Comparison Between Full File System and Advanced Logical Acquisition:

Background: At DA Forensics, we are dedicated to utilizing the most effective and reliable tools. Our acquisition and thorough testing of VeraKey from Magnet Forensics are testaments to our commitment to delivering top-notch forensic services.

Test Device: We chose an iPhone Xr with 128 GB storage and iOS 15.6.1 for our evaluation. Its prior use in everyday scenarios provided a real-life context for our testing, aligning with our focus on practical and pertinent forensic examination.

VeraKey Acquisition:

Data Identified: The phone initially displayed about 50.14 GB of used space.

Acquisition Details: VeraKey effectively identified an 80.28 GB partition, extracting an impressive 93.3 GB of data. This includes the keychain, a password list, and a detailed acquisition report.

Key Insights: VeraKey’s ability to capture significantly more data than what is visibly used (93.3 GB vs. 50.14 GB) demonstrates its effectiveness in thorough data retrieval.

Cellebrite UFED Advanced Logical Acquisition:

Outcome: Cellebrite UFED extracted only 24.23 GB of data from the same device.

Comparison: VeraKey’s full file system acquisition extracted substantially more data, showcasing its superior capability in acquiring extensive data.

Detailed Analysis and Findings:

Full File System Acquisition (FFS): 

  • Acquires significantly more data overall – 793,263 data points compared to 69,196 for Advanced Logical.
  • Captures crucial data types like Device Connectivity, Emails, Instant Messages, Notes, Recordings, Searched Items, and Web History.
  • Retrieves more entries in shared data types, e.g., 67,370 Web History entries vs. 204 by Advanced Logical.
  • Ensures comprehensive data collection, reducing the risk of missing relevant evidence.

Advanced Logical Acquisition:

  • Focuses on readily available user data and is less comprehensive than FFS.

Illustrative Data Comparison:

To better understand the differences in data acquisition methods, please see the accompanying illustrations below. Included are a comprehensive chart and Cellebrite snapshots for both the full file system and advanced logical acquisitions. We utilized Cellebrite’s Physical Analyzer to analyze and compare the data from both methods. The results, including the number of data points, are displayed in Figure 1. These visual aids effectively demonstrate the distinct differences in the amount and type of data retrieved by each method, offering both quantitative and qualitative insights.

Disclaimer: In the above comparison, we utilized Cellebrite’s UFED and Magnet Forensics’ VeraKey for data acquisitions, and Cellebrite Physical Analyzer for examining the images. It is important to note, however, that the primary focus and significance of our work lie in the types of acquisitions performed, rather than the specific tools employed.

