TERADRIVEFORENSICS

Physical vs logical mobile acquisitions: what Canadian counsel needs to know

A plain-language comparison of physical and logical mobile phone acquisitions — what each method captures, when each is available, and how the choice affects the strength of evidence in a Canadian court.

Published Jul 3, 2026 | Updated Jul 3, 2026 | 12 min read

When a mobile phone is examined for court, the single most important technical decision is how the data is copied off the device. There are two families of methods: logical acquisition and physical acquisition (with file-system acquisition sitting between them). Each captures a different slice of what is on the phone, each has different legal and evidentiary implications, and the wrong choice can quietly leave decisive evidence on the device and out of the record.

This article compares the two side by side in plain language, then walks through the technical, legal, and practical trade-offs that Canadian counsel should understand before a mobile device is examined.

Table of contents

  1. The short answer
  2. What "logical" actually captures
  3. What "physical" actually captures
  4. File-system acquisition — the useful middle ground
  5. Side-by-side comparison
  6. When each method is even available
  7. Advanced methods: chip-off, JTAG, ISP
  8. Legal and evidentiary implications in Canada
  9. How to instruct the examiner
  10. Common misconceptions
  11. FAQ

1. The short answer

Logical acquisition copies what the phone's operating system is willing to hand over through its normal backup and sync interfaces — messages, contacts, call logs, photos, and the current contents of most apps. It is fast, non-invasive, and works on almost any device, but it does not recover deleted content and it does not see system areas of the file system.

Physical acquisition copies the raw storage of the device, block for block, the same way a hard drive is imaged in a computer case. It can recover deleted messages, cached location data, application databases the OS would never expose over backup, and unallocated space. It is far more powerful, but it is not available on every device and every operating system version — modern iPhones and current Android flagships often cannot be physically acquired without specialised access.

For most Canadian litigation involving a smartphone, the correct answer is: attempt the deepest acquisition the device supports, document what was and was not available, and be transparent about the limits in the report.

2. What "logical" actually captures

A logical acquisition uses the interfaces the phone itself provides — the iTunes/Finder backup protocol on iPhone, ADB backup or vendor sync protocols on Android, and equivalent MTP transfers for media. What comes across the wire is essentially what the operating system agrees to share:

  • SMS and iMessage threads currently on the device.
  • Contacts, calendars, and call history.
  • Photos and videos in the camera roll.
  • Notes, voice memos, browser bookmarks.
  • Some app data, but only for apps that opt in to backup and only in the form the app chooses to expose.

What it usually does not capture:

  • Deleted messages, deleted photos, deleted app records.
  • The SQLite databases behind most third-party apps (WhatsApp, Signal, Telegram, Snapchat, dating apps, etc.) in a form that lets an examiner recover thread history the user has archived or deleted.
  • System logs and cached location data (significant_locations on iOS, quick-search boxes on Android).
  • Wi-Fi network history, keyboard cache, and app-usage timelines that place a device in a location at a time.

Logical acquisition is fine for a simple preservation of what the user currently sees. It is often insufficient when the dispute turns on what was said, deleted, or where the device has been.

3. What "physical" actually captures

A physical acquisition copies the underlying flash storage as raw bytes. Once the raw image is in the lab, the examiner reconstructs the file system and then walks through every allocated file, every SQLite database, and every unallocated block that has not yet been overwritten.

That produces material that logical acquisition simply cannot reach:

  • Deleted SMS, iMessage, and third-party chat records recovered from database free pages and journals.
  • The full contents of app sandboxes — WhatsApp msgstore.db, Signal signal.db, Snapchat arroyo.db, dating-app caches, and so on — including archived and deleted threads.
  • iOS Cache.sqlite and Android NetworkUsageStats databases that show which app was active, when, and how much data it moved.
  • Location artefacts (iOS Significant Locations, Android quest-history and Google Play Services caches, cell-tower registrations, Wi-Fi survey data).
  • Keyboard predictive-text history that can reveal terms the user typed even if the message was never sent.
  • Wallpaper thumbnails, deleted photo thumbnails, and Snapshots/ folders that captured the last-open screen of an app.
  • Unallocated flash space, which sometimes preserves fragments of messages, images, or documents that have been deleted but not yet overwritten.

Physical acquisition is what people usually mean when they say "we did a full forensic download." It is the gold standard when the device supports it.

4. File-system acquisition — the useful middle ground

There is an important third option that the industry calls file-system acquisition (sometimes "full file system," or FFS on iPhone). It copies every file the operating system stores on the phone, including the app sandboxes and system databases, but it does not copy unallocated flash beneath the file system.

In practice, on modern iPhones, this is what most investigations actually get. It recovers deleted rows from SQLite databases (because SQLite marks rows as deleted rather than erasing them immediately), and it exposes the full app data that logical acquisition hides — so it typically recovers 90 percent of what a true physical acquisition would recover. What it misses is unallocated space and true carved fragments.

For Canadian litigation, file-system acquisition is often the practical target on a current-generation iPhone. Physical acquisition remains the target on Android, on older iPhones, and any time deleted content in unallocated space matters.
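Added example, not part of the original article or any lab's tooling: a constructed SQLite chat database shows why a query-level (logical) view misses a deleted message that a copy of the database file still contains. It goes one step beyond the text by also showing the caveat that an app which enables SQLite's `secure_delete` zeroes the row on deletion; the table, file name and message text are constructed, and the pragma is set explicitly because SQLite builds differ in their default.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: three chat rows, one of which the "user" deletes.
ROWS = [
    ("alice", "running late, see you at 6"),
    ("bob", "wire the deposit before Friday"),
    ("alice", "ok, talk tomorrow"),
]
DELETED_BODY = ROWS[1][1]


def acquire(secure_delete: bool) -> dict:
    """Build a chat DB, delete one row, then compare the two views an examiner can get."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "msgstore_demo.db")  # hypothetical file name
        con = sqlite3.connect(path)
        # Assumption made explicit: the app's secure_delete setting decides the outcome.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
        )
        con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", ROWS)
        con.commit()
        con.execute("DELETE FROM messages WHERE body = ?", (DELETED_BODY,))
        con.commit()

        # Logical view: only what the database engine agrees to return.
        logical = [b for (b,) in con.execute("SELECT body FROM messages ORDER BY id")]
        con.close()

        # File-system view: the raw bytes of the database file itself.
        with open(path, "rb") as fh:
            raw = fh.read()

    return {
        "logical_sees_deleted": DELETED_BODY in logical,
        "raw_file_has_deleted": DELETED_BODY.encode() in raw,
        "raw_file_has_live": ROWS[0][1].encode() in raw,
    }


if __name__ == "__main__":
    print("secure_delete OFF:", acquire(secure_delete=False))
    print("secure_delete ON: ", acquire(secure_delete=True))
```

With `secure_delete` off, the deleted text survives in the page's free space until SQLite reuses or vacuums it, which is why recovery becomes less likely the longer the device stays in use.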

5. Side-by-side comparison

| Dimension | Logical | File-system | Physical |
|---|---|---|---|
| What is copied | OS-mediated backup export | Every file on the device | Raw flash storage, byte for byte |
| Deleted messages recoverable | Rarely | Often (from SQLite free pages and WAL journals) | Yes, including from unallocated space |
| Third-party app databases | Only if the app allows backup | Yes, in full | Yes, in full |
| Location artefacts | Limited | Extensive | Extensive |
| Unallocated space carving | No | No | Yes |
| Speed | Minutes | 30–120 minutes | Hours to days |
| Requires unlock | Usually yes | Yes | Depends on method |
| Available on latest iPhone | Yes | Sometimes (tool + version dependent) | Rarely |
| Available on modern Android | Yes | Often | Sometimes |
| Invasiveness | None | None | None to significant (chip-off is destructive) |
| Report signal | Basic | Strong | Strongest |

6. When each method is even available

Availability is driven by three variables: the device model, the operating system version, and the state of the device when it arrived at the lab.

  • Latest-generation iPhones (iPhone 15/16 on current iOS): logical is always available; file-system is often available with the right tooling and the correct passcode; physical is generally not available.
  • Older iPhones (iPhone X and earlier, or devices on older iOS): physical acquisition is often available through documented bootrom exploits and tool support.
  • Modern Android flagships (Pixel, Samsung, current OnePlus): file-system acquisition is often available; physical depends on whether the bootloader can be unlocked or a chipset exploit exists.
  • Older or budget Android devices: physical acquisition is often available through standard tool workflows.
  • Locked device, unknown passcode: the acquisition path narrows sharply. On iPhone, BFU (before-first-unlock) acquisition returns almost nothing until the passcode is known. On Android, most modern devices are similarly constrained.
  • Damaged device (water, screen destroyed, board damaged): physical extraction may still be possible via chip-off, JTAG, or ISP methods, described below.

The correct instruction to the examiner is not "do a physical" — it is "recover the deepest acquisition this device supports, and document what was attempted and what succeeded."

7. Advanced methods: chip-off, JTAG, and ISP

When the device is damaged or when standard forensic tools cannot reach the storage, the lab has three fallback methods that operate closer to the hardware:

  • ISP (In-System Programming): the examiner solders wires directly to test points on the mainboard and reads the eMMC or UFS flash controller through its native interface, without disturbing the chip. Non-destructive to the storage itself, and often the right first fallback.
  • JTAG: an older technique that uses the CPU's debug interface to read memory through the processor. Available on fewer modern devices because JTAG interfaces are increasingly locked or removed, but sometimes still the only way in.
  • Chip-off: the flash storage chip is physically desoldered from the board and read in a dedicated chip reader. Destroys the device but produces a true raw physical image of the flash. Reserved for devices that will not power on, for suspected anti-forensic modifications, or when other methods have failed.

These techniques matter for evidentiary reasons as well as technical ones. In a Canadian case where the device has been damaged — accidentally or deliberately — the ability to say on the record that "we attempted ISP, that failed on this model because the flash is a PoP package, so we proceeded to chip-off and produced a verified image" is often the difference between a defensible acquisition and one the other side can undermine.

8. Legal and evidentiary implications in Canada

The choice of acquisition method has direct consequences for how evidence lands in a Canadian court.

Best-evidence and completeness. Canadian courts increasingly expect the party tendering electronic evidence to have preserved the whole of the relevant record, not selected portions of it. Logical acquisition often produces exactly that risk — the party appears to have preserved "the messages," but the deleted, archived, or third-party-app content that would have completed the picture was never captured. A file-system or physical acquisition inoculates against a challenge that the party cherry-picked what was preserved.

Chain of custody and reproducibility. All three methods produce a hash-verified image that the lab can re-mount and re-examine later, and that opposing counsel can independently verify. This is a strong point for defensibility on all three methods, provided the examiner records hash values at acquisition and any downstream examiner re-verifies before analysis.

Section 31 (Canada Evidence Act) and provincial equivalents. The integrity provisions for electronic records are satisfied by any of the three acquisition methods, as long as the examiner can describe the system that recorded and preserved the data. That is a technical foundation, not a bar to admissibility, and it applies equally to logical and physical acquisitions.

Cross-examination risk. The biggest evidentiary risk is not admissibility but weight. When the examiner is asked on cross whether deleted content, application databases, or location artefacts were captured, "we did a logical acquisition, so no" invites the finder of fact to wonder what was missed. "We attempted file-system acquisition, it succeeded, here is the coverage" is a much stronger position.

Privacy and proportionality. The counterpoint is that physical acquisition captures more than logical, including material that may be irrelevant and sensitive (health data, private messages with third parties, unrelated location history). In matrimonial, employment, and civil matters where the scope of the examination is limited by court order or protocol, the acquisition method should match the scope — and the examiner should hold the fuller image in a sealed working copy while producing only the responsive artefacts to counsel. This is standard practice at defensible labs.

9. How to instruct the examiner

Counsel does not need to specify the acquisition method. The correct instruction has three parts:

  1. Scope. What is the dispute, what date range matters, and what categories of content are in issue (messages with named parties, location on named dates, use of named apps).
  2. Depth authorisation. Authorise the examiner to attempt the deepest acquisition the device supports, and to document what was attempted and what succeeded. This gives the lab the room to escalate from logical to file-system to physical without a second round of instructions.
  3. Production scope. Specify what the lab should produce to counsel — a targeted export of responsive artefacts, or the full working image. In matters with a protocol, this is where the protocol lives.

Retaining a lab that automatically defaults to logical because it is faster is the single most common way that decisive mobile evidence is left on the device.

10. Common misconceptions

"We got a full download, so we have everything." A logical export is often described as a "full download" by the person who ran it. Ask what tool was used and what acquisition method the tool reports — the answer distinguishes a logical export from a file-system or physical image.

"Deleted messages are gone." On a logical acquisition, effectively yes. On a file-system or physical acquisition, deleted messages are frequently recovered from SQLite free pages, WAL journals, and unallocated space, sometimes for months after the deletion.

"The passcode is not needed if we own the device." On modern iPhones and current Android devices, the passcode is required for any acquisition beyond BFU state, regardless of ownership. Corporate MDM enrolment sometimes provides an alternative, but personal-device custody without the passcode is a hard limit.

"Physical acquisition means the phone is destroyed." Only chip-off destroys the device. Standard physical acquisition through supported forensic tools, and ISP/JTAG in most cases, are non-destructive.

"Any lab can do a physical." Physical acquisition on modern devices is tool-limited and license-limited. The lab needs current Cellebrite/GrayKey/Magnet subscriptions and, for advanced methods, ISP/chip-off equipment. Ask what the lab has before assuming capability.

11. FAQ

Do we always need a physical acquisition?
No. For simple preservation of currently visible content, a logical acquisition is often enough. When the case turns on deleted content, third-party app data, or device location, the deepest acquisition the device supports — usually file-system on modern iPhones and physical on Android and older iPhones — is the correct target.

Can a physical acquisition be done on a locked phone?
On older devices, sometimes yes through documented bootrom exploits or chip-off. On modern iPhones and current Android flagships, generally no beyond BFU state until the passcode is known. This is the single most limiting factor on modern mobile investigations.

Is chip-off admissible in Canadian courts?
Yes, when the procedure is properly documented and the resulting image is hash-verified. Chip-off is a recognised forensic technique. The lab should record why chip-off was necessary, the equipment used, the resulting image hashes, and how the file system was reconstructed.

How long does a physical acquisition take?
For a supported device with a known passcode, physical or file-system acquisition typically completes in a few hours. Chip-off adds a day or more for desoldering, reading, and file-system reconstruction. Analysis after acquisition is separate and depends on the volume of relevant content.

What should our retainer letter to the lab say?
Authorise the lab to attempt the deepest acquisition the device supports, to document what was attempted and what succeeded, and to hold the full working image in evidence while producing responsive artefacts on the scope defined in the retainer. Do not name a specific acquisition method — the lab picks the right one for the device.
