Manual extraction
This method involves simply scrolling through the data on the device and viewing it
directly through the device's keypad or touchscreen. The information discovered is then
photographically documented. The extraction process is fast and easy to use, and will
work on almost every phone. This method is prone to human error, such as missing certain
data due to unfamiliarity with the interface. At this level, it is not possible to recover
deleted information or to grab all the data. There are some tools that have been developed
to help an examiner document a manual extraction easily.
Logical extraction
Logical extraction involves connecting the mobile device to forensic hardware or to a
forensic workstation via a USB cable, RJ-45 cable, infrared, or Bluetooth. Once connected,
the computer initiates a command and sends it to the device, where it is interpreted
by the device processor. Next, the requested data is read from the device's memory
and sent back to the forensic workstation. Later, the examiner can review the data. Most
of the forensic tools currently available work at this level of the classification system. The
extraction process is fast, easy to use, and requires little training for the examiners. On the
flip side, the process may write data to the mobile device and might change the integrity of
the evidence. In addition, deleted data is almost never accessible.
Hex dump
A hex dump, also referred to as a physical extraction, is achieved by connecting the
device to the forensic workstation, pushing unsigned code or a bootloader into the
phone, and instructing the phone to dump its memory to the computer. Since
the resulting raw image is in binary format, technical expertise is required to analyze it.
The process is inexpensive, provides more data to the examiner, and allows the recovery
of deleted files from the device's unallocated space on most devices.
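The analysis step described for a hex dump can be illustrated with a small carving routine; this is an added example, not code from the original text. It scans a raw image for SQLite database headers (a store commonly used for messages and contacts on phones) and hashes each carved region; the function names and the sample image are constructed for illustration, and the code assumes each database is stored contiguously.

```python
import hashlib
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database file


def carve_sqlite(image: bytes):
    """Find SQLite databases in a raw image.

    Returns a list of (offset, page_size, page_count, sha256_hex).
    Assumes each database is stored contiguously and that the in-header
    page count is populated; fragmented or very old files need more work.
    """
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        header = image[pos:pos + 100]  # the SQLite file header is 100 bytes
        if len(header) == 100:  # skip a signature cut off by the end of the image
            page_size = struct.unpack(">H", header[16:18])[0]
            if page_size == 1:  # the format stores 65536 as 1
                page_size = 65536
            page_count = struct.unpack(">I", header[28:32])[0]
            power_of_two = page_size & (page_size - 1) == 0
            end = pos + page_size * page_count
            if page_size >= 512 and power_of_two and 0 < page_count and end <= len(image):
                digest = hashlib.sha256(image[pos:end]).hexdigest()
                hits.append((pos, page_size, page_count, digest))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed test image: erased flash (0xFF), one 2-page database, a truncated signature."""
    header = bytearray(100)
    header[0:16] = SQLITE_MAGIC
    header[16:18] = struct.pack(">H", 512)  # page size
    header[28:32] = struct.pack(">I", 2)    # database size in pages
    database = bytes(header) + b"\x00" * (2 * 512 - 100)
    return b"\xff" * 4096 + database + b"\xff" * 2048 + SQLITE_MAGIC + b"\x00" * 10


if __name__ == "__main__":
    image = build_sample_image()
    print("image sha256:", hashlib.sha256(image).hexdigest())  # record before analysis
    for offset, page_size, page_count, digest in carve_sqlite(image):
        print(f"offset={offset} page_size={page_size} pages={page_count} sha256={digest}")
```

Hashing the whole image before analysis and each carved region afterwards lets the examiner show that the working copy and the recovered files were not altered during examination.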
Chip-off
Chip-off refers to the acquisition of data directly from the device's memory chip. At this
level, the chip is physically removed from the device and a chip reader or a second phone
is used to extract data stored on it. This method is more technically challenging, as a wide
variety of chip types are used in mobile devices. The process is expensive and requires
hardware-level knowledge, as it involves de-soldering and heating the memory chip. Training
is required to successfully perform a chip-off extraction. Improper procedures may damage
the memory chip and render all data unsalvageable. When possible, it is recommen-