Furthermore, Computer Forensics Lab experts can carve and recover deleted data from all types of mobile handsets. The advanced in-house hardware and software data extraction and recovery tools at our disposal enable us to ensure that no critical digital evidence is hidden from the keen eyes of the digital forensic examiner. It is important to note that missing or incomplete extraction of data from seized or acquired mobile handsets and computers can adversely affect the results of a digital forensic investigation and can lead to a miscarriage of justice. Full disclosure of all data from mobile handsets is only possible if a physical data acquisition of the mobile device or the computer is performed, whether or not the PIN or password of the mobile device or the computer is known or has been provided.
How does physical data extraction work in mobile devices?
(Figure: Mobile Data Acquisition Comparison Table)
Physical data extraction in digital forensics is a more complex and advanced type of data extraction than logical extraction, and it returns far better results because the phone or the computer is operated in super admin mode rather than normal user mode. Specifically, this method is useful for recovering hidden or deleted information on mobile devices. It produces a low-level, bit-by-bit copy of the phone’s storage device. Effectively, this extracts the block-device data as abstracted in the operating system. Fundamentally, physical data extraction in mobile devices bypasses the device’s Operating System (OS). This is carried out just before the device's OS starts to load. This stage is called the bootloader, which is the first thing that starts up when a device is turned on. In this method, bootloaders can bypass system locks and passcodes to extract deleted passwords, files, photos, videos, text messages, call logs, GPS tags, and other artifacts. Once a physical extraction is complete, there are no signs of an investigation. The data is left forensically intact to ensure the investigation is not compromised.
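An added example, not from the original article or Computer Forensics Lab's tooling: a signature carver run over a constructed raw image, showing why a bit-by-bit copy can yield a deleted file that a logical listing of allocated files omits, and that the analysis leaves the copy's hash unchanged. The image layout, the allocated-file table and all function names are assumptions made for illustration.

```python
import hashlib

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def build_sample_image():
    """Constructed 8-sector 'device' (assumption): one live photo and one
    deleted photo whose sectors were freed but never overwritten."""
    live = JPEG_SOI + b"\xe0LIVE-PHOTO" + JPEG_EOI
    deleted = JPEG_SOI + b"\xe0DELETED-PHOTO" + JPEG_EOI
    image = bytearray(SECTOR * 8)
    image[2 * SECTOR:2 * SECTOR + len(live)] = live
    image[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    # Hypothetical file table: all that a logical extraction would report.
    allocated = {"photo1.jpg": (2 * SECTOR, len(live))}
    return bytes(image), allocated

def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Scan the raw bytes for SOI..EOI spans, ignoring any file system."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # no footer left anywhere after this header
        end += len(JPEG_EOI)
        if end - start > max_size:
            pos = start + 1  # implausible span, resume after this header
            continue
        found.append((start, image[start:end]))
        pos = end
    return found

def recover_deleted(image, allocated):
    """Carved files whose offset is absent from the allocated-file table."""
    live_offsets = {offset for offset, _ in allocated.values()}
    return [(o, d) for o, d in carve_jpegs(image) if o not in live_offsets]

def sha256(image):
    return hashlib.sha256(image).hexdigest()

if __name__ == "__main__":
    image, allocated = build_sample_image()
    before = sha256(image)
    for offset, data in recover_deleted(image, allocated):
        print(f"sector {offset // SECTOR}: carved {len(data)} bytes")
    # Carving only reads the copy, so its hash is unchanged afterwards.
    print("image intact:", sha256(image) == before)
```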
Important note:
For forensic data recovery and physical data extraction of mobile devices whose PINs and/or passwords are not known or have not been provided, prior authorisation from a legal authority (such as a warrant or court order) is required. This service is only available to authorised legal professionals, law
EXPERT WITNESS JOURNAL
83
OCTOBER 2024