An Introduction to Forensics From Android Mobile Devices 1

An Introduction to Forensics From Android Mobile Devices

The position that a Digital Forensics Investigator (DFI) is rife with continuous getting to know opportunities, specifically as generation expands and proliferates into each nook of communications, amusement, and business. As a DFI, we cope with each day’s onslaught of new gadgets. Like the cell phone or tablet, many of those devices use commonplace running structures that we want to be acquainted with. Certainly, the Android OS is fundamental within the pill and mobile cellphone enterprise. Given the predominance of the Android OS inside the mobile device marketplace, DFIs will run on Android devices in the direction of many investigations. While numerous models advise approaches to acquire information from Android devices, this article introduces 4 viable strategies that the DFI needs to remember while proof accumulating from Android devices.

Read more Articles : 

A Bit of History of the Android OS

Android’s first business release came in September 2008 with version 1.0. Android is the open-source and ‘loose to apply’ running gadget for mobile devices evolved via Google. Importantly, early on, Google and other hardware companies shaped the “Open Handset Alliance” (OHA) in 2007 to foster and support the growth of Android in the market. The OHA now includes eighty-four hardware businesses, including giants like Samsung, HTC, and Motorola (to call a few). This alliance was established to compete with corporations who had their own marketplace services, consisting of aggressive gadgets presented by Apple, Microsoft (Windows Phone 10 – that’s now reportedly dead to the marketplace), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or not, the DFI should understand the various variations of multiple operating system platforms, particularly if their forensics cognizance is in a selected realm, together with cell devices.

Linux and Android

The present-day generation of the Android OS is based on Linux. Keep in thoughts that “based on Linux” does no longer suggest the usual Linux apps will usually run on an Android and, conversely, the Android apps that you would possibly experience (or are acquainted with) will now not necessarily run on your Linux computing device. But Linux is not Android. To make clear the factor, please observe that Google decided on the Linux kernel, the important part of the Linux running gadget, to manage the hardware chipset processing so that Google’s developers wouldn’t have to be worried about the specifics of the way processing takes place on a given set of hardware. This permits their developers to recognize the broader operating machine layer and the person interface features of the Android OS.

A Large Market Share

The Android OS has a widespread market proportion of the cell device market, more often than not because of its open-source nature. An excess of 328 million Android gadgets had been shipped as of the 0.33 zone in 2016. And, consistent with netwmarketshare.Com, the Android operating gadget had the majority of installations in 2017 — nearly sixty-seven% — as of this writing.


As a DFI, we can assume to encounter Android-based hardware inside the route of a typical research. Due to the open supply nature of the Android OS and the varied hardware platforms from Samsung, Motorola, HTC, and so on., the style of mixtures among hardware type and OS implementation offer an extra challenge. Consider that Android is currently at model 7.1.1. Yet, each telephone producer and cell tool dealer will commonly alter the OS for the particular hardware and service services, giving an additional layer of complexity for the DFI. The method to fact acquisition may also range.

Before we dig deeper into extra attributes of the Android OS that complicate the approach to information acquisition, allow’s take a look at the concept of a ROM version to be implemented to an Android device. As an outline, a ROM (Read Only Memory) program is low-stage programming near the kernel level, and the particular ROM software is often known as firmware. If you suspect in terms of a tablet in assessment to a cell phone, the tablet will have specific ROM programming as contrasted to a mobile phone, for the reason that hardware functions between the tablet and cell phone might be different, even though each hardware gadgets are from the equal hardware manufacturer. Complicating the want for more specifics inside the ROM software, upload in the unique necessities of cellular carrier companies (Verizon, AT&T, and so on.).

While there are commonalities of acquiring statistics from a cellular smartphone, now not all Android devices are the same, especially in light that there are fourteen most important Android OS releases in the marketplace (from versions 1.0 to 7.1.1), a couple of companies with model-particular ROMs, and further countless custom user-complied editions (customer ROMs). The ‘customer compiled variants’ also are version-unique ROMs. In general, the ROM-level updates carried out to each wireless tool will comprise operating and system basic packages that work for a specific hardware device, for a given dealer (for instance, your Samsung S7 from Verizon) for a selected implementation.

Even although there is no ‘silver bullet’ option to investigating any Android tool, the forensics research of an Android tool needs to comply with the same preferred procedure for the gathering of proof, requiring a dependent system and approach that address the research, seizure, isolation, acquisition, exam, and evaluation, and reporting for any digital proof. When a request to have a look at a tool is obtained, the DFI starts with making plans and instruction to consist of the needful method of acquiring devices, the essential office work to assist and report the chain of custody, the improvement of a purpose announcement for the exam, the detailing of the device model (and other particular attributes of the acquired hardware), and a listing or description of the information the requestor is searching for to accumulate.

Unique Challenges of Acquisition

Mobile gadgets, including cellular telephones, drugs, and so forth., face unique, demanding situations at some stage in the proof seizure. Since battery existence is constrained on mobile gadgets and it is not usually advocated that a charger is inserted right into a tool, the isolation level of evidence amassing may be crucial in obtaining the device. Confounding right acquisition, the cell statistics, WiFi connectivity, and Bluetooth connectivity also need to be included in the investigator’s focus at some stage in an acquisition. Android has many security capabilities constructed into the telephone. The lock-display function can be set as PIN, password, drawing a sample, facial popularity, place recognition, trusted-tool popularity, and biometrics consisting of fingerprints. An envisioned 70% of users do use some form of security protection on their smartphone. Critically, there may be the available software program that the user may also have downloaded that can deliver them the potential to wipe the smartphone remotely, complicating acquisition.

It is unlikely for the duration of the seizure of the cell device that the screen may be unlocked. If the device is not locked, the DFI’s examination could be less complicated because the DFI can trade the settings inside the smartphone right away. I get entry is permitted to the cell smartphone, disable the lock-display screen and alternate the display screen timeout to its most value (which can be as much as a half-hour for some devices). Keep in thoughts that of key importance is to isolate the telephone from any Internet connections to save you far-flung wiping of the device. Place the phone in Airplane mode. Attach an external energy supply to the smartphone after placing it in a static-loose bag designed to block radiofrequency alerts. Once relaxed, you ought to later be able to allow USB debugging, with the purpose to allow the Android Debug Bridge (ADB) that can offer appropriate fact capture. While it can be crucial to look at RAM artifacts on a cellular device, this is not going to manifest.


Acquiring the Android Data

Copying a difficult-drive from a laptop or computer laptop in a forensically sound manner is trivial compared to the statistics extraction strategies wanted for cellular tool information acquisition. Generally, DFIs have ready physical admission to a difficult-power without limitations, making an allowance for a hardware replica or software program bit flow photo to be created. Mobile devices have their information stored internal of the cellphone in difficult-to-attain places. Extraction of data via the USB port may be a task; however, it may be performed with care and good fortune on Android gadgets.

After the Android tool has been seized and is comfy, it’s time to have a look at the smartphone. There are several facts acquisition strategies to be had for Android, and they fluctuate significantly. This article introduces and discusses 4 of the number one approaches to technique information acquisition. These five strategies are noted and summarized under:

1. Send the device to the producer: You can send the device to the manufacturer for records extraction, to fee more time and money, but it may be vital in case you do no longer have the specific ability set for a given device nor the time to research. In specific, as noted earlier, Android has a plethora of OS variations based totally on the producer and ROM model, including the complexity of acquisition. Manufacturer’s usually made this service available to government groups and regulation enforcement for most domestic devices, so if you’re an impartial contractor, you’ll want to check with the manufacturer or benefit assist from the company that you are working with. Also, the producer investigation choice won’t be to be had for several international fashions (like the many no-call Chinese telephones that proliferate the market – think about the ‘disposable smartphone’).

2. Direct bodily acquisition of the facts. One of the regulations of a DFI investigation is to by no means to modify the records. The physical acquisition of facts from a cellular smartphone should recollect the same strict tactics of verifying and documenting that the physical approach will no longer alter any records in the tool. Further, as soon as the device is hooked up, going for walks of hash totals is vital. The physical acquisition lets the DFI obtain a full photograph of the tool, the usage of a USB twine, and forensic software program (at this factor, you need to be deliberating write blocks to prevent any changing of the statistics). Connecting to a cell smartphone and grabbing an image is not as clean and clear as pulling information from a difficult drive on a computer laptop. The hassle is that relying on your chosen forensic acquisition tool, the particular make and version of the telephone, the provider, the Android OS model, the consumer’s settings on the cellphone, the basis popularity of the device, the lock popularity, if the PIN code is known, and if the USB debugging alternative is enabled on the device, you can no longer be able to acquire the statistics from the tool under investigation. Simply put, physical acquisition ends up in the realm of ‘just attempting it’ to peer what you get and can seem to the court docket (or opposing aspect) as an unstructured manner to acquire statistics, which can vicinity the data acquisition at threat.

3. JTAG forensics (a version of bodily acquisition noted above). As a definition, JTAG (Joint Test Action Group) forensics is a more advanced knowledge acquisition method. It is largely a physical technique that entails cabling and connecting to Test Access Ports (TAPs) on the device and processing commands to invoke a transfer of the raw information stored in reminiscence. Raw data is pulled without delay from the connected tool using a unique JTAG cable. This is taken into consideration to be low-degree data acquisition due to the fact there’s no conversion or interpretation and is similar to a chunk-reproduction. This is performed when acquiring proof from a computing device or computer pc tough force. JTAG acquisition can often be achieved for locked, damaged, and inaccessible (locked) gadgets. Since it is a low-stage reproduction, if the device is changed into encrypted (whether through the consumer or using the particular manufacturer, which includes Samsung and some Nexus gadgets), the obtained statistics will need to be decrypted. But for the reason that Google determined to take away whole-tool encryption with the Android OS five- 0 release, the complete-device encryption problem is a chunk narrowed, except the consumer, has determined to encrypt their tool. After JTAG data is acquired from an Android device, the received data may be further inspected and analyzed with equipment consisting of 3zx (link: http://z3x-group.Com/ ) or Belkasoft (link: https://belkasoft.Com/ ). Using JTAG gear will mechanically extract key digital forensic artifacts along with name logs, contacts, area facts, surfing history, and loads extra.

Four. Chip-off acquisition. This acquisition approach requires the elimination of memory chips from the tool. Produces uncooked binary dumps. Again, that is considered a sophisticated, low-degree acquisition and could require de-soldering of memory chips using surprisingly specialized equipment to remove the chips and different specialized devices to study the chips. Like the JTAG forensics cited above, the DFI risks that the chip contents are encrypted. But if the facts aren’t encrypted, a piece reproduction can be extracted as an uncooked picture. The DFI will want to take care of block cope with remapping, fragmentation, and, if present, encryption. Several Android tool manufacturers, like Samsung, enforce encryption that can’t be bypassed at some stage in or after chip-off acquisition has been completed, although the ideal passcode is understood. Due to the access troubles with encrypted devices, chip off is constrained to unencrypted devices.


5. Over-the-air Data Acquisition. We are each aware that Google has mastered information series. Google is known for preserving big amounts from cellular phones, capsules, laptops, computer systems, and other gadgets from diverse working device kinds. If the consumer has a Google account, the DFI can access, download, and examine all records for the given user under their Google user account, with the right permission from Google. This entails downloading facts from the consumer’s Google Account. Currently, there are not any full cloud backups to be had for Android customers. Data that can be tested include Gmail, contact statistics, Google Drive information (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android devices (where region records for every tool may be reviewed), and plenty greater.

The 5 methods referred to above are not a comprehensive list. A regularly-repeated notice surfaces about facts acquisition – when working on a mobile device, proper and accurate documentation is crucial. Further, documentation of the procedures and tactics used, as well as adhering to the chain of custody tactics that you’ve set up, will ensure that proof accrued could be ‘forensically sound.’


As mentioned in this text, mobile device forensics, especially Android OS, is different from the traditional digital forensic tactics used for laptop and desktop computers. While the personal laptop is without problems secured, the garage may be easily copied. The device can be stored, safe acquisition of cellular devices and records can be and frequently is complex. A based method to acquiring the mobile tool and a deliberate technique for information acquisition is essential. As referred to above, the 5 techniques added will permit the DFI to get entry to the tool. However, there are several extra methods no longer mentioned in this newsletter. Additional studies and tool use using the DFI can be vital.