Data Storage & Recovery

An Introduction to Forensics Data Acquisition from Android Mobile Devices

The position that a Virtual Forensics Investigator (DFI) is rife with steady studying possibilities, particularly as generation expands and proliferates into each and every nook of communications, leisure and industry. As a DFI, we maintain a day by day onslaught of latest units. Many of those units, just like the mobile phone or pill, use not unusual running methods that we want to be acquainted with. Indisputably, the Android OS is most important within the pill and mobile phone business. Given the predominance of the Android OS within the cellular tool marketplace, DFIs will run into Android units at some point of many investigations. At the same time as there are a couple of fashions that recommend strategies to obtaining knowledge from Android units, this newsletter introduces 4 conceivable strategies that the DFI will have to believe while proof collecting from Android units.

A Little Bit Of Historical Past Of the Android OS

Android’s first business unlock used to be in September, 2008 with model Android is the open supply and ‘loose to make use of’ running gadget for cellular units evolved through Google. Importantly, early on, Google and different hardware firms shaped the “Open Handset Alliance” (OHA) in 2007 to foster and give a boost to the expansion of the Android on the market. The OHA now is composed of eighty four hardware firms together with giants like Samsung, HTC, and Motorola (to call a couple of). This alliance used to be based to compete with firms who had their very own marketplace services, similar to aggressive units presented by way of Apple, Microsoft (Home windows Telephone 10 – that is now reportedly lifeless to the marketplace), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or now not, the DFI will have to realize concerning the more than a few variations of more than one running device systems, particularly if their forensics center of attention is in a specific realm, akin to cellular units.

Linux and Android

The present generation of the Android OS is in response to Linux. Take into account that “in accordance with Linux” does now not imply the standard Linux apps will all the time run on an Android and, conversely, the Android apps that you may revel in (or are accustomed to) won’t essentially run for your Linux computer. However Linux isn’t Android. To explain the purpose, please word that Google decided on the Linux kernel, the very important a part of the Linux running gadget, to regulate the hardware chipset processing in order that Google’s builders don’t have to be concerned about the specifics of ways processing happens on a given set of hardware. This permits their builders to concentrate on the wider running device layer and the consumer interface options of the Android OS.

A Massive Marketplace Percentage

The Android OS has a considerable marketplace percentage of the cellular tool marketplace, essentially as a result of its open-supply nature. An far more than 328 million Android units have been shipped as of the 3rd quarter in 2016. And, consistent with, the Android running gadget had the majority of installations in 2017 — just about sixty seven% — as of this writing.

As a DFI, we will be able to be expecting to come upon Android-primarily based hardware during a regular research. As a result of the open supply nature of the Android OS together with the various hardware systems from Samsung, Motorola, HTC, and so on., the number of mixtures among hardware sort and OS implementation gifts an extra problem. Believe that Android is recently at model 7.1.1, but each and every telephone producer and cellular tool provider will generally adjust the OS for the precise hardware and repair services, giving an extra layer of complexity for the DFI, because the way to knowledge acquisition would possibly range.

Sooner than we dig deeper into further attributes of the Android OS that complicate the option to knowledge acquisition, let us take a look at the idea that of a ROM model to be able to be implemented to an Android software. As an summary, a ROM (Learn Best Reminiscence) software is low-degree programming that may be just about the kernel degree, and the original ROM software is steadily referred to as firmware. In the event you assume when it comes to a pill by contrast to a mobile phone, the pill could have other ROM programming as contrasted to a mobile phone, considering hardware options among the pill and mobile phone might be other, despite the fact that each hardware units are from the similar hardware producer. Complicating the will for extra specifics within the ROM software, upload within the particular necessities of cellphone carrier providers (Verizon, AT&T, and so forth.).

Whilst there are commonalities of obtaining knowledge from a mobile phone, now not all Android units are equivalent, particularly in gentle that there are fourteen best Android OS releases available on the market (from variations to 7.1.1), more than one vendors with style-particular ROMs, and extra numerous customized consumer-complied variations (consumer ROMs). The ‘consumer compiled versions’ also are style-particular ROMs. Generally, the ROM-degree updates implemented to each and every wi-fi tool will include running and device fundamental programs that works for a specific hardware software, for a given supplier (as an example your Samsung S7 from Verizon), and for a specific implementation.

Although there is not any ‘silver bullet’ method to investigating any Android tool, the forensics research of an Android tool will have to apply the similar basic procedure for the choice of proof, requiring a based procedure and method that cope with the research, seizure, isolation, acquisition, exam and research, and reporting for any virtual proof. While a request to inspect a tool is won, the DFI begins with making plans and education to incorporate the considered necessary way of obtaining units, the essential bureaucracy to reinforce and record the chain of custody, the improvement of a objective observation for the exam, the detailing of the software type (and different particular attributes of the received hardware), and an inventory or description of the ideas the requestor is looking for to procure.

Distinctive Demanding Situations of Acquisition

Cellular units, together with cell phone telephones, drugs, and so forth., face distinctive demanding situations all the way through proof seizure. Due to the fact battery lifestyles is restricted on cellular units and it isn’t in most cases really helpful that a charger be inserted into a tool, the isolation level of proof amassing is usually a crucial state in obtaining the tool. Confounding right kind acquisition, the mobile knowledge, WiFi connectivity, and Bluetooth connectivity will have to even be incorporated within the investigator’s center of attention all the way through acquisition. Android has many security measures constructed into the telephone. The lock-monitor function may also be set as PIN, password, drawing a trend, facial popularity, region popularity, depended on-software popularity, and biometrics similar to finger prints. An anticipated 70% of customers do use a few form of safety coverage on their telephone. Significantly, there’s to be had device that the consumer will have downloaded, which may give them the power to wipe the telephone remotely, complicating acquisition.

It’s not likely all through the seizure of the cellular software that the display can be unlocked. If the software isn’t locked, the DFI’s exam can be more uncomplicated since the DFI can amendment the settings within the telephone right away. If get entry to is authorized to the mobile phone, disable the lock-monitor and alter the monitor timeout to its most worth (which may also be as much as half-hour for a few units). Take into account that of key significance is to isolate the telephone from any Web connections to stop far flung wiping of the software. Position the telephone in Plane mode. Connect an exterior energy provide to the telephone after it’s been positioned in a static-loose bag designed to dam radiofrequency signs. As soon as safe, you will have to later have the ability to allow USB debugging, that allows you to permit the Android Debug Bridge (ADB) that can give just right knowledge seize. At the same time as it can be essential to inspect the artifacts of RAM on a cellular tool, that is not likely to occur.

Obtaining the Android Knowledge

Copying a troublesome-pressure from a personal computer or laptop pc in a forensically-sound way is trivial as in comparison to the information extraction strategies wanted for cellular software knowledge acquisition. Normally, DFIs have in a position bodily get right of entry to to a troublesome-pressure without a obstacles, making an allowance for a hardware reproduction or tool bit movement symbol to be created. Cellular units have their knowledge saved inside the telephone in tricky-to-succeed in puts. Extraction of knowledge in the course of the USB port could be a problem, however can also be finished with care and good fortune on Android units.

After the Android software has been seized and is safe, it’s time to read about the telephone. There are a few knowledge acquisition strategies to be had for Android they usually range appreciably. This newsletter introduces and discusses 4 of the main how you can method knowledge acquisition. Those 5 strategies are cited and summarized under:

  1. Ship the software to the producer: You’ll be able to ship the tool to the producer for knowledge extraction, on the way to value additional money and time, however could also be important should you shouldn’t have the specific talent set for a given tool nor the time to be informed. Particularly, as mentioned in advance, Android has a plethora of OS variations in accordance with the producer and ROM model, including to the complexity of acquisition. Producer’s normally make this carrier to be had to executive businesses and regulation enforcement for so much household units, so if you are an unbiased contractor, it is important to test with the producer or achieve make stronger from the group that you’re running with. Additionally, the producer research choice will not be to be had for a few global fashions (like the numerous no-identify Chinese language telephones that proliferate the marketplace – call to mind the ‘disposable telephone’).
  2. Direct bodily acquisition of the information. Certainly one of regulations of a DFI research is to by no means to change the information. The bodily acquisition of knowledge from a mobile phone will have to take note the similar strict approaches of verifying and documenting that the bodily means used won’t adjust any knowledge at the software. Additional, as soon as the software is hooked up, the operating of hash totals is essential. Bodily acquisition lets in the DFI to procure a whole symbol of the software the use of a USB twine and forensic tool (at this aspect, you will have to be considering of write blocks to stop any changing of the information). Connecting to a mobile phone and grabbing a picture simply is not as blank and transparent as pulling knowledge from a troublesome force on a computer pc. The issue is that relying in your decided on forensic acquisition software, the specific make and style of the telephone, the service, the Android OS model, the consumer’s settings at the telephone, the basis standing of the software, the lock standing, if the PIN code is understood, and if the USB debugging choice is enabled at the software, you can also now not have the ability to gain the information from the software beneath research. Merely placed, bodily acquisition results in the area of ‘simply making an attempt it’ to peer what you get and would possibly seem to the courtroom (or opposing aspect) as an unstructured option to acquire knowledge, which will position the information acquisition in danger.
  3. JTAG forensics (a model of bodily acquisition mentioned above). As a definition, JTAG (Joint Check Motion Team) forensics is a extra complex method of knowledge acquisition. It’s necessarily a bodily way that comes to cabling and connecting to Check Get entry to Ports (TAPs) at the software and the use of processing directions to invoke a switch of the uncooked knowledge saved in reminiscence. Uncooked knowledge is pulled in an instant from the hooked up software the use of a unique JTAG cable. This is thought of as to be low-degree knowledge acquisition due to the fact that there is not any conversion or interpretation and is very similar to just a little-reproduction that may be performed while obtaining proof from a personal computer or laptop pc onerous force. JTAG acquisition can frequently be performed for locked, broken and inaccessible (locked) units. On the grounds that this is a low-degree reproduction, if the software used to be encrypted (whether or not by way of the consumer or by way of the specific producer, corresponding to Samsung and a few Nexus units), the obtained knowledge will nonetheless want to be decrypted. However due to the fact Google made up our minds to get rid of entire-software encryption with the Android OS unencumber, the entire-tool encryption trouble is somewhat narrowed, until the consumer has made up our minds to encrypt their tool. After JTAG knowledge is got from an Android tool, the received knowledge may also be additional inspected and analyzed with equipment comparable to 3zx (hyperlink: ) or Belkasoft (hyperlink: ). The use of JTAG equipment will routinely extract key virtual forensic artifacts together with name logs, contacts, region knowledge, surfing historical past and much more.
  4. Chip-off acquisition. This acquisition method calls for the removing of reminiscence chips from the tool. Produces uncooked binary dumps. Once more, this is thought of as a complicated, low-degree acquisition and would require de-soldering of reminiscence chips the use of extremely specialised equipment to take away the chips and different specialised units to learn the chips. Just like the JTAG forensics mentioned above, the DFI dangers that the chip contents are encrypted. But when the ideas isn’t encrypted, a bit of reproduction may also be extracted as a uncooked symbol. The DFI will want to deal with block cope with remapping, fragmentation and, if provide, encryption. Additionally, a couple of Android tool producers, like Samsung, put into effect encryption which can’t be bypassed throughout or after chip-off acquisition has been finished, despite the fact that the right kind passcode is understood. As a result of the get right of entry to problems with encrypted units, chip off is restricted to unencrypted units.
  5. Over-the-air Knowledge Acquisition. We’re each and every mindful that Google has mastered knowledge assortment. Google is understood for keeping up large quantities from cellphone telephones, pills, laptops, computer systems and different units from more than a few running gadget varieties. If the consumer has a Google account, the DFI can get right of entry to, obtain, and examine all knowledge for the given consumer underneath their Google consumer account, with right kind permission from Google. This comes to downloading knowledge from the consumer’s Google Account. Recently, there aren’t any complete cloud backups to be had to Android customers. Knowledge that may be tested come with Gmail, touch knowledge, Google Force knowledge (which can also be very revealing), synced Chrome tabs, browser bookmarks, passwords, an inventory of registered Android units, (the place region historical past for each and every tool can also be reviewed), and a lot more.

The 5 strategies mentioned above isn’t a complete listing. An regularly-repeated observe surfaces approximately knowledge acquisition – while running on a cellular software, right kind and correct documentation is very important. Additional, documentation of the techniques and techniques used in addition to adhering to the chain of custody strategies that you’ve got based will make certain that proof accumulated will probably be ‘forensically sound.’


As mentioned on this article, cellular software forensics, and particularly the Android OS, isn’t like the normal virtual forensic approaches used for pc and personal computer computer systems. At the same time as the private pc is definitely secured, garage may also be easily copied, and the software can also be saved, protected acquisition of cellular units and information can also be and regularly is challenging. A dependent method to obtaining the cellular tool and a deliberate method for knowledge acquisition is important. As mentioned above, the 5 strategies presented will permit the DFI to realize get entry to to the tool. Then again, there are a few further strategies now not mentioned on this article. Further analysis and gear use through the DFI might be essential.