Obtaining evidence from devices | by Benjamin Bierce

Obtaining evidence from devices

Cell phone evidence is becoming more and more relevant in litigation. Almost everyone carries a phone with them just about all the time. There are probably several cell phones present at any incident, and they may contain valuable information. There are two main areas where we can get evidence from a cell phone. The first is from the records maintained by the cell phone company, and the second is from the device itself. In this post, we will review how we can extract a forensic image from the memory of the cell phone, and an overview of the analysis of the extraction. This post isn’t intended to be a tutorial on how to perform cell phone extractions. I recommend you have a trained and experienced examiner conduct the extraction and analysis. This post is intended to familiarize you with the process and provide things to think about when preparing for a phone exam. In this post, we will cover:

  • How evidence is forensically extracted
  • Types of extractions
  • Analysis of the extractions
  • Deep dive

How Evidence is Forensically Extracted

Let’s say we’ve sent a preservation letter for a phone to the opposition, obtained a court order to examine the phone, and established and agreed-upon protocol to examine the phone with the opposition. Now it’s time to extract a forensic image of the phone.

The most accepted method of obtaining a forensic image from a phone is to use a forensic tool. Many companies offer tools to examine phones. Some examples are Cellebrite Universal Forensic Extraction Device (UFED), Oxygen Forensic Detective, Magnet Axiom, MSAB XRY, Susteen Secure View, and more. Over the years, I’ve received training on several of the tools and used a few in the wild. The examples in this post will be using the Cellebrite UFED because it’s the tool with which I’m most comfortable.

Before we begin the extraction, we must prepare the phone. The first step is to ensure the phone is fully charged. Some phones won’t allow the forensic extraction process unless the battery is at 100%. Other preparations are dependent on the type of phone. For example, it’s best to set the screen auto-lock on iPhones to never. On some newer versions of iOS, setting the iOS lock screen to never requires the iCloud password, not the phone’s passcode. That’s why it’s important to obtain all account passwords in addition to the phone’s passcode.

Once the phone is ready to be examined, we can plug it into a computer running the forensic tool. Some phones need to be in Recovery mode or Device Firmware Upgrade (DFU) mode, but from there, the forensic tool takes over and does its magic. The extraction can take anywhere from a few minutes to several hours depending on the type of extraction, the size of the memory on the phone, and how much data is in the phone.

Types of Extractions

There are three main types of extractions: Logical, file system, and physical. Logical is the least intrusive, and physical is the most intrusive. We can obtain a logical extraction on most phones, but file systems and physical extractions are available on fewer phones. It seems the more sophisticated and higher-end the phone, the less intrusive the available extractions become. Until recently, logical extractions were the only available extractions for iPhones without jailbreaking the phone. We can obtain file system extractions on most high-end Androids, but physical extractions may not be available.


Logical extractions are the easiest, fastest, and least intrusive. The logical extraction retrieves data from the phone that is easily available to the user. What we can see in native apps on the phone will be recovered. Logical extractions generally don’t recover deleted items or databases. Logical extractions will include data like call logs, text messages, email messages, photos, videos, audio files, calendar entries, memos, and more.

Some forensic tools offer an extraction they call an advanced logical. An advanced logical will recover everything available in a standard logical extraction along with some system files and databases. At the most, it would extract everything that would be stored with an Android or iTunes backup. It’s not quite to the level of a file system extraction, but it does recover more valuable data and some deleted data.

File System

File system extractions recover all the data included in logical extractions along with all the operating system files. Included in the operating system files are application databases and some deleted data. We may be able to recover logs from some applications like Snapchat or Instagram.


Physical extractions are the most time consuming and most invasive. Physical extractions copy every 1 and 0 on the memory of the phone. In addition to all the data from a logical or file system extraction, we will be able to recover deleted data that hasn’t yet been overwritten on the memory of the phone.

With the logical extraction, we can limit the extraction to certain types of data like text messages, call logs, or contacts while excluding data like videos or photos. With file system or physical extractions, we can’t exclude anything.

Analysis of the Extractions

One type of forensic tool extracts the data from the phone, and another type of forensic tool analyzes the extraction. For example, the Cellebrite UFED extracts the forensic image, and then the extraction is analyzed using the UFED Physical Analyzer (PA). Some companies provide both tools in one program, but the processes are separate.

Once we open the extraction in the analysis tool, we can search for information valuable to our case. For example, we might search for the word “crash” or “accident” if our case involves a motor vehicle crash. We might find text, email, or Instagram messages with statements about the crash. We can check the timeline to see what activity was occurring on the phone at the time of the crash.

Once we find valuable information, we can tag it and produce reports limited to the information valuable to our case, or limited to an agreed-upon timeframe.

The searches we can perform using the forensic analysis software is limited to the data the forensic software can find. Some forensic tools can find more information than others, and forensic tools can find more information on some phones than others. The more common and less sophisticated the app, the more likely the forensic software will recover information. For example, the forensic analysis tool will recover more information from a standard texting app than it will from something like Snapchat, which automatically deletes the message.

Deep Dive

Most likely, the phone will contain information valuable to our investigation that isn’t recoverable with a search using the forensic analysis software. Every application on the phone maintains at least one database. Forensic analysis tools do not parse most of these databases. But we can manually search these databases for valuable information. My favorite place to start is the data usage database. Let’s say we are looking for phone usage around the time of a motor vehicle crash. We can open the data usage database and look for applications that accessed the internet around the time of the crash. Once we identify applications using the internet around the time of the crash, we can manually search the databases associated with these applications.

Internet usage alone doesn’t necessarily indicate the active use of the phone. We may find internet access by applications like Google Maps or Waze around the time of the crash. More than likely, this would indicate the user was using a navigation application, which wouldn’t indicate active use. We may find internet access by applications such as Instagram or Snapchat around the time of the crash. Internet usage alone doesn’t indicate active use, but we can manually search the databases for Instagram or Snapchat to see if there were messages sent or received around the time of the crash, which would indicate active use. This usage would not be recovered by a standard search using the forensic analysis tool.


In this post, we covered how evidence is forensically extracted from a phone, the types of extractions, analysis of the extractions, and the deep dive. Of course, this post was not all-inclusive, but hopefully, you have a better understanding of how an evidence extraction is performed on a phone.

Originally published: http://revforensics.com/obtaining-evidence-from-devices/ 

February 5, 2020
Notify of
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013