Acquisition methods
Logical → file system → physical → JTAG → chip-off — ordered by invasiveness
Gold standard for most investigations. Retrieves all app databases. The iOS checkm8 exploit (A5–A11 chips) enables full file system (FS) acquisition on many older devices without the passcode.
Data access
- ✓ Full /data partition (Android root required)
- ✓ All app sandboxes and databases
- ✓ System logs and configuration
- ✓ Deleted files in unallocated space (limited)
- ✓ iOS: AFC2 jailbreak or agent-based
Limitations
- ! Android: requires root or exploitable vulnerability
- ! iOS: requires jailbreak or forensic agent (checkm8 devices)
- ! Encryption may block access on locked devices
- ! Not all devices exploitable
Tools
Cellebrite UFED · GrayKey · Magnet AXIOM · Oxygen Forensic Detective · checkra1n + AFC2