Abstract—Current forensic tools for examination of embedded systems like mobile phones and PDAs mostly perform data extraction on a logical level and do not consider the type of storage media during data analysis. This paper suggests a low-level approach for the forensic examination of flash memories and describes three low-level data acquisition methods for making full memory copies of flash memory devices. Results are presented of a file system study in which USB memory sticks from 45 different makes and models were used. For different mobile phones, it is shown how full memory copies of their flash memories can be made and which steps are needed to translate the extracted data into a format that can be understood by common forensic media analysis tools. Artifacts caused by flash-specific operations like block erasing and wear leveling are discussed, and directions are given for enhanced data recovery and analysis on data originating from flash memory.

Index Terms—embedded systems, flash memory, physical anal-