Logical and File-System Acquisition
Logical acquisition retrieves data from a mobile device through vendor-provided APIs, presenting files and records without direct access to raw storage. File-system extraction goes one step further, capturing the directory tree and accessible file content without requiring the low-level chip access that physical imaging demands.
Logical acquisition is the process of extracting data from a mobile device by communicating through the operating system's own application programming interfaces rather than bypassing them. The device remains operational, the examiner sends structured requests through a synchronisation protocol or backup API, and the device returns a defined set of files, databases, and records. The method is fast, non-destructive, and widely supported by commercial forensic tools, but it is bounded by what the vendor API is willing to expose: unallocated storage, deleted records outside a trash folder, and data in encrypted containers the OS does not surface are all outside its reach.
File-system extraction operates at a layer deeper than a logical pull. Rather than requesting only the records an API packages for backup, the examiner mounts the device's file system or uses a privileged API to traverse the directory tree directly, retrieving app containers, cache files, databases, and configuration files as they exist on the storage medium. The result is richer than a logical set and does not require the hardware disassembly that physical imaging or chip-off demand. However, it still cannot read unallocated sectors, so carving deleted files from free space remains impossible without a lower-level image.
Choosing between logical and file-system extraction is a practical judgment that balances the investigative need, the device's locked or unlocked state, the legal authority available, and the risk of altering evidence. Both methods sit between the unintrusive quick look at cloud backups and the invasive physical image, and understanding their precise scope is essential before any acquisition decision is made. Investigators in the United States work within the Electronic Communications Privacy Act and device-specific case law; those in the United Kingdom apply the Police and Criminal Evidence Act 1984 and the Investigatory Powers Act 2016; in India, the Bharatiya Nagarik Suraksha Sanhita 2023 governs seizure procedure; and the EU's e-Evidence Regulation shapes cross-border requests.
By the end of this topic you will be able to:
- Describe how logical acquisition operates through vendor APIs and identify the data categories it can and cannot return.
- Explain how file-system extraction differs from logical acquisition and what additional evidence it can surface.
- Compare the scope, prerequisites, and limitations of the two methods using a structured framework.
- Identify the main tools used for each method and explain what distinguishes their approaches.
- Apply acquisition method selection criteria to a scenario involving a locked or partially trusted device.
- Logical acquisition: Extraction of mobile device data through the operating system's own synchronisation or backup API. Returns a structured set of files and records the OS is willing to share, without accessing raw storage or unallocated space.
- File-system extraction: A deeper form of extraction that retrieves the full accessible directory tree by mounting the file system or using a privileged API layer, yielding app containers and cache files beyond the backup API scope but still excluding unallocated sectors.
- iTunes backup protocol: Apple's proprietary protocol for transferring device data to a computer. Used by forensic tools to conduct logical acquisition of iOS devices; backup files are stored in a structured format and may be encrypted with a user-set password.
- Android Debug Bridge (ADB): A command-line tool included in the Android SDK that allows communication with an Android device over USB or Wi-Fi. Used for logical and file-system extraction when USB debugging is enabled; higher-privilege adb commands require root access.
- Trust relationship (iOS): The pairing between an iOS device and a computer established when the user taps 'Trust' after connecting. A forensic logical or file-system extraction via the backup API requires a trust relationship; without it, only minimal data is accessible.
- AFC (Apple File Conduit): The iOS service that exposes the media partition for file transfer during synchronisation. In standard form it only surfaces the media partition; on jailbroken devices, AFC2 exposes the full file system, enabling file-system acquisition.
How logical acquisition works
Logical acquisition communicates with the device through an interface the manufacturer provides. On iOS devices, the primary channel is the same protocol iTunes uses to create backups: the examiner connects the device over USB, establishes a trust relationship using a stored pairing record or by prompting the user, and instructs the backup service to transfer a defined set of data. The backup package includes contacts, call history, SMS and iMessage records, photos in the camera roll, application data for apps that participate in the backup, health records, and browser history. The device itself controls what enters the package.
On Android devices, the equivalent path is the ADB backup command, which requests the system to produce a compressed archive of application data. Google also provides the Android Backup Service, which works over the network rather than USB. Both approaches return what the operating system and individual application backup policies permit. Applications that have set the android:allowBackup flag to false are excluded. System partitions, the bootloader, and unallocated storage are never included.
The primary advantage of logical acquisition is that it requires no special hardware, no device modification, and no exploit. Commercial tools such as Cellebrite UFED, MSAB XRY, and Magnet AXIOM automate the process and parse the backup into browsable report formats. The primary limitation is that the method returns only what the vendor allows: encrypted application containers, system databases outside the backup scope, and any data deleted from live records are not included.
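As an added example (not code from this page or from any vendor tool), the following Python script models how a logical iOS backup is laid out: it builds a constructed Manifest.db in memory, derives each file's on-disk name as the SHA-1 of "domain-relativePath", and resolves a requested file to its location in the backup folder. The two-character subdirectory layout and the SHA-1 naming rule are those of backups created by iOS 10 and later; the sample entries are constructed, and with a backup password set the real Manifest.db is itself encrypted and must be decrypted before it can be queried like this.

```python
import hashlib
import sqlite3
from pathlib import PurePosixPath

# Constructed stand-in for the Files table of an iOS backup's Manifest.db.
# Only the columns this example needs are modelled.
SAMPLE_FILES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]


def backup_file_id(domain: str, relative_path: str) -> str:
    """On-disk name of a backed-up file: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_sample_manifest() -> sqlite3.Connection:
    """In-memory Manifest.db whose Files table is populated from SAMPLE_FILES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
                     [(backup_file_id(d, p), d, p) for d, p in SAMPLE_FILES])
    conn.commit()
    return conn


def locate_in_backup(conn, backup_root: str, domain: str, relative_path: str):
    """Resolve a domain/relativePath pair to its path inside the backup folder.

    iOS 10+ backups store each file under a two-character directory named
    after the first two hex digits of its fileID. Returns None when the
    backup API did not include the file at all."""
    row = conn.execute("SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
                       (domain, relative_path)).fetchone()
    if row is None:
        return None
    file_id = row[0]
    return str(PurePosixPath(backup_root) / file_id[:2] / file_id)


def inventory_by_domain(conn) -> dict:
    """Count backed-up files per domain: a quick view of what the API exposed."""
    rows = conn.execute("SELECT domain, COUNT(*) FROM Files GROUP BY domain")
    return dict(rows.fetchall())


if __name__ == "__main__":
    manifest = build_sample_manifest()
    print(locate_in_backup(manifest, "/evidence/backup", "HomeDomain", "Library/SMS/sms.db"))
    print(inventory_by_domain(manifest))
```

Running the same lookup against a real Manifest.db is a simple way to confirm independently whether a tool's logical extraction actually contained a database such as sms.db.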
How file-system extraction works
File-system extraction moves past the backup layer to access the directory structure of the device's data partition directly. On iOS, this is typically achieved by exploiting a known vulnerability or using a jailbreak to elevate privilege, then communicating through a privileged AFC service (AFC2) that exposes the full file system rather than only the media partition. Modern forensic tools from Cellebrite and MSAB include built-in jailbreak capabilities that apply a temporary privilege elevation without permanently modifying the device.
On Android devices, file-system extraction generally requires root access, either because the device ships with an unlocked bootloader (common on developer handsets and some Chinese market devices), because a rooting exploit is available for the specific firmware version, or because the device has been rooted by the owner. Once root access is obtained, the examiner can pull the full data partition using the adb pull command or a dedicated tool, retrieving every accessible file including those outside the backup scope.
The data returned by file-system extraction includes application databases that are excluded from backup, thumbnail caches, log files written by the system and apps, configuration plists and XML files, and temporary files in app containers that may contain fragments of user activity. Forensically significant finds often come from SQLite databases that applications use for local storage: messaging apps store their conversation history in SQLite, mapping apps write location history to SQLite, and browsers write history, cookies, and cache indices to SQLite databases that the backup API may not fully expose.
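An added example, not code from this page or from any forensic tool, of the SQLite triage an examiner runs over a file-system extraction: it walks the pulled tree, identifies databases by their 16-byte header rather than by file extension, flags -wal and -journal sidecars that may hold rows not yet merged into the main file, and records a SHA-256 for each hit. The package names and files in the sample tree are constructed, as is the WAL placeholder.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database


def sha256_of(path: Path) -> str:
    """Chunked SHA-256 so large caches need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_sqlite(root: Path) -> list:
    """Walk an extracted data partition and record every SQLite database.

    Detection is by header, not extension: apps use .db, .sqlite, .sqlitedb or
    no extension at all. A -wal or -journal sidecar is flagged because it can
    hold committed rows not yet merged into the main file; acquire it together
    with the database and never open the original with a tool that checkpoints."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with open(path, "rb") as f:
            if f.read(16) != SQLITE_MAGIC:
                continue
        sidecars = [suffix for suffix in ("-wal", "-journal")
                    if path.with_name(path.name + suffix).exists()]
        findings.append({"path": path.relative_to(root).as_posix(),
                         "sha256": sha256_of(path), "sidecars": sidecars})
    return findings


def build_sample_extraction() -> Path:
    """Constructed stand-in for a pulled /data tree: a messaging database with a
    constructed WAL sidecar, a map tile cache, and a decoy misnamed as .db."""
    root = Path(tempfile.mkdtemp(prefix="fs_extract_"))
    msg = root / "data/com.example.messenger/databases"
    msg.mkdir(parents=True)
    c = sqlite3.connect(msg / "msgstore")  # no extension, as many apps do
    c.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    c.execute("INSERT INTO messages (body) VALUES ('constructed sample')")
    c.commit(); c.close()
    (msg / "msgstore-wal").write_bytes(b"constructed WAL placeholder")
    (msg / "notes.db").write_bytes(b"not a database, despite the name")
    maps = root / "data/com.example.maps/cache"
    maps.mkdir(parents=True)
    c = sqlite3.connect(maps / "tiles.sqlite")
    c.execute("CREATE TABLE tiles (z INTEGER, x INTEGER, y INTEGER)")
    c.commit(); c.close()
    return root


if __name__ == "__main__":
    for hit in triage_sqlite(build_sample_extraction()):
        print(hit["sha256"][:16], hit["sidecars"], hit["path"])
```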
Scope and limitations: a structured comparison
Understanding what each method can and cannot return is the foundation of acquisition planning. The table below compares the two methods across the dimensions most relevant to a forensic investigation.
| Dimension | Logical acquisition | File-system extraction |
|---|---|---|
| Access layer | Vendor backup API | Mounted file system or privileged service |
| Device modification required | None | Temporary jailbreak or root may be needed |
| Contacts, calls, SMS | Yes | Yes (richer, includes app databases) |
| Application data (backup-excluded apps) | No | Yes |
| Deleted records | No (API surfaces only live data) | Partial (files in trash or unremoved app caches only) |
| Unallocated storage / file carving | No | No |
| Encryption obstacle | Backup password blocks content | Full-disk or file-based encryption limits scope without the key |
| Speed | Fast (minutes) | Moderate (tens of minutes to hours) |
| Works on locked device | Only with valid pairing record | Requires passcode or exploit |
| Admissibility risk | Low (vendor-sanctioned interface) | Medium (exploit use may require expert justification) |
The boundary between file-system extraction and physical acquisition is defined by unallocated space. Physical acquisition produces a sector-by-sector image of the storage chip, including every unallocated block where deleted file fragments may survive. File-system extraction operates at the file level: it retrieves files that exist in the directory structure but cannot see the space between them. For investigations where deleted message recovery or file carving is a priority, physical techniques are required. See Physical Acquisition Techniques and JTAG and Chip-Off Acquisition for those methods.
Tools and their approaches
Cellebrite UFED is the most widely deployed commercial mobile forensic platform. It supports logical, file-system, physical, and chip-off modes within a single interface. For logical extraction, UFED sends standard backup requests to iOS and Android devices and parses the results. For file-system extraction, it applies built-in exploit packages appropriate to the device model and firmware version, then mounts the file system to copy the data partition. UFED Physical Analyzer provides post-acquisition parsing and reporting.
MSAB XRY operates similarly, with a hardware kit that connects to the device and software that guides the examiner through acquisition mode selection. XRY offers logical and file-system modes and uses its own exploit library for privileged access. The company's XAMN software handles parsing and timeline analysis. Both Cellebrite and MSAB update their exploit libraries in response to new device models and firmware releases, which means a tool version that successfully performed file-system extraction on one firmware version may fail on the next.
Magnet AXIOM includes an acquisition module (Magnet ACQUIRE) that supports logical and file-system extraction, with AXIOM Process handling artefact parsing across mobile and computer evidence. Open-source options remain relevant, particularly for verification. The libimobiledevice library provides command-line access to the iOS backup protocol and AFC service, allowing examiners to reproduce a logical acquisition independently. For Android, the ADB toolchain is universal and can be scripted to pull specific directories or the full data partition when root is available.
Platform-specific considerations
iOS devices have become progressively more restrictive with each major release. The introduction of File-Based Encryption (FBE) in iOS 8, the move to the Secure Enclave processor, and Apple's consistent policy of patching the vulnerabilities exploited for file-system access have shortened the window in which a given exploit remains effective. As of iOS 17 and later, file-system extraction on devices without a known jailbreak requires either the passcode or, in some cases, a forensic-grade tool update that incorporates newly discovered vulnerabilities. Logical extraction through the backup API remains available provided a pairing record exists and the backup is not password-protected.
Android fragmentation works in both directions for the forensic examiner. The diversity of manufacturers and firmware versions means that a privilege escalation vulnerability affecting one device family may not exist on another. Devices from manufacturers that ship with relaxed security policies or unlocked bootloaders are more accessible. Google Pixel devices running recent Android versions with full-disk encryption and verified boot are among the harder targets for file-system extraction. Older Android versions (pre-7.0) with ADB backup enabled and no screen lock are among the easiest targets for logical acquisition.
SIM card data is not recovered through either logical or file-system acquisition methods applied to the handset. SIM data, including the ICCID, IMSI, stored contacts, and SMS records held on the card itself, requires dedicated SIM card reading hardware. See SIM Card Forensics for that workflow.
Legal framework and evidence integrity
Regardless of acquisition method, the fundamental requirements for evidential integrity are the same: documented authority, recorded chain of custody, and a cryptographic hash that can demonstrate the acquired data has not been altered. In the United States, a warrant is generally required for device searches following Riley v. California (2014), which held that mobile phones are not subject to the search-incident-to-arrest exception. In the United Kingdom, the Computer Misuse Act 1990, the Police and Criminal Evidence Act 1984, and the Investigatory Powers Act 2016 govern authority to access device data. In the European Union, the proposed e-Evidence Regulation and existing national laws apply. India's framework is now the Bharatiya Nagarik Suraksha Sanhita 2023 and the Digital Personal Data Protection Act 2023.
File-system extraction that relies on a security exploit raises an additional question in some jurisdictions: does applying an exploit to obtain access constitute unauthorised modification of the device, and does that affect the admissibility of the evidence obtained? Courts in the United States, United Kingdom, and Australia have generally accepted properly documented forensic tool use as lawful when conducted under valid authority, but the examiner must be able to explain in plain terms what the tool did, whether it wrote any data to the device, and whether it left residual changes. Tools that apply only temporary, non-persistent jailbreaks and do not alter user data partitions are in a stronger position than those that permanently modify the device.
Key Takeaways
- Logical acquisition uses vendor-provided backup APIs to retrieve a defined set of files and records; it is fast, non-destructive, and works on unmodified devices, but is limited to what the OS chooses to expose and cannot reach deleted data or unallocated storage.
- File-system extraction retrieves the full accessible directory tree by mounting the file system or using a privileged service layer, capturing application databases and cache files outside the backup scope, but still cannot access unallocated sectors where deleted data may reside.
- iOS backup encryption and Android application backup exclusion flags are the two most common API-level barriers encountered in logical acquisition; file-system extraction via temporary jailbreak is the standard workaround when the passcode is known.
- Leading tools (Cellebrite UFED, MSAB XRY, Magnet AXIOM) support both acquisition modes within one platform, but exploit availability is firmware-specific and updates frequently; open-source tools such as libimobiledevice and adb provide independent verification paths.
- Legal authority, chain of custody documentation, and immediate SHA-256 hashing of acquired data are required regardless of acquisition method; jurisdictions including the United States (Riley v. California), the United Kingdom (PACE 1984), and India (BNSS 2023) all impose specific prerequisites before a device can be searched.