Data Extraction from a Physical Dump

Article Posted: September 29, 2010

There is no one “press-the-button” solution (yet) to get all your search terms from a physical cell phone dump. There is, however, a certain approach that can help you solve some of these challenges. The following is subject to change as new developments occur.

Logical versus Physical
There are, in general, two methods to process a cell phone:

First is the logical method, which acquires files and directories from the cell phone’s flash memory file system. Logical extraction products can be divided into two categories:

  • Complete units providing you with all necessary hardware and software, like UFED, XRY, Celldek, etc.
  • Software-based logical extraction tools, like BitPim, Oxygen, DataPilot, etc.

Some of these products extract the data—such as the contacts, phonebook, etc.—and present it in a pre-formatted form. Some products are capable of extracting the phone’s file system (like the EFS, Embedded File System).

The second method, which this article will focus on, is physical extraction, which gets a bit-by-bit copy of the entire physical flash memory using low-level access. This way, not only is the phone’s file system extracted, but also its firmware and, most importantly, all unallocated data. If you want to recover all handset data, go for the physical extraction. Bear in mind that a phone can contain more than one flash memory chip.

Get Started
Physical extractions are only used for important cases, and we prefer to keep it that way because it is rather costly and time-consuming. There are several methods we can use to recover physical data from a cell phone:

  • Chip off
  • JTAG test access port
  • Flasher boxes
  • Physical analyzer capabilities from devices such as XRY, UFED, etc.

Whichever of the above is used, the process starts with a manual or schematic of the phone and a reference phone of the same brand and model. The manual or schematic is used to get details about the functions and connections as well as the technical details of the phone. If the physical dump results in a 6 Mb file and the manual refers to 16 Mb flash memory, you know that something is wrong.
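As an added illustration of that size check (example code, not from the article), the routine below compares a raw dump against the flash capacity taken from the manual, counts erased pages, and records the image hash so the result can be noted before any decoding starts. The 512-byte page size, the all-0xFF erased pattern and the sample bytes are assumptions constructed for the example.

```python
import hashlib

ERASED_BYTE = 0xFF  # assumption: erased NAND/NOR flash reads back as all ones


def check_physical_dump(dump: bytes, expected_size: int, page_size: int = 512) -> dict:
    """Compare a raw flash image against the capacity documented for the phone.

    expected_size is the flash capacity taken from the manual or schematic;
    page_size is the flash page size assumed for the blank-page count.
    Returns the checks an examiner records before decoding the dump.
    """
    size = len(dump)
    if size == 0:
        verdict = "empty dump: acquisition produced no data"
    elif size < expected_size:
        verdict = "truncated: dump is smaller than the documented flash size"
    elif size > expected_size:
        verdict = "oversized: check for a second flash chip or spare/OOB bytes"
    else:
        verdict = "complete: dump size matches the documented flash size"

    # Count pages that are entirely erased; unallocated or never-written
    # regions show up this way and are expected in a genuine full dump.
    blank_pages = 0
    total_pages = 0
    for offset in range(0, size, page_size):
        page = dump[offset:offset + page_size]
        total_pages += 1
        if page.count(ERASED_BYTE) == len(page):
            blank_pages += 1

    return {
        "size": size,
        "expected_size": expected_size,
        "size_ok": size == expected_size,
        "verdict": verdict,
        "pages": total_pages,
        "blank_pages": blank_pages,
        "sha256": hashlib.sha256(dump).hexdigest(),  # record for the case file
    }


if __name__ == "__main__":
    # Constructed sample: 16 pages of 512 bytes, the last five erased.
    sample = b"\x10\x32\x54\x76" * 128 * 11 + b"\xff" * 512 * 5
    print(check_physical_dump(sample, expected_size=16 * 512))
    print(check_physical_dump(sample, expected_size=32 * 512)["verdict"])
```

Run it against the reference phone's dump first; once the reported size and hash behave as expected there, the same check is applied to the exhibit dump.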

The reference phone is the key to the extraction process. All pre-processing is done on the reference phone. If you know how to decode the reference phone’s physical dump, then you’re ready to process the exhibit phone. A mistake made on an exhibit phone can’t be reversed; however, a mistake on a reference phone gives you the opportunity to simply start over again. Note: you should process cell phones in a Faraday box if you have one.
