Physical extraction

MOBILedit Forensic PRO can perform physical extractions - a bit-by-bit image of data in the phone.

In order to perform a successful physical extraction, you need to have a rooted phone.

For more information on rooting a phone please go to How to root an Android phone? 

Physical extraction can also be performed on some Android devices by using security bypassing methods such as EDL, Spreadtrum, MTK LAF, and more.

Alternatively, you can use one of the temporary rooting methods depending on the security patch level of the device.

Once the phone is rooted and connected successfully, the word “Rooted” will be displayed below the picture of the connected device.

Confirm root access on the phone (a popup will appear on your phone´s screen, please tap on "Grant Access") and click OK, proceed with the Next button. In the following step, you can select the Physical extraction option.

Choose a name for the image file and make sure you have enough space on the destination drive (the physical image will be as big as the full phone´s storage)

After the physical image is created, it can be loaded into MOBILedit Forensic and then analyzed with results presented in a report.

A physical image created previously or on another tool can also be imported into MOBILedit Forensic.

The physical image may be encrypted, this depends on the version of Android:

From Android 7 - FDE (Full disc encryption)
From Android 10 - FBE (File-based encryption).

MOBILedit Forensic can extract unencrypted physical images of a device even if the device is using FDE. Root access is required and the device has to be connected via USB.

Physical extraction for iOS devices is not supported in MOBILedit Forensic due to iOS security.