Mobile Forensics: Data Acquisition
Data acquisition in mobile forensics involves massive amounts of data: call logs, files, chats, messages, GPS locations, browser history, etc.
Data Acquisition Challenges
- The real challenge is to maintain the integrity of this data while acquiring it for analysis.
- Another challenge is to recover the deleted and obsolete data from a mobile device.
To address these issues, let's look at the current techniques for data acquisition in mobile forensics.
Data Acquisition Techniques
Logical acquisition acquires bit-by-bit copies of logical storage objects from their allocated space. Slack space cannot be acquired, so logical data acquisition cannot overcome the challenge of obtaining deleted data.
It works best on unrooted mobile phones.
To start with logical data acquisition, the USB debugging mode needs to be enabled.
On unrooted devices, the ADB daemon runs with shell permissions, so the files containing evidence are not easily accessible. However, some data that is not encrypted and other files such as browser history, device information, etc., can be extracted.
If you have root privileges, this method can be used to extract evidential files for Mobile Forensics.
For the steps involved in this technique, see our previous article.
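The ADB-based logical pull described above, combined with the integrity requirement from the challenges list, as an added example that is not code from the original article or from any tool it mentions. The function names, the case-directory layout and the file names are assumptions; the hashes show that the working copy has not changed since acquisition.

```shell
#!/bin/sh
# Added example: logical pull over ADB with a SHA-256 manifest for integrity.
# Function names, the case-directory layout and file names are assumptions.

# Write "hash  ./relative/path" for every file under $1 into manifest file $2.
build_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$2"
}

# Re-hash $1 and compare with manifest $2. Returns non-zero and prints the
# differing lines if a file was modified, removed or added since acquisition.
verify_manifest() {
    tmp=$(mktemp) || return 2
    rc=0
    build_manifest "$1" "$tmp" && diff "$2" "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Pull device path $2 from the device with serial $1 into case directory $3.
# Requires USB debugging; on an unrooted device only shell-readable paths work.
acquire() {
    serial=$1 remote=$2 case_dir=$3
    mkdir -p "$case_dir/evidence" || return 1
    adb -s "$serial" shell getprop > "$case_dir/evidence/getprop.txt" || return 1
    adb -s "$serial" pull -a "$remote" "$case_dir/evidence/" || return 1
    build_manifest "$case_dir/evidence" "$case_dir/manifest.sha256" || return 1
    chmod -R a-w "$case_dir/evidence"   # write-protect the working copy
}

# Usage: sh acquire.sh <serial> <device-path> <case-dir>
if [ "$#" -eq 3 ]; then
    acquire "$@"
fi
```

Keep the manifest outside the evidence directory, as `acquire` does, so that it is not hashed along with the evidence.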
The backup analysis method makes use of the backup image obtained from the phone for the investigation. Some phones utilize backup options like SD Card and Cloud Storage.
AFLogical is an Android forensics logical technique that is free for law enforcement and government agencies. It’s open-source and available on GitHub. It can extract data from SMS, Contacts, and Calendar applications on your phone.
Among all these techniques, Automatic Logical Extraction, a feature provided by SPF Pro (SmartPhone Forensic System Professional), is the easiest way to carry out logical data acquisition. The process is completely automatic and takes place in a few simple steps provided on the product page.
Physical acquisition is done by creating bit-by-bit copies of the physical storage. It helps in extracting the deleted data along with the other content present on the phone.
However, you need root-level access to the device to have complete control, and rooting a phone can be problematic since it modifies the data present on the device.
We don't recommend that anyone without deep mobile forensics knowledge apply this technique. Instead, request a mobile forensics service from an expert digital forensic solution provider when you do need to apply physical acquisition.
Hardware-based physical acquisition
- Hardware components are removed physically from the device.
- Connected hardware is used with the device to extract data.
This method works on unrooted devices when performed by a professional forensic examiner.
Following are the two methods of hardware-based data acquisition:
- JTAG (Joint Test Action Group) is a physical data acquisition method that connects to the TAPs (standard test access ports) on a device to transfer the raw data directly from the memory chips to the connected hardware.
- ChipOff requires the physical removal of NAND chips to extract data. It is not a recommended procedure since it can result in damaged chips.
Software-based physical acquisition
Software-based acquisition doesn't cause any physical harm to the device. However, root privileges are required, and USB debugging must be enabled.
Hardware components are not removed; hence the device stays in its original condition.
As complicated as the process of acquiring data sounds, the market is flooded with various open-source and proprietary mobile forensics tools that help in the easier acquisition of mobile data for Forensic Investigators.
Mobile forensic tools like SPF Pro (SmartPhone Forensic System Professional) have made the process of data extraction easier than it has ever been. You can not only extract but also recover data in a forensically sound manner without any hassle.
Automatic Logical Extraction is an excellent feature of SPF Pro that doesn't require an experienced forensic investigator to recover the data from a mobile device.