Example cover sheet for a mobile forensic extraction

Suggested wording for a cover sheet that might accompany a mobile device extraction report

Important information about the attached “logical extraction” report

The attached report relates to a “logical extraction” of a mobile device. A logical extraction requires the device to be powered on; data is extracted from the device by means of a series of queries (by the extraction software) and responses (from the device).

Consequences of this extraction method include:

  • The data included within the report is a subset of the data contained within the device
  • Deleted data may exist in the device but in some cases will not have been extracted
  • Some of the data presented has been decoded, converted or interpreted by the extraction software
  • The contents of a powered mobile device are changing continuously and therefore the state of the device is not exactly identical to its state when it was taken into custody

Important information about the attached “physical extraction” report

The attached report relates to a “physical extraction” of a mobile device. A physical extraction typically involves using software on a PC to take as full and accurate a copy of the contents of the device’s memory as possible. This data is then decoded and interpreted by a forensic software tool (this may be the same software used to extract the data from the device or a separate software product).

In the majority of physical extractions, data will have been copied from the device whilst it was powered off; however, this is not always the case.

Consequences of this extraction method include:

  • Although all of the available data may have been copied from the device, the data included within the report is only that which it has been possible to decode and interpret
  • Deleted data should have been extracted from the device; however, its presence within the report is dependent upon the ability of the software tools used to identify and decode it
  • Some of the data presented has been decoded, converted or interpreted by the extraction software
  • The contents of a powered mobile device are changing continuously and therefore, if the device in question was powered on in order to extract data, the state of the device is not exactly identical to its state when it was taken into custody