An Introduction to Forensics Data Acquisition From Android Mobile Devices 1

The function that a Digital Forensics Investigator (DFI) is rife with continuous mastering opportunities, specifically as generation expands and proliferates into each corner of communications, entertainment, and enterprise. As a DFI, we address an everyday onslaught of recent devices. Like the cellular phone or tablet, many of those devices use common running structures that we need to be acquainted with. Certainly, the Android OS is predominant within the pill and cellular cellphone industry. Given the predominance of the Android OS within the cell tool marketplace, DFIs will run into Android gadgets inside the path of many investigations. While numerous fashions suggest strategies for acquiring records from Android devices, this newsletter introduces four viable methods that the DFI should not forget while evidence accumulates from Android devices.

An Introduction to Forensics Data Acquisition From Android Mobile Devices

 

A Bit of History of the Android Mobile Device

Android’s first industrial launch came in September 2008 with model 1.0. google android is an open-source and ‘unfastened to use’ working device for mobile gadgets developed with Google’s aid. Importantly, early on, Google and other hardware groups fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and aid Android’s increase inside the marketplace. The OHA now includes eighty-four hardware agencies, including giants like Samsung, HTC, and Motorola (to name some). This alliance became established to compete with groups who had their very own marketplace services, including aggressive gadgets offered by way of Apple, Microsoft (Windows Phone 10 – now reportedly dead to the marketplace), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct, the DFI needs to realize the various variations of a couple of running gadget platforms, especially if their forensics consciousness is in a selected realm, along with mobile devices.

Linux and Android

The present-day generation of the google android OS is based totally on Linux. Keep in mind that “based totally on Linux” does now not imply the usual Linux apps will continually run on an Android and, conversely, the Android apps that you might revel in (or are familiar with) will not always run on your Linux computing device. But Linux is not google android. To make clear the point, please observe that Google decided on the Linux kernel, the essential part of the Linux operating system, to manipulate the hardware chipset processing so that Google’s developers wouldn’t need to be worried about the specifics of ways processing happens on a given set of hardware. This lets their developers understand the broader operating system layer and the user interface capabilities of the Android OS.

A Large Market Share

The Android OS has an enormous marketplace percentage of the mobile device market, by and large, due to its open-source nature. An extra 328 million Android devices were shipped as of the 0.33 area 2016. In keeping with netwmarketshare.Com, the Android working device had the majority of installations in 2017 — nearly sixty-seven% — as of this writing.

As a DFI, we can expect to stumble upon Android-primarily based hardware within a typical investigation. Due to the open supply nature of the Google Android OS in conjunction with the various hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware kind and OS implementation presents an extra task. Consider that Android is currently at version 7.1.1. Yet, each cellphone producer and mobile device provider will usually adjust the OS for the precise hardware and service services, giving the DFI an extra layer of complexity because the information acquisition method may also range.

Before we dig deeper into extra attributes of the google android  OS that complicate the technique of records acquisition, let’s study the concept of a ROM version on the way to be carried out to an Android device. From a top-level view, a ROM (Read Only Memory) application is low-level programming; this is near the kernel degree, and the unique ROM program is frequently known as firmware. Suppose you observe in terms of a tablet in comparison to a cellular smartphone. In that case, the pill will have distinctive ROM programming compared to a cellular telephone because hardware features between the drug and cellular phone could be unique, even if both hardware find pc connected devices are from the identical hardware manufacturer. Complicating the want for extra specifics inside the ROM application, upload in the precise requirements of cellular provider carriers (Verizon, AT&T, etc.).

While there are commonalities in obtaining statistics from a mobile phone, not all Android devices are the same, especially in mild that there are fourteen important Android OS releases available on the market (from versions 1.0 to 7.1.1), multiple companies with version-particular ROMs, and extra infinite custom user-complied variants (purchaser ROMs). The ‘patron compiled variants’ are also version-precise ROMs. In trendy, the ROM-level updates to each WiFi tool will comprise running and machine basic programs that work for a particular hardware tool, for a given dealer (for instance, your Samsung S7 from Verizon), and a selected implementation.

Even though there may be no ‘silver bullet’ option for investigating any Android find pc connected devices, the forensics research of an Android device has to follow the equal standard method for the gathering of evidence, requiring an established procedure and process that address the investigation, seizure, isolation, acquisition, exam, and analysis, and reporting for any virtual proof. When a request to observe a tool is obtained, the DFI starts offevolved with making plans and practice to encompass the considered necessary approach of acquiring gadgets, the vital paperwork to help and report the chain of custody, the improvement of a purpose declaration for the exam, the detailing of the device version (and different particular attributes of the acquired hardware), and a list or description of the information the requestor is in search of to collect.

Unique Challenges of Acquisition

Mobile devices, including cell telephones, tablets, and many others., face particularly demanding situations in evidence seizure. Since battery life is restrained on mobile find pc connected devices and it isn’t normally recommended that a charger is inserted into a tool, the isolation stage of proof-gathering can be vital in obtaining the tool. Confounding the right acquisition, the mobile records, WiFi connectivity, and Bluetooth connectivity must also be blanketed within the investigator’s recognition during purchase. Android has many safety capabilities constructed into the phone. The lock-screen feature can be set as PIN, password, drawing a pattern, facial recognition, location popularity, depending on on-device reputation, and biometrics, including fingerprints. An anticipated 70% of users use some security protection on their cell phones. Critically, there is to be had the software program that the person can also have downloaded, which could deliver them the capability to wipe the smartphone remotely, complicating acquisition.

It is unlikely that the display may be unlocked through the seizure of the cellular device; if the device is not locked, the DFI’s examination can be easier because it can alternate the settings within the cellphone immediately. I get admission to the cellular cellphone, turn off the lock screen and rotate the display screen timeout to its most value (which may be as much as 30 minutes for some devices). Keep in thoughts that of key importance is to isolate the phone from any Internet connections to save you far off the device’s wiping. Place the cell phone in Airplane mode. Attach external electricity delivery to the cell phone after placing it in a static-unfastened bag designed to block radiofrequency alerts. Once cozy, you ought to later be capable of allowing USB debugging so that it will allow the Android Debug Bridge (ADB) that can provide suitable information capture. While observing the RAM artifacts on a cell tool can be important, this is not likely to manifest.

Acquiring the Android Data

Copying a tough power from a computer or pc pc in a forensically sound manner is trivial compared to the records extraction techniques needed for mobile device fact acquisition. Generally, DFIs have prepared bodily access to a difficult drive without using barriers, considering a hardware replica or software bit flow picture to be created. Mobile devices have data saved in the phone’s interior in difficult-to-attain locations. Extraction of records through the USB port can be a mission but may be done with care and good fortune on Android gadgets.

After the Android device is seized and secure, it is time to look at the cellphone. Several data acquisition strategies are available for Android, and they fluctuate considerably. This article introduces and discusses 4 of the number one techniques to acquire statistics. These five techniques are noted and summarized under:

1. Send the tool to the manufacturer: You can send the device to the manufacturer for statistics extraction, which will price greater money and time. However, it may be essential if you no longer have the specific skill set for a given device or the time to examine it. In specific, as cited in advance, Android has a plethora of OS versions primarily based on the manufacturer and ROM version, including the complexity of acquisition. Manufacturers normally make this carrier available to authorities, companies, and law enforcement for maximum domestic gadgets, so if you’re an impartial contractor, you’ll need to test with the manufacturer or advantage aid from the business enterprise with which you are working. The producer investigation alternative might not be had for numerous international fashions (just like the many no-name Chinese telephones that proliferate the marketplace – think about the ‘disposable telephone’).

2. Direct physical acquisition of the information. One of the regulations of a DFI investigation is to in no way alter the facts. The physical acquisition of data from a cell cellphone needs to remember the same strict techniques of verifying and documenting that the bodily approach will no longer regulate any statistics at the device. Further, once the tool is connected, running hash totals is important. Physical acquisition lets the DFI gain a full image of the agency, the usage of a USB cord, and a forensic software program (at this factor, you have to consider writing blocks to prevent any statistics from changing). Connecting to a cellular telephone and grabbing an image isn’t as smooth and clear as pulling statistics from a difficult pressure on a desktop computer. The problem is that relying on your chosen forensic acquisition tool, the unique make and model of the telephone, the provider, the Android OS version, the person’s settings on the phone, the basis reputation of the tool, the lock popularity, if the PIN code is known, and if the USB debugging option is enabled on the device, you can no longer be capable of acquiring the data from the widget below investigation. Placed, physical acquisition finally ends up inside the realm of ‘simply trying it’ to peer what you get. It can seem to the courtroom (or opposing aspect) as an unstructured manner to collect information, which could vicinity the statistics acquisition risk.

3. JTAG forensics (a variant of bodily acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is a superior records acquisition method. It is a physical technique that entails cabling and connecting to Test Access Ports (TAPs) at the tool and using processing commands to invoke a transfer of the raw information stored in reminiscence. Basic statistics are pulled directly from the connected device using a special JTAG cable. This is considered low-degree records acquisition because there may be no conversion or interpretation and is just like a chunk-reproduction accomplished when acquiring evidence from a laptop or pc pc tough power. JTAG acquisition can regularly be achieved for locked, damaged, and inaccessible (locked) devices. Since it’s far a low-level copy of the tool changed into encrypted (whether via the person or using the specific manufacturer, including Samsung and a few Nexus gadgets), the acquired records must be decrypted. But because Google decided to remove complete-device encryption with Android OS 5. Zero release, the complete-device encryption issue is narrowed until the consumer has determined to encrypt their tool. After JTAG records are acquired from an Android device, the obtained information may be similarly inspected and analyzed with gear such as 3zx (link: https://z3x-group.Com/ ) or Belkasoft (hyperlink: https://belkasoft.Com/ ). JTAG equipment will robotically extract key digital forensic artifacts such as call logs, contacts, vicinity records, browsing history, and loads.

4. Chip-off acquisition. This acquisition approach calls for the removal of reminiscence chips from the device. Produces uncooked binary dumps. Again, this is considered a complicated, low-stage acquisition and could require the de-soldering of memory chips, using incredibly specialized gear to remove the chips, and different technical gadgets to study the chips. As the JTAG forensics referred to above, the DFI risks that the chip contents are encrypted. But if the data is not encrypted, a bit replica may be extracted as an uncooked photograph. The DFI will need to contend with block cope with remapping, fragmentation, and, if present, encryption. Numerous Android device producers, like Samsung, enforce encryption, which can’t be bypassed during or after the chip-off acquisition, even though the best passcode is understood. Due to the get entry to problems with encrypted gadgets, chip-off is constrained to unencrypted devices.

5. Over-the-air Data Acquisition. We are very aware that Google has mastered facts collection. Google is understood for keeping large amounts of mobile phones, pills, laptops, computers, and different gadgets from various working device types. If the user has a Google account, the DFI can get entry to, download, and examine all facts for the given person under their Google consumer account, with Google’s right permission. This involves downloading records from the person’s Google Account. Currently, there are not any full cloud backups to be had for Android customers. Data that may be examined encompass Gmail touch records, Google Drive data (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android gadgets (where region history for every tool can be reviewed), and plenty extra.

The five techniques referred to above aren’t a comprehensive list. A regularly-repeated observation surfaces approximately statistics acquisition – while running on a mobile device, correct documentation is vital. Further, documentation of the techniques and processes used and adhering to the chain of custody procedures you’ve set up will ensure that the evidence collected can be ‘forensically sound.’

Conclusion

As mentioned in this text, cell tool forensics, especially Android OS, isn’t like the traditional digital forensic approaches used for pc and laptop computers. While the personal computer is without problems secured, storage may be easily copied. The device may be saved, safe acquisition of mobile devices and records can be and frequently is complicated. A based approach to acquiring the cellular tool and a planned process for statistics acquisition is essential. As noted above, the five strategies will permit the DFI to gain admission to the device. However, there are several additional strategies now not discussed in this newsletter. Further research and tool use via the DFI might be vital.