An Introduction to Forensics Data Acquisition From Android Mobile Devices 1

An Introduction to Forensics Data Acquisition From Android Mobile Devices

The function of a Digital Forensics Investigator (DFI) is rife with non-stop gaining knowledge of opportunities, particularly as the era expands and proliferates into each nook of communications, amusement, and business. As a DFI, we address a day-by-day onslaught of the latest gadgets. Like the cell phone or pill, many gadgets use commonplace working structures that we want to be familiar with. Certainly, the Android OS is predominant within the pill and cell smartphone enterprise. Given the predominance of the Android OS inside the cellular device market, DFIs will run into Android gadgets within the route of many investigations. While numerous fashion companies recommend strategies to obtain records from Android gadgets, this newsletter introduces four possible methods that the DFI must consider when gathering proof from Android devices.

A Bit of History of the Android OS

Android’s first commercial release came in September 2008 with model 1.Zero. Android is the open-source and ‘free to use’ operating gadget for cell gadgets developed through Google. Importantly, early on, Google and other hardware agencies shaped the “Open Handset Alliance” (OHA) in 2007 to foster and help the Android boom inside the marketplace. The OHA now includes 84 hardware businesses and giants like Samsung, HTC, and Motorola (to call a few). This alliance mounted to compete with groups with their market services, consisting of aggressive gadgets presented through Apple, Microsoft (Windows Phone 10 – now reportedly lifeless to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct, the DFI has to recognize approximately the numerous variations of a couple of operating machine platforms, particularly if their forensics cognizance is in a particular realm, such as cellular devices.

Linux and Android

The modern-day new release of the Android OS is based totally on Linux. Remember that “based on Linux” no longer implies the same old Linux apps will continually run on an Android, and conversely, the Android apps that you would possibly revel in (or are acquainted with) will no longer always run on your Linux desktop. But Linux isn’t always Android. To clarify the factor, please be aware that Google selected the Linux kernel, the important part of the Linux operating system, to manage the hardware chipset processing so that Google’s builders wouldn’t be involved with the specifics of ways processing occurs on a given set of hardware. This allows their developers to recognize the broader working gadget layer and the user interface capabilities of the Android OS.

A Large Market Share

The Android OS has a large market share of the cellular tool market, normally due to its open-source nature. An extra 328 million Android gadgets were shipped in the third quarter of 2016. According to, the Android working machine had the majority of installations in 2017—almost sixty-seven—as of this writing.

As a DFI, we can assume we encounter Android-based hardware within the path of standard research. Due to the open-source nature of the Android OS at the side of the varied hardware systems from Samsung, Motorola, HTC, etc., combos between hardware type and OS implementation afford an additional project. Consider that Android is currently at model 7.1.1. Still, every telephone producer and cell device supplier will generally alter the OS for the precise hardware and service services, giving an additional layer of complexity for the DFI because the data acquisition method can also vary.

Before we dig deeper into extra attributes of the Android OS that complicate the data acquisition technique, let’s examine the concept of a ROM version to be carried out to an Android tool. As an outline, a ROM (Read Only Memory) application is low-level programming. This is close to the kernel degree, and the precise ROM software is regularly called firmware. Suppose you believe you studied in terms of a tablet in assessment to a cellular phone. In that case, the tablet can have one-of-a-kind ROM programming compared to a cellular telephone, given that hardware features among the pill and cell cellphone can be specific, even if each hardware gadget is from an identical manufacturer. Complicating the want for greater specifics inside the ROM software, upload within the unique necessities of mobile provider carriers (Verizon, AT&T, etc.).

While there are commonalities in acquiring statistics from a mobile phone, now not all Android gadgets are the same, mind that there are fourteen fundamental Android OS releases on the market (from variations 1.0 to 7.1.1), a couple of vendors with version-particular ROMs, and further endless custom person-complied versions (purchaser ROMs). The ‘purchaser compiled variants’ also are model-specific ROMs. In standard, the ROM-level updates implemented to each wireless tool will incorporate operating and device primary packages that work for a specific hardware tool, for a given dealer (for instance, your Samsung S7 from Verizon), and specific implementation.

Even though there is no ‘silver bullet’ technique to investigating any Android tool, the forensics research of an Android device ought to follow the identical standard system for the collection of evidence, requiring an established method and approach that cope with the research, seizure, isolation, acquisition, examination, and analysis, and reporting for any virtual evidence. When a request to look at a device is obtained, the DFI starts with making plans and coaching to encompass the needful method of acquiring gadgets, the necessary office work to guide and document the chain of custody, the development of a cause declaration for the examination, the detailing of the tool model (and different precise attributes of the received hardware), and a list or description of the information the requestor is looking for to accumulate.

Unique Challenges of Acquisition

Mobile gadgets, including cell telephones, pills, and so on., face unique, demanding situations for the duration of the proof seizure. Since battery existence is constrained on cell gadgets and it isn’t always recommended that a charger is inserted right into a tool, the isolation degree of proof amassing can be important in obtaining the device. Confounding right acquisition, the cellular statistics, WiFi connectivity, and Bluetooth connectivity must also be protected within the investigator’s recognition during acquisition. Android has many security functions that are constructed into the smartphone. The lock-screen feature may be set as PIN, password, drawing a pattern, facial reputation, location reputation, depending on on-device reputation, and biometrics such as fingerprints. A predicted 70% of customers do use some protection on their phones. Critically, there may be an available software program that the consumer may have downloaded, which could give them the potential to wipe the phone remotely, complicating the acquisition.

It is not throughout the seizure of the cellular tool that the display could be unlocked. If the tool isn’t always locked, the DFI’s exam may be easier because the DFI can exchange the settings inside the smartphone directly. If access is permitted to the cell cellphone, turn off the lock display and alternate the display screen timeout to its maximum price (which can be as much as a half-hour for a few devices). Remember that it is important to isolate the phone from any Internet connections to prevent faraway wiping of the device. Place the smartphone in Airplane mode. Attach an outside power supply to the telephone after it is positioned in a static-loose bag designed to build radiofrequency indicators. Once relaxed, you need to be able to permit USB debugging later to allow the Android Debug Bridge (ADB), which can offer precise statistics capture. At the same time, looking at the RAM artifacts on a mobile device, which will not occur, could be critical.

Acquiring the Android Data

Copying tough power from a laptop or PC in a forensically sound way is trivial compared to the records extraction strategies used for cell device information acquisition. Generally, DFIs have prepared physically to get admission to a tough power without obstacles, considering a hardware copy or software program bit movement photograph to be created. Mobile gadgets have their facts saved inside of the telephone in hard-to-reach locations. Extraction of information through the USB port may be challenging but can be accomplished with care and success on Android devices. After the Android tool is seized and secure, it is time to study the phone. Numerous statistics acquisition strategies are available for Android, and they fluctuate significantly. This article introduces and discusses 4 of the number one ways to technique data acquisition. These five techniques are cited and summarized below:

1. Send the device to the producer: You can send the tool to the producer for facts extraction to fee extra time and money, but it can be important if you do not have the precise talent set for a given tool or the time to learn. In particular, as referred to earlier, Android has many OS variations primarily based on the producer and ROM model, adding to the complexity of acquisition. Manufacturers normally make this carrier available to government businesses and regulation enforcement for maximum domestic gadgets. If you’re an unbiased contractor, you’ll need to check with the producer or gain support from the business enterprise you are operating with. Also, the producer investigation choice might not be available for numerous global fashions (like the many no-name Chinese telephones that proliferate the marketplace – think about the ‘disposable cellphone’).

2. Direct bodily acquisition of the records. One of the rules of a DFI investigation is to by no means to regulate the information. The physical acquisition of data from a cellular cellphone needs to recollect the identical strict processes of verifying and documenting that the bodily technique used will now not modify any records at the tool. Further, once the device is attached, the walking of hash totals is important. The physical acquisition lets the DFI achieve a complete photograph of the device using a USB twine and forensic software program (at this factor, you should consider writing blocks to save you any changing of the records).

Connecting to a cellular telephone and grabbing an image is not as easy and clear as pulling records from a difficult drive on a computing device computer. The hassle is that relying on your preferred forensic acquisition tool, the precise make and model of the cellphone, the provider, the Android OS version, the user’s settings on the telephone, the root popularity of the tool, the lock popularity, if the PIN code is understood, and if the USB debugging alternative is enabled at the device, you can now not be capable of acquiring the records from the tool beneath research. Placed, physical acquisition ends up inside the realm of ‘just trying it to look what you get and may seem to the court (or opposing aspect) as an unstructured manner to acquire facts that can locate the facts acquisition at hazard.

Three. JTAG forensics (a version of physical acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is a more advanced way of acquiring facts. It is a bodily method that entails cabling and connecting to Test Access Ports (TAPs) at the device and processing instructions to invoke a transfer of the uncooked records stored in reminiscence. Raw information is pulled immediately from the related tool using a unique JTAG cable.

This is considered a low-degree statistics acquisition because there’s no conversion or interpretation, and it is much like a bit of a replica. This is done while obtaining evidence from a laptop or computer difficult drive. JTAG acquisition can often be completed for locked, broken, and inaccessible (locked) gadgets. Since it’s miles a low-stage replica, the received records will need to be decrypted if the device changed into encrypted (whether by using the user or the precise producer, consisting of Samsung and some Nexus devices).

However, because Google is determined to eliminate complete-tool encryption with the Android OS five.0 launch, the whole-tool encryption predicament is narrowed until the user has chosen to encrypt their tool. After JTAG data is acquired from an Android device, the received facts may be further inspected and analyzed with gear, including 3zx (hyperlink: http://z3x-crew.Com/ ) or Belkasoft (hyperlink: https://belkasoft.Com/ ). JTAG gear will mechanically extract key virtual forensic artifacts, including name logs, contacts, region facts, browsing history, and more.

4. Chip-off acquisition. This acquisition technique calls for the removal of memory chips from the device. Produces uncooked binary dumps. Again, that is considered a sophisticated, low-degree acquisition and could require de-soldering of reminiscence chips using relatively specialized tools to get rid of the chips and different specialized gadgets to read the chips. Like the JTAG forensics referred to above, the DFI dangers that the chip contents are encrypted. However, if the information is not encrypted, a piece reproduction can be extracted as a raw image. The DFI must contend with block cope with remapping, fragmentation, and, if possible, encryption. Also, several Android device manufacturers, like Samsung, put in force encryption, which cannot be bypassed throughout or after chip-off acquisition has been completed, even though the perfect passcode is known. Due to the admission of problems with encrypted gadgets, chip-off is limited to unencrypted devices.

5. Over-the-air Data Acquisition. We are very conscious that Google has mastered information collection. Google maintains massive quantities of cellular phones, tablets, laptops, computer systems, and gadgets from numerous working devices. If the person has a Google account, the DFI can get the right to enter, download, and analyze all statistics for the given consumer under their Google user account, with the right permission from Google. This entails downloading records from the person’s Google Account. Currently, Android customers do not have any full cloud backups. Data that may be examined encompass Gmail, contact data, Google Drive records (which can be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android gadgets (where vicinity records for each device may be reviewed), and plenty greater.

The five strategies stated above aren’t a complete listing. A frequently observed observation surfaces about statistics acquisition – while running on a mobile tool, correct documentation is important. Further, documentation of the processes and methods used and adhering to the chain of custody methods you’ve set up will ensure that the evidence accumulated might be ‘forensically sound.’


As discussed in this article, cell device forensics, especially the Android OS, differs from the conventional digital forensic processes used for laptop and laptop computer systems. While the personal computer is without problems, the garage can be without trouble. The tool can be stored, and safe acquisition of mobile devices and information can often be difficult. A dependent approach to acquiring the cell device and a planned approach for records acquisition is essential. As mentioned above, the five strategies will allow the DFI to gain the right of entry to the tool. However, numerous extra strategies are now not discussed in this article. Additional research and tools used by the DFI can be important.

About the writer. Dr. Ron McFarland, CISSP, PMP, is the Dean of Applied Technologies at the College of the Canyons in Valencia, California. He also teaches as a part-time associate professor in cybersecurity studies at the University of Maryland University College. He received his doctorate from Nova Southeastern University’s School of Engineering and Computer Science. He also holds multiple safety certifications, including the distinguished Certified Information Systems Security Professional (CISSP) and numerous CISCO certifications. He is a visitor blogger at Wrinkled Brain Net ( http://www.Wrinkledbrain.Net ), a blog devoted to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC e-mail: ronald.Mcfarland@school.Umuc.Edu

Ricardo L. Dominguez

Tv geek. Professional twitter buff. Incurable zombie aficionado. Bacon fanatic. Internet expert. Alcohol specialist.Fixie owner, father of 3, ukulelist, Mad Men fan and Guest speaker. Working at the fulcrum of simplicity and programing to create great work for living breathing human beings. Concept is the foundation of everything else.