Litigation Forensics

Mobile Device Forensics: iOS vs Android Extraction Techniques

Cole Popkin
January 28, 2026
Understanding the critical differences between iOS and Android forensic extraction methods, tools, and challenges in 2026.

Mobile devices have become central to modern litigation, containing text messages, emails, location data, photos, and app communications critical to case outcomes. However, iOS and Android devices require fundamentally different forensic approaches.

iOS Forensic Extraction

Apple's iOS ecosystem is characterized by strong encryption and a closed architecture, presenting unique challenges for forensic examiners.

iOS Extraction Methods

iTunes Backup Acquisition: The most accessible method, extracting data from device backups stored on computers. Provides logical access to:
- Messages and iMessage conversations
- Photos and videos
- Safari browsing history
- App data (depends on app backup settings)
- Call logs and contacts

iCloud Extraction: Using user credentials or legal authorization to access cloud-stored data:
- iCloud backups
- iCloud Photos
- iCloud Drive documents
- Messages in iCloud
- Find My location data
- Line app backups (via iCloud Drive)

Full File System (FFS) Extraction: Requires jailbreaking or exploit-based access. Provides complete access to:
- Entire file system structure
- System files and databases
- Keychain (with decryption)
- All app data including sandboxed content
- Deleted file remnants

Key iOS Artifacts

Forensic examiners focus on specific databases containing evidence:

Consolidated.db: Wi-Fi and cellular location history (older iOS versions)

CellularUsage.db: Phone numbers called, SIM IDs, and usage patterns

Messages Database: Complete text message and iMessage history with attachments

Photos.sqlite: Photo library metadata, albums, faces, and location data

Safari Databases: Browsing history, bookmarks, cache, and cookies

Keychain: Encrypted passwords, credentials, and certificates (requires specialized extraction)
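To make the iTunes backup method concrete, the following added example (not code from the original article) resolves artifacts such as the Messages database and Photos.sqlite to their files inside an unencrypted backup by querying its Manifest.db. It assumes the iOS 10+ backup layout; the domain and path pairs in `TARGETS` and the helper names are assumptions to confirm against the iOS version under examination.

```python
import hashlib
import sqlite3
from pathlib import Path

# (domain, relativePath) pairs as commonly documented for iOS backups; treat
# them as assumptions and confirm against the iOS version being examined.
TARGETS = {
    "messages": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "photos": ("CameraRollDomain", "Media/PhotoData/Photos.sqlite"),
}

def file_id(domain, relative_path):
    """Name of a file inside the backup: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def locate_artifacts(backup_dir, targets=TARGETS):
    """Resolve artifact names to on-disk paths via the backup's Manifest.db."""
    backup_dir = Path(backup_dir).resolve()
    uri = (backup_dir / "Manifest.db").as_uri() + "?mode=ro"  # read-only open
    con = sqlite3.connect(uri, uri=True)
    found = {}
    try:
        for name, (domain, rel) in targets.items():
            row = con.execute("SELECT fileID FROM Files WHERE domain = ? "
                              "AND relativePath = ?", (domain, rel)).fetchone()
            if row is None:
                continue  # artifact was not included in this backup
            stored = backup_dir / row[0][:2] / row[0]
            found[name] = {"path": stored, "on_disk": stored.is_file(),
                           "id_consistent": row[0] == file_id(domain, rel)}
    except sqlite3.DatabaseError as exc:
        # Encrypted backups also encrypt Manifest.db, so SQLite cannot read it.
        raise RuntimeError("Manifest.db unreadable (encrypted backup?)") from exc
    finally:
        con.close()
    return found

def build_sample_backup(root):
    """Constructed miniature backup (not real evidence); only columns used here."""
    fid = file_id(*TARGETS["messages"])
    stored = Path(root) / fid[:2] / fid
    stored.parent.mkdir(parents=True)
    stored.write_bytes(b"constructed placeholder")
    con = sqlite3.connect(Path(root) / "Manifest.db")
    con.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT)")
    con.execute("INSERT INTO Files VALUES (?, ?, ?)", (fid, *TARGETS["messages"]))
    con.commit()
    con.close()
```

An artifact missing from the result was not part of the backup, while `on_disk` being false means the manifest lists a file that the backup directory no longer contains.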

iOS Extraction Challenges

1. Strong Encryption: iOS uses hardware-based encryption tied to device passcode
2. Frequent Updates: Apple regularly patches extraction exploits
3. Activation Lock: iCloud-locked devices require Apple's cooperation or legal process
4. Jailbreak Detection: Many extraction methods require jailbreaking, which apps can detect

Android Forensic Extraction

Android's more open architecture provides broader extraction options, though fragmentation across manufacturers creates variability.

Android Extraction Methods

Android Backup (ADB): Using Android Debug Bridge to create logical backups:
- App data (if backup-enabled)
- Contacts and messages
- System settings
- Some app databases

Android Agent: Logical extraction through agent installation:
- Messages and call logs
- Contacts and calendar
- App data and databases
- Photos and media files

Full File System Extraction: Requires root access or exploit-based methods:
- Complete /data/data/ directories
- SQLite databases for all apps
- System logs and configuration files
- SD card external storage
- Recovery of deleted files

Physical Extraction: Low-level data acquisition:
- Chipset-specific methods (Qualcomm, MediaTek, Samsung Exynos)
- Emergency Download Mode (EDL) for Qualcomm devices
- JTAG and chip-off for physically damaged devices

Android Artifacts

SQLite Databases: Android extensively uses SQLite for data storage:
- contacts2.db: Contact information
- mmssms.db: Text messages and MMS
- telephony.db: Call logs
- webview.db: Browser data

App Data Directories: Located in /data/data/[package name]/, containing app-specific databases and files.

External Storage: SD cards and USB OTG devices may contain additional evidence.

Google Account Sync: Gmail, Google Photos, Google Drive, Google Maps location history accessible via cloud extraction.
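As an added example (not code from the original article), the sketch below parses the `sms` table of an extracted mmssms.db without altering the evidence file: it hashes the file with SHA-256, opens it read-only and immutable, then re-hashes it to confirm nothing changed. The function names and the sample rows are constructed for illustration; the column names follow the standard Android `sms` table.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

SMS_TYPES = {1: "received", 2: "sent"}  # common values of the sms.type column

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def read_sms(db_path):
    """Parse the sms table of an extracted mmssms.db without modifying it."""
    db_path = Path(db_path).resolve()
    before = sha256_file(db_path)
    # mode=ro + immutable=1: SQLite takes no locks and writes no sidecar files.
    # It also ignores any mmssms.db-wal, so examine that file separately.
    con = sqlite3.connect(db_path.as_uri() + "?mode=ro&immutable=1", uri=True)
    try:
        rows = con.execute("SELECT _id, address, date, type, body "
                           "FROM sms ORDER BY date, _id").fetchall()
    finally:
        con.close()
    if sha256_file(db_path) != before:
        raise RuntimeError("evidence file changed during examination")
    messages = [{"id": rid, "address": addr,
                 # sms.date is milliseconds since the Unix epoch
                 "utc": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
                 "direction": SMS_TYPES.get(kind, f"type {kind}"),
                 "body": body} for rid, addr, ms, kind, body in rows]
    return messages, before

def build_sample(path):
    """Constructed stand-in for an extracted mmssms.db (not real evidence)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", [
        (1, "+15550100", 1700000000000, 1, "Running late"),
        (2, "+15550100", 1700000060000, 2, "OK, see you at 6")])
    con.commit()
    con.close()
```

The digest returned by `read_sms` is the value to record in the examination notes alongside the parsed messages.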

Android Extraction Advantages

1. Multiple Extraction Paths: Root, ADB, agent, physical methods
2. Open File System: Easier access to app data and databases
3. SD Card Support: Additional storage often contains evidence
4. Variety of Tools: More extraction options across price points

Android Challenges

1. Device Fragmentation: Thousands of device models with different configurations
2. Manufacturer Security: Samsung Knox, Huawei, Xiaomi security features
3. Encryption: Full disk encryption increasingly common
4. Root Detection: Banking and security apps detect rooting

Tool Comparison

Cellebrite UFED: Industry leader supporting both iOS and Android, extensive device compatibility, bypass capabilities

Oxygen Forensic Detective: Comprehensive platform with 2026 features:
- Android OS 15 support
- Unisoc chipset extraction
- CVE-2024-31317 exploit for selective FFS
- 95+ cloud service extraction
- iCloud Drive and Line backup extraction

Magnet AXIOM: Strong app parsing, cloud integration, excellent reporting

XRY by MSAB: Law enforcement standard, device unlock capabilities, extensive artifact support

Best Practices

1. Document Device State: Photograph the device before and after acquisition
2. Airplane Mode: Enable immediately to prevent remote wipe
3. Multiple Methods: Attempt least invasive method first (backup), escalate if needed
4. Hash Verification: SHA-256 hash all extracted data immediately
5. Chain of Custody: Document every access and extraction attempt
6.

2026 Considerations

- Increased Encryption: Both iOS and Android default to strong encryption
- Cloud Integration: More data stored in cloud than on device
- App Diversity: Thousands of messaging and communication apps
- AI Processing: On-device AI processing may store sensitive data
- Privacy Regulations: GDPR, CCPA affect data access and retention

Mobile forensics requires deep technical expertise and current knowledge of extraction techniques. Our team stays current with evolving technologies and maintains certifications in leading forensic platforms.

Article Contributors

Senior Digital Forensics Analyst

Cole Popkin is a court-qualified digital forensics expert specializing in the analysis of mobile phones, computers, cell towers, video and audio files, emails, OSINT, and metadata. A former analyst for the U.S. Department of Homeland Security and Michigan State Police, Cole provides expert witness testimony in both criminal and civil proceedings.

Reviewed By
Laura Pompeu
Content Editor

Laura Pompeu is a marketing professional with 10+ years of experience in digital marketing and content strategy. She oversees content quality and editorial direction for the Litigation Forensics blog.

Approved By
Bogdan Glushko
Founder & CEO

Founder & CEO of Litigation Forensics. Expert in digital forensics strategy and litigation support.
