MOBILedit Forensic PRO can perform physical extractions - a bit-by-bit image of data in the phone.
In order to perform a successful physical extraction, you need to have a rooted phone.
Physical extraction can also be performed on some Android devices by using bypassing methods such as EDL, MTK LAF, and more.
Alternatively, you can use one of the temporary rooting methods depending on the security patch level of the device.
Once the phone is rooted and connected successfully, the word “Rooted” will be displayed below the picture of the connected device.
Confirm root access on the phone (a popup will appear on your phone´s screen, please tap on "Grant Access") and click OK, proceed with the Next button. In the following step, you can select the Physical extraction option.
Choose a name for the image file and make sure you have enough space on the destination drive (the physical image will be as big as the full phone´s storage)
After the physical image is created, it can be loaded into MOBILedit Forensic and then analyzed with results presented in a report.
The physical image may be encrypted, this depends on the version of Android:
From Android 7 - FDE (Full disc ecryption)
From Android 10 - FBE (File based encryption).
MOBILedit Forensic can extract unencrypted physical images of a device even with FDE if the device is rooted and live-connected.
Please note that the Physical Image creation option is ONLY available in the PRO version of MOBILedit Forensic. The option to import a Physical Image is in addition available also in the Applications Analyser of ours.