting full access to the internal memory of a mobile device is completely dependent upon the operating system and security measures employed by the manufacturer like Apple and Samsung. A physical extraction from a mobile device shares the same basic concept as the physical forensic imaging of a computer hard drive. A physical extraction performs a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This extraction allows for the collection of all live data and also data that has been deleted or is hidden.

By having a bit-by-bit copy, deleted data can be potentially recovered .This means that data that resides outside of the active user data and database files, such as: images, videos, installed applications, location information, emails, and more are able to be extracted and deleted versions of these items may be recovered as well.

Driven by the continued advancements in mobile technology, more and more people are using mobile devices as a primary work tool. The need to collect these devices for eDiscovery and compliance purposes will continue to grow. Understanding the key differences in mobile device extraction methods can help prepare your team for the nuances of mobile discovery.

Discover More:

Discover More Categories

D4 Weekly eDiscovery Outlook

Power your eDiscovery intellect with our weekly newsletter.