These APIs allow a programmer to write an app to request certain records.
A logical record extraction tool uses Android APIs to extract records from the device and save them to external storage. A logical record extraction tool does not require root access. Root access is required to image the device, and root access is also required to read files in the /data partition, which is where user records are stored. In that previous post, the exploit allows for root privileges. As I discussed in my post on live imaging, the imaging process requires an exploit.
I do not intend to go over how to image live memory simply because it is a very complicated process which sometimes does not work.ĭata obtained using a logical record extraction toolĪ logical record extraction tool is an app which installs on the device. Sometimes live running memory can contain important data, including decrypted data if the data in storage is encrypted. What you do not obtain is live running memory. The examination process is not straightforward, but you obtain the most data. You need to find the file storing these records, which is most likely a database, and examine the database file. If you want to look at data records, such as text messages, you do not have a simple file to examine with all of the records. Examining a physical image takes specialty tools, and I go over the basics in this blog post.
There is a good reason why we always want a physical image. Simply with a physical image, you get everything in storage. For a writeup on slack space, check out this page by viaForensics.
You get every file, every database, every picture, plus also all of the slack. The answer is everything in storage on the device. So with all of the above out of the way, here we go. They have far more powerful tools and their professional services are among the best in the industry.) The fact that the tool is free should be an indication that this tool is not their premiere tool. I'm referencing this tool as a free logical extraction tool you can download and use while pointing out the weaknesses of using logical extractions. viaForensics is a great company and I admire their work. In no way am I trying to bash viaForensics here. For this blog, I'll reference AFLogical by viaForensics, which is a free tool you can find here and you can follow instructions for using it here. A logical extraction of data is a set of data extracted using a forensic app. A physical image will be the image you would obtain when following this guide on a previous blog post or using a similar tool, such as a Cellebrite UFED Physical.
First, to define a couple of working terms here.
The question was what data do you have when you obtain a physical image instead of a logical extraction. Thanks for the request! If you, the reader, ever have a topic you would like to see me dive into, message me.