Mobile data acquisition with Belkasoft X

Belkasoft X offers a range of acquisition methods for iOS and Android-based devices:

IOS ACQUISITION METHODS: up to iOS 17

iTunes

iTunes backups acquisition (including lockdown files support)

This is a standard way to back up iOS device data. It requires iTunes to be installed on the machine where Belkasoft X is running, as well as an unlocked device or a valid lockdown file.

Since an encrypted iTunes backup contains more data, Belkasoft X suggests encrypting a backup if no password is set in iTunes.

Supported iOS versions: any (including iOS 17)

Checm8

checkm8-based acquisition

Belkasoft X supports forensically sound, jailbreak-free extraction of selected iOS devices via a hard-coded, unpatchable exploit called 'checkm8'. Compatible devices include the range of iPhone and iPad devices powered by Apple's A7 through A11 SoC (iPhone 5s through iPhone X and corresponding iPad models). Full file system and keychain can be acquired using this method.

Supported iOS versions: 12.0 to 16 beta (16 final release and newer versions are not supported)

Brute-force

iOS passcode brute-force

A locked iOS device can pose a significant challenge for your investigation because, even with sophisticated acquisition types like checkm8, you will only obtain a limited amount of data (BFU mode extraction). A specialized module of Belkasoft X, known as the Mobile Passcode Brute-Force module, addresses this issue for iPhones and iPads with specific SoCs inside.

Learn more

Agent-based_acquisition

Agent-based acquisition

The agent-based method is another approach to acquiring an iPhone or an iPad without jailbreak. The acquired image contains a full file system copy and keychain, similarly to checkm8 or jailbroken device image.

However, unlike checkm8, it works on a broader range of devices and iOS versions, including iPhone XS/XS Max, iPhone XR, iPhone 11/Pro/Pro Max, iPhone 12/Mini/Pro/Pro MAX, iPhone 13/Mini/Pro/Pro Max, iPhone 14/Plus/Pro/Pro Max, iPhone SE (2nd gen), iPad Air (3rd gen) and iPad Pro (3rd gen) and others.

Supported iOS versions: iOS 10.3.3 to 16.1.2 (refer to a specialized page for more precise information).

Jailbroken

Support for the latest jailbreaks

Belkasoft X supports the latest jailbreaks like checkra1n, odyssey, unc0ver, and others. In some cases, jailbreaking is the only method to extract important data from a device under investigation. With Belkasoft X it is possible to acquire a full file system as well as a keychain from jailbroken iOS devices.

Supported iOS versions: Any, if a jailbreak was successfully installed

Media

iOS crash log extraction

Crash logs can be used to understand the conditions under which the application was terminated and provide a trace of the execution of an application. Belkasoft X can extract iOS crash logs as a separate type of acquisition. You do not need to jailbreak your device; it is sufficient to have a passcode or a valid lockdown file of the device.

Supported iOS versions: Any

LOG

Media files copy via AFC protocol

This acquisition type is based on AFC (Apple File Conduit), Apple's proprietary protocol for media file transfer from an iOS device to a host computer. This type of acquisition allows copying pictures, audio, and video files. It requires iTunes to be installed on the machine where Belkasoft X is running.

Supported iOS versions: Any

Screen Capture

Screen capturing

With the help of this method, Belkasoft X has the ability to capture screenshots of a device. You can take screenshots of chat threads, call lists, device settings, and other important data.

ANDROID ACQUISITION METHODS

Brute-force

Android passcode brute-force

A specialized module of Belkasoft X, called the Mobile Passcode Brute-Force module, can assist in the acquisition of specific Android devices without the need to unlock them.

Learn more

ADBBackup

ADB backup acquisition

A standard ADB backup is built into the Android operating system and available on any Android device. Belkasoft X supports this kind of acquisition for a vast majority of Android-based devices.

Android Filesystem Copy

Logical and physical acquisition of rooted Android devices

With Belkasoft X you can acquire both physical and logical images of an Android device where administrative rights are obtained ('rooted device'). A logical image, which is a full file system copy, is useful when your device has built-in encryption and a physical image makes no sense.

iTunes

Agent-based acquisition

This acquisition method uses a special application ('agent'), installed by Belkasoft X on a device. The agent helps transfer data from the device to Belkasoft X. The range of data depends on a chipset vendor.

Upon the acquisition, the agent will be automatically uninstalled by Belkasoft X.

A variant of this method is acquisition through an agent copied onto the phone's SD card. In this case, there is no need to connect the phone to a computer via a cable, which can be advantageous in case of a faulty connector.

MTK

Support for MTK-based devices

Belkasoft X has specific support for acquisition from devices powered by MediaTek. A number of acquisition methods are supported, and each of them has its own requirements and range of acquired data (logical file system image, physical dump, particular types of applications).

The wide variety of MTK-based devices and MTK chipsets are supported, including popular smartphones—such as LG, HTC, Sony Experia, and others, as well as exotic devices—Gionee, Oppo, and Umidigi.

Find out which MTK-based devices are supported

Qualcomm

Support for Qualcomm-based devices

Belkasoft X allows you to acquire a physical image from a vast amount of different mobile device models running on Qualcomm Snapdragon SoC. This method is based on an emergency download mode (EDL).

The list of supported devices includes more than 250 smartphone models, including various models of Samsung, Xiaomi, Meizu, ZTE, Vivo, and others.

Find out which Qualcomm-based devices are supported

Qualcomm

Support for Spreadtrum-based devices

Belkasoft X also allows you to acquire a physical image of a vast amount of different mobile device models running on a Spreadtrum chipset.

The method supports almost 90 phone models, including various models of Archos, ARK, BLU, Intex, Micromax, and others.

Find out which Spreadtrum-based devices are supported

APK Downgrade

APK downgrade method

This method allows a user to install an older version of an application to a device, which allows for the extraction of data from applications that have removed the possibility of backing up their data into the standard ADB backup. Upon the acquisition completion, the original versions of applications will be restored, even if the acquisition was completed incorrectly.

Belkasoft X supports the downgrade of multiple applications including Facebook Messenger, Instagram, KakaoTalk, Opera, Signal, Skype, Telegram, Twitter, Viber, WeChat, WhatsApp, Zello, and others.

Media

Media files copy via MTP/PTP protocols

This acquisition method uses Media Transfer Protocol / Picture Transfer Protocol and allows the copying of pictures, audio, and video files from a device to a computer.

Advanced ADB Acquisition

Advanced ADB acquisition

This acquisition method is a combination of several methods powered by ADB into a single task. It runs an ADB backup creation, agent-based acquisition, and copying data from a SIM card.

Automated Screen Capture

Automated screen capturing

With the help of this method, Belkasoft X has the ability to capture screenshots of various popular applications installed on a device. You can take screenshots of chat threads and call lists. Handy options allow you to set the maximum number of pages to capture, which helps when working with large volumes of chat or call data. You can also specify directions for the scrolling, whether up or down.

See also

Why Belkasoft should be your tool of choice for mobile forensics

[Infographics] Mobile forensics with Belkasoft X

[On-demand –°ourse] Mobile Forensics with Belkasoft X

[On-demand –°ourse] iOS Forensics with Belkasoft X

Why use Belkasoft X?

Combines mobile, computer, and cloud forensics in a single tool

Helps acquire data even in complex setups

Analyzes 1500+ types of artifacts out of the box

Belkasoft X is easy to use!

Allows for advanced low-level analysis

Much more cost-effective

Shows the entire picture thanks to high-level analysis

Quick to complete data extraction and parsing

What's next?

TRY

Free trial

Start a free trial of Belkasoft Evidence Center X and experience its ease of use and reliability along with the cutting-edge digital forensics capabilities.

Start free trial

CONTACT

NEED ADVICE?

Talk to an expert who can help you identify the Belkasoft configuration you need and answer your questions.

Talk to us