
Android Logical Acquisition for Civil Litigation

Civil litigation often requires mobile device evidence from custodians who consent to acquisition. Android logical acquisition over ADB recovers messages, contacts, call logs, app data, photos, browser history plus media without requiring jailbreak or passcode bypass. This guide covers what logical acquisition captures, what it does not capture, when physical acquisition or chip-off is needed instead plus how to handle the evidence package for civil litigation use. The Sherlock Android Acquirer supports logical acquisition across Android 6 Marshmallow through Android 15.

Civil litigation mobile evidence scope

Civil litigation cases frequently involve mobile device evidence. Family law matters need text messages, photos plus location data. Employment disputes need device evidence of communications during the disputed period. Commercial disputes need evidence of business communications conducted through mobile devices. Personal injury cases need timeline evidence from device activity. Each case has specific evidence requirements that mobile forensic acquisition addresses.

The custodian-consent context (the device owner agrees to provide the device for forensic acquisition) is the typical civil litigation acquisition scenario. The owner either provides their device willingly or is compelled to provide it under court order or discovery process. The acquisition does not need to defeat the device security; the owner provides the passcode plus authorizes the acquisition.

This consent context distinguishes civil litigation acquisition from criminal investigation acquisition. Criminal investigations sometimes require defeating device security on devices the suspect refuses to unlock. Civil litigation typically does not. The acquisition method that handles civil litigation cases is logical acquisition rather than physical extraction.

What logical acquisition captures

Logical acquisition extracts data through the device's normal data access interfaces (Android Debug Bridge or ADB on Android devices) rather than bypassing the operating system at the storage layer. The acquisition captures the data the operating system makes available to authorized callers.

Messages: SMS plus MMS messages from the device messaging database. RCS messages (Google Messages chat features) where present. WhatsApp, Signal, Telegram plus other major messaging apps export their message databases through Android backup or app-data access.

Contacts: the contact database including names, phone numbers, email addresses, postal addresses plus contact group membership.

Call logs: incoming, outgoing plus missed call records with timestamps, duration plus contact information.

App data: data stored by installed applications including chat histories, document drafts, browsing history within the app, account configurations plus app-specific media.

Photos plus videos: media files in the device gallery including originals plus thumbnails. EXIF metadata captures camera plus location information at capture time.

Browser history: Chrome plus other browsers on the device store history that logical acquisition captures from the browser app data directory.

Location history: Google Location History plus per-app location records (Uber trip history, fitness app routes, etc.) are captured where the user enabled them.

Calendar plus reminders: calendar entries, event invitations plus reminder configurations.

Installed app inventory: the list of installed apps plus their installation timestamps provides context for what services the user uses.

Device identifiers: IMEI, IMSI, Android ID, hardware MAC plus other identifiers that may be relevant for cross-referencing with carrier records.

System logs: Android system logs (logcat-class records, dropbox records, anr trace records) provide context for crashes, application behavior plus system events.

The Sherlock Android Acquirer performs logical acquisition across Android 6 Marshmallow through Android 15 with hash verification plus chain of custody documentation suitable for civil litigation evidence.

What logical acquisition does not capture

Several data categories are not accessible through logical acquisition. Understanding these limits prevents over-promising on what mobile evidence will produce.

Deleted data: logical acquisition reads the data the operating system presents. Data the user has deleted is typically not visible through this interface. Some apps retain a "deleted items" or "recently deleted" cache that does survive, but truly deleted user data does not. Recovery of deleted data requires physical acquisition (which requires defeating device security on modern Android devices).

Encrypted app sandbox data: some apps encrypt their data with keys that are not exposed through Android backup. WhatsApp message databases, for example, are encrypted with keys that require root access to extract. Logical acquisition captures what the user can normally export but not what the app keeps additionally encrypted.

Secure folder data: Samsung Secure Folder plus equivalent vendor features create a parallel encrypted user space. Logical acquisition of the main user does not access Secure Folder content.

Work profile data: Android work profiles (corporate-managed user spaces) are isolated from personal user data. Logical acquisition of the personal profile does not access work profile data.

Cloud data: data stored only in cloud services (Google Drive personal files not synced to device, iCloud-equivalent cloud data) is not on the device for acquisition. Cloud acquisition requires a separate process through service provider records or with the user's cloud credentials.

Real-time observation: logical acquisition is a point-in-time snapshot. Real-time observation of device behavior requires different tooling (wiretap process, device monitoring agents).

When physical acquisition or chip-off is needed instead

Some cases require evidence categories that logical acquisition cannot deliver. The case characteristics that point to physical acquisition or chip-off:

Need for deleted data recovery. Court cases that require recovery of deleted messages or media need physical acquisition. The recovery is materially more invasive and costs materially more.

Device locked plus no consent. Criminal cases where the suspect refuses to unlock require GrayKey-class extraction. This is typically not in scope for civil litigation.

Encrypted app data needed. WhatsApp message databases, Signal encrypted backups plus similar app-encrypted data require root access. Civil litigation cases that need this content typically need separate acquisition via app-specific export or vendor service.

Device damaged plus unable to power on. Devices damaged through physical incident may require chip-off extraction (removing the storage chip plus reading it directly). This is specialty work requiring specific equipment plus expertise.

Sherlock Forensics does not perform GrayKey-class extraction or chip-off in our standard service offering. For civil litigation cases that need physical acquisition, we coordinate with specialty vendors plus oversee the evidence handling. The Sherlock Android Acquirer is positioned for the logical acquisition layer which handles most civil litigation cases.

Civil litigation acquisition workflow

The acquisition workflow for civil litigation:

Pre-acquisition documentation: the consent or court order that authorizes acquisition is documented. The custodian identity, device identification plus authorization scope are captured.

Device handling: the device is placed in airplane mode (or otherwise network-isolated) to prevent remote wipes or modification during acquisition. Photograph the device plus its case. Record device identifiers (IMEI from settings or device sticker).

Custodian authorization: the custodian unlocks the device plus enables USB debugging in developer settings. This requires custodian cooperation. If the custodian will not enable USB debugging, logical acquisition cannot proceed; the case may need to escalate to a court order or a different acquisition method.

Acquisition: attach the device to the acquisition workstation. Run the Android Acquirer plus initiate logical acquisition. The tool extracts the data categories listed above plus produces a manifest with hash verification.

Verification: verify acquisition completeness against expected data categories. Document any acquisition errors plus the categories affected.

Evidence package: the acquisition output plus manifest plus chain of custody documentation form the evidence package. The package is suitable for inclusion in civil discovery production or as a litigation exhibit.

Custodian return: the device is returned to the custodian after acquisition. Document the return with timestamp plus receipt.

Analysis: the acquired data is analyzed against the case-specific questions (what messages occurred during a disputed period, what photos exist of a specific location, what location records contradict a stated timeline). Analysis is performed on the acquired data, not on the device.

Evidence package considerations

The acquisition output needs to support its use in civil litigation. Several considerations:

Chain of custody documentation: the acquisition logs plus custodian records form the chain of custody. The chain of custody supports the evidence integrity attestation.

Hash verification: the acquisition manifest captures per-artifact hashes. The hashes prove the evidence presented in litigation is the evidence as acquired.

Examiner attestation: the examiner who performed the acquisition signs an affidavit covering the acquisition method, tool versions plus findings. The affidavit accompanies the evidence package.

Production format: civil discovery typically requires production in specific formats. The Android Acquirer output can be exported to PDF reports for production, structured data for case management systems or per-message exports for review platforms.

Privilege screening: the acquired data may contain attorney-client privileged communications, work product or third-party private information. Legal counsel should review the acquisition output for privilege plus relevance before production.

Privacy considerations: custodians have varying privacy expectations regarding their devices. The acquisition scope should align with what is needed for the case rather than capturing everything available. Some jurisdictions impose specific privacy requirements on device acquisition.
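
The per-artifact hash check described under hash verification, and the completeness check in the workflow's verification step, as an added example that is not the Sherlock Android Acquirer's code or manifest format. It assumes a manifest that maps each relative path to a SHA-256 digest; the file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large media artifacts are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Record one SHA-256 per artifact, keyed by path relative to the package root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_package(root, manifest):
    """Compare the package on disk with the manifest taken at acquisition."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unlisted": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed sample package: verify it clean, then after three changes."""
    sample = {"sms/mmssms.db": b"constructed sms rows",
              "contacts/contacts2.db": b"constructed contacts",
              "media/IMG_0001.jpg": b"constructed jpeg bytes"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)          # taken at acquisition time
        clean = verify_package(root, manifest)
        with open(root / "sms/mmssms.db", "ab") as f:
            f.write(b"\x00")                     # one byte appended afterwards
        (root / "media/IMG_0001.jpg").unlink()   # artifact removed
        (root / "notes.txt").write_bytes(b"added later")  # file not in manifest
        return clean, verify_package(root, manifest)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

A package is only as trustworthy as its manifest, so the manifest itself should be stored and hashed separately from the artifacts it describes.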

What this means for litigation planning

The mistake civil litigation teams make is treating mobile device evidence as either obvious or unobtainable. Neither is true. Logical acquisition handles the majority of civil litigation mobile evidence needs through the consent or court-order context that civil cases typically operate in. The cost is materially below criminal investigation acquisition methods.

The honest practitioner posture is to engage mobile forensic acquisition early in cases where mobile evidence may be relevant. The acquisition produces evidence with documented integrity that supports the litigation strategy. The cost of acquisition is materially below the cost of being unable to authenticate mobile evidence at trial because the acquisition was not performed forensically.

The Sherlock Forensics services practice supports mobile forensic acquisition for civil litigation across mid-market and enterprise customers. The forensic toolchain includes the Sherlock Android Acquirer for logical acquisition, the Sherlock Disk Imager for acquisition workstation imaging during the acquisition chain, the Sherlock PST Viewer for email correspondence forensics when device acquisition combines with mailbox analysis plus the supporting forensic examination services.

Talk to our team about mobile forensic acquisition for civil litigation, custodian device handling protocol or evidence package preparation for ongoing discovery.
