In this episode of the I Beg to DFIR digital forensics webinar series, Paul Lorentz, Product Specialist, and Ian Whiffin, Decoding Product Manager for Physical Analyzer (PA), put a spotlight on the different types of digital forensics data extractions and the results you can expect from each.

First things first, we start with device states—there are two:

  1. AFU: A device that has been unlocked at least once.
  2. BFU: A cold device before the first unlock.

BFU devices have typically been restarted or turned off and require a passcode. Their data is still encrypted and secured, and advanced access would be required to obtain a passcode for access.

AFU devices have been kept on and have been unlocked at least once. The passcode could potentially be bypassed, and you can proceed to gain access to the data under the hood.

Beyond understanding these two device states, it is just as important to understand the different types of encryption:

Full Disk Encryption:

  • Available on a dying breed of devices.
  • Since Android 6.0.
  • Gives you one decryption key for the entire platform.
  • Physical Extraction is possible.

File-Based Encryption:

  • The standard today.
  • No secure startup.
  • Each file has its own encryption key, unlike Full Disk Encryption.

Moving on to the types of extractions:

Full File System (FFS) Extraction:

  • The most comprehensive type of extraction you can get on these devices.
  • Required to gain access to deeper information like health, Keychain data (on iOS), and location/breadcrumb data that shows where the device has been.

AFU Extraction:

  • On Android: You get the same data as a full file system extraction.
  • On iOS: Different levels of access, depending on the device state, can limit the information you can extract (for example, Keychain, location data, and email accounts that may require passcode access).

BFU Extraction:

  • Extraction of basic information—not as detailed as FFS.
  • Possibility of gaining cell tower connection information.

Advanced Logical Extraction:

  • Extraction of basic information: Calls, native messages, notes, media.
  • Deeper level data like health, location, and Keychain are not available.
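The device states, encryption types, and extraction levels above all hinge on one mechanism: which keys are reachable when the extraction runs. The following added example (not code from the webinar, Cellebrite, or Physical Analyzer) models that key hierarchy for file-based encryption. It assumes the Android split into device-encrypted (DE) storage, whose class key is derivable from a hardware-bound secret alone, and credential-encrypted (CE) storage, whose class key also needs the passcode and is only cached in memory after the first unlock. The cipher is a SHA-256 keystream stand-in (illustrative only, not a real cipher), and the file contents are constructed sample data; the names FbeDevice, EncryptedFile, and demo are this example's own.

```python
"""Toy model: how device state (BFU/AFU) bounds what a file-based-encryption
extraction can recover. Only the key hierarchy is the point; the cipher is a
SHA-256 keystream stand-in and must not be mistaken for real cryptography."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (illustrative only, not a secure cipher)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive(label: bytes, *secrets: bytes) -> bytes:
    """Derive a 32-byte subkey bound to all given secrets (HMAC used as a KDF)."""
    return hmac.new(b"\x00".join(secrets), label, hashlib.sha256).digest()


@dataclass
class EncryptedFile:
    storage_class: str   # "DE": usable after boot; "CE": needs the user's credential
    nonce: bytes
    wrapped_key: bytes   # per-file key, itself encrypted under the class master key
    ciphertext: bytes


class FbeDevice:
    """File-based encryption: each file has its own key, wrapped under a class key.
    The DE class key comes from the hardware secret alone; the CE class key also
    needs the passcode and exists in RAM only after the first unlock (AFU)."""

    def __init__(self, passcode: str):
        self._hw_secret = os.urandom(32)   # never leaves the SoC on real hardware
        self._passcode = passcode.encode()
        self._ce_key_in_ram = None         # None -> BFU (cold, never unlocked)
        self.files = {}

    @property
    def state(self) -> str:
        return "BFU" if self._ce_key_in_ram is None else "AFU"

    def unlock(self, passcode: str) -> bool:
        if not hmac.compare_digest(passcode.encode(), self._passcode):
            return False
        self._ce_key_in_ram = _derive(b"CE", self._hw_secret, self._passcode)
        return True

    def reboot(self) -> None:
        self._ce_key_in_ram = None         # the cached credential key is lost

    def _class_key(self, storage_class: str):
        if storage_class == "DE":
            return _derive(b"DE", self._hw_secret)
        return self._ce_key_in_ram         # None while BFU

    def write(self, path: str, storage_class: str, plaintext: bytes) -> None:
        class_key = self._class_key(storage_class)
        if class_key is None:
            raise PermissionError(f"{storage_class} storage is locked in {self.state}")
        file_key, nonce = os.urandom(32), os.urandom(16)
        self.files[path] = EncryptedFile(
            storage_class, nonce,
            _xor_keystream(class_key, nonce, file_key),
            _xor_keystream(file_key, nonce, plaintext),
        )

    def extract(self) -> dict:
        """Model an extraction in the current state: decrypt what the reachable
        class keys allow; files whose class key is unavailable come back as None."""
        result = {}
        for path, f in self.files.items():
            class_key = self._class_key(f.storage_class)
            if class_key is None:
                result[path] = None
                continue
            file_key = _xor_keystream(class_key, f.nonce, f.wrapped_key)
            result[path] = _xor_keystream(file_key, f.nonce, f.ciphertext)
        return result


def demo():
    """Provision a device with constructed sample files, then extract it BFU and AFU."""
    dev = FbeDevice("1234")
    dev.unlock("1234")
    dev.write("cell_tower_cache.db", "DE", b"LTE cell 310-260-1234")   # basic, BFU-visible
    dev.write("messages.db", "CE", b"hi, on my way")                   # needs credential
    dev.write("location_history.db", "CE", b"lat 51.50, lon -0.12")   # needs credential
    dev.reboot()                        # cold device: BFU
    bfu = dev.extract()
    dev.unlock("1234")                  # first unlock: AFU
    afu = dev.extract()
    return bfu, afu


if __name__ == "__main__":
    for label, res in zip(("BFU", "AFU"), demo()):
        print(label, {p: (v.decode() if v else "<encrypted>") for p, v in res.items()})
```

Run as written, the BFU pass returns only the DE-class cell tower cache (the "basic information" a BFU extraction yields), while the AFU pass returns everything, matching the observation that an Android AFU extraction gives the same data as a full file system extraction. Under the older full disk encryption model there is a single key for the whole partition, so the same split does not exist: nothing on the user data partition decrypts until that one key is available.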

Secured Container:

  • Requires a separate passcode.
  • Examples include Samsung Secure Folder, Huawei Private Space, Xiaomi Second Space, and more.
  • A potential treasure trove of data.

On extractions for external SD cards:

The best practice would be to:

  1. Do the extraction of the device with the SD card inside it.

  2. Then decide based on the extraction—are you dealing with an encrypted card, a storage expansion, a media card, or just a normal SD card?

  3. Proceed to do an extraction on the SD card separately.

Tip: Smart Flow is your best solution.

On which extraction method is the best:

Understand the conditions of the case and what you are after—consider these questions: 

  • Is it limited by judicial authorization?
  • Is it limited to extractions?
  • Is there a time constraint?
  • Have you considered the SOPs of your agency?

Watch the full episode to get all the information you need to supercharge your extractions.

Check out our ‘Dig For’ series on YouTube hosted by Heather Mahalik, Jared Barnhart, and Paul Lorentz. The show brings fresh insights and discussions on the ever-evolving world of digital investigations—happening every third Tuesday of every month.
