An Introduction to Forensics Data Acquisition From Android Mobile Devices 1

An Introduction to Forensics Data Acquisition From Android Mobile Devices

The function that a Digital Forensics Investigator (DFI) is rife with non-stop gaining knowledge of opportunities, particularly as the era expands and proliferates into each nook of communications, amusement, and business. As a DFI, we address a day-by-day onslaught of the latest gadgets. Like the cell phone or pill, many of those gadgets use commonplace working structures that we want to be familiar with. Certainly, the Android OS is predominant within the pill and cell smartphone enterprise. Given the predominance of the Android OS inside the cellular device market, DFIs will run into Android gadgets within the route of many investigations. While numerous fashions recommend strategies to obtain records from Android gadgets, this newsletter introduces 4 possible methods that the DFI must bear in mind when proof gathering from Android devices.

A Bit of History of the Android OS

Android’s first commercial release came in September 2008 with model 1.Zero. Android is the open-source and ‘free to use’ operating gadget for cell gadgets developed through Google. Importantly, early on, Google and other hardware agencies shaped the “Open Handset Alliance” (OHA) in 2007 to foster and help the Android boom inside the marketplace. The OHA now includes 84 hardware businesses and giants like Samsung, HTC, and Motorola (to call a few). This alliance became mounted to compete with groups who had their personal market services, consisting of aggressive gadgets presented through Apple, Microsoft (Windows Phone 10 – which is now reportedly lifeless to the market), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or not, the DFI has to recognize approximately the numerous variations of a couple of operating machine platforms, particularly if their forensics cognizance is in a particular realm, such as cellular devices.


Linux and Android

The modern-day new release of the Android OS is based totally on Linux. Keep in thoughts that “based on Linux” does no longer imply the same old Linux apps will continually run on an Android and, conversely, the Android apps which you would possibly revel in (or are acquainted with) will no longer always run on your Linux desktop. But Linux isn’t always Android. To clarify the factor, please be aware that Google selected the Linux kernel, the important part of the Linux operating system, to manage the hardware chipset processing so that Google’s builders wouldn’t be involved with the specifics of ways processing occurs on a given set of hardware. This allows their developers to recognize the broader working gadget layer and the user interface capabilities of the Android OS.

A Large Market Share

The Android OS has a full-size market percentage of the cellular tool market, normally due to its open-source nature. An extra of 328 million Android gadgets had been shipped as of the third quarter in 2016. And, according to netwmarketshare.Com, the Android working machine had the majority of installations in 2017 — almost sixty-seven% — as of this writing.

As a DFI, we can assume to encounter Android-based hardware within the path of a standard research. Due to the open-source nature of the Android OS at the side of the varied hardware systems from Samsung, Motorola, HTC, etc., combos between hardware type and OS implementation affords an additional project. Consider that Android is currently at model 7.1.1. Still, every telephone producer and cell device supplier will generally alter the OS for the precise hardware and service services, giving an additional layer of complexity for the DFI, for the reason that method to data acquisition can also range.

Before we dig deeper into extra attributes of the Android OS that complicate the technique to data acquisition, let’s examine the concept of a ROM version to be carried out to an Android tool. As an outline, a ROM (Read Only Memory) application is low-level programming. This is close to the kernel degree, and the precise ROM software is regularly referred to as firmware. If you believe you studied in terms of a tablet in assessment to a cellular phone, the tablet can have one of a kind ROM programming as contrasted to a cellular telephone, given that hardware features among the pill and cell cellphone can be specific, even if each hardware gadgets are from the identical hardware manufacturer. Complicating the want for greater specifics inside the ROM software, upload within the unique necessities of mobile provider carriers (Verizon, AT&T, and so forth.).

While there are commonalities of acquiring statistics from a mobile phone, now not all Android gadgets are the same, in particular in mind that there are fourteen fundamental Android OS releases on the market (from variations 1.0 to 7.1.1), a couple of vendors with version-particular ROMs, and further endless custom person-complied versions (purchaser ROMs). The ‘purchaser compiled variants’ also are model-specific ROMs. In standard, the ROM-level updates implemented to each wireless tool will incorporate operating and device primary packages that work for a specific hardware tool, for a given dealer (for instance, your Samsung S7 from Verizon), and specific implementation.

Even although there is no ‘silver bullet’ technique to investigating any Android tool, the forensics research of an Android device ought to follow the identical standard system for the collection of evidence, requiring an established method and approach that cope with the research, seizure, isolation, acquisition, examination, and analysis, and reporting for any virtual evidence. When a request to look at a device is obtained, the DFI starts with making plans and coaching to encompass the needful method of acquiring gadgets, the necessary office work to guide and document the chain of custody, the development of a cause declaration for the examination, the detailing of the tool model (and different precise attributes of the received hardware), and a list or description of the information the requestor is looking for to accumulate.

Unique Challenges of Acquisition

Mobile gadgets, including cell telephones, pills, and so on., face unique, demanding situations for the duration of the proof seizure. Since battery existence is constrained on cell gadgets and it isn’t always recommended that a charger is inserted right into a tool, the isolation degree of proof amassing can be important in obtaining the device. Confounding right acquisition, the cellular statistics, WiFi connectivity, and Bluetooth connectivity need to additionally be protected within the investigator’s recognition during acquisition. Android has many security functions constructed into the smartphone. The lock-screen feature may be set as PIN, password, drawing a pattern, facial reputation, location reputation, depending on on-device reputation, and biometrics such as fingerprints. A predicted 70% of customers do use some protection on their phones. Critically, there may be an available software program that the consumer may additionally have downloaded, which could deliver them the potential to wipe the phone remotely, complicating acquisition.

It is not going throughout the seizure of the cellular tool that the display could be unlocked. If the tool isn’t always locked, the DFI’s exam may be easier because the DFI can exchange the settings inside the smartphone directly. If access is permitted to the cell cellphone, disable the lock-display and alternate the display screen timeout to its maximum price (which can be as much as a half-hour for a few devices). Keep in thoughts that of key importance is to isolate the phone from any Internet connections to prevent faraway wiping of the device. Place the smartphone in Airplane mode. Attach an outside power supply to the telephone after being positioned in a static-loose bag designed to dbuildradiofrequency indicators. Once relaxed, you need to later be able to permit USB debugging, for you to allow the Android Debug Bridge (ADB) which can offer precise statistics capture. While it could be critical to have a look at the artifacts of RAM on a mobile device, that is not going to take place.

 Android Mobile

Acquiring the Android Data

Copying a tough-power from a laptop or PC in a forensically sound way is trivial compared to the records extraction strategies wanted for cell device information acquisition. Generally, DFIs have prepared physically get admission to a tough-power without obstacles, considering a hardware copy or software program bit movement photograph to be created. Mobile gadgets have their facts saved interior of the telephone in hard-to-reach locations. Extraction of information through the USB port may be a challenge but can be accomplished with care and success on Android devices. After the Android tool has been seized and is secure, it is time to study the phone. There are numerous statistics acquisition strategies available for Android and they fluctuate significantly. This article introduces and discusses 4 of the number one ways to technique data acquisition. These 5 techniques are cited and summarized below:

1. Send the device to the producer: You can send the tool to the producer for facts extraction to fee extra time and money, but it can be important if you do not have the precise talent set for a given tool or the time to learn. In particular, as referred to earlier, Android has a plethora of OS variations primarily based on the producer and ROM model, adding to the complexity of acquisition. Manufacturer’s normally made this carrier available to government businesses and regulation enforcement for maximum domestic gadgets, so in case you’re an unbiased contractor, you’ll need to check with the producer or gain support from the business enterprise that you are operating with. Also, the producer investigation choice might not be available for numerous global fashions (like the many no-name Chinese telephones that proliferate the marketplace – think about the ‘disposable cellphone’).

2. Direct bodily acquisition of the records. One of the rules of a DFI investigation is to by no means to regulate the information. The physical acquisition of data from a cellular cellphone needs to recollect the identical strict processes of verifying and documenting that the bodily technique used will now not modify any records at the tool. Further, once the device is attached, the walking of hash totals is important. The physical acquisition lets the DFI achieve a complete photograph of the device using a USB twine and forensic software program (at this factor, you should be taking into account write blocks to save you any changing of the records).

Connecting to a cellular telephone and grabbing an image is not as easy and clear as pulling records from a difficult drive on a computing device computer. The hassle is that relying on your preferred forensic acquisition tool, the precise make and model of the cellphone, the provider, the Android OS version, the user’s settings on the telephone, the root popularity of the tool, the lock popularity, if the PIN code is understood, and if the USB debugging alternative is enabled at the device, you can now not be capable of acquiring the records from the tool beneath research. Placed, physical acquisition ends up inside the realm of ‘just trying it to look what you get and may seem to the court (or opposing aspect) as an unstructured manner to acquire facts that can locate the facts acquisition at hazard.

Three. JTAG forensics (a version of physical acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is a greater advanced way of facts acquisition. It is basically a bodily method that entails cabling and connecting to Test Access Ports (TAPs) at the device and processing instructions to invoke a transfer of the uncooked records stored in reminiscence. Raw information is pulled immediately from the related tool through the use of a unique JTAG cable.

This is considered a low-degree statistics acquisition because there’s no conversion or interpretation and is much like a bit-replica. This is carried out while obtaining evidence from a laptop or computer difficult drive. JTAG acquisition can often be completed for locked, broken and inaccessible (locked) gadgets. Since it’s miles a low-stage replica if the device changed into encrypted (whether by using the user or using the precise producer, consisting of Samsung and some Nexus devices), the received records will nonetheless need to be decrypted.

But because Google is determined to do away with complete-tool encryption with the Android OS five.0 launch, the whole-tool encryption predicament is a chunk narrowed until the user has determined to encrypt their tool. After JTAG data is acquired from an Android device, the received facts may be further inspected and analyzed with gear inclusive of 3zx (hyperlink: http://z3x-crew.Com/ ) or Belkasoft (hyperlink: https://belkasoft.Com/ ). Using JTAG gear will mechanically extract key virtual forensic artifacts, including name logs, contacts, region facts, browsing history, and lots extra.

4. Chip-off acquisition. This acquisition technique calls for the removal of memory chips from the device. Produces uncooked binary dumps. Again, that is considered a sophisticated, low-degree acquisition and could require de-soldering of reminiscence chips using relatively specialised tools to get rid of the chips and different specialised gadgets to read the chips. Like the JTAG forensics referred to above, the DFI dangers that the chip contents are encrypted. But if the information is not encrypted, a piece reproduction can be extracted as a raw image. The DFI will need to contend with block cope with remapping, fragmentation and, if gift, encryption. Also, several Android device manufacturers, like Samsung, put in force encryption, which cannot be bypassed throughout or after chip-off acquisition has been completed, even though the perfect passcode is known. Due to the get admission to problems with encrypted gadgets, chip off is limited to unencrypted devices.

5. Over-the-air Data Acquisition. We are every conscious that Google has mastered information collection. Google is thought for maintaining massive quantities from cellular phones, tablets, laptops, computer systems and different gadgets from numerous working device kinds. If the person has a Google account, the DFI can get the right to enter, download, and analyze all statistics for the given consumer under their Google user account, with the right permission from Google. This entails downloading records from the person’s Google Account. Currently, there are not any full cloud backups to be had to Android customers. Data that may be examined encompass Gmail, contact data, Google Drive records (which can be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android gadgets, (where vicinity records for each device may be reviewed), and plenty greater.

The 5 strategies stated above isn’t a complete listing. A frequently-repeated observe surfaces about statistics acquisition – whilst running on a mobile tool, right and correct documentation is important. Further, documentation of the processes and methods used in addition to adhering to the chain of custody methods which you’ve set up will make sure that evidence accumulated might be ‘forensically sound.’


As discussed in this article, cell device forensics, especially the Android OS, differs from the conventional digital forensic processes used for laptop and laptop computer systems. While the personal computer is without problems secured, the garage can be with no trouble copied. The tool can be stored, safe acquisition of mobile devices and information can often be difficult. A dependent approach to acquiring the cell device and a planned approach for records acquisition is essential. As mentioned above, the five strategies brought will allow the DFI to gain get right of entry to the tool. However, there are numerous extra strategies now not discussed in this article. Additional research and tool use by the DFI can be important.

About the writer. Dr. Ron McFarland, CISSP, PMP, is the Dean of Applied Technologies at the College of the Canyons in Valencia, California. He also teaches as a Part-Time Associate Professor in Cyber Security Studies for the University of Maryland University College. He received his doctorate from Nova Southeastern University’s School of Engineering and Computer Science. He additionally holds multiple safety certifications including the distinguished Certified Information Systems Security Professional (CISSP) certification and numerous CISCO certifications. He is a visitor blogger at Wrinkled Brain Net ( http://www.Wrinkledbrain.Net ), a blog devoted to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC e-mail: ronald.Mcfarland@school.Umuc.Edu

Ricardo L. Dominguez

Tv geek. Professional twitter buff. Incurable zombie aficionado. Bacon fanatic. Internet expert. Alcohol specialist.Fixie owner, father of 3, ukulelist, Mad Men fan and Guest speaker. Working at the fulcrum of simplicity and programing to create great work for living breathing human beings. Concept is the foundation of everything else.