Acquisition Techniques: Physical Extraction vs. Logical Extraction (en)

From OnnoWiki
Revision as of 05:04, 21 October 2024 by Onnowpurbo (talk | contribs) (Created page with "Here's the translated text while retaining the wiki format: == Acquisition Techniques in Mobile Forensics == Acquisition techniques are a crucial initial step in the mobile...")


Acquisition Techniques in Mobile Forensics

Acquisition techniques are a crucial initial step in the mobile forensics process. The goal is to obtain an accurate and complete copy of the data from a mobile device without damaging the original data. There are several acquisition methods, but we will further discuss *physical* and *logical extraction*.

Physical Extraction

  • Definition:

Physical extraction is the process of obtaining a bit-by-bit copy of all data present on a mobile device, including deleted or hidden data. This method provides the most complete picture of the device's condition at the time of acquisition.

  • Process:

1. Preparation:

  • Secure the mobile device to prevent data alteration.
  • Connect the device to the forensic tool through a write blocker so that nothing is written back to the device.
  • Select the type of image to be created (raw, sparse, etc.).

2. Acquisition:

  • The forensic tool will read all sectors on the device's storage media (e.g., internal storage, SD card) and create an exact copy.

3. Verification:

  • Calculate the hash value of the generated image and compare it with the hash value from the original device to ensure data integrity.


  • Advantages:
    • Obtains the most complete data.
    • Can recover deleted data.
    • Suitable for cases requiring in-depth analysis.


  • Disadvantages:
    • The process takes longer compared to logical extraction.
    • Requires specialized forensic tools.

Logical Extraction Using Ubuntu

  • Definition:

Logical extraction is the process of obtaining a copy of data that can be accessed by the mobile device's operating system. This method is faster than physical extraction but does not provide as complete a picture as physical extraction.

  • Process:

1. Preparation:

  • Connect the mobile device to a computer running Ubuntu.
  • Install the necessary drivers.
  • Install forensic tools such as Autopsy or The Sleuth Kit.

2. Acquisition:

  • Use forensic tools to access the mobile device's file system.
  • Copy the data to be analyzed to the computer.
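The two procedures described above (the physical acquisition with hash verification, and the logical copy of the accessible file system on Ubuntu), carried out here against a constructed sample rather than a real phone, as an added example that is not part of the original wiki page. It assumes GNU coreutils as shipped on Ubuntu (dd, sha256sum, cp, find, head); the sample "device" file, the directory tree, the file names and the message texts are all constructed placeholders, and /dev/sdb is only mentioned as a hypothetical device path.

```shell
#!/bin/sh
# Added example (not code from the original OnnoWiki page).
# A plain file stands in for the block device a write-blocked phone or SD
# card would expose to the workstation (e.g. /dev/sdb, hypothetical path).

# physical_acquire SRC IMAGE
# Bit-for-bit copy of SRC into IMAGE, then hash source and image and compare.
# Returns 0 when the hashes match (the image is an exact copy), 1 otherwise.
# conv=noerror keeps reading past bad sectors and sync pads such blocks with
# zeros; on a damaged source that shows up as a hash mismatch that must be
# documented, not hidden. The sample below is an exact multiple of bs, so
# the padding does not alter the hash here.
physical_acquire() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync status=none || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Record the image hash beside the image for the chain-of-custody notes.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# logical_acquire SRC_DIR DEST_DIR
# Copies only what the file system exposes (no unallocated space, so no
# deleted data), then writes a per-file SHA-256 manifest and re-checks the
# copy against it. Returns 0 when every copied file verifies.
logical_acquire() {
    src_dir="$1"; dest_dir="$2"
    mkdir -p "$dest_dir" || return 1
    cp -a "$src_dir/." "$dest_dir/" || return 1
    (cd "$dest_dir" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | sort -k2 > MANIFEST.sha256) || return 1
    (cd "$dest_dir" && sha256sum -c --quiet MANIFEST.sha256)
}

# make_sample SRC_DIR DEVICE
# Constructed inputs: a small directory tree standing in for the files the
# phone's OS exposes, and an 8192-byte "device" file holding the same data
# in block 1 plus, in block 2, text left behind by a deleted message.
make_sample() {
    dir="$1"; dev="$2"
    mkdir -p "$dir/sms" "$dir/calls"
    printf 'from:+15550001 body:meeting at 9\n' > "$dir/sms/inbox.txt"
    printf '+15550002 outgoing 00:02:13\n' > "$dir/calls/log.txt"
    { cat "$dir/sms/inbox.txt" "$dir/calls/log.txt"; head -c 4096 /dev/zero; } \
        | head -c 4096 > "$dev"
    { printf 'DELETED-MSG: call me tonight\n'; head -c 4096 /dev/zero; } \
        | head -c 4096 >> "$dev"
}

# contains_deleted ARTIFACT
# Returns 0 when the deleted message text occurs anywhere in ARTIFACT
# (an image file or an extracted directory), 1 otherwise.
contains_deleted() {
    grep -raq 'DELETED-MSG' "$1"
}

# run_demo: acquire the sample both ways and report what each copy contains.
run_demo() {
    work=$(mktemp -d)
    make_sample "$work/phone_fs" "$work/device.bin"
    physical_acquire "$work/device.bin" "$work/phys.dd" && echo "physical: image hash verified"
    logical_acquire "$work/phone_fs" "$work/logical" && echo "logical: manifest verified"
    contains_deleted "$work/phys.dd" && echo "physical image still holds the deleted message"
    contains_deleted "$work/logical" || echo "logical copy does not contain it"
    rm -rf "$work"
}

run_demo
```

On real hardware the sample file is replaced by the write-blocked device path, and both the `.sha256` file and MANIFEST.sha256 are kept with the case notes so the copy can be re-verified later. The logical copy of the sample lacks the deleted text that the physical image still contains, which is the data-coverage difference this page draws between the two methods.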


  • Advantages:
    • The process is faster.
    • Does not require specialized forensic tools.
    • Suitable for cases that do not require in-depth analysis.


  • Disadvantages:
    • Does not retrieve deleted or hidden data.
    • Depends on available drivers and tools.


Usage Examples:

  • Physical Extraction: In cybercrime investigation cases involving mobile devices, physical extraction can be used to search for hidden evidence, such as deleted messages, hidden photos, or traces of activity on the dark web.
  • Logical Extraction Using Ubuntu: If the goal is to analyze active user data, such as call history, text messages, or app data, logical extraction using Ubuntu can be an efficient choice.

Main Differences

Feature          Physical Extraction         Logical Extraction
Data Coverage    Entire data                 Accessible data
Speed            Slow                        Fast
Tools            Specialized forensic tools  Open-source tools
Complexity       High                        Low

Conclusion:

The choice between physical extraction and logical extraction depends on the investigative goals and available resources. If the most complete and in-depth data is needed, physical extraction is the right choice. However, if time is a critical factor, logical extraction may be a good alternative.

Notes:

  • Mobile forensic processes require specific knowledge and skills.
  • Ensure to follow proper procedures to maintain evidence integrity.
  • Always update knowledge about the latest forensic tools and techniques.

Interesting Links

Some popular forensic tools:

  • Autopsy: A highly popular open-source platform for digital forensic analysis.
  • The Sleuth Kit: A toolkit that provides various utilities for forensic investigation.
  • SQLite: A database often used in mobile devices, making it important to understand how to analyze it.

Other topics that may be interesting:

  • Android Forensics: Unique features and challenges in analyzing Android devices.
  • iOS Forensics: Differences with Android and specific tools.
  • Cloud Data Analysis: How to analyze data stored in the cloud.