There are five basic levels of acquisition for smartphones:

•  Manual examination: Process undertaken when the examiner physically scrolls through the mobile device and documents data using photographs or written notes regarding the contents of the device.

•  Logical acquisition: Obtaining specific contents of logical storage objects that reside on a file system partition within a mobile device. A tool that communicates with the phone and obtains and reports only existing non-deleted contacts, call history records, SMS text messages, pictures, videos, or one or more items from the previously listed categories is conducting a logical acquisition of the data from the device.

•  File system acquisition/Advanced Logical: Partial file system dump. Physical Analyzer uses the term “Advanced Logical” for some smart devices, more commonly iOS devices. “iOS Advanced Logical” is a partial file system obtained through backup + AFC; “Android Advanced Logical” is likewise a partial file system, obtained through backup + MTP + ADB. This will be covered in detail in each phone-specific section of the course.

•  Full file system: Full file system dump, including data from the user data partition. Common with exploits and advanced extraction (CAS, Premium, GrayKey). This is the next best thing to a full physical acquisition.

•  Physical acquisition: In mobile-device forensics, the term physical acquisition refers to the process of obtaining all the data, from first to last bit, from one or more physical stores (memory chips) in the mobile device. JTAG, ISP, and chip-off methods fall under physical acquisition. The ability to obtain this type of extraction is becoming rare as encryption mechanisms are constantly growing in strength.

When performing smartphone forensics, it is ideal to first obtain the deepest level of acquisition that both the make and model of the phone and the tools you are using support. Then go back and complete other supported extraction methods that may do a better job of parsing and displaying data from the phone.

For example, if you are able to obtain a physical memory dump from the phone, you get deleted information and files that are locked by the OS when they are in use. You may also be able to obtain security and unlock codes with a physical acquisition. The tool you are using, however, may or may not parse user data in an easily readable format with a physical acquisition.

Therefore, if you next perform a file system and/or logical acquisition of the data, you may obtain better results for reporting purposes. Finally, take pictures of particularly important pieces of data from the device.