How to Image a Smartphone with Magnet ACQUIRE
Magnet ACQUIRE™ is designed to quickly and easily acquire an image of any iOS or Android device. Examiners are given the option of two extraction methods: Quick and Full.
Quick Extraction:
The Quick Extraction method will work on any iOS device, version 5 or newer. Magnet ACQUIRE will combine an iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data. A Quick image from Android devices will include an ADB backup, as well as an additional extraction to obtain browser history and/or native application data (depending on the version of Android). Magnet ACQUIRE supports Android version 2.1 or newer.
Full Extraction:
Magnet ACQUIRE can also help you obtain a full, physical image of many Android devices by using either the built-in privilege escalation exploits or by imaging a device that has already been rooted. Full Extraction is also supported for jailbroken iOS devices.
To use Magnet ACQUIRE, start by connecting the mobile device to your examination computer. Run the tool and you should be presented with a list of devices that are connected to your system.
In the above example, I have connected an LG G3 Android device to my system. If your device does not appear, you’ll need to ensure the correct drivers for the device are installed on your computer. Installing iTunes on your examination machine will provide you with the correct iOS drivers. For Android devices, Windows will attempt to install drivers automatically, but they are often incorrect and will not allow a USB data connection.
To automatically install the correct Android USB drivers in ACQUIRE, choose “The device I’m looking for isn’t showing up”. Next, select Android and then unplug the device and plug it back in. If your examination machine is Windows 7 or older, ACQUIRE will automatically install a generic Android driver that will work for your device. In Windows 8 or newer, it will download a custom driver for your device which is created and signed by Magnet Forensics. This step will require an Internet connection for examination machines running Windows 8 or newer. Once your driver is installed, you can continue with the acquisition process.
Once ACQUIRE detects the device, ensure that the device has USB debugging enabled and be sure to “trust” the connected computer when prompted on the device. The warning above will be displayed if the device is detected but not trusted. Once it is detected and trusted, you will be given some extraction options based on the connected device. With the LG G3 Android device that I’ve connected, I can choose a Quick or Full Extraction. Since the device is not rooted, a Full Extraction will attempt to gain privileged access to the device before obtaining a physical image.
A Quick Extraction will work for any device, even when physical access cannot be obtained (which is becoming a common challenge with modern devices). This will allow for the acquisition of valuable native and third-party application data on the device. A Quick Extraction will let the examiner know if a device has valuable data that warrants the additional time and effort of the more manual techniques. If additional data is required, a JTAG or chip-off extraction is often used as an alternative.
Here, I have chosen a Quick Extraction for the LG G3, which means Magnet ACQUIRE will perform an ADB backup of all the apps, as well as an additional acquisition of the device’s browsing history.
Once the imaging process is complete, you’ll be provided with a folder that contains a zip file of all the extracted content, an activity log of the steps taken during the acquisition, and a text file containing details of the acquired smartphone, hashes, and timestamps.
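Before the image is loaded into an analysis tool, the hash recorded in the details text file can be re-checked against the zip. The script below is an added example, not part of Magnet ACQUIRE: it assumes the examiner copies the recorded hex digest from the details file by hand (the file's layout is not described here), infers the algorithm from the digest length, and uses hypothetical function names.

```python
import hashlib
import os
import tempfile
import zipfile

# Hex digest length -> algorithm. Which algorithm the details file records is
# not stated on this page, so the recorded value's length decides (assumption).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_acquisition(zip_path, recorded_digest):
    """Compare the image hash with the recorded one and test the archive."""
    recorded = recorded_digest.strip().lower().replace(" ", "")
    algorithm = ALGO_BY_HEX_LEN.get(len(recorded))
    if algorithm is None:
        raise ValueError("unrecognised digest length: %d" % len(recorded))
    result = {"algorithm": algorithm, "zip_ok": False, "entries": 0}
    result["computed"] = hash_file(zip_path, algorithm)
    result["hash_match"] = result["computed"] == recorded
    try:
        with zipfile.ZipFile(zip_path) as archive:
            # testzip() re-reads every member and returns the first name
            # whose CRC fails, or None when all members are intact.
            result["zip_ok"] = archive.testzip() is None
            result["entries"] = len(archive.namelist())
    except zipfile.BadZipFile:
        pass  # truncated or non-zip file: zip_ok stays False
    return result


if __name__ == "__main__":
    # Constructed sample archive standing in for an acquired image.
    path = os.path.join(tempfile.mkdtemp(), "image.zip")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("sample/history.db", b"constructed sample data")
    recorded = hash_file(path, "sha256")  # stands in for the recorded value
    print(verify_acquisition(path, recorded))   # hash_match True
    print(verify_acquisition(path, "0" * 64))   # hash_match False
```

Run the check against a working copy of the image and keep the result with the case notes alongside the activity log.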
Once you have acquired your image, it can be analyzed by your tool of choice. Images can be easily loaded into Magnet IEF by opening IEF, going to “Mobile”, selecting your desired OS (we’re using Android for this example), and choosing “Images”. IEF will load the image and you can then proceed with your analysis, just like any other PC or mobile image.
Once the analysis is complete, you will be presented with your results in the familiar IEF report, with organized data that can be easily searched, bookmarked, and reported.
As always, if you have any questions or comments, please feel free to contact me: jamie[dot]mcquaid[at]magnetforensics[dot]com.
If you’re interested in learning more about how Magnet ACQUIRE works, take a look at some of our additional resources:
Learn More About Magnet ACQUIRE
- Magnet ACQUIRE Features and Specifications
- Blog: Announcing Magnet ACQUIRE – by Jad Saliba, Founder & CTO of Magnet Forensics
- Blog: Using Magnet ACQUIRE in your Investigations
Join the Magnet ACQUIRE Beta Program
- Magnet IEF Customer: Join the Beta Now
- Not a Magnet IEF Customer? Sign up for the community beta launching later this summer