Logical acquisition
Definition
An extraction method that uses the device's own operating system interfaces, such as iTunes backup or Android Debug Bridge, to export the data the OS makes available. Fast and non-invasive, but limited to data the OS exposes and cannot recover deleted content from unallocated storage.
Related terms
- Chain of custody
- The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Packet capture (PCAP)
- The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed...
- Physical acquisition
- An extraction method that reads the raw flash storage of a mobile device, bypassing the operating system. Produces a bit-for-bit image of...
- AFC (Apple File Conduit)
- The iOS service that exposes the media partition for file transfer during synchronisation. In standard form it only surfaces the media partition;...
- Android Debug Bridge (ADB)
- A command-line tool included in the Android SDK that allows communication with an Android device over USB or Wi-Fi. Used for logical...
- Cell site analysis
- The use of records from mobile network operators showing which cell towers a device connected to and when, allowing investigators to establish...
- Faraday isolation
- Shielding a mobile device from radio frequency signals (cellular, Wi-Fi, Bluetooth, GPS) using a Faraday bag or cage, preventing network connections that...
- File-system extraction
- A deeper form of extraction that retrieves the full accessible directory tree by mounting the file system or using a privileged API...
- IMEI (International Mobile Equipment Identity)
- A unique 15-digit number permanently assigned to a mobile device's hardware. Used by networks to identify and block stolen devices, and by...
- iTunes backup protocol
- Apple's proprietary protocol for transferring device data to a computer. Used by forensic tools to conduct logical acquisition of iOS devices; backup...
- Trust relationship (iOS)
- The pairing between an iOS device and a computer established when the user taps 'Trust' after connecting. A forensic logical or file-system...
- Write blocker
- A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...
Explained in these topics
- Digital Evidence in Mobile and Network Contexts
- An extraction method that accesses a mobile device through its operating system interfaces (such as USB backup protocols or vendor forensic APIs) to retrieve f...
- Logical and File-System Acquisition
- Extraction of mobile device data through the operating system's own synchronisation or backup API. Returns a structured set of files and records the OS is will...
- Mobile and Network Forensics: Scope and Discipline
- An extraction method that uses the device's own operating system interfaces, such as iTunes backup or Android Debug Bridge, to export the data the OS makes ava...