Physical extraction is the forensic-acquisition method that pulls a bit-for-bit copy of device storage, including deleted files, cache, slack space, and unallocated regions. Logical extraction reads only what the operating system exposes through standard APIs (recent messages, contacts, call logs). Cellebrite Premium and GrayKey aim for physical or full file system; standard logical extraction returns far less.
What it means in practice
The deeper the extraction, the more the recovered data exceeds what the user thought existed on the device. Logical extraction returns roughly what an iCloud backup would contain. Physical extraction returns deleted Signal messages whose database entries have not been overwritten yet, draft photos that were never sent, app cache from sites visited months ago, residual data from apps long since uninstalled. The legal and operational effect is asymmetric. The user assumes that deleting a message removes it; physical extraction often recovers it for weeks to months after deletion until the file system overwrites the underlying blocks. The threat model implication: do not rely on deletion as a privacy mechanism on a device that may face forensic-grade examination.
Who uses it, and against whom
Operated by: federal forensic labs (FBI Cyber Division, ICE HSI, every major state police forensic unit), corporate forensic firms (Stroz Friedberg, Kroll, FTI), defense-side experts in litigation, and (in adversarial contexts) authoritarian-government services with Cellebrite UFED Premium contracts. Against whom: anyone whose device is in the custody of a buyer agency or under court-ordered forensic exam. Civil discovery in family court increasingly includes phone forensics, particularly in high-asset divorces and custody cases involving allegations of abuse. The category was historically law-enforcement-only; the diffusion to civil-litigation forensic firms has expanded the reachability significantly.
What you can change today
Three structural defenses against physical extraction. First, full-disk encryption with a strong passphrase: a modern iPhone in BFU state with a 10+ character alphanumeric passcode resists physical extraction at the current public capability of UFED Premium. Second, minimize what the device holds: end-to-end encrypted messengers with disappearing messages on (the message that does not exist on the device cannot be recovered), cloud-storage of sensitive material with local copies wiped after each session. Third, threat-model-tier device choice: GrapheneOS on a Pixel for the highest tier of resistance, current iPhone in Lockdown Mode as the next tier, anything else accepts the standard forensic exposure.
