Acquisition Techniques
Acquisition is performed at the very early stages of the mobile forensics process. Acquisition is the process of gathering data from a mobile device using a range of techniques in a forensically sound manner. This task will explore the four main acquisition techniques and tooling, and how evidence and access can be preserved.
Levels of Acquisition
When we discuss acquisition levels, we refer to the depth and method required to extract data from a device. The techniques and acquisition methods used are determined by a mixture of various factors, including the ones listed below:
Age of device (i.e. installed OS version, updates, etc.)
Security mechanisms in place
Authenticated or unauthenticated access (i.e. locked or unlocked)
Availability of tooling to the examiner
Depth of data we wish to retrieve (i.e. deleted data)
In mobile forensics, there are generally four levels of acquisition, which are provided in the table below.

Level: Manual
  Description: Manual acquisition involves manually interacting with the device to gather information, such as scrolling through chat messages or taking pictures with an alternative device. This is incredibly valuable if the device is currently unlocked, as many security mechanisms have already been bypassed. However, this raises serious issues concerning data integrity and non-repudiation.
  Data retrieved: Minimal access to system logs and databases.

Level: Logical
  Description: Logical acquisition involves using features of the mobile device's operating system (such as APIs, backup features, etc.) to extract data. This method is helpful in cases where the device is locked, as a device the mobile already trusts (for example, a previously paired computer) can be used to authenticate.
  Data retrieved: Partial.

Level: File System
  Description: File system acquisition involves creating an entire copy of the device's file system. It usually requires exploiting a vulnerability, MDM, jailbreaking, or using specialist toolkits to obtain privileged access to the file system.
  Data retrieved: Substantial.

Level: Physical
  Description: An entire bit-for-bit image of the device, allowing deleted data to be recovered. Difficult with modern devices due to extensive security mechanisms; however, incredibly valuable, especially with older devices.
  Data retrieved: Full (on devices without encryption at rest).
Maintaining Access
As with traditional digital devices, preserving access is a key objective for analysts. For example, if a device is unlocked, we must ensure it remains unlocked. An unlocked device is the best-case scenario for an analyst, as it means that a number of security mechanisms no longer apply.
Disabling the lock screen timer, which can be configured in the respective settings on Android and iOS, can be an effective way to ensure a device remains unlocked.

Additionally, it is essential to enable "airplane" mode on mobile devices. This prevents data on the device from being modified over the network, and in the case of iOS, prevents remote wiping via the "Find My" feature.

Manual Acquisition
This method of acquisition is often considered a preliminary means of retrieving data within the investigation process. Manual acquisition involves collecting evidence by navigating around the phone, opening various applications or messages, and taking pictures of the information present using another device.
While manual acquisition requires the device to be unlocked, it can be a great way to get key information quickly. However, it must be noted that this breaks non-repudiation and authenticity of data, potentially making it inadmissible and untrustworthy. Moreover, many artifacts may be missed due to the inability to look at system logs and files directly.
Logical Acquisition
Logical acquisition involves using features within the mobile device's operating system to extract data. This technique is considered much safer in preserving the integrity of evidence, as nothing is overwritten or modified. For mobile devices, this may involve using built-in features to create a backup and then examining that backup.
However, while logical acquisition provides much more data than manual acquisition, it is only partial, as backups often omit specific data types, including operating system files.
This can be done using tools such as 3uTools, Easeus, and libimobiledevice on the CLI.

Using libimobiledevice to create a backup for iOS
For Android, the equivalent backup can be created using the Android Debug Bridge (ADB).
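An added example of the logical acquisition workflow described above (example code, not from the original text): it pairs with an iOS device via libimobiledevice or takes an ADB backup, then writes a SHA-256 manifest of the result so the integrity of the acquired data can be verified later. It assumes libimobiledevice and Android platform-tools are installed; the UDID and serial arguments are placeholders.

```shell
# Added example (not from the original text). Assumes libimobiledevice
# (idevicepair, idevicebackup2) and Android platform-tools (adb) are installed;
# the UDID and serial values passed in are placeholders.
set -e

# Write a SHA-256 manifest of every file under DIR to OUT, sorted by path so the
# manifest is reproducible. Later, `sha256sum -c OUT` (run inside DIR) shows the
# acquired backup has not been modified. Prints the number of files hashed.
hash_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$out"
    wc -l < "$out" | tr -d ' '
}

# iOS: establish a pairing (the handset must be unlocked and "Trust" accepted on
# screen), then take a full backup with idevicebackup2 and hash the result.
ios_logical_backup() {
    udid=$1
    dest=$2
    mkdir -p "$dest"
    idevicepair -u "$udid" pair
    idevicebackup2 -u "$udid" backup --full "$dest"
    hash_manifest "$dest" "$dest.sha256"
}

# Android: adb backup needs USB debugging enabled and a confirmation tap on the
# device; it only returns data that apps allow to be backed up and is restricted
# on recent Android releases, which is why this level is only "partial".
android_logical_backup() {
    serial=$1
    dest=$2
    mkdir -p "$dest"
    adb -s "$serial" backup -apk -shared -all -f "$dest/backup.ab"
    hash_manifest "$dest" "$dest.sha256"
}

# Usage (placeholders): ios_logical_backup <UDID> ./ios_backup
#                       android_logical_backup <SERIAL> ./android_backup
```

Keep the manifest alongside the backup in the case file; re-running the verification before analysis documents that the logical extraction is unchanged since acquisition.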
File System Acquisition
This acquisition method provides an entire extraction of the file system itself. It is a much more comprehensive technique than others, such as logical acquisition. To illustrate, Operating System data will be included within the extraction, potentially enabling the recovery of deleted data and additional data that backups do not include, allowing for a comprehensive analysis.
With that said, this technique does not come without challenges. Performing a file system acquisition involves privileged access to the device. What that entails exactly is covered in the next task; however, it usually involves gaining root access, often exploiting vulnerabilities in the device to bypass security mechanisms. Specialist forensic toolkits such as Cellebrite UFED are capable of such acquisition.