Mobile Forensic Images and Acquisition Priorities

Recently, I gave a talk at the Magnet Virtual Summit on “Mobile Forensic Images, Getting the Right Data”. As part of that presentation I shared a couple of key pieces of information regarding device conditions, types of mobile acquisitions, and proposed workflows for different data. I wanted to share some of that information here for reference.

Mobile Acquisition Possibilities

There are multiple types of potential acquisitions available from mobile devices. The ability to obtain a particular type of acquisition will depend on the make, model, and operating system of the mobile device, as well as the tools available to the lab. These mobile acquisitions include Full File System, Physical, Logical, After First Unlock (AFU), Before First Unlock (BFU), Manual, and System/Crash Logs.

Figure 1: Various Mobile Acquisitions

Device Conditions

There are 3 major device conditions that will dictate what acquisition order an examiner may want to take: Off, On and Unlocked, and On and Locked.

Figure 2: Three device conditions

Different Acquisitions

Let’s define some of the different acquisitions as they pertain to mobile as these definitions are different than the traditional acquisition types found in computer forensics:

  • Full File System Image is a process that requests active files and folders from the file system, which may contain remnants of deleted data and non-user data. This is the most complete acquisition from modern smartphones.

  • Physical Image is data pulled directly from a connection to the device storage area. This acquisition method is less common on newer smartphones but is still possible on Internet of Things devices and many older phones.

  • Logical Image is requested file data as interpreted by the operating system. This would include acquisition techniques such as backups and .apk downgrades. 

  • Before First Unlock (BFU) describes a device in the ON state that has NOT been UNLOCKED since the last BOOT. Some commercial tools are able to obtain a partial file system image in this state. 

  • After First Unlock (AFU) describes a device in the ON state that has been UNLOCKED since the last BOOT. Some commercial tools are able to obtain a partial file system image in this state. 

Proposed Workflows

Device Off

Figure 3: Workflow for a mobile device in the OFF condition

Device On and Unlocked

Figure 4: Initial steps for a mobile device in the ON and UNLOCKED condition

Figure 5: Continued workflow for a mobile device ON and UNLOCKED condition

Device On and Locked

Figure 6: Workflow for mobile device in ON and LOCKED condition

Individual lab procedures, policies, and capabilities will dictate the right workflow for your organization. If you want to learn more about mobile forensic fundamentals and analysis, we invite you to look at our Hexordia Mobile Forensics Analysis (HMFA) Course.

Registration is open for our Virtual Live Mobile Forensics Analysis Course!
