Smartphones have changed the way we work.

The mobile market is now driven by two types of devices: iOS and Android.
Magnet ACQUIRE helps you collect the most evidence in the fastest way possible despite the new constraints that Apple and Google devices present.

LIMITED OPTIONS TO ACQUIRE PHYSICAL IMAGES OF SMARTPHONES

Physical images are becoming increasingly difficult to acquire, across all of your mobile forensic tools. Expect to get fewer and fewer physical images of smartphones.

CONSISTENTLY ACQUIRE LOGICAL IMAGES WITH IOS AND ANDROID BACKUP METHODS

Documented backup processes and commands for iOS and Android provide multiple methods to acquire logical images that will continue to work consistently across a broad array of devices and OS versions. However, each of these backup methods is limited in the scope of content/data that it extracts.

COMBINING BACKUP METHODS ENHANCES SCOPE OF DATA EXTRACTION

While logical extractions using backup methods will never be as comprehensive as a physical image, using a combination of multiple backup methods will allow you to extract the majority of the highest-value data from a smartphone.

USE MAGNET ACQUIRE WITH MAGNET IEF OR YOUR OTHER FORENSIC TOOLS

Smartphone images extracted with Magnet ACQUIRE can be analyzed with Magnet IEF or your other forensic tools.

Interested in learning more about investigating smartphones with Magnet ACQUIRE?

Check out our recorded webinar and Q&A blog!

CHOOSE THE EXTRACTION PROCESS THAT BEST FITS THE SITUATION

Magnet ACQUIRE offers a choice of two extraction processes for smartphones:

Option 1: Quick Extraction

Magnet ACQUIRE's Quick Extraction reliably and quickly obtains an image from all iOS and Android devices.

Option 2: Full Extraction

Gather more evidence through a physical image of rooted Android devices or file system logical images of jailbroken iOS devices.

Quick Extraction

Quick Extraction uses documented OS backup processes to quickly and reliably acquire logical images of any iOS or Android smartphone.

Quick Extraction uses a combination of two acquisition methods in a single extraction process, to produce one logical image with more content/data than can be obtained by either method on its own. While the combination of backup methods used in Quick Extraction does not match the comprehensiveness of a physical image, it does consistently extract the majority of the highest value content/data from a smartphone.

This approach streamlines your smartphone examination workflow by:

  • Eliminating the need to do multiple extractions using different acquisition methods
  • Reducing time spent analyzing evidence as you don’t need to compare the evidence reported for multiple images
  • Making it easier to share a single evidence report with stakeholders

ANDROID V2.1 TO 3.2.6

IMAGE: LOGICAL

ACQUISITION METHODS:

  • Android Debug Bridge (ADB) Pull Command
  • Agent Application

EVIDENCE:

  • Contents of any external storage device (i.e. SD card)
  • Call Logs, SMS/MMS, Browser History and user dictionary

ANDROID 4+

IMAGE: LOGICAL

ACQUISITION METHODS:

  • ADB Backup
  • Agent Application

EVIDENCE:

  • 3rd party application user data
  • Some native device data including: SMS/MMS, calendar, call logs, BT devices, WiFi hot spots, user accounts, user dictionary
  • Contents of any external storage (i.e. SD Card)
  • Browser History

iOS V5 TO 10+

IMAGE: LOGICAL

ACQUISITION METHODS:

  • iTunes Backup Process
  • Apple File Conduit (Below 8.3)
  • File Relay (Below 8)

EVIDENCE:

  • 3rd party application user data
  • Some native device data including: SMS/MMS & iMessage, calendar and call logs
  • Camera pictures, ringtones, and iTunes books
  • Some native device data including: complete Photo album, SMS/MMS & iMessage, address book, typing cache, geolocation cache, application screenshots, WiFi hot spots, voicemail and native email metadata

Full Extraction

Magnet ACQUIRE’s Full Extraction process enables you to collect more evidence from a smartphone.

ANDROID SMARTPHONES AND TABLETS

  • Acquire a physical image of locked or unlocked Android smartphones through the use of publicly known rooting methods
  • The automated Android rooting process progresses through well-known roots, in order to give you the best chance of gaining the privileged access needed to gather the most data.

iOS SMARTPHONES AND TABLETS

  • Acquire a logical file system of jailbroken iOS devices.

ANDROID V2.1 - 4

IMAGE: PHYSICAL

ACQUISITION METHODS:

  • Linux DD Command

EVIDENCE:

Magnet ACQUIRE will root select Android devices running Android v 2.1 to 5.0. Recover a full physical image of the device’s flash memory. Evidence collected will include all files, folders, user data, native data and unallocated space.

iOS V5 TO 10+

IMAGE: LOGICAL

ACQUISITION METHODS:

  • Apple File Conduit 2

EVIDENCE:

For jailbroken iOS devices Magnet ACQUIRE will recover a full logical file system dump which includes all of the files, folders, user data and native data.

Documented Acquisition Methods and Activity Logging

We understand the transparency and documentation of acquisition methods that you require in order to attest to digital evidence in court.

  • Magnet ACQUIRE uses published techniques to acquire smartphone and hard drive images.
  • The activity logging function allows you to review exactly what methods were used to extract data from each device that is imaged.
  • You’ll be able to review detailed logs of rooting attempts when conducting full extractions on smartphones.
  • You’ll receive critical device information for any extraction.

Quick Extraction

Quick Extractions use the OS vendor’s documented backup processes and other publicly documented methods to extract data and build a logical image.

Full Extraction

Full logging of the extraction process including documenting which roots were attempted and which root was successful.

Ready to start using this free acquisition tool in your next investigation?

MAGNET IEF CUSTOMERS

Download your free copy of Magnet ACQUIRE – Community Edition 2.0

NOT A MAGNET IEF CUSTOMER?

Request your free copy of Magnet ACQUIRE – Community Edition 2.0