Posted on: March 03, 2016in Blog
3 Methods of Mobile Device Extractions and the Data Each Contains
This post defines logical, filesystem, and physical mobile device extractions, and explains the type of ESI each one retrieves; i.e. deleted vs active data.
There are three types of extractions that may be performed on a mobile device: logical, filesystem, and physical. The feasibility of these three types of extractions depends upon the make, model and operating system of the mobile device.
What is a Logical Extraction?
The quickest and most supported extraction method, but also the most limited, is a logical extraction. In a logical extraction, the forensic tools communicate with the operating system of the mobile device using an API (Application Programming Interface), which specifies how software components interact. The forensic tools use these API’s to communicate with the mobile device’s operating system and request the data from the system. This process allows for the acquisition of most of the live data on the device, much like that of a live targeted collection of computer. The extracted data is output into a readable format.
The typical data available via a logical extraction are call logs, SMS (Short Messaging Service, commonly known as text messages), MMS (Multimedia Messaging Service, which are generally text messages with attachments or group text messages), images, videos, audio files, contacts, calendars and application data. It is possible to specify specific categories to collect, such as only SMS and MMS, but you cannot specify particular items in that category to only export. For example you can choose to extract SMS data, but all SMS will be collected not just conversations between specific people or phone numbers. All the data exported in these categories will be live data and will not have the possibility of containing any deleted data.
What is a Filesystem Extraction?
The next step up in extraction abilities is a filesystem extraction. The primary differentiator between logical extractions and filesystem extractions is the ability for the forensic tools to access the files on the mobile device’s internal memory directly instead of having to communicate through API’s for each type of data. This direct access allows the forensic tools to extract all files present in the internal memory including database files, system files and logs. Filesystem extractions are useful for examining the file structure, web browsing history and app usage history of a mobile device.
The most important part of a filesystem extraction is the full access to the database files on a mobile device. Numerous applications, such as iMessage, SMS, MMS, Calendar and others, store their information in database files. When a user deletes data that is part of a database, such as SMS, the entry within this database is marked as deleted and is no longer visible to the user. This deleted data remains intact within the database and is recoverable until the database performs routine maintenance and is cleaned up. Once this process occurs the data is no longer recoverable.
What is a Physical Extraction?
The most extensive but least supported extraction method is the physical extraction. Physical extraction is least supported because getting full access to the internal memory of a mobile device is completely dependent upon the operating system and security measures employed by the manufacturer like Apple and Samsung. A physical extraction from a mobile device shares the same basic concept as the physical forensic imaging of a computer hard drive. A physical extraction performs a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This extraction allows for the collection of all live data and also data that has been deleted or is hidden.
By having a bit-by-bit copy, deleted data can be potentially recovered .This means that data that resides outside of the active user data and database files, such as: images, videos, installed applications, location information, emails, and more are able to be extracted and deleted versions of these items may be recovered as well.
Driven by the continued advancements in mobile technology, more and more people are using mobile devices as a primary work tool. The need for a BYOD policy or to collect these devices for eDiscovery and compliance purposes will continue to grow. Understanding the key differences in mobile device extraction methods can help prepare your team for the nuances of mobile discovery.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review
Posted November 10, 2017
What You Need to Know About Managed Review and the eDiscovery Process
Posted November 02, 2017
7 Steps to Help You Defensibly Migrate eDiscovery Data
Posted October 27, 2017
CLE Webinar with Lewis Brisbois: How to Do Social Media Collection and Presentation Right
Posted October 26, 2017
Despite Clawback, Defendant’s Reckless Abandon of Rule 502 Bites Back
Posted October 20, 2017
How to Use the eDiscovery PST Export Tool in Office 365 E3
Posted October 12, 2017
Recent eDiscovery Cases for Mobile Phones and Social Media
Posted October 05, 2017
Raising Objections to the Format of ESI Productions: Do it Early and Do it Clearly
Posted September 27, 2017
5 Reasons eDiscovery Alternative Fee Models Make Sense for You
Posted September 22, 2017
Why it's Crucial to Have a Corporate Mobile Device Policy