Mobile Phone Forensics: Logical and File System Data Acquisition for Mobile Devices
There are different methods of data extraction from mobile devices. Some data acquisition methods are more ‘forensically sound’, more invasive and more technical, and therefore require more analysis time from a specially trained forensic examiner.
Mobile device forensics applies computer-investigation techniques to mobile phones, tablet computers and e-readers in order to preserve and analyse electronic data. These mobile devices are used on the internet for criminal and terrorist acts, and as such these acts threaten personal, company, national and international security. Computer forensics experts can trace, recover and acquire digital information, which can then be used as evidence in court proceedings.
A logical data acquisition from a mobile device means that a bit-for-bit copy of ‘logical storage objects’ is extracted. Logical storage objects include files and directories that reside on logical storage (the file system). The data extraction tool communicates with, and requests information from, the mobile device’s operating system. A logical extraction retrieves data through the manufacturer’s original API (application programming interface), the same interface a user would normally rely on to synchronise the mobile device’s data with a computer.
The data is extracted via the mobile device’s operating system using a known set of commands, such as AT commands. Logical data acquisition has the advantage that it is much easier for forensic tools to extract system data structures and present this data to the forensic examiner in an organised form. A logical extraction is usually easier for a forensic examiner to work with, as this method of data acquisition does not produce a memory dump (a binary blob) from the mobile device. A trained forensic examiner will, however, be able to extract far more information from a physical extraction of a mobile device.
File System Acquisition
A logical data acquisition will not normally return any deleted data, as the mobile device’s file system no longer reports it. Mobile devices running popular operating systems such as Android and iOS store much of their application data in SQLite databases. When data is deleted from a SQLite database on a mobile device, the data is not overwritten: it is usually only marked as deleted and its space made available to be overwritten at a later time.
This means that if a file system data acquisition is available through a mobile device’s synchronisation interface, it will be possible to recover deleted data from SQLite databases. A file system extraction from a mobile device also has the advantage of showing the file structure, application data and web artifacts, as well as allowing the forensic examiner to perform the analysis using tailored tools and scripts.
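As an added example (not part of the original article or CCL Group’s tooling), the following Python script builds a small constructed SQLite database of the kind a messaging app might keep, deletes one row through the normal API, and then shows that the deleted message body still survives in the raw database file, which is what a file system acquisition hands to the examiner and a logical acquisition does not. The table name, column names and message text are all constructed for the demonstration.

```python
import os
import re
import sqlite3
import tempfile


def build_sample_db(path):
    """Constructed sample: a chat-style 'messages' table with one row deleted."""
    con = sqlite3.connect(path)
    # secure_delete=OFF is the common default; made explicit so the demo is
    # independent of how the local SQLite library was compiled.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("PRAGMA journal_mode = DELETE")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", [
        ("alice", "meet at the usual place at nine"),
        ("bob", "this message was removed by the user before seizure"),
        ("carol", "did you receive the files I sent"),
    ])
    con.commit()
    # The user 'deletes' a message: SQLite only unlinks the cell and adds its
    # space to the page's freeblock list; the bytes are not wiped.
    con.execute("DELETE FROM messages WHERE sender = 'bob'")
    con.commit()
    con.close()


def live_rows(path):
    """What a logical (API-level) acquisition would see."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    con.close()
    return rows


def carve_strings(path, min_len=12):
    """Scan the raw file bytes for printable ASCII runs, ignoring the API entirely."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]


def demo():
    """Build the sample and return (rows visible via API, strings carved from raw file)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        return live_rows(path), carve_strings(path)


if __name__ == "__main__":
    live, carved = demo()
    print("rows visible through the SQLite API:", live)
    print("deleted body still present in raw file:",
          any("removed by the user" in s for s in carved))
```

The same raw-byte scan is what freeblock and unallocated-page carving tools do more carefully; on a real handset the recovered text may be partially overwritten if the app has written to that page since the deletion.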
For more information on computer forensics or digital forensics, please call us on 01789 261200 or email email@example.com, or check out http://www.cclgroupltd.com/digital-forensics/.
Nathan is a digital forensics specialist at CCL Group, the UK’s leading supplier of digital forensics, including computer forensics, mobile phone forensics and cell site analysis services. For more information visit www.cclgroupltd.com