An Introduction to Forensics Data Acquisition From Android Mobile Devices

The position {that a} Digital Forensics Investigator (DFI) is rife with steady studying alternatives, particularly as know-how expands and proliferates into each nook of communications, leisure and enterprise. As a DFI, we cope with a each day onslaught of recent gadgets. Many of those gadgets, just like the mobile phone or pill, use frequent working programs that we’d like to be accustomed to. Certainly, the Android OS is predominant within the pill and mobile phone trade. Given the predominance of the Android OS within the cellular gadget market, DFIs will run into Android gadgets in the midst of many investigations. While there are a number of fashions that recommend approaches to buying knowledge from Android gadgets, this text introduces 4 viable strategies that the DFI ought to think about when proof gathering from Android gadgets.

A Bit of History of the Android OS

Android’s first industrial launch was in September, 2008 with model 1.0. Android is the open supply and ‘free to use’ working system for cellular gadgets developed by Google. Importantly, early on, Google and different {hardware} firms fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and help the expansion of the Android within the market. The OHA now consists of 84 {hardware} firms together with giants like Samsung, HTC, and Motorola (to title a number of). This alliance was established to compete with firms who had their very own market choices, comparable to aggressive gadgets provided by Apple, Microsoft (Windows Phone 10 – which is now reportedly useless to the market), and Blackberry (which has ceased making {hardware}). Regardless if an OS is defunct or not, the DFI should know in regards to the varied variations of a number of working system platforms, particularly if their forensics focus is in a selected realm, comparable to cellular gadgets.

Linux and Android

The present iteration of the Android OS relies on Linux. Keep in thoughts that “based on Linux” doesn’t imply the standard Linux apps will at all times run on an Android and, conversely, the Android apps that you just would possibly take pleasure in (or are accustomed to) is not going to essentially run in your Linux desktop. But Linux isn’t Android. To make clear the purpose, please be aware that Google chosen the Linux kernel, the important a part of the Linux working system, to handle the {hardware} chipset processing in order that Google’s builders would not have to be involved with the specifics of how processing happens on a given set of {hardware}. This permits their builders to concentrate on the broader working system layer and the person interface options of the Android OS.

A Large Market Share

The Android OS has a considerable market share of the cellular gadget market, primarily due to its open-source nature. An extra of 328 million Android gadgets had been shipped as of the third quarter in 2016. And, in accordance to, the Android working system had the majority of installations in 2017 — practically 67% — as of this writing.

As a DFI, we will count on to encounter Android-based {hardware} in the midst of a typical investigation. Due to the open supply nature of the Android OS along side the numerous {hardware} platforms from Samsung, Motorola, HTC, and many others., the number of mixtures between {hardware} sort and OS implementation presents a further problem. Consider that Android is at present at model 7.1.1, but every cellphone producer and cellular gadget provider will sometimes modify the OS for the particular {hardware} and repair choices, giving a further layer of complexity for the DFI, for the reason that method to knowledge acquisition could fluctuate.

Before we dig deeper into further attributes of the Android OS that complicate the method to knowledge acquisition, let us take a look at the idea of a ROM model that might be utilized to an Android gadget. As an outline, a ROM (Read Only Memory) program is low-level programming that’s shut to the kernel degree, and the distinctive ROM program is commonly referred to as firmware. If you assume by way of a pill in distinction to a mobile phone, the pill may have completely different ROM programming as contrasted to a mobile phone, since {hardware} options between the pill and mobile phone might be completely different, even when each {hardware} gadgets are from the identical {hardware} producer. Complicating the necessity for extra specifics within the ROM program, add within the particular necessities of cell service carriers (Verizon, AT&T, and many others.).

While there are commonalities of buying knowledge from a mobile phone, not all Android gadgets are equal, particularly in mild that there are fourteen main Android OS releases available on the market (from variations 1.0 to 7.1.1), a number of carriers with model-specific ROMs, and extra numerous customized user-complied editions (buyer ROMs). The ‘buyer compiled editions’ are additionally model-specific ROMs. In normal, the ROM-level updates utilized to every wi-fi gadget will comprise working and system primary purposes that works for a selected {hardware} gadget, for a given vendor (for instance your Samsung S7 from Verizon), and for a selected implementation.

Even although there isn’t any ‘silver bullet’ answer to investigating any Android gadget, the forensics investigation of an Android gadget ought to comply with the identical normal course of for the gathering of proof, requiring a structured course of and method that deal with the investigation, seizure, isolation, acquisition, examination and evaluation, and reporting for any digital proof. When a request to study a tool is acquired, the DFI begins with planning and preparation to embrace the requisite methodology of buying gadgets, the mandatory paperwork to help and doc the chain of custody, the event of a goal assertion for the examination, the detailing of the gadget mannequin (and different particular attributes of the acquired {hardware}), and a listing or description of the knowledge the requestor is searching for to purchase.

Unique Challenges of Acquisition

Mobile gadgets, together with cell telephones, tablets, and many others., face distinctive challenges throughout proof seizure. Since battery life is restricted on cellular gadgets and it’s not sometimes really helpful {that a} charger be inserted into a tool, the isolation stage of proof gathering could be a important state in buying the gadget. Confounding correct acquisition, the mobile knowledge, WiFi connectivity, and Bluetooth connectivity also needs to be included within the investigator’s focus throughout acquisition. Android has many security measures constructed into the cellphone. The lock-screen characteristic may be set as PIN, password, drawing a sample, facial recognition, location recognition, trusted-device recognition, and biometrics comparable to finger prints. An estimated 70% of customers do use some sort of safety safety on their cellphone. Critically, there may be out there software program that the person could have downloaded, which may give them the flexibility to wipe the cellphone remotely, complicating acquisition.

It is unlikely through the seizure of the cellular gadget that the display screen might be unlocked. If the gadget isn’t locked, the DFI’s examination might be simpler as a result of the DFI can change the settings within the cellphone promptly. If entry is allowed to the mobile phone, disable the lock-screen and alter the display screen timeout to its most worth (which may be up to half-hour for some gadgets). Keep in thoughts that of key significance is to isolate the cellphone from any Internet connections to stop distant wiping of the gadget. Place the cellphone in Airplane mode. Attach an exterior energy provide to the cellphone after it has been positioned in a static-free bag designed to block radiofrequency indicators. Once safe, you need to later have the opportunity to allow USB debugging, which can enable the Android Debug Bridge (ADB) that may present good knowledge seize. While it might be essential to study the artifacts of RAM on a cellular gadget, that is unlikely to occur.

Acquiring the Android Data

Copying a hard-drive from a desktop or laptop computer pc in a forensically-sound method is trivial as in contrast to the info extraction strategies wanted for cellular gadget knowledge acquisition. Generally, DFIs have prepared bodily entry to a hard-drive with no limitations, permitting for a {hardware} copy or software program bit stream picture to be created. Mobile gadgets have their knowledge saved within the cellphone in difficult-to-reach locations. Extraction of knowledge by means of the USB port could be a problem, however may be achieved with care and luck on Android gadgets.

After the Android gadget has been seized and is safe, it’s time to study the cellphone. There are a number of knowledge acquisition strategies out there for Android and so they differ drastically. This article introduces and discusses 4 of the first methods to method knowledge acquisition. These 5 strategies are famous and summarized under:

1. Send the gadget to the producer: You can ship the gadget to the producer for knowledge extraction, which can value further money and time, however could also be needed for those who shouldn’t have the actual talent set for a given gadget nor the time to be taught. In specific, as famous earlier, Android has a plethora of OS variations primarily based on the producer and ROM model, including to the complexity of acquisition. Manufacturer’s typically make this service out there to authorities companies and legislation enforcement for many home gadgets, so for those who’re an unbiased contractor, you have to to test with the producer or achieve help from the group that you’re working with. Also, the producer investigation possibility is probably not out there for a number of worldwide fashions (like the numerous no-name Chinese telephones that proliferate the market – consider the ‘disposable cellphone’).

2. Direct bodily acquisition of the info. One of guidelines of a DFI investigation is to by no means to alter the info. The bodily acquisition of knowledge from a mobile phone should have in mind the identical strict processes of verifying and documenting that the bodily methodology used is not going to alter any knowledge on the gadget. Further, as soon as the gadget is related, the operating of hash totals is important. Physical acquisition permits the DFI to acquire a full picture of the gadget utilizing a USB twine and forensic software program (at this level, try to be pondering of write blocks to stop any altering of the info). Connecting to a mobile phone and grabbing a picture simply is not as clear and clear as pulling knowledge from a tough drive on a desktop pc. The downside is that relying in your chosen forensic acquisition device, the actual make and mannequin of the cellphone, the provider, the Android OS model, the person’s settings on the cellphone, the foundation standing of the gadget, the lock standing, if the PIN code is understood, and if the USB debugging possibility is enabled on the gadget, you is probably not ready to purchase the info from the gadget underneath investigation. Simply put, bodily acquisition leads to the realm of ‘simply making an attempt it’ to see what you get and will seem to the courtroom (or opposing aspect) as an unstructured approach to collect knowledge, which may place the info acquisition in danger.

3. JTAG forensics (a variation of bodily acquisition famous above). As a definition, JTAG (Joint Test Action Group) forensics is a extra superior approach of knowledge acquisition. It is actually a bodily methodology that includes cabling and connecting to Test Access Ports (TAPs) on the gadget and utilizing processing directions to invoke a switch of the uncooked knowledge saved in reminiscence. Raw knowledge is pulled straight from the related gadget utilizing a particular JTAG cable. This is taken into account to be low-level knowledge acquisition since there isn’t any conversion or interpretation and is comparable to a bit-copy that’s finished when buying proof from a desktop or laptop computer pc arduous drive. JTAG acquisition can typically be finished for locked, broken and inaccessible (locked) gadgets. Since it’s a low-level copy, if the gadget was encrypted (whether or not by the person or by the actual producer, comparable to Samsung and a few Nexus gadgets), the acquired knowledge will nonetheless want to be decrypted. But since Google determined to get rid of whole-device encryption with the Android OS 5.0 launch, the whole-device encryption limitation is a bit narrowed, until the person has decided to encrypt their gadget. After JTAG knowledge is acquired from an Android gadget, the acquired knowledge may be additional inspected and analyzed with instruments comparable to 3zx (hyperlink: ) or Belkasoft (hyperlink: ). Using JTAG instruments will robotically extract key digital forensic artifacts together with name logs, contacts, location knowledge, looking historical past and much more.

4. Chip-off acquisition. This acquisition approach requires the removing of reminiscence chips from the gadget. Produces uncooked binary dumps. Again, that is thought-about a sophisticated, low-level acquisition and would require de-soldering of reminiscence chips utilizing extremely specialised instruments to take away the chips and different specialised gadgets to learn the chips. Like the JTAG forensics famous above, the DFI dangers that the chip contents are encrypted. But if the knowledge isn’t encrypted, a bit copy may be extracted as a uncooked picture. The DFI will want to deal with block deal with remapping, fragmentation and, if current, encryption. Also, a number of Android gadget producers, like Samsung, implement encryption which can’t be bypassed throughout or after chip-off acquisition has been accomplished, even when the proper passcode is understood. Due to the entry points with encrypted gadgets, chip off is restricted to unencrypted gadgets.

5. Over-the-air Data Acquisition. We are every conscious that Google has mastered knowledge assortment. Google is understood for sustaining huge quantities from cell telephones, tablets, laptops, computer systems and different gadgets from varied working system sorts. If the person has a Google account, the DFI can entry, obtain, and analyze all data for the given person underneath their Google person account, with correct permission from Google. This includes downloading data from the person’s Google Account. Currently, there are not any full cloud backups out there to Android customers. Data that may be examined embrace Gmail, contact data, Google Drive knowledge (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android gadgets, (the place location historical past for every gadget may be reviewed), and far more.

The 5 strategies famous above isn’t a complete listing. An often-repeated be aware surfaces about knowledge acquisition – when engaged on a cellular gadget, correct and correct documentation is important. Further, documentation of the processes and procedures used in addition to adhering to the chain of custody processes that you’ve got established will be sure that proof collected might be ‘forensically sound.’


As mentioned on this article, cellular gadget forensics, and particularly the Android OS, is completely different from the standard digital forensic processes used for laptop computer and desktop computer systems. While the private pc is well secured, storage may be readily copied, and the gadget may be saved, protected acquisition of cellular gadgets and knowledge may be and sometimes is problematic. A structured method to buying the cellular gadget and a deliberate method for knowledge acquisition is important. As famous above, the 5 strategies launched will enable the DFI to achieve entry to the gadget. However, there are a number of further strategies not mentioned on this article. Additional analysis and gear use by the DFI might be needed.

Spread the love
Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!