The Logical Examination

Those who are tasked with locating, documenting, and extracting potential evidence or artifacts on mobile devices must understand the limitations and various communication types involved in the logical examination. The downside to logical examinations is that they can be limited in what can be extracted and, in most cases, do not contain deleted data. The positive aspect of logical extractions is that the specific items pulled generally need little to no interpretation. Logical examinations may require a specific internal setting to be enabled on the device, which allows the program to “see” and communicate with the device. Many vendors utilize an “agent” or “client,” which may be installed on the target phone to execute a specific supported extraction. Attention Terminal (AT), proprietary bus transfers such as FBus and MBus, SyncML (Synchronization Markup Language), OBEX (Object Exchange), IRMC (Infrared Mobile Communications), and MTP (Media Transfer Protocol) are just some of the various protocols used to pull logical data.