Acquiring Mobile Device Data (General Process Description)

You are here:

Acquiring Mobile Device Data (General Process Description)

With the forensic process, it is important to note that, with embedded systems such as smart devices, some data must be written to the device in order to communicate with it. Depending on the type of device, the data that is written will change. However, in order to follow the principles of forensics, the data that is written is documented and noted as part of the process. This process is repeatable with multiple devices and is considered forensically sound. In each section, the details of the process can be found. The methods used by the program are designed to write the minimal amount of data to the device to allow for a forensically stable data acquisition.

There are two methods of device detection: automatic detection and manual plug-in selection.

Acquisition via automatic detection: This method automatically detects the devices connected to the computer via a USB port and allows you to select the type of acquisition of the device.
Acquisition via manual plug-in selection: This method allows you to select a plug-in corresponding to the device manufacturer and acquisition type as well as the connection via which acquisition will be performed.

Guidance Software recommends acquiring via automatic detection. Use manual plug-in selection only in the event that the device is not detected or cannot be acquired via automatic detection.

Data acquisition usually consists of the following steps:

Preparation Step: Prepare the device for working with the program. Guidance Software recommends the following:
- Check whether the device is charged in order to prevent power loss during the acquisition process.
  Note: Acquisition from PDAs, iPhones, and Androids might take several hours.
- Choose the proper cable or cradle for your device.
- Ensure the proper drivers for any USB cable (cradle) are installed.
- Check that the device is connected to the computer.
- Insert or remove the SIM card depending on the requirements of the plug-in you are using and your procedures.
- Turn the device on or off depending on the requirements of the plug-in you are using.
- If acquisition of the device is NOT being performed for the first time within this case, it is recommended that you reload (power cycle) the device before starting the new acquisition process.
Selection Step: Go to Add Evidence > Acquire Mobile > Acquire from Device to start the Acquisition Wizard, which will guide you through the process of acquisition. The following items must be selected:
- For automatic detection:
  - The device whose data you want to acquire.
  - The type of acquisition you want to perform.
- For manual plug-in selection
  - The manufacturer and type of acquisition (see the list of acquired data for the corresponding device for the differences between the amount and type of data acquired with the logical and physical acquisition methods).
  - The model of your device (most of the plug-ins allow the program to detect the model automatically).
  - Type of connection (the port to which the device is connected).
Instructions Step: You can read special acquisition instructions if they are available for the selected device.
Acquisition Step: The program acquires information from the device. In some cases, you might need to perform more actions with the device, such as pressing special buttons on it or entering special information. The process of acquiring the device features is displayed in the progress table.
Final Step: Acquisition finishes, and you can disconnect your device from the computer.

There can be certain specifics about acquisition of different types of devices. For more information, see the description of data acquisition of the type of device you want to acquire.

Note: The program allows you to work with other data in the case during the acquisition. You can add, view, and process other evidence in the case while the device is being acquired.

(linked document is not in XML format)