- Mobile Forensics: Advanced Investigative Strategies
- Oleg Afonin Vladimir Katalov
- 2025-02-21 14:00:06
Physical acquisition
Physical acquisition strikes the best balance between extraction speed, ease of use, and the amount of information being extracted. This process does not require disassembling the phone or using any special hardware. A micro USB (or Apple Lightning) cord, a PC (or Mac), and forensic software for physical acquisition (refer to the following section) are all that's required. For iOS devices newer than iPhone 4, Elcomsoft iOS Forensic Toolkit is currently the only physical acquisition solution available.
Physical acquisition extracts the maximum amount of information from the device. For unencrypted devices, unallocated space will be extracted together with the filesystem, allowing experts to carve the dump for destroyed evidence. Encrypted devices handle unallocated space differently. For example, Apple iOS always uses full-disk encryption that does not keep encryption keys to released data blocks. As a result, unallocated areas can be accessed, but cannot be decrypted in Apple devices even if the device is jailbroken and the passcode is known.
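To make the point about unallocated space concrete, here is an added example (not code from the book or from any of the tools it names) that walks a constructed three-block dump: an allocated file, a deleted JPEG left in unallocated space, and a block of released ciphertext standing in for data whose key the full-disk encryption discarded. Block size, the entropy threshold and the single-block JPEG layout are assumptions made for the example; a real carver would also handle files spanning blocks.

```python
import math
import random
from typing import List, Tuple

BLOCK = 4096                      # assumed block size of the constructed image
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, low for zero-filled or text blocks."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blocks(image: bytes, allocated: set, threshold: float = 7.0) -> List[str]:
    """Label each block 'allocated' (live filesystem), 'encrypted' (high entropy, key gone) or 'carveable'."""
    labels = []
    for i in range(0, len(image), BLOCK):
        if i // BLOCK in allocated:
            labels.append("allocated")
        elif shannon_entropy(image[i:i + BLOCK]) >= threshold:
            labels.append("encrypted")   # released blocks on an encrypted device: nothing to carve
        else:
            labels.append("carveable")
    return labels


def carve_jpegs(image: bytes, labels: List[str]) -> List[Tuple[int, int]]:
    """Signature-carve JPEGs (SOI..EOI) from carveable blocks only; returns (offset, length) pairs."""
    hits = []
    for i, label in enumerate(labels):
        if label != "carveable":
            continue
        blk = image[i * BLOCK:(i + 1) * BLOCK]
        start = blk.find(JPEG_SOI)
        end = blk.find(JPEG_EOI, start + 3) if start >= 0 else -1
        if start >= 0 and end >= 0:       # simplification: the file is assumed to fit in one block
            hits.append((i * BLOCK + start, end + 2 - start))
    return hits


def build_sample_image() -> Tuple[bytes, set]:
    """Constructed dump: live file block, deleted JPEG in unallocated space, released ciphertext block."""
    live = b"live.txt: allocated content".ljust(BLOCK, b"\x00")
    deleted = (b"\x00" * 16 + JPEG_SOI + b"\xe0" + b"\x11" * 200 + JPEG_EOI).ljust(BLOCK, b"\x00")
    released = random.Random(7).randbytes(BLOCK)   # deterministic stand-in for undecryptable data
    return live + deleted + released, {0}          # block 0 is the only allocated block
```

On an unencrypted Android dump every unallocated block would be carveable; on an iOS dump the released blocks classify as encrypted and the carver correctly skips them.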
The benefits of physical acquisition are as follows:
- Strikes the best balance between the amount of extracted data, speed, and ease of use
- Guaranteed timeframe
- In many cases, it can extract unallocated space (except on Apple devices)
- Operates on a high level and can overcome encryption (extracted images are decrypted on-the-fly)
- Available for select Windows Phone models
- Available for older iOS devices
- Available for many Android devices (various methods exist)
- Only requires a USB or Lightning cord and acquisition software
- Device disassembly not required
- Can be used by most forensic experts, no special skills required
- Non-destructive and non-invasive process
Major drawbacks of physical acquisition include the following:
- Limited general availability, extremely limited availability for Apple iOS devices
- May or may not support locked Android devices with USB Debugging turned off
- No unified approach, a wide range of acquisition tools and methods
- May not acquire locked devices with an unknown PIN/passcode
Apple iOS
When it comes to Apple devices, physical acquisition is fully available for 32-bit hardware, with limited support for 64-bit devices (keychain items remain encrypted when acquiring a 64-bit device, even if the passcode is known). The 32-bit acquisition process supports iPhone 4, 4S, 5, and 5C, but not the later 5S, 6, or 6 Plus. The original iPad mini can be acquired with the 32-bit process, but iPad mini 2 (Retina) already uses a 64-bit System on a Chip (SoC), so physical acquisition is available via a separate (64-bit) process.
Note
SoC is an integrated circuit that combines electronics such as the main CPU, GPU, wireless modems, and dedicated motion and other co-processors on a single chip. A SoC packs much more than just a CPU on a single silicon chip.
Note that iPhone 4S, 5, and 5C can only be acquired via a jailbreak, so the prerequisites for the physical acquisition of these devices include either an already jailbroken iPhone or a known passcode together with a version of iOS that can be jailbroken. A non-jailbroken iPhone 4S, 5, or 5C locked with an unknown passcode cannot be extracted via physical acquisition; however, a limited amount of data can still be extracted even if the device is locked with an unknown passcode.
The 64-bit acquisition process supports all existing Apple devices, such as iPhone 5S/6/6S/Plus, iPad mini 2-4, iPad Air/Air 2, and iPad Pro. The 64-bit process is backward-compatible with 32-bit devices and can be used instead of the full 32-bit acquisition process if there is an error acquiring the device. However, the 64-bit process is highly invasive; it modifies the content of user and system partitions. Instead of a DMG image, the 64-bit process returns a TAR file of the filesystem (files and folders only). Finally, keychain items are acquired, but cannot be decrypted via the 64-bit process even if the passcode is known.
More about iOS physical acquisition can be found in Chapter 5, iOS - Introduction and Physical Acquisition.
Android
Physical acquisition is probably the best extraction method available for Android devices. Physical acquisition operates on a higher level than JTAG or chip-off.
Note
JTAG: This is a common name for test access ports (TAP) standardized by the Joint Test Action Group (JTAG) association. These ports, among other things, can be utilized to access raw data stored in the connected device.
Chip-off: This is an advanced, destructive acquisition technique where individual storage chips (for example, embedded MultiMediaCard (eMMC)) are removed from the device and imaged directly (by attaching wire leads to the chip contacts) or via a commercially-available adapter.
Since physical acquisition runs through the phone's controller, in many cases, dumping an encrypted device will produce a decrypted dump (which is not the case for JTAG or chip-off). On Android, the dumping process requires superuser permission to run, so a rooted device is required. Commercial acquisition tools such as Oxygen Forensic Suite will automatically attempt to root the device (tethered rooting) on the expert's behalf. A different, more advanced acquisition strategy is available for certain devices via a bootloader hack (Cellebrite UFED), which does not require rooting the device or altering its content in any way. Only supported devices can be extracted with this method; these include some Motorola Android devices and selected Samsung, Qualcomm, and LG devices. While this method is mostly applicable to devices with unlocked bootloaders, Cellebrite has bootloader hacks for certain devices with locked bootloaders (for example, selected Nokia Lumia devices).
Finally, some manufacturers implement service access to the phone's storage via a special firmware update mode. These manufacturers include Qualcomm (Qualcomm HS-USB 9006 / Qualcomm MMC Storage; this works regardless of the bootloader lock status, but may not be available on all devices); LG, regardless of the chipset (LAF mode works regardless of the bootloader lock status); and MediaTek and Spreadtrum (only works on unlocked bootloaders). These modes can be utilized for forensically sound acquisition of some devices via mobile forensic tools, such as Oxygen Forensic Suite.
We will discuss Android physical acquisition in more detail in Chapter 5, iOS - Introduction and Physical Acquisition.
Windows Phone 8 and Windows 10 Mobile
For a long time, the Windows Phone OS remained secure against physical acquisition attacks. A bootloader-level exploit was developed for select Windows Phone devices by Cellebrite. Supported Windows Phone 8 devices can be dumped with Cellebrite UFED via a USB cord (http://www.cellebrite.com/Pages/windows-phone-forensics-physical-extraction-and-decoding-from-windows-phone-devices).
The bootloader exploit works even if the device was updated to run Windows 10 Mobile.
Limitations and availability
Physical extraction is not available on BlackBerry 10, Apple iOS devices with 64-bit hardware, and a great deal of Android smartphones for which no known exploit is available.
Tools for physical acquisition
The following forensic tools are available and recommended for performing physical acquisition of mobile devices:
- Cellebrite offers an extensive range of mobile forensic tools under its UFED umbrella, along with further tools outside that product line.
- Micro Systemation (XRY) offers a range of mobile forensic tools to perform physical and logical extraction from a wide range of mobile devices, extracting all available raw data (physical only).
- AccessData (MPE+) offers Mobile Phone Examiner Plus (MPE+), an all-in-one acquisition and analysis toolkit supporting a wide range of mobile devices. The company claims support for over 7,000 device models.
- Elcomsoft iOS Forensic Toolkit is the only tool on the market to support physical acquisition of all 32-bit and 64-bit iOS devices.
- Oxygen Forensic Suite supports more than 12,000 unique device models via physical, logical, and cloud acquisition techniques. This comes with the ability to exploit unique properties of certain chip sets and OEMs that allow investigators to dump the entire content of the device while bypassing the bootloader lock and screen lock together.
- Magnet ACQUIRE can perform logical acquisition as well as physical acquisition of multiple Android and iOS devices. The extraction is done in a manner that is agnostic so that any analysis tool can import the extracted data for analysis.
- BlackBag Mobilyze can acquire Android and iOS devices. For iOS, acquisition is restricted to the logical/filesystem level. For Android, it can perform all three levels of extraction, depending on the device type and other variables such as the OS version, operator customizations, and so on.