Prioritizing Acquisition and Image of Mobile Forensic Images

Mobile Forensic Jay Ravtole todayMarch 26, 2024

Background
share close

Mobile Acquisition Possibilities

Mobile devices provide a variety of possible acquisition opportunities. The capacity to collect a specific sort of acquisition will be determined by the mobile device’s make/model/operating system, as well as the lab’s accessible instruments. The mobile acquisitions include Full File System, Physical, Logical, After First Unlock (AFU), Before First Unlock (BFU), Manual, and System/Crash Logs.

What Kind of Acquisitions Exist

Figure 1: Various Mobile Acquisitions

Device Conditions

There are three key device conditions that will determine what acquisition sequence an examiner should take: Off, On and Unlocked, and On and Locked.

Figure 2: Three device conditions

Different Acquisitions

Let us define some of the various acquisitions as they pertain to mobile, as these definitions differ from the typical acquisition kinds found in Mobile Forensics.

  • Physical images are data obtained directly via a connection to the device’s storage space. This acquisition method is less frequent on modern smartphones, but it is still available on Internet of Things devices and many older phones.
  • Full File System Image is a process that requests active files and folders from the file system, which may contain deleted or non-user data. This is the most thorough acquisition of current smartphones.
  • The logical image represents the requested file data as understood by the operating system. This would include acquisition methods like backups and.apk downgrades.
  • Before First Unlock (BFU) refers to a device in the ON state that has not been UNLOCKED since the last BOOT. Some commercial tools can extract a partial file system image in this form.
  • After First Unlock (AFU) refers to a device in the ON state that has been UNLOCKED since the last BOOT. Some commercial tools can extract a partial file system image in this form.

Proposed Workflows

Device Off

Figure 3: Workflow for a mobile device in the OFF condition

Device On and Unlocked

Figure 4: Initial steps for a mobile device in the ON and UNLOCKED condition

Figure 5: Continued workflow for a mobile device ON and UNLOCKED condition

Device On and Locked

Figure 6: Workflow for mobile devices in ON and LOCKED condition

If you want to learn more about mobile forensic foundations and analysis, we recommend our HEF Certified Cyber Forensic Investigator (HEF-CCFi) training.

Written by: Jay Ravtole

Tagged as: .

Rate it

Previous post

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *


Open chat
Hello
Can we help you?