An Introduction to Forensics Data Acquisition From Android Mobile Devices

The position {that a} Digital Forensics Investigator (DFI) is rife with steady finding out alternatives, particularly as era expands and proliferates into each and every nook of communications, leisure and industry. As a DFI, we care for a day by day onslaught of latest gadgets. Many of those gadgets, just like the mobile phone or pill, use commonplace working methods that we want to be aware of. Certainly, the Android OS is major within the pill and mobile phone business. Given the predominance of the Android OS within the cell system marketplace, DFIs will run into Android gadgets at some point of many investigations. While there are a number of fashions that counsel approaches to obtaining information from Android gadgets, this newsletter introduces 4 viable strategies that the DFI must believe when proof collecting from Android gadgets.

A Bit of History of the Android OS

Android’s first business free up was once in September, 2008 with model 1.0. Android is the open supply and ‘loose to make use of’ working machine for cell gadgets evolved via Google. Importantly, early on, Google and different {hardware} corporations shaped the “Open Handset Alliance” (OHA) in 2007 to foster and fortify the expansion of the Android available on the market. The OHA now is composed of 84 {hardware} corporations together with giants like Samsung, HTC, and Motorola (to call a couple of). This alliance was once established to compete with corporations who had their very own marketplace choices, akin to aggressive gadgets introduced via Apple, Microsoft (Windows Phone 10 – which is now reportedly useless to the marketplace), and Blackberry (which has ceased making {hardware}). Regardless if an OS is defunct or now not, the DFI should know in regards to the more than a few variations of more than one working machine platforms, particularly if their forensics focal point is in a specific realm, akin to cell gadgets.

Linux and Android

The present iteration of the Android OS is in keeping with Linux. Keep in thoughts that “in keeping with Linux” does now not imply the standard Linux apps will at all times run on an Android and, conversely, the Android apps that it’s possible you’ll revel in (or are aware of) is not going to essentially run in your Linux desktop. But Linux isn’t Android. To explain the purpose, please notice that Google decided on the Linux kernel, the crucial a part of the Linux working machine, to regulate the {hardware} chipset processing in order that Google’s builders shouldn’t have to be keen on the specifics of the way processing happens on a given set of {hardware}. This permits their builders to concentrate on the wider working machine layer and the consumer interface options of the Android OS.

A Large Market Share

The Android OS has a considerable marketplace percentage of the cell system marketplace, basically because of its open-source nature. An way over 328 million Android gadgets have been shipped as of the 3rd quarter in 2016. And, consistent with, the Android working machine had the majority of installations in 2017 — just about 67% — as of this writing.

As a DFI, we will be expecting to come across Android-based {hardware} at some point of a regular investigation. Due to the open supply nature of the Android OS along with the assorted {hardware} platforms from Samsung, Motorola, HTC, and so on., the number of combos between {hardware} sort and OS implementation gifts an extra problem. Consider that Android is recently at model 7.1.1, but every telephone producer and cell system provider will normally regulate the OS for the precise {hardware} and repair choices, giving an extra layer of complexity for the DFI, because the solution to information acquisition might range.

Before we dig deeper into further attributes of the Android OS that complicate the solution to information acquisition, let’s take a look at the idea that of a ROM model that will probably be implemented to an Android system. As an outline, a ROM (Read Only Memory) program is low-level programming this is on the subject of the kernel point, and the original ROM program is usally referred to as firmware. If you assume on the subject of a pill against this to a mobile phone, the pill can have other ROM programming as contrasted to a mobile phone, since {hardware} options between the pill and mobile phone will probably be other, even supposing each {hardware} gadgets are from the similar {hardware} producer. Complicating the will for extra specifics within the ROM program, upload within the particular necessities of cellular carrier carriers (Verizon, AT&T, and so on.).

While there are commonalities of obtaining information from a mobile phone, now not all Android gadgets are equivalent, particularly in mild that there are fourteen primary Android OS releases available on the market (from variations 1.Zero to 7.1.1), more than one carriers with model-specific ROMs, and extra numerous customized user-complied editions (buyer ROMs). The ‘buyer compiled editions’ also are model-specific ROMs. In normal, the ROM-level updates implemented to every wi-fi system will comprise working and machine elementary programs that works for a specific {hardware} system, for a given supplier (as an example your Samsung S7 from Verizon), and for a specific implementation.

Even despite the fact that there’s no ‘silver bullet’ technique to investigating any Android system, the forensics investigation of an Android system must practice the similar normal procedure for the number of proof, requiring a structured procedure and way that deal with the investigation, seizure, isolation, acquisition, exam and research, and reporting for any virtual proof. When a request to inspect a tool is gained, the DFI begins with making plans and preparation to incorporate the considered necessary approach of obtaining gadgets, the vital bureaucracy to fortify and report the chain of custody, the advance of a goal observation for the exam, the detailing of the system mannequin (and different particular attributes of the got {hardware}), and a listing or description of the guidelines the requestor is looking for to procure.

Unique Challenges of Acquisition

Mobile gadgets, together with mobile phones, drugs, and so on., face distinctive demanding situations right through proof seizure. Since battery existence is proscribed on cell gadgets and it isn’t normally advisable {that a} charger be inserted into a tool, the isolation level of proof collecting generally is a important state in obtaining the system. Confounding right kind acquisition, the cell information, WiFi connectivity, and Bluetooth connectivity must even be integrated within the investigator’s focal point right through acquisition. Android has many safety features constructed into the telephone. The lock-screen characteristic will also be set as PIN, password, drawing a development, facial reputation, location reputation, trusted-device reputation, and biometrics akin to finger prints. An estimated 70% of customers do use some form of safety coverage on their telephone. Critically, there may be to be had device that the consumer can have downloaded, which can provide them the facility to wipe the telephone remotely, complicating acquisition.

It is not going right through the seizure of the cell system that the display screen will probably be unlocked. If the system isn’t locked, the DFI’s exam will probably be more straightforward for the reason that DFI can exchange the settings within the telephone promptly. If get admission to is authorized to the mobile phone, disable the lock-screen and alter the display screen timeout to its most price (which will also be as much as 30 mins for some gadgets). Keep in thoughts that of key significance is to isolate the telephone from any Internet connections to stop faraway wiping of the system. Place the telephone in Airplane mode. Attach an exterior energy provide to the telephone after it’s been positioned in a static-free bag designed to dam radiofrequency alerts. Once safe, you must later have the ability to allow USB debugging, which can permit the Android Debug Bridge (ADB) that can give just right information seize. While it can be necessary to inspect the artifacts of RAM on a cell system, that is not going to occur.

Acquiring the Android Data

Copying a hard-drive from a desktop or laptop pc in a forensically-sound approach is trivial as in comparison to the information extraction strategies wanted for cell system information acquisition. Generally, DFIs have in a position bodily get admission to to a hard-drive and not using a boundaries, making an allowance for a {hardware} replica or device bit circulation symbol to be created. Mobile gadgets have their information saved within the telephone in difficult-to-reach puts. Extraction of information throughout the USB port generally is a problem, however will also be achieved with care and good fortune on Android gadgets.

After the Android system has been seized and is safe, it’s time to read about the telephone. There are a number of information acquisition strategies to be had for Android they usually range significantly. This article introduces and discusses 4 of the main techniques to way information acquisition. These 5 strategies are famous and summarized under:

1. Send the system to the producer: You can ship the system to the producer for information extraction, which can value further money and time, however is also vital for those who do not need the precise talent set for a given system nor the time to be informed. In explicit, as famous previous, Android has a plethora of OS variations in keeping with the producer and ROM model, including to the complexity of acquisition. Manufacturer’s most often make this carrier to be had to executive businesses and regulation enforcement for many home gadgets, so in case you are an unbiased contractor, it is very important take a look at with the producer or acquire fortify from the group that you’re operating with. Also, the producer investigation choice might not be to be had for a number of global fashions (like the numerous no-name Chinese telephones that proliferate the marketplace – bring to mind the ‘disposable telephone’).

2. Direct bodily acquisition of the information. One of laws of a DFI investigation is to by no means to vary the information. The bodily acquisition of information from a mobile phone should remember the similar strict processes of verifying and documenting that the bodily approach used is not going to regulate any information at the system. Further, as soon as the system is hooked up, the working of hash totals is vital. Physical acquisition permits the DFI to procure a complete symbol of the system the usage of a USB wire and forensic device (at this level, you must be pondering of write blocks to stop any changing of the information). Connecting to a mobile phone and grabbing a picture simply is not as blank and transparent as pulling information from a tough force on a desktop pc. The drawback is that relying in your decided on forensic acquisition software, the precise make and mannequin of the telephone, the provider, the Android OS model, the consumer’s settings at the telephone, the foundation standing of the system, the lock standing, if the PIN code is understood, and if the USB debugging choice is enabled at the system, you would possibly not have the ability to achieve the information from the system below investigation. Simply put, bodily acquisition leads to the area of ‘simply making an attempt it’ to look what you get and might seem to the courtroom (or opposing aspect) as an unstructured technique to accumulate information, which is able to position the information acquisition in peril.

3. JTAG forensics (a variation of bodily acquisition famous above). As a definition, JTAG (Joint Test Action Group) forensics is a extra complicated means of information acquisition. It is largely a bodily approach that comes to cabling and connecting to Test Access Ports (TAPs) at the system and the usage of processing directions to invoke a switch of the uncooked information saved in reminiscence. Raw information is pulled immediately from the hooked up system the usage of a distinct JTAG cable. This is regarded as to be low-level information acquisition since there’s no conversion or interpretation and is very similar to a bit-copy this is finished when obtaining proof from a desktop or laptop pc demanding force. JTAG acquisition can usally be finished for locked, broken and inaccessible (locked) gadgets. Since this can be a low-level replica, if the system was once encrypted (whether or not via the consumer or via the precise producer, akin to Samsung and a few Nexus gadgets), the got information will nonetheless want to be decrypted. But since Google made up our minds to get rid of whole-device encryption with the Android OS 5.Zero free up, the whole-device encryption limitation is a piece narrowed, until the consumer has decided to encrypt their system. After JTAG information is got from an Android system, the got information will also be additional inspected and analyzed with equipment akin to 3zx (hyperlink: ) or Belkasoft (hyperlink: ). Using JTAG equipment will robotically extract key virtual forensic artifacts together with name logs, contacts, location information, surfing historical past and much more.

4. Chip-off acquisition. This acquisition method calls for the elimination of reminiscence chips from the system. Produces uncooked binary dumps. Again, this is regarded as a complicated, low-level acquisition and would require de-soldering of reminiscence chips the usage of extremely specialised equipment to take away the chips and different specialised gadgets to learn the chips. Like the JTAG forensics famous above, the DFI dangers that the chip contents are encrypted. But if the guidelines isn’t encrypted, a piece replica will also be extracted as a uncooked symbol. The DFI will want to take care of block deal with remapping, fragmentation and, if provide, encryption. Also, a number of Android system producers, like Samsung, put in force encryption which can’t be bypassed right through or after chip-off acquisition has been finished, even supposing the proper passcode is understood. Due to the get admission to problems with encrypted gadgets, chip off is proscribed to unencrypted gadgets.

5. Over-the-air Data Acquisition. We are every conscious that Google has mastered information assortment. Google is understood for keeping up large quantities from mobile phones, drugs, laptops, computer systems and different gadgets from more than a few working machine sorts. If the consumer has a Google account, the DFI can get admission to, obtain, and analyze all knowledge for the given consumer below their Google consumer account, with right kind permission from Google. This comes to downloading knowledge from the consumer’s Google Account. Currently, there are not any complete cloud backups to be had to Android customers. Data that may be tested come with Gmail, touch knowledge, Google Drive information (which will also be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android gadgets, (the place location historical past for every system will also be reviewed), and a lot more.

The 5 strategies famous above isn’t a complete record. An often-repeated notice surfaces about information acquisition – when operating on a cell system, right kind and correct documentation is very important. Further, documentation of the processes and procedures used in addition to adhering to the chain of custody processes that you’ve got established will make certain that proof accumulated will probably be ‘forensically sound.’


As mentioned on this article, cell system forensics, and particularly the Android OS, isn’t the same as the standard virtual forensic processes used for computer and desktop computer systems. While the non-public pc is well secured, garage will also be readily copied, and the system will also be saved, protected acquisition of cell gadgets and information will also be and usally is problematic. A structured solution to obtaining the cell system and a deliberate way for information acquisition is vital. As famous above, the 5 strategies presented will permit the DFI to realize get admission to to the system. However, there are a number of further strategies now not mentioned on this article. Additional analysis and gear use via the DFI will probably be vital.

Tags :