Physical acquisition
Definition
An extraction method that reads the raw flash storage of a mobile device, bypassing the operating system. Produces a bit-for-bit image of the storage chip, enabling recovery of deleted data and file system metadata, but is blocked by full-device encryption unless the key is available.
Related terms
- Chain of custody
- The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Logical acquisition
- An extraction method that uses the device's own operating system interfaces, such as iTunes backup or Android Debug Bridge, to export the...
- Packet capture (PCAP)
- The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed...
- Cell site analysis
- The use of records from mobile network operators showing which cell towers a device connected to and when, allowing investigators to establish...
- Faraday isolation
- Shielding a mobile device from radio frequency signals (cellular, Wi-Fi, Bluetooth, GPS) using a Faraday bag or cage, preventing network connections that...
- IMEI (International Mobile Equipment Identity)
- A unique 15-digit number permanently assigned to a mobile device's hardware. Used by networks to identify and block stolen devices, and by...
- Write blocker
- A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...
Explained in these topics
- Digital Evidence in Mobile and Network ContextsAn extraction method that reads the raw flash storage of a mobile device, bypassing the operating system. Produces a bit-for-bit image of the storage chip, ena...
- Mobile and Network Forensics: Scope and DisciplineA bit-for-bit image of a device's storage chip, capturing allocated and unallocated space, deleted file fragments, and file system metadata. More powerful than...