Physical Acquisition Techniques
Physical acquisition extracts a bit-for-bit image of a mobile device's storage by bypassing the operating system entirely, capturing allocated, unallocated, and deleted data in one pass. This topic covers EDL mode, bootloader exploits, direct memory reads, and the effect of full-disk encryption on acquisition feasibility.
Physical acquisition is the process of extracting a complete, bit-for-bit image of a mobile device's storage by reading the underlying hardware directly, bypassing the operating system and its access controls. The result is a forensic image that contains allocated file system data, unallocated space, deleted file remnants, slack space, and raw partition structures. Because it captures everything the chip contains rather than only what the OS chooses to present, physical acquisition is the highest-fidelity method available and the only one that reliably recovers deleted content. The primary techniques include Emergency Download (EDL) mode on Qualcomm chipsets, bootloader unlock and exploit chains, direct NAND flash reads over test interfaces, and chip-off acquisition for severely damaged devices.
Physical acquisition sits at one end of a spectrum that runs from simple logical extraction through file-system dumps to full physical imaging. Each step up that spectrum yields more data and more evidentiary completeness, but also demands greater technical capability, introduces more risk to the device, and faces harder legal and technical barriers. Logical methods work within the OS and produce only what the OS exposes. Physical methods work beneath the OS and produce everything on the chip. The choice between them depends on the investigation's data needs, the device model, the encryption state, and the legal authority available.
Physical acquisition has become progressively harder to execute as manufacturers have hardened their devices. Early Android phones could be imaged with a simple dd command over ADB once root or a custom recovery was available, which an unlocked bootloader made easy to obtain. Modern devices combine hardware security elements, cryptographic boot chains, file-based encryption with keys bound to the Secure Enclave or Titan chip, and locked bootloaders that refuse to boot unsigned code. Forensic vendors respond with proprietary exploit chains that target specific firmware versions, meaning the viability of physical acquisition for a given device depends on which vulnerabilities exist for that exact model and OS build at the time of examination.
By the end of this topic you will be able to:
- Explain what physical acquisition produces and how it differs from logical and file-system acquisition in terms of evidence scope.
- Describe how EDL mode works on Qualcomm devices and the steps an examiner takes to enter and use it.
- Identify the role of bootloader exploits in physical acquisition and explain why exploit chains are version-specific.
- Evaluate the impact of full-disk and file-based encryption on the interpretability of a raw physical image.
- Describe the conditions under which chip-off acquisition is warranted and the risks it introduces.
- EDL mode (Emergency Download mode): A boot mode of Qualcomm's Primary Boot Loader (PBL) that runs before any OS code and exposes a USB interface. The host first loads a programmer binary over the Sahara protocol; the PBL verifies the programmer's signature against the OEM key hash fused into the SoC, and the programmer then services raw flash read and write commands over the Firehose protocol. Widely used for physical acquisition of Qualcomm-based Android devices when a programmer signed for that OEM is available.
- Bootloader: Firmware that runs immediately after power-on to verify, load, and hand control to the operating system. A locked bootloader refuses to execute unsigned or modified OS images, blocking many physical acquisition approaches that depend on booting custom recovery software.
- NAND flash: The non-volatile memory technology used in virtually all mobile device storage. Data is written in pages and erased in blocks; physical acquisition reads the raw page data including those pages not yet erased by the file system after deletion.
- Chip-off acquisition: A technique in which the storage chip is physically desoldered from the device's circuit board, mounted in a chip reader, and dumped independently of the device's other electronics. Destructive and difficult to reverse; used when the device cannot power on.
- Full-disk encryption (FDE): A storage protection model in which the entire partition is encrypted with a key derived from the user's passcode and hardware-bound identifiers. A physical image of an FDE device is unreadable ciphertext without the key.
- File-based encryption (FBE): The encryption model used in modern Android devices (introduced in Android 7, mandatory for new devices from Android 10) and in iOS Data Protection, in which individual files or directories are encrypted under different keys tied to authentication state. More granular than FDE; the device can decrypt credential-independent files before the passcode has ever been entered, so an extraction that runs on the device before first unlock can recover them.
What physical acquisition captures
A physical image is a sector-by-sector or page-by-page copy of the storage medium. It contains every bit on the chip at the moment of acquisition: active file system structures, deleted file content still residing in unallocated clusters, fragmented remnants in slack space, carved data from formatted partitions, and low-level chip metadata such as spare area bytes. This is categorically more than any logical or file-system acquisition can yield, because logical methods ask the OS what files exist and the OS returns only what it tracks.
| Method | What it captures | Recovers deleted data? | Bypasses OS? |
|---|---|---|---|
| Logical (ADB backup, iTunes) | OS-exposed files and databases | No | No |
| File-system (AFC, full file system dump) | All files and metadata the file system tracks, including app sandboxes | Partial (deleted records in SQLite free pages) | Partial |
| Physical (EDL, chip-off) | Full raw storage contents | Yes | Yes |
| JTAG / ISP | Full raw storage via debug interface | Yes | Yes |
The completeness of a physical image comes at a cost. Raw storage dumps require parsing by forensic software that understands the partition layout, the file system, and the encoding used by the specific chipset. A raw NAND dump (from chip-off or a raw NAND reader) includes out-of-band (OOB) spare-area bytes, flash translation layer metadata, and wear-levelling tables that must be stripped or interpreted correctly or the file system will not parse. Managed eMMC and UFS parts hide all of this behind their onboard controller and present a linear block device, so an EDL or ISP dump of such a chip parses as a normal partitioned disk. High-quality physical forensic tools handle this automatically, but the examiner must understand what the tool is doing to interpret anomalies correctly.
EDL mode on Qualcomm devices
Emergency Download mode is a function of Qualcomm's Primary Boot Loader, the first code that executes when a Qualcomm chipset powers on. In EDL mode the device enumerates over USB as the Qualcomm HS-USB QDLoader 9008 port and speaks Qualcomm's Sahara protocol, whose job is to accept a programmer binary (the Firehose loader) from the host. The PBL verifies the programmer's signature against the OEM public-key hash fused into the SoC and then runs it; the programmer speaks the XML-based Firehose protocol, which lets the host read and write flash sectors directly. The OS is not running; Android's permission model, lock screen, and encryption key management are all inactive. From the device's perspective, EDL mode is a recovery and provisioning interface intended for factory programming. The practical consequence is that EDL acquisition needs a Firehose programmer signed for the target's OEM and chipset; without one, the device sits in 9008 mode but accepts nothing useful.
Entering EDL mode on most Qualcomm-based Android phones requires one of three approaches: a hardware method (bridging a test point on the PCB to ground while powering on), a software method (issuing an ADB or fastboot command if the device is already accessible), or exploiting a vulnerability in the device's own boot chain to force a reboot into EDL. The hardware method is reliable but requires disassembly and knowledge of the specific board layout for that model. The software method works only if ADB is enabled and the device is unlocked or the examiner already has shell access. Exploit-based EDL entry targets bugs in the bootloader and is model-specific.
Once EDL mode is active and the correct programmer is loaded, the acquisition process issues sequential read commands across the full user data partition and any other partitions of interest (bootloader, modem, recovery, system). The result is a raw partition image or a full-disk image depending on the scope specified. Acquisition speed depends on USB throughput and the flash chip's read speed; a 128 GB device typically takes 30 to 90 minutes over USB 2.0.
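The partition-scoping step above, as an added example that is not part of the original page or of any vendor tool: it builds a constructed GPT-partitioned image, parses the primary GPT the way a forensic tool must before it knows where userdata lives, and emits the Firehose read command a host would send the programmer for that partition. It generalises beyond the page's Qualcomm case in that the GPT parser works on any raw image with a 512-byte sector layout. The sector size, partition names and payloads, the LUN number and the CRC checks' error messages are assumptions; real UFS devices spread partitions across several LUNs, and a dump whose primary header fails its CRC should be retried from the backup header at the last LBA.

```python
import hashlib
import struct
import uuid
import zlib

SECTOR = 512                    # assumption: eMMC-style 512-byte sectors (UFS LUNs usually use 4096)
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header, little-endian
ENT_FMT = "<16s16sQQQ72s"       # 128-byte partition entry
NUM_ENTRIES = 128               # standard 16 KiB entry array = 32 sectors starting at LBA 2
FIRST_USABLE = 2 + NUM_ENTRIES * 128 // SECTOR   # LBA 34


def build_image(partitions, total_sectors=256):
    """Constructed test image: protective-MBR signature, primary GPT and partition payloads.
    partitions: list of (name, first_lba, last_lba, payload_bytes)."""
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = b"\x55\xaa"
    entries = b""
    for name, first, last, payload in partitions:
        entries += struct.pack(ENT_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                               first, last, 0, name.encode("utf-16-le"))
        img[first * SECTOR:first * SECTOR + len(payload)] = payload
    entries = entries.ljust(NUM_ENTRIES * 128, b"\0")
    hdr = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0,
                      1, total_sectors - 1, FIRST_USABLE, total_sectors - FIRST_USABLE,
                      uuid.uuid4().bytes_le, 2, NUM_ENTRIES, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]   # header CRC is computed with its own field zeroed
    img[SECTOR:SECTOR + 92] = hdr
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(img)


def parse_gpt(img):
    """Read the primary GPT at LBA 1, verify both CRCs, and return the named partitions."""
    fields = struct.unpack(HDR_FMT, img[SECTOR:SECTOR + 92])
    sig, hsize, hcrc = fields[0], fields[2], fields[3]
    ent_lba, n_ent, ent_size, ent_crc = fields[10], fields[11], fields[12], fields[13]
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1 (wrong sector size or non-GPT layout?)")
    full = img[SECTOR:SECTOR + hsize]
    if zlib.crc32(full[:16] + b"\0\0\0\0" + full[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch: misread sectors or truncated dump; try the backup header")
    blob = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(blob) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(ENT_FMT, blob[i * ent_size:(i + 1) * ent_size])
        if type_guid == b"\0" * 16:
            continue   # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "first": first, "last": last, "sectors": last - first + 1})
    return parts


def firehose_read(part, lun=0, filename=None):
    """The Firehose <read> the host sends the programmer to dump one partition (lun selects the UFS LUN)."""
    return ('<?xml version="1.0" ?><data><read SECTOR_SIZE_IN_BYTES="%d" num_partition_sectors="%d" '
            'physical_partition_number="%d" start_sector="%d" filename="%s"/></data>'
            % (SECTOR, part["sectors"], lun, part["first"], filename or part["name"] + ".bin"))


def carve_partition(img, part):
    """Slice one partition out of a full-disk dump using the GPT bounds."""
    return img[part["first"] * SECTOR:(part["last"] + 1) * SECTOR]


def demo():
    payload = b"constructed userdata bytes"
    img = build_image([("boot", 34, 41, b"ANDROID!"), ("userdata", 42, 221, payload)])
    parts = parse_gpt(img)
    ud = next(p for p in parts if p["name"] == "userdata")
    blob = carve_partition(img, ud)
    return parts, firehose_read(ud), blob, hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    parts, xml, blob, digest = demo()
    for p in parts:
        print("%-10s LBA %d-%d (%d sectors)" % (p["name"], p["first"], p["last"], p["sectors"]))
    print(xml)
    print("userdata sha256:", digest)
```

On a real acquisition the host reads LBA 0 and 1 first, parses the table exactly as above, and only then issues the read for each partition; reading the full device instead of individual partitions avoids missing slack between partitions at the cost of time.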
Bootloader exploits and exploit chains
Many physical acquisition paths depend on exploiting vulnerabilities in a device's bootloader or early boot code to gain the ability to run arbitrary code before the OS takes over. The goal is typically to boot a custom recovery image that can then perform a raw dd image of the storage, or to elevate privileges within the boot environment far enough to read memory that would otherwise be protected. Exploit-based acquisition is version-specific: a vulnerability present in firmware version A may be patched in version B of the same device, and the examiner's tool must match the device's exact firmware version.
For Apple devices, the checkm8 vulnerability (disclosed 2019) is a bootrom-level exploit affecting the A5 through A11 SoCs (iPhone 4s through iPhone X) that cannot be patched by software update because the bootrom is read-only silicon. It allows an examiner to boot an unsigned image and reach the file system. However, even with checkm8, the user data partition is encrypted under per-file keys bound to the Secure Enclave and the passcode; without the passcode only files in the NoProtection class (the ones iOS itself needs before first unlock) are readable, and full file-system access requires the passcode to be known or not set. Devices running iOS 16 and later also have additional mitigations affecting what third-party tools can extract even after checkm8.
For Android, the exploit situation varies by manufacturer. Some leave bootloaders unlockable via fastboot (with user confirmation), which allows booting a custom TWRP recovery and imaging. The caveat is that the unlock itself triggers a mandatory factory reset that wipes the userdata partition, so this path is only useful if the bootloader was already unlocked at seizure; unlocking a locked evidence device destroys exactly the data being sought. Others lock the bootloader permanently and sign every boot stage; exploitation requires finding a bug in one of those stages. Cellebrite UFED and similar tools maintain proprietary exploit libraries but do not disclose which vulnerabilities they use, citing responsible disclosure concerns. An examiner using these tools should document the tool version and the acquisition method in the case notes, even if the underlying exploit is opaque, because this information is required if the method is challenged in court.
Direct NAND flash reads and chip-off acquisition
When a device cannot power on at all, or when the SoC is too badly damaged to enter EDL or any exploit-accessible state, the only remaining physical method is to access the storage chip directly. Two approaches exist: in-system programming (ISP), which reads the chip through its command pins while still on the board, and chip-off, which removes the chip entirely.
ISP connects a reader directly to the eMMC or UFS chip's command and data lines on the PCB without removing the chip. This requires identifying the correct test points or ball grid array (BGA) pads, which vary by device, and applying the correct signal voltages. A successful ISP read produces the same raw image as an EDL acquisition without needing the device's SoC to participate. The risk is lower than chip-off because the chip stays on the board, but board damage can make the pads inaccessible.
Chip-off desolders the storage chip from the PCB using hot air, infrared heating, or a rework station. The removed chip is then placed in a socket reader or reballed and mounted in a reader that matches its pin configuration. The resulting dump is the raw NAND or eMMC contents. Chip-off is irreversible: if the process goes wrong, the chip can be destroyed. For this reason it is reserved for cases where the device is already inoperable, where no other method is viable, and where the investigation justifies the risk. The examiner should document the condition of the device before and after, photograph the procedure, and note that the method was used as a last resort.
Encryption and its effect on physical acquisition
Encryption is the primary factor that determines whether a physical image is useful once obtained. A physical image of an encrypted device is a correctly acquired forensic image; it is simply unreadable without the key. Understanding how encryption is implemented on specific device families determines what options remain after acquisition.
On iPhones from the 3GS onward, every file is encrypted with a per-file key, and those keys are wrapped under class keys that are protected by the user's passcode combined with a device-unique key (the UID) fused into the silicon: the AES engine on early models, and the Secure Enclave on A7 and later. Because the UID never leaves the chip, a passcode cannot be tested against a physical image alone, however short it is; every guess must be made through the device itself, where the Secure Enclave enforces escalating delays between attempts and can be configured to erase the keys after ten wrong attempts. The only viable path is therefore the operational device, with whatever exploits apply to it. GrayKey (used by law enforcement agencies) and Cellebrite's iOS Advanced Logical extraction operate within this framework.
Modern Android devices use file-based encryption (FBE) with two classes of keys: device-encrypted (DE) keys that the hardware keystore unwraps at boot without any credential, and credential-encrypted (CE) keys that are derived only after the user has authenticated. Both kinds of data live in the same userdata partition, in separate directories. DE storage holds pre-authentication data such as alarm settings and some call-log entries; CE storage holds everything tied to the authenticated user. In a raw off-device dump both are ciphertext, because even the DE keys are bound to the hardware keystore; an extraction that runs code on the device before first unlock (BFU) can decrypt DE data only. Once the user has unlocked once after boot (AFU), the CE keys stay in kernel memory until the next reboot, even while the screen is locked, which is why key material can potentially be captured from an AFU device through a memory acquisition technique.
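A toy model of the key hierarchy just described, added as an example that is not Android's code: an HMAC-based KDF and a counter-mode keystream stand in for the hardware keystore and AES-XTS, and the passcode, file names and contents are constructed. It shows the three states in turn: before first unlock only DE data decrypts, after first unlock CE data decrypts even with the screen locked, and an examiner working from the raw image alone cannot derive the CE key even with the correct passcode because the fused hardware secret is not in the image.

```python
import hashlib
import hmac
import os


def kdf(key, *labels):
    """Toy KDF (HMAC-SHA256); stands in for the hardware keystore's key derivation."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()


def keystream(key, nonce, n):
    """Toy counter-mode keystream from HMAC-SHA256. Real FBE uses AES-256-XTS; this is illustration only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """One FBE device: a fused hardware secret, flash contents, and the class keys currently in kernel memory."""

    def __init__(self, passcode):
        self._hw_secret = os.urandom(32)        # fused at manufacture; never readable off-chip
        self._verifier = kdf(self._hw_secret, b"gatekeeper", passcode.encode())
        self.flash = {}                          # name -> (class, nonce, wrapped file key, ciphertext)
        self.keys = {}                           # "kernel memory": class keys currently available
        self.boot()

    def boot(self):
        """Power cycle: RAM is lost, so only the credential-independent DE key comes back."""
        self.keys = {"DE": kdf(self._hw_secret, b"DE")}

    def unlock(self, passcode):
        """Correct passcode derives the CE key, which then stays resident until the next boot()."""
        if not hmac.compare_digest(self._verifier, kdf(self._hw_secret, b"gatekeeper", passcode.encode())):
            return False
        self.keys["CE"] = kdf(self._hw_secret, b"CE", passcode.encode())
        return True

    def lock_screen(self):
        """Screen lock changes nothing here: locking does not evict CE keys from memory."""

    def write(self, name, cls, data):
        file_key, nonce = os.urandom(32), os.urandom(16)
        wrapped = xor(file_key, keystream(self.keys[cls], b"wrap" + nonce, 32))
        self.flash[name] = (cls, nonce, wrapped, xor(data, keystream(file_key, nonce, len(data))))

    def read(self, name):
        cls, nonce, wrapped, ct = self.flash[name]
        if cls not in self.keys:
            raise PermissionError(f"{cls} key not loaded: device is before first unlock")
        file_key = xor(wrapped, keystream(self.keys[cls], b"wrap" + nonce, 32))
        return xor(ct, keystream(file_key, nonce, len(ct)))


def offline_decrypt(image, name, passcode_guess):
    """What an examiner holding only the raw flash image can do: there is no hardware secret to feed the
    KDF, so the derived key is wrong even when the passcode guess is right."""
    cls, nonce, wrapped, ct = image[name]
    guess_key = kdf(passcode_guess.encode(), cls.encode())
    file_key = xor(wrapped, keystream(guess_key, b"wrap" + nonce, 32))
    return xor(ct, keystream(file_key, nonce, len(ct)))


def demo():
    dev = Device("2580")                          # constructed passcode and data
    dev.unlock("2580")
    dev.write("alarms.db", "DE", b"07:00 weekday alarm")
    dev.write("sms.db", "CE", b"private message")
    results = {}
    dev.boot()                                    # seized powered off: BFU
    results["bfu_de"] = dev.read("alarms.db")
    try:
        dev.read("sms.db")
        results["bfu_ce"] = "readable"
    except PermissionError:
        results["bfu_ce"] = "locked"
    results["wrong_passcode"] = dev.unlock("0000")
    dev.unlock("2580")
    dev.lock_screen()                             # AFU with the screen locked
    results["afu_ce"] = dev.read("sms.db")
    results["offline"] = offline_decrypt(dev.flash, "sms.db", "2580")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model deliberately leaves out Gatekeeper's attempt throttling and the Keymaster wrapping of the DE key; what it keeps is the property that matters for acquisition planning, namely that the only code able to turn a passcode into a usable key runs on the device.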
| Device state | What a physical image yields | Key attack surface |
|---|---|---|
| Powered off, never unlocked (BFU) | Raw dump is ciphertext; an on-device BFU extraction can decrypt DE data only | Requires passcode or exploit to reach CE data |
| After first unlock (AFU), screen locked | DE data readable; CE data on flash still ciphertext, but CE keys resident in kernel memory | Keys in memory; live or on-device acquisition more valuable than a raw dump |
| Unlocked during acquisition | All partitions potentially readable if access gained | FBE keys in memory; highest-value state |
| Damaged device, powered off | Chip-off yields ciphertext | No key attack surface without operational SoC |
The practical implication is that device state at seizure matters enormously. A device that is running and unlocked at the time of seizure should, wherever legally permissible and tactically safe, be kept in that state and subjected to live or in-situ acquisition before it locks or powers off. Law enforcement agencies in the United States, United Kingdom, Australia, and India have developed seizure protocols that include placing the device in airplane mode (to prevent remote wipe), keeping it charged, and preserving the unlocked state for as long as the chain of custody allows.
Legal framework and when physical acquisition is warranted
Physical acquisition is the most invasive mobile forensic method and attracts the highest legal scrutiny. Its use requires clear legal authority and proportionality. In the United States, the Fourth Amendment requires a search warrant supported by probable cause before examining the contents of a seized phone (Riley v. California, 2014). In the United Kingdom, the Police and Criminal Evidence Act 1984 and accompanying PACE Codes provide the framework for examination, and the Investigatory Powers Act 2016 governs interception of data in transit. In India, the Bharatiya Nagarik Suraksha Sanhita 2023 provides search and seizure powers, and evidence admissibility is governed by the Bharatiya Sakshya Adhiniyam 2023. The EU's GDPR applies a data minimisation principle that constrains what data from a physical image may be retained or processed even when acquisition is lawful.
Physical acquisition is warranted when lower-yield methods are insufficient for the investigation's evidentiary needs. Specific justifications include: recovery of deleted data that the OS has unlinked but not overwritten; acquisition from a device that is damaged and cannot be accessed through normal OS channels; situations where the OS is suspected of having been manipulated to conceal data; and cases where a complete image is required to demonstrate that all available evidence has been collected. Choosing physical acquisition solely because it yields more data, when logical acquisition would suffice, is poor practice and can expose the examiner to criticism that the method was disproportionate.
The examiner's documentation must record the justification for choosing physical acquisition, the specific method used and why, the tool version, device identifiers, the acquisition start and end time, and the cryptographic hash of the resulting image file. This documentation forms part of the chain of custody and may be examined by opposing counsel or by a court. Hashing the image immediately after acquisition (SHA-256 is current practice) and verifying the hash before any analysis begins establishes integrity.
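A hashing and verification routine for that documentation step, added here as an example rather than taken from the page or from any forensic product. The tool name, method string and device identifier it records are placeholders, and the image it hashes is a constructed temporary file; it shows that a single flipped byte in the image is caught by the verify-before-analysis check.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time

CHUNK = 1 << 20   # hash in 1 MiB pieces so a multi-GB image never has to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, **case_fields):
    """Hash the image immediately after acquisition and record it alongside the case details."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "hashed_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **case_fields,
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_before_analysis(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; returns (ok, recorded_hash, current_hash)."""
    with open(manifest_path) as f:
        record = json.load(f)
    current = sha256_file(image_path)
    ok = os.path.getsize(image_path) == record["size_bytes"] and hmac.compare_digest(current, record["sha256"])
    return ok, record["sha256"], current


def demo():
    """Constructed image of 3 MiB + 17 random bytes; one byte is flipped afterwards to show detection."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "userdata.bin")
        manifest = os.path.join(d, "userdata.manifest.json")
        with open(img, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        write_manifest(img, manifest, tool="hypothetical-edl-tool 1.0",   # placeholder case fields
                       method="EDL/Firehose", device_id="example-serial")
        clean, recorded, _ = verify_before_analysis(img, manifest)
        with open(img, "r+b") as f:
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([b[0] ^ 0x01]))
        tampered, _, current = verify_before_analysis(img, manifest)
        return clean, tampered, recorded != current


if __name__ == "__main__":
    print("clean image verifies: %s; tampered image verifies: %s; hashes differ: %s" % demo())
```

The manifest should be written to a location separate from the image and itself be included in the case record, since a hash stored only beside the image protects against accident, not against substitution.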
See Digital Evidence in Mobile and Network Contexts for the broader evidence handling principles that apply regardless of acquisition method.
Key Takeaways
- Physical acquisition produces a bit-for-bit image of a device's storage, capturing unallocated space, deleted content, and raw partition structures that logical methods cannot reach.
- EDL mode on Qualcomm devices is one of the most reliable physical acquisition paths; it requires a device-specific Firehose programmer and either a hardware test-point method or a software command to enter the mode.
- Bootloader exploits enable physical acquisition by allowing unsigned recovery software to run; they are version-specific and may be patched in later firmware updates, so the viability of an exploit chain depends on the exact OS build on the target device.
- Full-disk and file-based encryption can render a correctly acquired physical image unreadable; device state at seizure (particularly whether the device has been unlocked since last boot) determines whether encryption keys are accessible.
- Chip-off acquisition, in which the storage chip is removed and read independently, is destructive and should be reserved for devices too damaged to operate; documentation of the pre- and post-procedure device condition is mandatory.