An Introduction to Forensics From Android Mobile Devices

The position that a Digital Forensics Investigator (DFI) is rife with continuous getting to know opportunities, specifically as generation expands and proliferates into each nook of communications, amusement, and business. As a DFI, we cope with each day onslaught of new gadgets. Many of those devices, just like the cell phone or tablet, use commonplace running structures that we want to be acquainted with. Certainly, the Android OS is fundamental within the pill and mobile cellphone enterprise. Given the predominance of the Android OS inside the mobile device marketplace, DFIs will run on Android devices in the direction of many investigations. While there are numerous models that advise approaches to acquire information from Android devices, this article introduces 4 viable strategies that the DFI need to remember while proof accumulating from Android devices.


Read more Articles : 

A Bit of History of the Android OS

Android’s first business release became in September 2008 with version 1.0. Android is the open source and ‘loose to apply’ running gadget for mobile devices evolved via Google. Importantly, early on, Google and other hardware companies shaped the “Open Handset Alliance” (OHA) in 2007 to foster and support the growth of the Android in the market. The OHA now includes eighty-four hardware businesses which include giants like Samsung, HTC, and Motorola (to call a few). This alliance was established to compete with corporations who had their own marketplace services, consisting of aggressive gadgets presented by Apple, Microsoft (Windows Phone 10 – that’s now reportedly dead to the marketplace), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or not, the DFI should understand about the various variations of multiple operating system platforms, particularly if their forensics cognizance is in a selected realm, together with cell devices.

Linux and Android

The present-day generation of the Android OS is based on Linux. Keep in thoughts that “based on Linux” does no longer suggest the usual Linux apps will usually run on an Android and, conversely, the Android apps that you would possibly experience (or are acquainted with) will now not necessarily run on your Linux computing device. But Linux is not Android. To make clear the factor, please observe that Google decided on the Linux kernel, the important part of the Linux running gadget, to manage the hardware chipset processing so that Google’s developers wouldn’t have to be worried about the specifics of the way processing takes place on a given set of hardware. This permits their developers to recognition on the broader operating machine layer and the person interface features of the Android OS.

A Large Market Share

The Android OS has a widespread market proportion of the cell device market, more often than not because of its open-source nature. An excess of 328 million Android gadgets had been shipped as of the 0.33 zone in 2016. And, consistent with netwmarketshare.Com, the Android operating gadget had the majority of installations in 2017 — nearly sixty-seven% — as of this writing.Forensics

As a DFI, we are able to assume to encounter Android-based hardware inside the route of a typical research. Due to the open supply nature of the Android OS along with the varied hardware platforms from Samsung, Motorola, HTC, and so on., the style of mixtures among hardware type and OS implementation offers an extra challenge. Consider that Android is currently at model 7.1.1, yet each telephone producer and cell tool dealer will commonly alter the OS for the particular hardware and service services, giving an additional layer of complexity for the DFI, because the method to facts acquisition may additionally range.

Before we dig deeper into extra attributes of the Android OS that complicate the approach to information acquisition, allow’s take a look at the concept of a ROM version so one can be implemented to an Android device. As an outline, a ROM (Read Only Memory) program is low-stage programming this is near the kernel level, and the particular ROM software is often known as firmware. If you suspect in terms of a tablet in assessment to a cell phone, the tablet will have specific ROM programming as contrasted to a mobile phone, for the reason that hardware functions between the tablet and cell phone might be different, even though each hardware gadgets are from the equal hardware manufacturer. Complicating the want for more specifics inside the ROM software, upload in the unique necessities of cellular carrier companies (Verizon, AT&T, and so on.).

While there are commonalities of acquiring statistics from a cellular smartphone, now not all Android devices are same, especially in light that there are fourteen most important Android OS releases in the marketplace (from versions 1.0 to 7.1.1), a couple of companies with model-particular ROMs, and further countless custom user-complied editions (customer ROMs). The ‘customer compiled variants’ also are version-unique ROMs. In general, the ROM-level updates carried out to each wireless tool will comprise operating and system basic packages that work for a specific hardware device, for a given dealer (as an instance your Samsung S7 from Verizon), and for a selected implementation.

Even although there is no ‘silver bullet’ option to investigating any Android tool, the forensics research of an Android tool need to comply with the same preferred procedure for the gathering of proof, requiring a dependent system and approach that address the research, seizure, isolation, acquisition, exam and evaluation, and reporting for any digital proof. When a request to have a look at a tool is obtained, the DFI starts with making plans and instruction to consist of the needful method of acquiring devices, the essential office work to assist and report the chain of custody, the improvement of a purpose announcement for the exam, the detailing of the device model (and other particular attributes of the acquired hardware), and a listing or description of the information the requestor is searching for to accumulate.

Unique Challenges of Acquisition

Mobile gadgets, which include cellular telephones, drugs, and so forth., face unique demanding situations at some stage in the proof seizure. Since battery existence is constrained on mobile gadgets and it is not usually advocated that a charger is inserted right into a tool, the isolation level of evidence amassing may be a crucial nation in obtaining the device. Confounding right acquisition, the cell statistics, WiFi connectivity, and Bluetooth connectivity need to also be included in the investigator’s focus at some stage in an acquisition. Android has many security capabilities constructed into the telephone. The lock-display function can be set as PIN, password, drawing a sample, facial popularity, place recognition, trusted-tool popularity, and biometrics consisting of fingerprints. An envisioned 70% of users do use some form of security protection on their smartphone. Critically, there may be the available software program that the user may also have downloaded, that can deliver them the potential to wipe the smartphone remotely, complicating acquisition.

It is unlikely for the duration of the seizure of the cell device that the screen may be unlocked. If the device is not locked, the DFI’s examination could be less complicated because the DFI can trade the settings inside the smartphone right away. If get entry to is permitted to the cell smartphone, disable the lock-display screen and alternate the display screen timeout to its most value (which can be as much as half-hour for some devices). Keep in thoughts that of key importance is to isolate the telephone from any Internet connections to save you far-flung wiping of the device. Place the phone in Airplane mode. Attach an external energy supply to the smartphone after it’s been placed in a static-loose bag designed to block radiofrequency alerts. Once relaxed, you ought to later be able to allow USB debugging, with a purpose to allow the Android Debug Bridge (ADB) that can offer appropriate facts capture. While it is able to be crucial to look at the artifacts of RAM on a cellular device, this is not going to manifest.Mobile

Acquiring the Android Data

Copying a difficult-drive from a laptop or computer laptop in a forensically-sound manner is trivial in comparison to the statistics extraction strategies wanted for cellular tool information acquisition. Generally, DFIs have ready physical get admission to a difficult-power without limitations, making an allowance for a hardware replica or software program bit flow photo to be created. Mobile devices have their information stored internal of the cellphone in difficult-to-attain places. Extraction of data via the USB port may be a task, however, may be performed with care and good fortune on Android gadgets.

After the Android tool has been seized and is comfy, it’s time to have a look at the smartphone. There are several facts acquisition strategies to be had for Android and they fluctuate significantly. This article introduces and discusses 4 of the number one approaches to technique information acquisition. These five strategies are noted and summarized under:

1. Send the device to the producer: You can send the device to the manufacturer for records extraction, with a view to fee more time and money, but may be vital in case you do no longer have the specific ability set for a given device nor the time to research. In specific, as noted earlier, Android has a plethora of OS variations based totally on the producer and ROM model, including to the complexity of acquisition. Manufacturer’s usually made this service available to government groups and regulation enforcement for most domestic devices, so if you’re an impartial contractor, you’ll want to check with the manufacturer or benefit assist from the company that you are working with. Also, the producer investigation choice won’t be to be had for several international fashions (like the many no-call Chinese telephones that proliferate the market – think about the ‘disposable smartphone’).

2. Direct bodily acquisition of the facts. One of the regulations of a DFI investigation is to by no means to modify the records. The physical acquisition of facts from a cellular smartphone should recollect the same strict tactics of verifying and documenting that the physical approach used will no longer alter any records in the tool. Further, as soon as the device is hooked up, the going for walks of hash totals is vital. The physical acquisition lets in the DFI to obtain a full photograph of the tool the usage of a USB twine and forensic software program (at this factor, you need to be deliberating write blocks to prevent any changing of the statistics). Connecting to a cell smartphone and grabbing an image just is not as clean and clear as pulling information from a difficult drive on a computer laptop. The hassle is that relying on your chosen forensic acquisition tool, the particular make and version of the telephone, the provider, the Android OS model, the consumer’s settings on the cellphone, the basis popularity of the device, the lock popularity, if the PIN code is known, and if the USB debugging alternative is enabled on the device, you can no longer be able to acquire the statistics from the tool under investigation. Simply put, physical acquisition ends up in the realm of ‘just attempting it’ to peer what you get and can seem to the court docket (or opposing aspect) as an unstructured manner to acquire statistics, which can vicinity the data acquisition at threat.

3. JTAG forensics (a version of bodily acquisition noted above). As a definition, JTAG (Joint Test Action Group) forensics is a more advanced way of facts acquisition. It is largely a physical technique that entails cabling and connecting to Test Access Ports (TAPs) on the device and the usage of processing commands to invoke a transfer of the raw information stored in reminiscence. Raw data is pulled without delay from the connected tool using a unique JTAG cable. This is taken into consideration to be low-degree data acquisition due to the fact there’s no conversion or interpretation and is similar to a chunk-reproduction this is performed when acquiring proof from a computing device or computer pc tough force. JTAG acquisition can often be achieved for locked, damaged and inaccessible (locked) gadgets. Since it is a low-stage reproduction, if the device changed into encrypted (whether through the consumer or by means of the particular manufacturer, which include Samsung and some Nexus gadgets), the obtained statistics will nonetheless need to be decrypted. But for the reason that Google determined to take away whole-tool encryption with the Android OS five.0 release, the complete-device encryption problem is a chunk narrowed, except the consumer has determined to encrypt their tool. After JTAG data is acquired from an Android device, the received data may be further inspected and analyzed with equipment consisting of 3zx (link: http://z3x-group.Com/ ) or Belkasoft (link: https://belkasoft.Com/ ). Using JTAG gear will mechanically extract key digital forensic artifacts along with name logs, contacts, area facts, surfing history and loads extra.

Four. Chip-off acquisition. This acquisition approach requires the elimination of memory chips from the tool. Produces uncooked binary dumps. Again, that is taken into consideration a sophisticated, low-degree acquisition and could require de-soldering of memory chips using surprisingly specialized equipment to remove the chips and different specialised devices to study the chips. Like the JTAG forensics cited above, the DFI risks that the chip contents are encrypted. But if the facts isn’t encrypted, a piece reproduction can be extracted as a uncooked picture. The DFI will want to take care of block cope with remapping, fragmentation and, if present, encryption. Also, several Android tool manufacturers, like Samsung, enforce encryption which can’t be bypassed at some stage in or after chip-off acquisition has been completed, although the ideal passcode is understood. Due to the access troubles with encrypted devices, chip off is constrained to unencrypted devices.Mobile

5. Over-the-air Data Acquisition. We are each aware that Google has mastered information series. Google is known for preserving big amounts from cellular phones, capsules, laptops, computer systems and other gadgets from diverse working device kinds. If the consumer has a Google account, the DFI can access, download, and examine all records for the given user under their Google user account, with right permission from Google. This entails downloading facts from the consumer’s Google Account. Currently, there are not any full cloud backups to be had to Android customers. Data that can be tested include Gmail, contact statistics, Google Drive information (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android devices, (where region records for every tool may be reviewed), and plenty greater.

The 5 methods referred to above is not a comprehensive list. A regularly-repeated notice surfaces about facts acquisition – when working on a mobile device, proper and accurate documentation is crucial. Further, documentation of the procedures and tactics used as well as adhering to the chain of custody tactics that you’ve set up will ensure that proof accrued could be ‘forensically sound.’


As mentioned in this text, mobile device forensics, and especially the Android OS, is different from the traditional digital forensic tactics used for laptop and desktop computers. While the personal laptop is without problems secured, garage may be easily copied, and the device can be stored, safe acquisition of cellular devices and records can be and frequently is complex. A based method to acquiring the mobile tool and a deliberate technique for information acquisition is essential. As referred to above, the 5 techniques added will permit the DFI to advantage get entry to to the tool. However, there are several extra methods no longer mentioned in this newsletter. Additional studies and tool use by means of the DFI can be vital.