Hello everyone,
When prosecutors ask for "all content in the mobile phone to be sent to them", forensic examiners, depending on the make/model of the phone, have to go through 3 choices, as they can get the content from the phone at various levels of depth:
- logical,
- file system,
- physical.
I see some examiners prefer to send the physical extraction only and not the others, thinking that it already covers the logical and file system extractions, so there is no need to send the logical extraction and the file system extraction separately, which may sound all right at first sight.
However, sometimes I see that the content appearing on the screen after physical dumps is not the same visible content, neither in terms of integrity nor in terms of number of files.
In physical extractions, because all data needs to be decoded to make up a file, and because it is not possible to properly decode all raw data into visible/understandable content, some SMS are shown as split individual pieces of text, so a person cannot follow which one belongs to which; some chat conversations are not in conversation mode and sentences are found as meaningless pieces of text; and some videos may not appear at all, as carving was not performed for videos. To sum up, not all content is decoded properly. So some content which you can see in a logical extraction may not appear in the same way, or not at all, when looked at through physical dumps.
So, by sending the physical extraction only, some examiners believe the prosecutor has all the content; in theory yes, but he actually has not.
So, for quality purposes and better service, all extractions from mobile phones should be sent if the prosecutor wants to see all the content. Or each dump should be compared against the others before choosing which one to send, and the examiner should make sure the physical dump actually covers all the content shown in the logical and file system dumps, which may require hours/days to complete, as each piece of content should be checked visually to make sure it is properly shown on screen.
And if the physical dump does not properly bring out the files which normally come up on screen in the other dump types, all 3 dumps should be sent separately in different folders, and the report should explain why they will see 3 different dumps from the same phone.
What do you think?
On a related note
I made a feature request a while back for Cellebrite PA to allow you to upload multiple extractions of a phone and then merge them; they said it will hopefully be released at the end of this quarter.
Ideally I'd also like them to include a way of showing you what's different between multiple extractions, or the same extraction parsed with different versions of PA, but I'm not sure if they're doing that just yet.
Something like this may aid you if you use UFED.
But yeah, I've been doing at least a logical and file system extraction because they appear to get different content (sometimes one won't get call logs, for example, and the other will, or they get different numbers of text messages, oddly).
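The first post asks for each dump to be compared against the others before deciding what to send, and the reply above wishes the tool would show what differs between extractions. The script below is an added example of that check, written for this thread and not taken from UFED, Physical Analyzer or any other product. It assumes the examiner has already exported each extraction's decoded artifacts into a simple record shape (kind, timestamp, counterpart, text), which is a hypothetical format; the records in it are constructed sample data in which the physical decode shows one SMS only as headerless fragments, lacks one chat message entirely, and carves a message the logical extraction never had.

```python
"""Compare decoded artifacts from two extractions of the same handset.

Added example for this thread; not vendor code. The record layout and the
sample data are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Artifact:
    kind: str        # "sms", "call", "chat", ...
    timestamp: str   # as exported by the tool; "" when the decoder found no header
    party: str       # remote number or handle; "" when unknown
    body: str        # message text; "" for call records


def normalize_text(text: str) -> str:
    """Collapse whitespace and case so cosmetic decoding differences do not hide matches."""
    return re.sub(r"\s+", " ", text).strip().lower()


def key(a: Artifact) -> tuple:
    """Identity used to decide that two records are the same artifact."""
    return (a.kind, a.timestamp, normalize_text(a.party), normalize_text(a.body))


def compare_extractions(reference, candidate) -> dict:
    """Report which reference artifacts the candidate reproduces, lacks, or only shows as fragments.

    reference: artifacts from the dump you trust to be readable (e.g. logical)
    candidate: artifacts from the dump you intend to send instead (e.g. physical)
    """
    ref = {key(a): a for a in reference}
    cand = {key(a): a for a in candidate}
    matched = [ref[k] for k in ref if k in cand]
    missing = [ref[k] for k in ref if k not in cand]
    extra = [cand[k] for k in cand if k not in ref]

    # A message decoded from raw pages often surfaces as text with no timestamp
    # or counterpart. Flag a missing message as "fragmented" when headerless
    # candidate records of the same kind are substrings of its body.
    fragments = {}
    for m in missing:
        body = normalize_text(m.body)
        found = [c for c in extra
                 if c.kind == m.kind and not c.timestamp
                 and normalize_text(c.body) and normalize_text(c.body) in body]
        if found:
            fragments[m] = found
    return {"matched": matched, "missing": missing, "extra": extra, "fragments": fragments}


def covers(reference, candidate) -> bool:
    """True only if every reference artifact appears intact in the candidate dump."""
    return not compare_extractions(reference, candidate)["missing"]


def report(reference, candidate) -> str:
    """Human-readable summary suitable for pasting into the examiner's notes."""
    r = compare_extractions(reference, candidate)
    lines = [f"matched intact: {len(r['matched'])}",
             f"only in candidate (carved/extra): {len(r['extra'])}"]
    for m in r["missing"]:
        state = "fragmented" if m in r["fragments"] else "absent"
        lines.append(f"missing from candidate ({state}): {m.kind} {m.timestamp} {m.party!r} {m.body!r}")
    lines.append("candidate covers reference: " + ("yes" if not r["missing"] else "NO"))
    return "\n".join(lines)


# Constructed sample data (not from a real device).
LOGICAL = [
    Artifact("sms", "2013-05-02T09:14:00", "+15550100", "Meet me at the pier at 10, bring the bag"),
    Artifact("sms", "2013-05-02T09:20:00", "+15550100", "Ok"),
    Artifact("call", "2013-05-02T09:25:00", "+15550100", ""),
    Artifact("chat", "2013-05-02T11:00:00", "alice", "Did it go through?"),
]
PHYSICAL = [
    Artifact("sms", "2013-05-02T09:20:00", "+15550100", "Ok"),
    Artifact("call", "2013-05-02T09:25:00", "+15550100", ""),
    Artifact("sms", "", "", "Meet me at the pier at 10"),   # first SMS, split, no header
    Artifact("sms", "", "", "bring the bag"),
    Artifact("sms", "", "", "delete this thread"),          # carved; logical never saw it
]

if __name__ == "__main__":
    print(report(LOGICAL, PHYSICAL))
```

Run against the sample data it reports two intact matches, three records only in the physical decode, the first SMS as fragmented, the chat message as absent, and "covers: NO", which is exactly the situation where the first post says all dumps should go to the prosecutor with an explanation. The comparison is deliberately by content identity rather than by file count, since the thread's point is that counts can agree while the readable content does not.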
I always perform as many different types of extractions as I have time for. With an iPhone on UFED, this means at least 4 extractions. If it's jailbroken or an iPhone 4 or earlier, that's 5 extractions. For Android devices, this is usually 2 or 3 extractions, depending upon whether or not physical extraction is supported.
I find they all get different bits of information, and you're absolutely right about a physical extraction being difficult to interpret.
A true physical extraction should have everything that would be included in the others (assuming it includes SD cards, or other data like that). The problem you mention isn't with the acquisition method; it's with the analysis of that data and the way it's presented. Physical extractions are usually raw dumps of data, and if your analysis tool can't reliably find the right files to build the file system, for each file system on the device (there are often many), you're stuck with carving and keyword searches to find particular files, whether they're allocated or not. Every tool will carve data differently, which is where you'll get differences in the output.
The same issue applies when you get a JTAG or chip-off from a device: all the data is there, but it can be challenging to recover, since building those file systems can be a pain (each phone/manufacturer handles it a little differently).
I'm not saying you shouldn't do multiple acquisitions; it might be the easier option to get the data you need, and I'm a strong believer that if it gets you the data you need, then it's the best method for that investigation.
Jamie
http//
Page 4 has a good breakdown.