Data acquisition methods
Data acquisition is the process of imaging or otherwise extracting information from a
digital device and its peripheral equipment and media. Acquiring data from a mobile phone
is not as simple as a standard hard drive forensic acquisition. The following points break
down the three types of forensic acquisition methods for mobile phones: physical, logical,
and manual. These methods may have some overlap with a couple of levels discussed in
the mobile forensics tool leveling system. The amount and type of data that can be
collected will vary depending on the type of acquisition method being used.
Physical acquisition
Physical acquisition of mobile phones is performed using mobile forensic tools and
methods. Physical extraction acquires information from the device by direct access to the
flash memory. The process creates a bit-for-bit copy of an entire file system, similar to the
approach taken in computer forensic investigations. A physical acquisition is able to acquire
all of the data present on a device, including deleted data, and provides access to
unallocated space on most devices.
Logical acquisition
Logical acquisition of mobile phones is performed using the device manufacturer's
application programming interface for synchronizing the phone's contents with a computer.
Many of the forensic tools perform a logical acquisition. However, the forensic analyst
must understand how the acquisition occurs and whether the mobile device is modified in
any way during the process. Depending on the phone and forensic tools used, all or some of
the data is acquired. A logical acquisition is easy to perform, but it recovers only the files
on a mobile phone and does not recover data contained in unallocated space.
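
The coverage difference between the physical and logical methods described above can be checked by comparing file manifests from both acquisitions of the same device. This is an added example, not from the original text; the manifest layout (path, SHA-256 digest, allocated flag), the paths and the file contents are constructed assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical paths and contents).
# Physical manifest: path -> (sha256, allocated?), as parsed from the bit-for-bit image.
PHYSICAL = {
    "/data/sms.db": (sha256(b"sms-v1"), True),
    "/data/contacts.db": (sha256(b"contacts-v1"), True),
    "/data/cache/thumb.jpg": (sha256(b"thumb"), True),
    # Deleted file recovered from unallocated space.
    "/data/notes_old.txt": (sha256(b"old note"), False),
}
# Logical manifest: path -> sha256, as returned by the synchronization interface.
LOGICAL = {
    "/data/sms.db": sha256(b"sms-v2"),  # content changed between the two acquisitions
    "/data/contacts.db": sha256(b"contacts-v1"),
}

def cross_validate(physical, logical):
    """Classify every file by how the two acquisitions agree or differ."""
    report = {
        "matched": [],                         # same path, same digest
        "hash_mismatch": [],                   # same path, content differs
        "deleted_only_in_physical": [],        # expected: logical cannot see these
        "allocated_missing_from_logical": [],  # live file the interface did not expose
        "only_in_logical": [],                 # unexpected: needs explanation
    }
    for path, (digest, allocated) in sorted(physical.items()):
        if path not in logical:
            key = ("allocated_missing_from_logical" if allocated
                   else "deleted_only_in_physical")
        elif logical[path] == digest:
            key = "matched"
        else:
            key = "hash_mismatch"
        report[key].append(path)
    report["only_in_logical"] = sorted(set(logical) - set(physical))
    return report

if __name__ == "__main__":
    for category, paths in cross_validate(PHYSICAL, LOGICAL).items():
        print(f"{category}: {paths}")
```

A hash mismatch on a live file is the category to document first, since it shows the device contents changed between or during the acquisitions.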
Manual acquisition
With mobile phones, physical acquisition is usually the best option, and logical acquisition
is the second-best option. Manual extraction should be the last option when performing the
forensic acquisition of a mobile phone. Both logical and manual acquisition can be used to
validate findings in the physical data. During manual acquisition, the examiner utilizes the
user interface to investigate the contents of the phone's memory. The device is used
normally through a keypad or touchscreen and menu navigation, and the examiner takes
pictures of each screen's contents. Manual extraction introduces a greater degree of risk in the