The acquisition phase

The acquisition phase refers to extraction of data from the device. Due to the inherent security features of mobile devices, extracting the data is not always straightforward. The extraction method is decided largely depending on the operating system, make, and model. The following are the types of acquisition methods that can be used to extract data from a device:

  • Manual acquisition is the simplest of all of the acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only the files and data visible through the normal user interface can be extracted. Data extracted through other methods can also be verified using this. It should be noted that this option can very easily modify data on the device (for instance, opening an unread SMS will mark it as read), so these changes should be documented as thoroughly as possible.
  • Logical acquisition, also called logical extraction, generally refers to extracting the files that are present on a logical store such as a file system partition. This involves obtaining data types such as text messages, call history, and pictures from a phone. The logical extraction technique works by using the original equipment manufacturer Applications Programming Interfaces (APIs) for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:
    • Call logs
    • SMS
    • MMS
    • Browser history
    • People
    • Contact methods
    • Contacts extensions
    • Contacts groups
    • Contacts phones
    • Contacts setting
    • External Image Media (metadata)
    • External Image Thumbnail Media (metadata)
    • External Media, Audio, and Misc. (metadata)
    • External Videos (meta data)
    • MMSParts (includes full images sent via MMS)
    • Location details (GPS data)
    • Internet activity
    • Organizations
    • List of all applications installed and their versions
    • Social networking app data such as WhatsApp, Skype, and Facebook
  • File System acquisition is a logical procedure and generally refers to the extraction of a full file system from a mobile device. File system acquisition can sometimes help in recovering the contents (stored in SQLite files) that are deleted from the device.
  • Physical acquisition involves making a bit-for-bit copy of an entire flash storage device, equivalent to a full image of a hard drive. The data extracted using this method is usually in the form of raw data (as a hexadecimal dump) that can then be further parsed to obtain file system information or human-readable data. Since all investigations are performed on this image, this process also ensures that an original evidence is not altered.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.222.47