In mobile forensics, which acquisition method preserves the highest level of data integrity and captures the most data from an iOS device?
Physical acquisition creates a bit-for-bit copy of the entire flash memory, preserving all data including deleted files.
Why this answer
Physical acquisition is correct because it creates a bit-for-bit copy of the entire flash storage, including unallocated space, deleted files, and system partitions. This method bypasses the iOS file system abstraction, preserving the highest data integrity and capturing all recoverable data, unlike higher-level acquisitions that only retrieve accessible files.
Exam trap
EC-Council often tests the misconception that 'file system acquisition' is the most thorough method because it includes system files. The trap is that only physical acquisition captures unallocated space and deleted data, which file system acquisition cannot access due to iOS sandboxing and file system abstraction.
How to eliminate wrong answers
Option A is wrong because file system acquisition only copies allocated files and metadata visible through the iOS file system (e.g., via AFC or iTunes backup), missing deleted data and unallocated space, thus providing lower integrity and less data.
Option C is wrong because logical acquisition extracts only user-accessible data (e.g., contacts, messages) via APIs like iTunes backup or libimobiledevice, ignoring system files and deleted artifacts, resulting in the least data capture.
Option D is wrong because manual acquisition involves physically interacting with the device screen to capture data (e.g., screenshots or notes), which is highly operator-dependent, alters the device state, and cannot recover hidden or deleted data, offering the lowest integrity and data completeness.