Logical extraction - General info
In a logical extraction, the digital forensic software (in our case MOBILedit Forensic) connects to a device, establishes communication, and then requests directories and file data from the device's file system partition.
The data requested is a copy of the directories and files to which the operating system developer and device manufacturer allow access, and of files that are not protected by the permission security imposed on the device.
In this way, data can be extracted and analysed relatively easily from phones, smart watches, UFD files, etc., often in cases where the device is not protected by a PIN code or pattern (referred to as authentication security).
The extracted data (raw data) is copied to a selected extraction folder as a logical representation of the data stored on the device.
It is also possible to carry out a logical extraction that reaches more data, including data protected by permission security. This requires root access, with higher permissions, access rights and privileges.
If you have been able to obtain a physical image, it can be imported to carry out a logical extraction and analysis. This provides the maximum amount of data, resulting in a more thorough analysis.
If you aren’t able to obtain a physical image and can only acquire a logical extraction, we recommend an “all data” MOBILedit backup, if the law allows you to take one. It is the next best thing when you can’t get the physical image, as it allows the data to be reloaded and re-examined at a later date, even if the device is no longer available.
With a logical extraction, it is possible to select specific data by type and to use filters and Highlights to focus on the information you want to identify and present as evidence.
For best results, keep your package scripts updated, just as all packages should always be updated.
A logical extraction is usually faster and easier than a physical extraction, but it contains less data.