Law Enforcement agencies perform logical acquisitions of unlocked iOS devices when they do not have access to GrayKey.  The logical acquisition has been an industry-leading iOS acquisition method used by investigators and forensic examiners because of its simplicity and level of support. However, one of the biggest roadblocks for successfully completing logical acquisitions is device security. For a logical acquisition to take place, device access needs to be granted using a passcode and a trusted connection is required in most instances. 

Logical acquisitions are created through use of the Apple File Connection protocol which is also used by iTunes. This method is designed to manage an iOS device and more specifically transfer user-data from one device to the next. This protocol allows an iOS device user to experience a seamless transition whenever upgrading their equipment, without the use of cloud services. For those of you involved in computer forensic extractions, a logical extraction of a mobile device is very similar to a targeted file collection on a computer hard drive. Data stored within logical collections is limited when compared to a full file system extraction. 

Many limitations associated with logical extractions.

Logical extractions can be beneficial as they are generally supported directly following the release of an iOS update and you won’t have to wait too long for collection support, but unfortunately there are many limitations to them. The largest and most important limitation is the depth and quality of the data collection. These types of iTunes-style backup deliverables are negatively impacted by application developer limitations and data from third-party applications are often limited. Furthermore, never-before-seen forensic artifacts like the KnowledgeC database and supporting data like the Keychain file are rendered unrecoverable. Lastly, backup encryption passwords enforced by the end-user may create significant hurdles for digital forensic investigations by denying access to the data stored once the extraction is completed and ready for analysis.  

In comparison, GrayKey is a purpose-built solution for mobile device forensics, specializing in access and extraction.  Moreover, it is powered by Grayshift’s Advanced Vulnerability Research Team, which has pioneered the development of full filesystem acquisition methods from mobile devices.  

Logical acquisitions fail in comparison to the depth and quality provided by GrayKey extractions.

Digital evidence is growing in importance and proving increasingly critical. To that end, investigators and examiners must be mindful of the collection methods used in any digital investigation. While the logical acquisition is better than nothing, it fails in comparison to the depth and quality that GrayKey customers have come to expect. We encourage you to experience the GrayKey difference on all lawfully seized iOS devices and with the proper legal authority, regardless of their lock state. We know that you will be pleasantly surprised at the additional data and actionable intelligence collected via GrayKey. 

Author:
David Smalley,
Digital Forensics Manager