Not All Phone Extractions Are Created Equal: What Attorneys Need to Know
By Lucas Flores, Digital Forensics Expert Witness
An attorney calls about a case. The phone has already been extracted. The report is in hand. Texts, call logs, photos, contacts. Both sides have reviewed it, the timeline seems agreed upon, and the case is moving toward resolution.
Then the same device is examined at a deeper level. Suddenly there are messages that were sent and deleted hours after the events in question. There is application data from a messaging platform nobody mentioned. There is location history from a fitness tracker that contradicts a key claim. There is a draft text that was typed but never sent, sitting in an app's database file, that changes the meaning of everything around it.
The first examination was not wrong. It was just shallow. And in mobile forensics, the depth of the extraction determines the depth of what you can know.
This post is for attorneys, civil and criminal, who deal with phone evidence and want to understand what they are actually getting when an examiner produces a "phone extraction." The terminology is not standardized across the field, vendors use the labels differently, and the gap between what a basic extraction reveals and what a thorough one reveals can be the difference between losing and winning the case.
The Levels of Mobile Extraction
There are several recognized methods for getting data off a phone, each with different capabilities, different requirements, and different limitations. They are not interchangeable, and an examiner who only offers one of them is offering you only one slice of what the device knows.
Manual Extraction
The simplest form: the examiner picks up the phone, navigates through it like any user, and photographs or records what is on the screen. This sounds primitive, and it is, but it has a real role when no extraction tool supports the device, or when a quick screenshot of a specific item is all that matters. It captures only what is visible to a normal user: nothing deleted, nothing hidden, nothing beneath the surface. It has its place, but it should always be a last resort.
Logical Extraction
A logical extraction uses the phone's own built-in interfaces, the same ones it uses to make backups, to pull a copy of user-visible data. This is what most people picture when they think of a phone extraction: text messages, call logs, contacts, photos, calendar entries, and the contents of certain apps. It is fast, it is broadly supported, and it produces a report that looks comprehensive.
It is also, in many cases, the least revealing option. A logical extraction generally does not recover deleted data. It does not pull most app-specific databases in their raw form. It misses system files, hidden caches, and much of the record of how the device actually handled that data. When an attorney sees a clean logical report and concludes the phone has been thoroughly examined, they are often working from incomplete information.
Advanced Logical Extraction
A step further. Advanced logical extractions use additional supported protocols to pull more than the standard backup interface offers. They typically include more of the application data, some media databases, and certain artifacts that a standard logical extraction skips. Useful, but still bound by what the device chooses to expose through its supported interfaces.
File System Extraction
This is where the depth changes meaningfully. A file system extraction pulls a copy of the phone's file system as the operating system sees it, including many files that are not exposed through ordinary backup interfaces. The examiner now has access to app sandboxes, SQLite databases, property list (plist) files on iOS and shared preference files on Android, system logs, and structured data that user-facing apps rely on but never display directly.
This matters because most mobile apps store their data in SQLite databases, and SQLite frequently retains records even after a user "deletes" them. Deleting a row normally just marks its space on the page as free; the bytes stay where they are until the space is reused, and copies can also linger in the database's freelist pages and in its write-ahead log (WAL) or journal file. A file system extraction can reach that data. A logical extraction usually cannot.
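To make the point concrete, here is an added example (not from the original article, and not any vendor's parser) that builds a small messages table standing in for an app database, deletes one row, and then reads the raw file the way a file system extraction would present it. The page layout it walks (page header, freeblock chain, unallocated gap) is the documented SQLite file format; the table, the messages and the deleted text are constructed sample data.

```python
"""Carving a 'deleted' row out of a SQLite database file.

Added example, not part of the original article: a constructed messages table
stands in for a real messaging app's database. Standard library only.
"""
import os
import re
import sqlite3
import struct
import tempfile

# b-tree page type byte -> length of the page header (interior pages carry a
# 4-byte right-child pointer, so their header is 12 bytes instead of 8).
BTREE_HEADER_LEN = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}
DELETED_TEXT = "Delete this thread before anyone looks at it"  # constructed sample row


def build_sample_db(path):
    """Write four messages, then delete one that sits between two others."""
    con = sqlite3.connect(path)
    # Some SQLite builds (Debian's, for one) default secure_delete to ON, which
    # zeroes freed cells. Apps almost never set it, so turn it off to reproduce
    # the usual case: the deleted cell's bytes stay on the page.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages (sender, body, ts) VALUES (?, ?, ?)", [
        ("alice", "Running late, start without me", 1700000000),
        ("bob", DELETED_TEXT, 1700000300),
        ("alice", "Fine, see you at the office", 1700000600),
        ("bob", "Ok", 1700000900),
    ])
    con.commit()
    # SQLite only shrinks the content area when the freed cell is the lowest one
    # on the page; a cell in the middle becomes an in-page freeblock instead.
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()


def u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def slack_regions(db):
    """Yield (page_no, kind, bytes) for every byte range that can hold dead data."""
    page_size = 65536 if u16(db, 16) == 1 else u16(db, 16)  # header stores 65536 as 1
    for pgno in range(1, len(db) // page_size + 1):
        page = db[(pgno - 1) * page_size:pgno * page_size]
        hdr = 100 if pgno == 1 else 0  # page 1 begins with the 100-byte file header
        hdr_len = BTREE_HEADER_LEN.get(page[hdr])
        if hdr_len is None:
            # Freelist trunk, overflow or lock-byte page: no cell structure to
            # respect, so carve the whole page.
            yield pgno, "non-btree page", page[hdr:]
            continue
        ncells = u16(page, hdr + 3)
        content_start = u16(page, hdr + 5) or 65536
        # Gap between the cell pointer array and the cell content area. Cells
        # freed from the bottom of the content area end up here.
        gap_start = hdr + hdr_len + 2 * ncells
        if content_start > gap_start:
            yield pgno, "unallocated", page[gap_start:content_start]
        # Freeblock chain: each block is [next offset:2][size:2][old cell bytes].
        # The 4-byte header overwrites the start of the dead cell (its payload
        # length, rowid and the first record-header bytes), but the text survives.
        off, seen = u16(page, hdr + 1), set()
        while off and off not in seen and off + 4 <= page_size:
            seen.add(off)
            yield pgno, "freeblock", page[off + 4:off + u16(page, off + 2)]
            off = u16(page, off)


def carve_strings(db, min_len=8):
    """Printable ASCII runs in slack space. Real tools parse the record; this carves."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(pgno, kind, m.decode("ascii"))
            for pgno, kind, region in slack_regions(db)
            for m in pattern.findall(region)]


def demo():
    """Compare what SQL returns with what the raw file still contains."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path)
        con = sqlite3.connect(path)
        live = [body for (body,) in con.execute("SELECT body FROM messages ORDER BY id")]
        con.close()
        with open(path, "rb") as f:
            raw = f.read()
    return {"live": live, "carved": carve_strings(raw)}


if __name__ == "__main__":
    result = demo()
    print("What a query (or a logical parser) sees:", result["live"])
    for pgno, kind, text in result["carved"]:
        print(f"page {pgno} {kind}: {text!r}")
```

Run it and the query returns three messages while the carved output still contains the fourth, with the sender and body run together because the freeblock header destroyed the record header that separated the fields. That is also why a carved string is a lead rather than a finished finding: the examiner still has to reconstruct which column and which row it came from, and whether a copy survives in the WAL or journal file, which this example does not inspect.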
Full File System Extraction
The deepest extraction generally available on a working, modern phone. A full file system extraction is designed to capture essentially everything in the user data partition: every app's complete sandbox, system databases, configuration files, keychain or keystore data where supported, and substantial historical and deleted content that lives in app databases and cache files.
For iOS devices, this requires specific exploitation methods that work on certain models and versions and not others. For Android, the picture varies by manufacturer, chipset, and security patch level. The right extraction for a given phone is determined by the device itself, not by the examiner's preference, and an honest examiner will tell you when a deeper level is not available for the model in front of them.
When attorneys ask me which extraction shows what was actually happening on a phone, full file system is usually the answer. But the label alone is not enough, because of something almost no vendor report explains clearly.
Why AFU Versus BFU Changes Everything
Modern iOS and Android devices use file-based encryption, where individual files and groups of files are encrypted with keys tied to different data protection classes. Whether those keys are available depends on the state of the phone at the time of extraction.
A phone that has been powered on but has not yet been unlocked after boot is in a Before First Unlock (BFU) state. In this state, most of the keys needed to decrypt user data simply do not exist in usable form. A phone that has been unlocked at least once since boot, even if it is currently sitting on the lock screen, is in an After First Unlock (AFU) state. Many more keys are available in memory, which means much more of the user data can actually be read.
An examiner can perform what the tool labels a "Full File System Extraction" on a BFU device. The resulting image may be hundreds of gigabytes, but the bulk of that data is still encrypted because the keys needed to decrypt it were never available during the extraction. The label is technically accurate. The evidentiary value is dramatically reduced.
The same extraction performed on the same device in an AFU state can yield a fundamentally richer picture: app databases readable, messages recoverable, location history accessible, deleted records intact in SQLite free pages.
For litigators, this means the label "Full File System Extraction" is not by itself a guarantee of completeness. Two of the most important questions to ask are: was the device in AFU or BFU state at the time of extraction, and which data protection classes were and were not accessible? An examiner who cannot answer those questions clearly is not someone whose report you should rely on without further inquiry.
Physical Extraction
Traditionally, a physical extraction means a bit-for-bit copy of the device's storage media: every byte, allocated or not, encrypted or not, including deleted content and unallocated space. It was once the gold standard for mobile forensics.
For modern smartphones, that gold standard no longer holds in the way it did. Current iOS and Android devices use file-based encryption tied to keys that depend on the state of the phone, as described above. Even if an examiner physically removes the storage chip and reads it byte by byte, the resulting image contains files that are individually encrypted, and the keys needed to decrypt them are not stored on the chip itself. The image is complete in a literal sense and largely unreadable in a practical one.
For this reason, a true physical extraction is generally not a meaningful option on current smartphones, and any examiner who promises one for a modern locked phone is either using the term loosely or overstating what the resulting image will contain.
That said, physical extraction remains valid and routinely useful for other classes of devices. USB flash drives, SD cards, older feature phones, certain Internet of Things devices, dash cameras, GPS units, and traditional hard drives can all be imaged physically with results that include deleted content and unallocated space in usable, readable form. When evidence lives on one of these devices, physical extraction is often the most thorough method available.
Extraction Is Not Analysis
One more distinction is worth making, because it changes how attorneys read forensic reports.
Extraction is the act of getting data off the device. Analysis is the act of understanding what that data means. A vendor tool can produce an automated report from an extraction in minutes, and many do. But the report is only as good as the questions the examiner thought to ask of the data. Important evidence often sits in app databases that the automated parser does not recognize, in timestamps that require interpretation, or in patterns of activity that only emerge when an examiner manually reviews the underlying structures.
I have reviewed extractions where the critical evidence was present in the data but absent from the report because the automated tool did not parse the relevant app. The data was there. The understanding was not.
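The "timestamps that require interpretation" point deserves a concrete illustration, so here is an added example (not from the original article or from any vendor tool) that takes a raw integer from an app database column and shows every epoch convention under which it lands in a plausible year. The epoch offsets are the standard ones for Unix, Apple (2001) and Windows/WebKit (1601) time; the sample column names and values are constructed, not taken from a real case.

```python
"""Decoding a raw timestamp column under several candidate epochs.

Added example, not part of the original article. The raw values below are
constructed to look like columns pulled from app databases.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# label -> (epoch offset from 1970-01-01 in seconds, units per second)
EPOCHS = {
    "unix_seconds": (0, 1),
    "unix_milliseconds": (0, 1_000),                      # Android SMS/MMS, many JSON APIs
    "cocoa_seconds": (978_307_200, 1),                    # 2001-01-01; iOS plists, Core Data
    "cocoa_nanoseconds": (978_307_200, 1_000_000_000),    # 2001-01-01; newer iOS sms.db columns
    "webkit_microseconds": (-11_644_473_600, 1_000_000),  # 1601-01-01; Chrome/WebKit history
    "windows_filetime": (-11_644_473_600, 10_000_000),    # 1601-01-01; 100 ns ticks
}


def decode_timestamp(raw, earliest=2000, latest=2040):
    """Return every epoch under which `raw` lands in a plausible year range.

    A single raw integer is ambiguous; the examiner has to pick the reading
    that matches the app and the corroborating artifacts. Small values decode
    to within seconds of an epoch start under the large-scale conventions,
    which is itself a tell that the scale is wrong.
    """
    readings = {}
    for label, (offset, units) in EPOCHS.items():
        try:
            when = UNIX_EPOCH + timedelta(seconds=offset + raw / units)
        except OverflowError:  # absurd reading, e.g. nanoseconds taken as seconds
            continue
        if earliest <= when.year <= latest:
            readings[label] = when.isoformat(timespec="seconds")
    return readings


# Constructed sample values, each typical of one storage convention.
SAMPLE_COLUMNS = {
    "android sms.date": 1_700_000_000_000,
    "ios sms.db message.date (older builds)": 600_000_000,
    "ios sms.db message.date (newer builds)": 600_000_000_000_000_000,
    "chrome History visits.visit_time": 13_340_000_000_000_000,
}

if __name__ == "__main__":
    for column, raw in SAMPLE_COLUMNS.items():
        print(column, raw)
        for label, iso in decode_timestamp(raw).items():
            print(f"   {label:22} {iso}")
```

Note what the output shows for the two iOS values: the same instant, 2020-01-06 10:40 UTC, is stored as 600000000 in one schema version and as 600000000000000000 in another. A report that silently applies the wrong scale produces a date in 2001 or a conversion error, and a reviewer who never sees the raw column has no way to notice.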
What Attorneys Should Ask For
A few practical questions that improve how you handle phone evidence in your cases.
When you receive a forensic report from opposing counsel, ask:
What level of extraction was performed and on what date.
What tool and version produced it.
Whether the device was in AFU or BFU state at the time of extraction.
What apps were parsed and whether any apps on the device were not parsed by the tool.
Whether deleted content from app databases was searched for.
When you retain your own examiner, ask:
What extraction levels are available for the specific device.
What each level will and will not recover for the particular questions in your case.
Whether a re-examination of evidence already extracted by another examiner is appropriate.
Sometimes a fresh look at the underlying file system data reveals what a prior report missed.
And when an extraction report appears to fully resolve a factual question in a case, ask whether the level of extraction performed was actually capable of answering that question.
A logical extraction cannot prove that nothing was deleted. The absence of evidence in a shallow report is not evidence of absence in the device.
The Practical Takeaway
The phone may hold more information than the first extraction report shows. Whether that matters in a given case depends on the issues in dispute, but the question deserves to be asked deliberately rather than assumed. For litigators handling cases that turn on what someone said, did, or knew, understanding the depth of the available evidence is part of the diligence, not an afterthought.
Veritas performs mobile device forensics across all major platforms and extraction levels, including re-examination of evidence previously extracted by other examiners. We work statewide, in person and remotely, for civil litigators, criminal defense firms, and corporate counsel.
This article is for general informational purposes and does not constitute legal advice.