What Are the Different Data Extraction Methods for Mobile Devices?
For several decades, pulling forensically sound data from cell phones, smartphones, and other personal devices was virtually impossible. Now, mobile forensic analysts can extract live data from these electronics and recover deleted passwords and files.
Whether your law firm needs to extract pertinent information from a cell phone, tablet, GPS unit, memory card, or another personal device, our ESI specialists are experts at retrieving mobile data. We use three methods for gathering information from mobile devices: logical extraction, filesystem extraction, and physical extraction.
An Explanation of Logical Extraction
Logical extraction is the process of pulling valuable information from a cell phone, tablet, or another mobile device by communicating with the device’s operating system using an Application Programming Interface (API). Extracting data this way is easier and less time-consuming than the other extraction methods. However, the logical extraction method cannot recover deleted data or be used on locked devices.
If our digital forensics experts determine logical extraction will work on the mobile device related to your case, we will use this process to extract data such as call and text logs, passwords for active social media accounts, saved photos and videos, and IMEI and ESN data. We’ll ensure the data is preserved in its original state and is admissible in court.
An Overview of Filesystem Extraction
The filesystem extraction process is very similar to the logical extraction process. The main difference is that filesystem extractions do not require an API to access files on the mobile device’s internal memory. Because this method allows direct access to the internal memory, forensic investigators can pull all files from the memory, including database and system files. This extraction method is helpful for analyzing file structure, web browsing history, and app usage.
A filesystem extraction could help recover deleted data that was part of a database, such as iMessages or Calendar events. The data is marked as deleted in the database so that it is no longer visible to the user. However, for a short period of time, the information is still intact and can be recovered. Once the database performs routine maintenance, the data will no longer be recoverable with filesystem extraction.
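The window described above can be reproduced on a scratch database. This is an added example, not part of the original page or any vendor tool: it assumes a SQLite store (the page does not name the database engine), uses a constructed `message` table and marker string, and uses `VACUUM` as a stand-in for the routine maintenance the page mentions.

```python
import os
import sqlite3
import tempfile

# Constructed sample content; not taken from any real device.
MARKER = b"constructed-sample-message-7731"


def deleted_row_lifecycle(db_path):
    """Return {stage: (visible_to_user, bytes_in_file)} for three stages."""
    def snapshot(con):
        visible = con.execute(
            "SELECT COUNT(*) FROM message WHERE body = ?", (MARKER.decode(),)
        ).fetchone()[0] > 0
        with open(db_path, "rb") as fh:  # what a filesystem extraction copies
            raw = MARKER in fh.read()
        return visible, raw

    # Autocommit, so every statement reaches the file before it is read back.
    con = sqlite3.connect(db_path, isolation_level=None)
    # Assumption: rollback-journal mode with secure_delete off, so freed cells
    # are not zeroed. With secure_delete on, content is wiped at delete time.
    con.execute("PRAGMA journal_mode = DELETE")
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO message (body) VALUES (?)",
        [("first kept row",), (MARKER.decode(),), ("last kept row",)],
    )
    stages = {"live": snapshot(con)}

    con.execute("DELETE FROM message WHERE body = ?", (MARKER.decode(),))
    stages["deleted"] = snapshot(con)   # hidden from queries, still on disk

    con.execute("VACUUM")               # stand-in for routine maintenance
    stages["vacuumed"] = snapshot(con)  # file rebuilt without the freed cell
    con.close()
    return stages


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return deleted_row_lifecycle(os.path.join(tmp, "messages.db"))


if __name__ == "__main__":
    for stage, (visible, raw) in run_demo().items():
        print(f"{stage:9} visible_to_user={visible!s:5} bytes_in_file={raw}")
```

The middle stage is the recoverable window: the row no longer appears in queries, yet its bytes are still in the file that a filesystem extraction would copy.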
A Review of Physical Extraction
Physical extraction is a more complex method than logical extraction, but it returns more results. Specifically, this method is useful for recovering hidden or deleted information on mobile devices. Tools used during this process will create bit-for-bit replicas of the content on the flash memory to offer a clear picture of the digital evidence.
Using boot loaders, a UFED (Universal Forensic Extraction Device) can bypass system locks and passcodes to pull deleted passwords, files, photos, videos, text messages, call logs, GPS tags, and more. The best part about a physical extraction is that there are no signs of an investigation left behind after the extraction is complete. The data is left forensically intact and untampered to ensure the investigation is not compromised.
Hire e-Discovery Professionals Today
Mobile devices are increasingly used for personal and work purposes. As their uses continue to grow, the need for e-Discovery practices also increases. If your company or law firm needs assistance with the mobile discovery process, the experts at Cornerstone Discovery are ready to help.
We’ll help you understand the differences between the mobile device extraction methods and ensure the data you need is extracted properly. We can even help you with trial support services. Contact our team today to learn more about extracting data from mobile devices.