Logical Extraction vs. File System Extraction 

Editor’s Note: This post was originally published April 2021 and has been updated for accuracy and comprehensiveness. 

Digital Forensics Specialist David Smalley
David Smalley
Director, Digital Forensics Specialists
Grayshift
Meet the Expert: Jay Varda
Jay Varda
Digital Forensics Specialist
Grayshift

Law Enforcement agencies perform logical acquisitions of unlocked iOS devices when they do not have access to GrayKey. The logical acquisition has been an industry-leading iOS acquisition method used by investigators and forensic examiners because of its simplicity and level of support. However, device security is one of the biggest roadblocks to completing logical acquisitions. For a logical acquisition to take place, device access needs to be granted using a passcode, and a trusted connection is required in most instances.  

Logical acquisitions are created by using the Apple File Connection protocol, which iTunes also uses to create a backup. This method is designed to manage an iOS device and, more specifically, transfer user data from one device to the next. This protocol allows an iOS device user to experience a seamless transition whenever upgrading their equipment without using cloud services. For those involved in computer forensic extractions, a logical extraction of a mobile device is very similar to a targeted active file type collection on a computer hard drive. Data found within logical collections is limited compared to a full file system extraction.  

Limitations Associated with Logical Extractions 

Logical extractions can be beneficial as they are generally supported directly following the release of an iOS update, and you won’t have to wait too long for collection support. Still, unfortunately, there are many limitations to them. The most significant limitation is the depth and quality of the data collection. Application developer limitations negatively impact these types of iTunes-style backup deliverables, and data from third-party applications are often limited– furthermore, never-before-seen forensic artifacts. PowerLog and protected location databases and supporting data like the Keychain file are rendered unrecoverable. Lastly, backup encryption passwords enforced by the end-user may create significant hurdles for digital forensic investigations by denying access to the data stored once the extraction is completed and ready for analysis. The full file system and accompanying keychain.plist file allows investigators to decrypt encrypted artifacts and end-to-end encryption communication applications.  

GrayKey Provides High Quality Extractions 

GrayKey is a purpose-built solution for mobile device forensics, specializing in access and extraction. Moreover, it is powered by Grayshift’s Advanced Vulnerability Research Team, which has pioneered the development of full file system acquisition methods from mobile devices. 

Digital evidence is growing in importance and proving increasingly critical. Investigators and examiners must be mindful of the collection methods used in any digital investigation. While the logical extraction is better than nothing, it fails compared to the depth and quality that GrayKey customers have come to expect.  

In a side-by-side comparison of found artifacts, a full file system extraction will have 94% more data than that found in a logical extraction. The full file system allows the extraction of application database files giving the examiner the ability to recover deleted artifacts and manually parse artifacts for unsupported applications. We encourage you to experience the GrayKey difference on all lawfully seized iOS devices and with the proper legal authority, regardless of their lock state. We know that you will be pleasantly surprised at the additional data and actionable intelligence collected via GrayKey

Suggested reading: 10 Reasons Why You Need GrayKey 

Always First.

Be the first to find out about GrayKey feature updates and new resources for investigators from Grayshift.

Subscribe to the newsletter now.