3 POPULAR MOBILE DATA EXTRACTION METHODS
Currently, there are three popular and highly effective types of mobile data extraction: logical extraction, file system extraction, and physical extraction. The feasibility of each of these three methods depends on the make, model, and operating system of the mobile device.
1. What is logical extraction?
This is the fastest and most widely supported extraction method, but it also has the most limitations. In a logical extraction, forensic tools communicate with the mobile device's operating system through APIs (Application Programming Interfaces), which specify how software components interact, and use them to request data from the system. This process allows most of the data to be collected directly on the device, much like a directly targeted computer collection. The extracted data is exported into a readable format.
Typical data types obtained through logical extraction are call logs, SMS, MMS (Multimedia Messaging Service, usually text messages with attachments or group text messages), images, videos, audio files, contacts, calendar, and app data. Specific categories can be selected for collection, such as SMS and MMS only. For example, if you choose to extract SMS data, all SMS messages will be collected, including every conversation between people or phone numbers on the device. All data extracted in these categories is live data; deleted data cannot be extracted.
2. What is file system extraction?
The next step up in extraction capability is file system extraction. The key difference between logical extraction and file system extraction is that forensic tools can access files on the mobile device's internal storage directly instead of having to go through an API for each piece of data. This direct access allows forensic tools to extract all files present in internal storage, including database files, system files, and logs. Extracting the file system is useful for examining the file structure, browsing history, and application usage history of a mobile device.
The most important part of file system extraction is full access to the database files on the mobile device. Many applications, such as iMessage, SMS, MMS, Calendar, and others, store their information in database files. When a user deletes data that is part of a database, such as an SMS, the entry in the database is marked as deleted and is no longer visible to the user. This deleted data remains intact in the database and can be recovered until the database undergoes its periodic maintenance and the data is removed in its entirety. Once this process occurs, the data can no longer be recovered.
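The deleted-but-recoverable behaviour described above can be reproduced on a scratch database. This is an added example, not part of the original article; it assumes the database format is SQLite (the article does not name one), and the file name, table layout, and message contents are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample message body; unique so it can be searched for in raw bytes.
MARKER = "CONSTRUCTED-DELETED-SMS-0042"


def marker_in_file(path):
    """Search the raw database file, as a file system extraction would see it."""
    with open(path, "rb") as fh:
        return MARKER.encode() in fh.read()


def demo():
    path = os.path.join(tempfile.mkdtemp(), "sms_sample.db")  # hypothetical name
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    # Some SQLite builds zero freed space by default; turn that off explicitly
    # so the result reflects the behaviour the article describes.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO message (address, body) VALUES (?, ?)",
        [("+15550100", "see you at 6"), ("+15550101", MARKER), ("+15550102", "ok, thanks")],
    )
    con.execute("DELETE FROM message WHERE body = ?", (MARKER,))
    result = {
        # What the user (or an API-based logical extraction) sees.
        "rows_visible_after_delete": con.execute(
            "SELECT COUNT(*) FROM message WHERE body = ?", (MARKER,)
        ).fetchone()[0],
        "in_file_after_delete": marker_in_file(path),
    }
    con.execute("VACUUM")  # maintenance: the file is rebuilt from live rows only
    result["in_file_after_vacuum"] = marker_in_file(path)
    con.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The query returns no rows after the delete, yet the message text is still present in the file's bytes until the maintenance step rewrites the file.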
3. What is physical extraction?
The most widely used but least supported extraction method is physical extraction. It is the least supported because full access to the mobile device's internal storage depends entirely on the operating system and on the security measures used by manufacturers such as Apple and Samsung. Physical extraction from a mobile device shares the same basic concept as a physical forensic image of a computer hard drive: it performs a bit-by-bit copy of the entire contents of the mobile device's flash memory. This extraction makes it possible to collect all live data as well as deleted or hidden data.
Because the copy is made bit by bit, deleted data can be recovered. This means that data outside of active user data and database files, such as images, videos, installed apps, location information, and emails, can be exported, and deleted versions of these items can also be restored.