Mobile Acquisition Types¶
Types of Acquisition¶
- The acquisition phase refers to the extraction of data from the device.
- Due to the inherent security features of mobile devices, extracting data is not always straightforward.
- Depending on the operating system, make, and model of the device, the extraction method is decided
[Diagram — add to assets/ if available]
Manual Acquisition¶
Visually inspecting the device and manually recording data displayed on the screen (e.g., taking screenshots or photographing messages).
- Phone State - Unlocked and fully operational
- Data Obtained - Visible contacts, Messages, Call logs, Photos in gallery, App data visible through UI
- Data extracted through other methods can also be verified using this.
- Not forensically sound, deleted data would be missing
Logical Acquisition¶
- Extracts data through the OS using standard APIs (e.g., via backup services, Android Debug Bridge (ADB), or Apple iTunes backups).
- Phone State Required: Unlocked and USB Debugging/Backup access enabled
- Data Obtained: Contacts, Messages (SMS/MMS), Call logs, Photos and videos, App data (depending on OS permissions), Calendar, notes, browser history
- Limitation- No deleted data, No access to file system structure or hidden/system files, Limited app data
File System Acquisition¶
- Extracts the file system structure, including databases and internal app files. More detailed than logical.
- Phone State Required: Unlocked (ideally in AFU - After First Unlock state)
- Data Obtained: Everything from logical acquisition + SQLite databases, App directories, System logs
- may not get deleted data or unallocated space,
- May need root/jailbreak for full access on some platforms
Physical Acquisition¶
- Bit-by-bit image of the entire storage, including unallocated space.
- Phone State Required: Often needs bootloader unlocked, rooted, or jailbroken state. Can work in BFU state in rare cases (e.g., some Android devices)
- Data Obtained:Everything from file system acquisition, + Deleted files and System partitions, Hidden, encrypted, or unallocated space, Malware or spyware not visible in OS
- Limitations:Hard to perform on modern devices due to encryption. Not always possible without exploits