Question regarding Logical Extraction

(@thecableguy)
Posts: 12
Active Member
Topic starter
 

Hi everyone,

This is my first post, I'm glad I'm here. I hope to get some help from your knowledge.

I'm new to mobile forensics (new to digital forensics in general). I'm confused, though, about Logical Extraction.

I found two explanations of what it is, but I'm not sure if they say the same thing.

a) Logical Extraction is just connecting the phone to the PC and, via specialized software, you "query" the phone and get a response with the data you request, e.g. last calls, messages, etc.

b) Logical Extraction is BIT TO BIT COPY of the logical (partition) of the phone.

From what I already know these are 2 different scenarios. Which one is correct?

Thanks in advance for your time and excuse my ignorance

 
Posted : 02/11/2014 9:27 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

Logical - Extraction software asks the handset what data is available to be extracted. The nicely nicely approach.

Physical - Data is recovered in RAW - Bit for Bit, including deleted data.

 
Posted : 03/11/2014 4:04 pm
(@jhup)
Posts: 1442
Noble Member
 

It depends on what tool you use.

This is because there is a feeble attempt to map general purpose computer imaging onto mobile devices.

Logical can mean several things. Is it logical if you connect to a port and your tool talks to the communication part of the OS? Or, is it logical when your tool loads its own tool and that copies the file system? Or… and so on.

The same problem exists with physical.

 
Posted : 03/11/2014 6:46 pm
(@thecableguy)
Posts: 12
Active Member
Topic starter
 

So there isn't one fixed explanation for "Logical extraction" when it comes to mobile forensics?

 
Posted : 04/11/2014 2:01 pm
(@jhup)
Posts: 1442
Noble Member
 

Not really, in my opinion.

But, according to SANS, logical acquisition:

- includes active information from logically stored data
- is supported for most devices by most tools
- easy reporting

Wikipedia states

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the original equipment manufacturer application programming interface for synchronizing the phone's contents with a personal computer. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.

viaForensics defines it as

A logical technique extracts allocated data and is typically achieved by accessing the file system. Allocated data simply means that the data is not deleted and is accessible on the file system. One exception to this definition is that some files, such as an SQLite database, can be allocated and also still contain deleted records in the database. While recovery of the deleted data requires special tools and techniques, it is possible to recover deleted data from a logical acquisition.

Cellebrite defines it

Logical extraction of data is performed through the device's designated API (Application Programming Interface), available from the device vendor.

 
Posted : 06/11/2014 1:33 am
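The viaForensics definition quoted above makes a point worth seeing in practice: an SQLite database file is a single allocated object, so a logical extraction copies it whole, and yet rows deleted from it may still sit in the file's freed b-tree cells. The script below is an added example (not from any post in this thread and not from any vendor tool): it builds a constructed messages database, deletes one row, and compares what the "logical" view (a SELECT through the SQLite API) returns with what a byte-level scan of the same file still finds. The table name, the `MSG#nnnn ... .` body format, and the regex that carves it are assumptions chosen so the carving is unambiguous; `PRAGMA secure_delete = OFF` is set explicitly because some SQLite builds default it to on, which would zero the freed cell.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample messages; the "MSG#nnnn ... ." shape gives the carver a
# distinctive, terminated pattern to match in raw bytes (assumption, not a
# real message format).
SAMPLE_BODIES = [
    "MSG#0001 meet at the cafe at noon.",
    "MSG#0002 bring the usb stick.",
    "MSG#0003 change of plan use signal.",
]
DELETED_ID = 2

BODY_RE = re.compile(rb"MSG#\d{4} [a-z ]+\.")


def build_sample_db(path: Path) -> None:
    """Create a small messages table, then delete one row.

    secure_delete is forced OFF so the freed cell is not zeroed: SQLite only
    overwrites its first four bytes with the freeblock header, and the text
    payload that follows survives inside the still-allocated file.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (id, body) VALUES (?, ?)",
        list(enumerate(SAMPLE_BODIES, start=1)),
    )
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def logical_view(path: Path) -> list[str]:
    """What a logical extraction tool sees: allocated rows via the API."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM messages ORDER BY id")]
    finally:
        conn.close()


def carve_bodies(path: Path) -> set[str]:
    """Scan the raw file bytes, ignoring the b-tree structure entirely."""
    raw = path.read_bytes()
    return {m.group(0).decode("ascii") for m in BODY_RE.finditer(raw)}


def recoverable_deleted(path: Path) -> set[str]:
    """Bodies present in the raw bytes but absent from the live query."""
    return carve_bodies(path) - set(logical_view(path))


def demo() -> tuple[list[str], set[str]]:
    """Build the sample database in a temp dir and return both views."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "sms.db"
        build_sample_db(db)
        return logical_view(db), recoverable_deleted(db)


if __name__ == "__main__":
    live, deleted = demo()
    print("allocated rows  :", live)
    print("carved, deleted :", deleted)
```

The live query returns rows 1 and 3; the byte scan of the same allocated file also yields row 2. That is the whole point of the viaForensics caveat: "allocated" describes the file, not every record inside it, so a logical acquisition can still hold deleted data that only a carving pass (here a deliberately naive regex, where real tools parse the page freeblocks) will surface.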
(@jaclaz)
Posts: 5133
Illustrious Member
 

b) Logical Extraction is BIT TO BIT COPY of the logical (partition) of the phone.

This sounds to me "incorrect".

A partition on a device is essentially residing in the storage media as a "block list", it starts at a given address and is a given length in bytes (or blocks).

If you copy bit to bit a block list you are doing actually a physical extraction of a part of the device storage.

A "logical partition" does not exist, what you view as "logical" is a "representation", made by the OS through its filesystem driver (or through a filesystem parser, etc.) of the data contained in the block list.

You cannot copy "bit to bit" a "representation", at the most you can copy "bit to bit" the elements ("logical store objects" as they are called in the Wikipedia that jhup quoted) that you can view in this "representation", optionally keeping (or however storing) some additional "metadata" (dates/times/permissions/ownership/etc.).

As an example in the Windows environment, get *any* bootable .iso and examine it in three ways
1) by opening it in Winimage (or mounting it in any of the available virtual disk drivers such as IMDISK)
2) by opening it in 7-zip
3) by opening it in Isobuster

You will see how the same data can be rendered in different ways.
In the .iso opened in Winimage or mounted in IMDISK you will NOT see the actual boot file, in 7-zip a "conventional" [BOOT] folder will be present containing it, and in Isobuster you will have that + additional info.

You simply cannot get this file (or some other info) from the "logical" view of the .iso (corresponding to the Winimage view or to the IMDISK mounted volume), the data is simply "not there".

jaclaz

 
Posted : 07/11/2014 5:16 pm
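jaclaz's point that a partition is a block list (a start address and a length) and that copying it bit for bit is a physical extraction of part of the storage can be made concrete. The script below is an added example, not code from this thread or from any forensic tool: it builds a constructed raw device image with an MBR partition table (the partition scheme, the sector size of 512, the single type-0x83 entry at LBA 2048 and the two planted marker strings are all assumptions chosen for the demonstration), parses the table to recover the block list, slices that range out of the image, and then checks which planted bytes each copy captured. Data planted in the unallocated gap between the MBR and the partition is in the whole-device copy but not in the partition copy, which is exactly the "part of the device storage" distinction made above.

```python
import struct

SECTOR = 512                 # assumed logical sector size
MBR_SIG = b"\x55\xAA"
PART_TABLE_OFF = 446         # four 16-byte entries, then the 2-byte signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

# Constructed markers so we can tell which blocks a copy actually captured.
GAP_MARKER = b"LEFTOVER-IN-GAP-BEFORE-PARTITION"   # unallocated space, not in any block list
PART_MARKER = b"DATA-INSIDE-PARTITION"             # inside the partition's block list


def build_sample_device(total_sectors: int = 4096, part_start: int = 2048, part_len: int = 1024) -> bytes:
    """Constructed raw device image: MBR at LBA 0, one partition, markers planted."""
    img = bytearray(total_sectors * SECTOR)
    entry = struct.pack(ENTRY_FMT, 0x00, b"\xFF\xFF\xFF", 0x83, b"\xFF\xFF\xFF", part_start, part_len)
    img[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    img[510:512] = MBR_SIG
    # marker in the gap between the partition table and the first partition
    gap_off = 100 * SECTOR
    img[gap_off:gap_off + len(GAP_MARKER)] = GAP_MARKER
    # marker ten sectors into the partition's block list
    part_off = (part_start + 10) * SECTOR
    img[part_off:part_off + len(PART_MARKER)] = PART_MARKER
    return bytes(img)


def parse_mbr(img: bytes) -> list[tuple[int, int, int]]:
    """Return (type, lba_start, sector_count) for each non-empty MBR entry."""
    if img[510:512] != MBR_SIG:
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, img[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def extract_partition(img: bytes, lba: int, count: int) -> bytes:
    """Bit-for-bit copy of one block list: a physical extraction of part of the device."""
    start, end = lba * SECTOR, (lba + count) * SECTOR
    if end > len(img):
        raise ValueError("partition block list extends past the end of the image")
    return img[start:end]


def compare_views() -> dict:
    """Whole-device copy versus partition copy of the constructed image."""
    img = build_sample_device()
    parts = parse_mbr(img)
    ptype, lba, count = parts[0]
    part = extract_partition(img, lba, count)
    return {
        "partition": (ptype, lba, count),
        "partition_bytes": len(part),
        "gap_marker_in_device": GAP_MARKER in img,
        "gap_marker_in_partition": GAP_MARKER in part,
        "data_marker_in_partition": PART_MARKER in part,
    }


if __name__ == "__main__":
    for key, value in compare_views().items():
        print(f"{key:26}: {value}")
```

Nothing in the partition copy is a "representation" yet: it is still raw blocks, and turning it into files and folders needs a filesystem parser on top, which is the step where the logical view (and the information it cannot show) appears.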