Posted on: March 03, 2016in Blog
3 Methods of Mobile Device Extractions and the Data Each Contains
This post defines logical, filesystem, and physical mobile device extractions, and explains the type of ESI each one retrieves; i.e. deleted vs active data.
There are three types of extractions that may be performed on a mobile device: logical, filesystem, and physical. The feasibility of these three types of extractions depends upon the make, model and operating system of the mobile device.
What is a Logical Extraction?
The quickest and most supported extraction method, but also the most limited, is a logical extraction. In a logical extraction, the forensic tools communicate with the operating system of the mobile device using an API (Application Programming Interface), which specifies how software components interact. The forensic tools use these API’s to communicate with the mobile device’s operating system and request the data from the system. This process allows for the acquisition of most of the live data on the device, much like that of a live targeted collection of computer. The extracted data is output into a readable format.
The typical data available via a logical extraction are call logs, SMS (Short Messaging Service, commonly known as text messages), MMS (Multimedia Messaging Service, which are generally text messages with attachments or group text messages), images, videos, audio files, contacts, calendars and application data. It is possible to specify specific categories to collect, such as only SMS and MMS, but you cannot specify particular items in that category to only export. For example you can choose to extract SMS data, but all SMS will be collected not just conversations between specific people or phone numbers. All the data exported in these categories will be live data and will not have the possibility of containing any deleted data.
What is a Filesystem Extraction?
The next step up in extraction abilities is a filesystem extraction. The primary differentiator between logical extractions and filesystem extractions is the ability for the forensic tools to access the files on the mobile device’s internal memory directly instead of having to communicate through API’s for each type of data. This direct access allows the forensic tools to extract all files present in the internal memory including database files, system files and logs. Filesystem extractions are useful for examining the file structure, web browsing history and app usage history of a mobile device.
The most important part of a filesystem extraction is the full access to the database files on a mobile device. Numerous applications, such as iMessage, SMS, MMS, Calendar and others, store their information in database files. When a user deletes data that is part of a database, such as SMS, the entry within this database is marked as deleted and is no longer visible to the user. This deleted data remains intact within the database and is recoverable until the database performs routine maintenance and is cleaned up. Once this process occurs the data is no longer recoverable.
What is a Physical Extraction?
The most extensive but least supported extraction method is the physical extraction. Physical extraction is least supported because getting full access to the internal memory of a mobile device is completely dependent upon the operating system and security measures employed by the manufacturer like Apple and Samsung. A physical extraction from a mobile device shares the same basic concept as the physical forensic imaging of a computer hard drive. A physical extraction performs a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This extraction allows for the collection of all live data and also data that has been deleted or is hidden.
By having a bit-by-bit copy, deleted data can be potentially recovered .This means that data that resides outside of the active user data and database files, such as: images, videos, installed applications, location information, emails, and more are able to be extracted and deleted versions of these items may be recovered as well.
Driven by the continued advancements in mobile technology, more and more people are using mobile devices as a primary work tool. The need for a BYOD policy or to collect these devices for eDiscovery and compliance purposes will continue to grow. Understanding the key differences in mobile device extraction methods can help prepare your team for the nuances of mobile discovery.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted January 18, 2018
5 Expert Predictions for the eDiscovery Industry in 2018
Posted January 17, 2018
Get Your Passport to GDPR Success - LegalTech New York 2018
Posted January 11, 2018
Is Your Organization Vulnerable to a Cyber Attack? 3 Steps to Put Your Mind at Ease
Posted January 04, 2018
How the EU and China Plan to Deal with Multinational Data
Posted December 28, 2017
How to Navigate International Data Privacy Laws for eDiscovery
Posted December 21, 2017
Cross-Border eDiscovery: An Introduction to Cultural and Legal Obstacles
Posted December 14, 2017
Webinar Q&A Featuring Panelists from Special Counsel and Brainspace
Posted November 30, 2017
Help Your Employees Find the Information They Need with Machine Learning
Posted November 22, 2017
How to Use Managed and Prioritized Workflows to Reduce the Cost of Review [On-Demand Webinar]
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review