Skip to content

Mobile Acquisition Types

Types of Acquisition

  • The acquisition phase refers to the extraction of data from the device.
  • Due to the inherent security features of mobile devices, extracting data is not always straightforward.
  • Depending on the operating system, make, and model of the device, the extraction method is decided

[Diagram — add to assets/ if available]

Manual Acquisition

Visually inspecting the device and manually recording data displayed on the screen (e.g., taking screenshots or photographing messages).

  • Phone State - Unlocked and fully operational
  • Data Obtained - Visible contacts, Messages, Call logs, Photos in gallery, App data visible through UI
  • Data extracted through other methods can also be verified using this.
  • Not forensically sound, deleted data would be missing
Logical Acquisition
  • Extracts data through the OS using standard APIs (e.g., via backup services, Android Debug Bridge (ADB), or Apple iTunes backups).
  • Phone State Required: Unlocked and USB Debugging/Backup access enabled
  • Data Obtained: Contacts, Messages (SMS/MMS), Call logs, Photos and videos, App data (depending on OS permissions), Calendar, notes, browser history
  • Limitation- No deleted data, No access to file system structure or hidden/system files, Limited app data
File System Acquisition
  • Extracts the file system structure, including databases and internal app files. More detailed than logical.
  • Phone State Required: Unlocked (ideally in AFU - After First Unlock state)
  • Data Obtained: Everything from logical acquisition + SQLite databases, App directories, System logs
  • may not get deleted data or unallocated space,
  • May need root/jailbreak for full access on some platforms
Physical Acquisition
  • Bit-by-bit image of the entire storage, including unallocated space.
  • Phone State Required: Often needs bootloader unlocked, rooted, or jailbroken state. Can work in BFU state in rare cases (e.g., some Android devices)
  • Data Obtained:Everything from file system acquisition, + Deleted files and System partitions, Hidden, encrypted, or unallocated space, Malware or spyware not visible in OS
  • Limitations:Hard to perform on modern devices due to encryption. Not always possible without exploits