Posted on: March 03, 2016in Blog
3 Methods of Mobile Device Extractions and the Data Each Contains
This post defines logical, filesystem, and physical mobile device extractions, and explains the type of ESI each one retrieves; i.e. deleted vs active data.
There are three types of extractions that may be performed on a mobile device: logical, filesystem, and physical. The feasibility of these three types of extractions depends upon the make, model and operating system of the mobile device.
What is a Logical Extraction?
The quickest and most supported extraction method, but also the most limited, is a logical extraction. In a logical extraction, the forensic tools communicate with the operating system of the mobile device using an API (Application Programming Interface), which specifies how software components interact. The forensic tools use these API’s to communicate with the mobile device’s operating system and request the data from the system. This process allows for the acquisition of most of the live data on the device, much like that of a live targeted collection of computer. The extracted data is output into a readable format.
The typical data available via a logical extraction are call logs, SMS (Short Messaging Service, commonly known as text messages), MMS (Multimedia Messaging Service, which are generally text messages with attachments or group text messages), images, videos, audio files, contacts, calendars and application data. It is possible to specify specific categories to collect, such as only SMS and MMS, but you cannot specify particular items in that category to only export. For example you can choose to extract SMS data, but all SMS will be collected not just conversations between specific people or phone numbers. All the data exported in these categories will be live data and will not have the possibility of containing any deleted data.
What is a Filesystem Extraction?
The next step up in extraction abilities is a filesystem extraction. The primary differentiator between logical extractions and filesystem extractions is the ability for the forensic tools to access the files on the mobile device’s internal memory directly instead of having to communicate through API’s for each type of data. This direct access allows the forensic tools to extract all files present in the internal memory including database files, system files and logs. Filesystem extractions are useful for examining the file structure, web browsing history and app usage history of a mobile device.
The most important part of a filesystem extraction is the full access to the database files on a mobile device. Numerous applications, such as iMessage, SMS, MMS, Calendar and others, store their information in database files. When a user deletes data that is part of a database, such as SMS, the entry within this database is marked as deleted and is no longer visible to the user. This deleted data remains intact within the database and is recoverable until the database performs routine maintenance and is cleaned up. Once this process occurs the data is no longer recoverable.
What is a Physical Extraction?
The most extensive but least supported extraction method is the physical extraction. Physical extraction is least supported because getting full access to the internal memory of a mobile device is completely dependent upon the operating system and security measures employed by the manufacturer like Apple and Samsung. A physical extraction from a mobile device shares the same basic concept as the physical forensic imaging of a computer hard drive. A physical extraction performs a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This extraction allows for the collection of all live data and also data that has been deleted or is hidden.
By having a bit-by-bit copy, deleted data can be potentially recovered .This means that data that resides outside of the active user data and database files, such as: images, videos, installed applications, location information, emails, and more are able to be extracted and deleted versions of these items may be recovered as well.
Driven by the continued advancements in mobile technology, more and more people are using mobile devices as a primary work tool. The need for a BYOD policy or to collect these devices for eDiscovery and compliance purposes will continue to grow. Understanding the key differences in mobile device extraction methods can help prepare your team for the nuances of mobile discovery.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted October 27, 2016
Unplugged: What China’s Internet and Data Restrictions Mean for U.S. Companies and China’s Economy
Posted October 20, 2016
3 Areas of Focus When Migrating Data to a New Document Review Tool
Posted October 13, 2016
3 Best Practices for eDiscovery Custodian Interviews
Posted October 06, 2016
Latest Developments in U.S. FCPA Enforcement
Posted September 22, 2016
The Hybrid Approach to an eDiscovery Managed Services Model
Posted September 15, 2016
5 Document Management Best Practices for Beginners
Posted September 13, 2016
Innoxcell Annual Symposium 2016 | Shanghai Series
Posted September 08, 2016
Maintaining a Great Wall of Data Control in eDiscovery
Posted September 08, 2016
PREX16 | 5th Annual Conference on Preservation Excellence
Posted September 01, 2016
Uncovering Enterprise Vault Stub Files and Their Missing Attachments