Extracting Evidence

Extracting evidence from mobile devices is one of the core tasks in digital forensics. Mobile operating systems—especially Android and iOS—are designed with strong security mechanisms, making evidence extraction more complex than traditional computer forensics. Investigators must select the right extraction method based on device state, lock status, encryption, OS version, and available forensic tools.

This chapter explains the different types of mobile evidence extraction, when each method is used, what data can be acquired, and the limitations imposed by modern mobile security.


Types of Mobile Evidence Extraction

Mobile forensic extraction is typically classified into four major levels. Each offers a different depth of access and type of evidence.


1. Logical Extraction

The simplest and least invasive method.

Obtains:

  • Call logs

  • SMS

  • Contacts

  • Installed apps

  • Some app data

  • Media files (if accessible)

  • Basic device information

Logical extraction uses the standard OS APIs—similar to creating a backup. It does not bypass security protections.

Useful when:

  • Device is locked but trusted pairing is available

  • Full access isn't possible

  • Quick summary of phone activity is needed

Limitations:

  • Limited access to app sandboxes

  • No deleted data

  • No low-level system files


2. File System Extraction

Provides access to the full file system, including many app directories and databases.

Extracts:

  • App data (databases, shared_prefs)

  • Browsing history

  • Messages & social media content

  • Photos & videos with metadata

  • System logs

  • Configuration files

  • Cached files

Allows investigators to analyze:

  • WhatsApp databases

  • Telegram cache

  • Safari/Chrome history

  • SQLite evidence

  • App-level logs

File system extraction often requires unlocking the device.


3. Full File System (FFS) Extraction

The most comprehensive level available without chip-off.

Provides access to:

  • All app containers

  • System-level directories

  • Protected files (with correct device state)

  • File-based encryption keys (permitted scenarios)

  • Raw SQLite databases

  • Deleted data (in certain cases)

Used when:

  • Investigating serious crimes

  • Deep analysis of apps or OS artifacts is required

  • Specialized forensic tools are available

FFS extraction usually requires:

  • Jailbreak (iOS)

  • Root or EDL mode (Android)

  • Vendor-specific vulnerabilities


4. Physical Extraction

Captures a bit-by-bit image of the device’s storage—similar to a hard drive image.

Extracts:

  • Entire partitions

  • Deleted files (if not overwritten)

  • Hidden/unallocated space

  • System files & metadata

The most powerful extraction method, but also the hardest to perform because of strong storage encryption.

Possible via:

  • Chip-off (removing the NAND chip)

  • JTAG (hardware-level access)

  • EDL mode (Qualcomm Emergency Download)

  • Bootloader vulnerabilities

Modern devices (iOS, recent Android) often prevent full physical extraction unless exploited.


Evidence Extraction in Android

Android offers several extraction paths depending on device state.


1. ADB (Android Debug Bridge) Extraction

Possible when:

  • Developer Mode is enabled

  • USB debugging is on

  • Device is unlocked

Provides:

  • Logical extraction

  • Some app data

  • System info
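
As an added example (not code from the original chapter), a small parser for the archive that `adb backup` writes during an ADB logical extraction: a four-line text header (magic, format version, compression flag, encryption algorithm) followed by a deflated tar stream. The sample archive is constructed in memory so the parser runs offline; the package name and file inside it are made up.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_backup() -> bytes:
    """Constructed stand-in for an unencrypted, compressed .ab file.

    Real archives come from `adb backup`; this one wraps a one-file tar
    stream so the parser below can be exercised without a device.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed app database placeholder"
        info = tarfile.TarInfo("apps/com.example.app/db/notes.db")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    # Header lines: magic, format version, compression flag, encryption algorithm.
    header = b"ANDROID BACKUP\n5\n1\nnone\n"
    return header + zlib.compress(buf.getvalue())


def parse_backup(blob: bytes) -> dict:
    """Read the 4-line header and list the files in an unencrypted .ab archive."""
    parts = blob.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup archive")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    payload = parts[4]
    if encryption != "none":
        # Password-protected archives need the owner's backup password to derive
        # the AES key; this example handles only unencrypted ones.
        raise ValueError(f"encrypted backup ({encryption}); backup password required")
    if compressed:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        files = {m.name: m.size for m in tar.getmembers() if m.isfile()}
    return {"version": version, "compressed": compressed,
            "encryption": encryption, "files": files}
```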


2. Full File System via Root Access

Rooting grants access to:

  • /data/data/ (app sandboxes)

  • SMS, call logs, browser data

  • Social media app databases

Risks:

  • Modifies device state

  • Not valid in strict forensic scenarios


3. EDL Mode (Qualcomm Devices)

Provides raw NAND dumps when supported.

Used when:

  • Device is locked

  • No root access

  • Physical extraction is needed

Requires specialized tools.


4. Custom Recovery Extraction

Uses a custom recovery image (such as TWRP) to access data.

Useful when:

  • Device is unlocked

  • Bootloader allows flashing


5. Chip-Off Extraction

Physically removes the memory chip from the board so it can be read directly.

Provides:

  • Full physical image

  • Deleted data recovery

  • Deep partition access

Used only in severe cases due to high risk.


Evidence Extraction in iOS

iOS is far more restrictive than Android.


1. iTunes / Finder Backup (Logical)

Extracts:

  • Messages

  • Contacts

  • App data (partial)

  • Photos

  • Keychain (if backup password known)

Many forensic tools parse iTunes backups effectively.


2. Full File System Extraction (FS / FFS)

Possible using:

  • Checkm8-based tools for supported devices

  • Jailbreaks

  • Special forensic software (Cellebrite, GrayKey)

Provides:

  • Full app containers

  • Databases

  • Logs

  • Media

  • Browser history

  • Cached data

iOS security state determines what protected files are accessible.


3. Lockdown (Pairing) Exploitation

If a trusted pairing record exists:

  • Logical or file system extraction without the passcode

Pairing records are stored on trusted computers in:

/var/db/lockdown/

This often allows extraction even when the device is locked.


4. iCloud Extraction

If credentials or authentication tokens are available, it extracts:

  • iCloud Photos

  • iMessage sync

  • Backups

  • Notes

  • Files

  • App data

Cloud extraction is common in modern forensics due to device encryption limitations.


Extracting App Data

Most modern evidence comes from apps.

Includes:

  • WhatsApp msgstore.db

  • Telegram media & cache

  • Signal metadata (limited)

  • Instagram/Twitter/Facebook caches

  • Browser databases (SQLite, LevelDB)

  • Social media session tokens

  • Location data from Maps apps

App databases often contain:

  • Chats

  • Timestamps

  • Locations

  • Contact associations

  • Attachments
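
An added example (not part of this chapter) of reading chat-style app-database evidence without altering it: the file is hashed before and after, opened read-only and immutable through a SQLite URI, and its millisecond timestamps converted to UTC. The schema and rows are a constructed stand-in, not the layout of any real app's database.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file (read in one go; stream in chunks for real images)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_sample_db(path: str):
    """Constructed chat-style database: schema and rows are made up for this example."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, chat_id TEXT, "
                "from_me INTEGER, body TEXT, ts_ms INTEGER)")
    con.executemany("INSERT INTO messages(chat_id, from_me, body, ts_ms) VALUES (?,?,?,?)",
                    [("contact-a", 0, "meet at the usual place", 1700000000000),
                     ("contact-a", 1, "on my way", 1700000060000)])
    con.commit()
    con.close()


def read_messages(path: str) -> list:
    """Parse messages from an evidence copy and verify the file is unchanged afterwards."""
    before = sha256_file(path)
    # mode=ro refuses writes; immutable=1 also stops SQLite creating -journal/-wal files.
    con = sqlite3.connect(f"file:{os.path.abspath(path)}?mode=ro&immutable=1", uri=True)
    rows = con.execute("SELECT chat_id, from_me, body, ts_ms FROM messages ORDER BY ts_ms").fetchall()
    con.close()
    after = sha256_file(path)
    if before != after:
        raise RuntimeError(f"evidence file changed during parsing: {before} != {after}")
    # App databases usually store epoch milliseconds; convert to unambiguous UTC.
    return [{"chat": chat, "direction": "sent" if from_me else "received", "body": body,
             "utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()}
            for chat, from_me, body, ts_ms in rows]


def demo() -> list:
    """Build the constructed sample in a temporary directory and parse it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat.db")
        build_sample_db(path)
        return read_messages(path)
```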


Deleted Data Recovery

Deleted data recovery success depends on:

  • Filesystem type (ext4, f2fs, APFS)

  • Device encryption

  • Overwrite behavior

  • App-level data handling

Android external storage offers the best chance of recovery.
iOS APFS reduces recovery probability significantly.
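
An added example (not the chapter's own code) of the app-level data handling point: whether a deleted SQLite row can still be carved from the raw file depends on the database's secure_delete setting. Two constructed databases are written, one with secure_delete off and one with it on; the same row is deleted from each and the raw file is scanned for its text.

```python
import os
import sqlite3
import tempfile

MARKER = "constructed-deleted-message-7f3a"


def deleted_row_recoverable(secure_delete: bool) -> bool:
    """Insert one row, delete it, then look for its text in the raw database file.

    Returns True when the bytes still sit in the page's free space (carvable),
    False when SQLite zeroed them on delete (secure_delete=ON).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        con = sqlite3.connect(path)
        # Set the pragma before any transaction; it applies to this database.
        con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE msg(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO msg(body) VALUES (?)", (MARKER,))
        con.commit()
        con.execute("DELETE FROM msg WHERE body = ?", (MARKER,))
        con.commit()
        assert con.execute("SELECT count(*) FROM msg").fetchone()[0] == 0
        con.close()
        with open(path, "rb") as f:
            raw = f.read()
    # A carver scanning unallocated page space sees exactly these bytes.
    return MARKER.encode() in raw


def compare() -> dict:
    """Run both settings so the difference in recoverability is explicit."""
    return {"secure_delete_off": deleted_row_recoverable(False),
            "secure_delete_on": deleted_row_recoverable(True)}
```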


Tools for Evidence Extraction

Common forensic tools:

  • Cellebrite UFED / Physical Analyzer

  • Magnet AXIOM

  • Oxygen Forensic Detective

  • Elcomsoft iOS Toolkit

  • MOBILedit Forensics

  • Autopsy (limited mobile support)

Extraction methods vary based on tool capability.


Key Extraction Considerations

  • Always document chain of custody

  • Prefer non-invasive extraction first

  • Avoid rooting/jailbreaking unless necessary

  • Use EDL/bootloader methods cautiously

  • Capture volatile data quickly

  • Hash extracted images for integrity

  • Perform cloud extraction when device encryption blocks access


Intel Dump

  • Evidence extraction methods include logical, file system, full file system, and physical imaging.

  • Android extractions rely on ADB, root access, EDL mode, recoveries, or chip-off.

  • iOS extraction depends on backups, pairing records, checkm8/jailbreaks, or cloud acquisition.

  • App data is the richest evidence source and includes SQLite databases, shared_prefs, caches, and media.

  • Physical extraction is rare on modern devices due to strong encryption, while cloud extraction has become increasingly important.

  • Success depends on device state, encryption, OS version, and available forensic tools.
