An Introduction to Forensics Data Acquisition From Android Mobile Devices 1

The function that a Digital Forensics Investigator (DFI) is rife with continuous mastering opportunities, specifically as generation expands and proliferates into each corner of communications, entertainment, and enterprise. As a DFI, we address an everyday onslaught of recent devices. Like the cellular phone or tablet, many of those devices use common running structures that we need to be acquainted with. Certainly, the Android OS is predominant within the pill and cellular cellphone industry. Given the predominance of the Android OS within the cell tool marketplace, DFIs will run into Android gadgets inside the path of many investigations. While numerous fashions suggest strategies for acquiring records from Android devices, this newsletter introduces four viable methods that the DFI should do not forget whilst evidence accumulating from Android devices.

Android Mobile Devices

A Bit of History of the Android Mobile Device

Android’s first industrial launch came in September 2008 with model 1.0. google android is an open-source and ‘unfastened to use’ working device for mobile gadgets developed with Google’s aid. Importantly, early on, Google and other hardware groups fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and aid Android’s increase inside the marketplace. The OHA now includes eighty-four hardware agencies, including giants like Samsung, HTC, and Motorola (to name some). This alliance turned into established to compete with groups who had their very own marketplace services, which includes aggressive gadgets offered by way of Apple, Microsoft (Windows Phone 10 – that is now reportedly dead to the marketplace), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or now not, the DFI needs to realize the various variations of a couple of running gadget platforms, especially if their forensics consciousness is in a selected realm, along with mobile devices.

Linux and Android

The present-day generation of the google android OS is based totally on Linux. Keep in mind that “based totally on Linux” does now not imply the usual Linux apps will continually run on an Android and, conversely, the Android apps that you might revel in (or are familiar with) will not always run on your Linux computing device. But Linux is not google android. To make clear the point, please observe that Google decided on the Linux kernel, the essential part of the Linux operating system, to manipulate the hardware chipset processing so that Google’s developers wouldn’t need to be worried about the specifics of ways processing happens on a given set of hardware. This lets their developers understand the broader operating system layer and the user interface capabilities of the Android OS.

A Large Market Share

The Android OS has an enormous marketplace percentage of the mobile device market, by and large, due to its open-source nature. An extra 328 million Android devices were shipped as of the 0.33 area in 2016. In keeping with netwmarketshare.Com, the Android working device had the majority of installations in 2017 — nearly sixty-seven% — as of this writing.

As a DFI, we can expect to stumble upon Android-primarily based hardware within the course of a typical investigation. Due to the open supply nature of the google android OS in conjunction with the various hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware kind and OS implementation presents an extra task. Consider that Android is currently at version 7.1.1. Yet, each cellphone producer and mobile device provider will usually adjust the OS for the precise hardware and service services, giving an extra layer of complexity for the DFI, for the reason that method to information acquisition may additionally range.

Before we dig deeper into extra attributes of the google android  OS that complicate the technique to records acquisition, let’s study the concept of a ROM version on the way to be carried out to an Android device. As a top-level view, a ROM (Read Only Memory) application is low-level programming; this is near the kernel degree, and the unique ROM program is frequently known as firmware. If you observed in terms of a tablet in comparison to a cellular smartphone, the pill will have distinctive ROM programming as contrasted to a cellular telephone, because hardware features among the pill and cellular telephone could be unique, even if both hardware find pc connected devices are from the identical hardware manufacturer. Complicating the want for extra specifics inside the ROM application, upload in the precise requirements of cellular provider carriers (Verizon, AT&T, etc.).

While there are commonalities of obtaining statistics from a mobile phone, not all Android devices are the same, especially in mild that there are fourteen important Android OS releases available on the market (from versions 1.0 to 7.1.1), multiple companies with version-particular ROMs, and extra infinite custom user-complied variants (purchaser ROMs). The ‘patron compiled variants’ are also version-precise ROMs. In trendy, the ROM-level updates carried out to each wi-fi tool will comprise running and machine basic programs that work for a particular hardware tool, for a given dealer (for instance, your Samsung S7 from Verizon), and a selected implementation.

Even although there may be no ‘silver bullet’ option for investigating any Android find pc connected devices, the forensics research of an Android device have to follow the equal standard method for the gathering of evidence, requiring an established procedure and method that address the research, seizure, isolation, acquisition, exam, and analysis, and reporting for any virtual proof. When a request to observe a tool is obtained, the DFI starts offevolved with making plans and practice to encompass the considered necessary approach of acquiring gadgets, the vital paperwork to help and report the chain of custody, the improvement of a purpose declaration for the exam, the detailing of the device version (and different particular attributes of the acquired hardware), and a list or description of the information the requestor is in search of to collect.

Unique Challenges of Acquisition

Mobile devices, including cell telephones, tablets, and many others., face particular demanding situations in evidence seizure. Since battery life is restrained on mobile find pc connected devices and it isn’t normally recommended that a charger is inserted into a tool, the isolation stage of proof-gathering can be vital in obtaining the tool. Confounding the right acquisition, the mobile records, WiFi connectivity, and Bluetooth connectivity must also be blanketed within the investigator’s recognition during acquisition. Android has many safety capabilities constructed into the phone. The lock-screen feature can be set as PIN, password, drawing a pattern, facial recognition, location popularity, depended on on-device reputation, and biometrics inclusive of fingerprints. An anticipated 70% of users do use a few kinds of security protection on their cellphone. Critically, there is to be had the software program that the person can also have downloaded, which could deliver them the capability to wipe the smartphone remotely, complicating acquisition.

It is unlikely all through the seizure of the cellular device that the display may be unlocked. If the device is not locked, the DFI’s examination can be easier due to the fact the DFI can alternate the settings within the cellphone right away. I get admission to the cellular cellphone, disable the lock-screen and alternate the display screen timeout to its most value (which may be as much as 30 minutes for some devices). Keep in thoughts that of key importance is to isolate the phone from any Internet connections to save you far off the device’s wiping. Place the cell phone in Airplane mode. After it has been placed in a static-unfastened bag designed to block radiofrequency alerts, attach external electricity delivery to the cell phone. Once cozy, you ought to later be capable of allowing USB debugging so that it will allow the Android Debug Bridge (ADB) that can provide suitable information capture. While it can be important to observe the artifacts of RAM on a cell tool, this is not likely to manifest.

Acquiring the Android Data

Copying a tough-power from a computer or pc pc in a forensically sound manner is trivial compared to the records extraction techniques needed for mobile device fact acquisition. Generally, DFIs have prepared bodily access to a difficult-drive and not using barriers, considering a hardware replica or software bit flow picture to be created. Mobile devices have their data saved in the interior of the phone in difficult-to-attain locations. Extraction of records through the USB port can be a mission but may be done with care and good fortune on Android gadgets.

After the Android device has been seized and is secure, it is time to look at the cellphone. There are several data acquisition strategies available for Android, and that they fluctuate considerably. This article introduces and discusses 4 of the number one ways to technique statistics acquisition. These five techniques are noted and summarized under:

1. Send the tool to the manufacturer: You can send the device to the manufacturer for statistics extraction, which will price greater money and time. However, it may be essential if you no longer have the specific skill set for a given device or the time to examine it. In specific, as cited in advance, Android has a plethora of OS versions primarily based on the manufacturer and ROM version, including the complexity of acquisition. Manufacturer’s normally made this carrier available to authorities, companies, and law enforcement for maximum domestic gadgets, so if you’re an impartial contractor, you’ll need to test with the manufacturer or advantage aid from the business enterprise with which you are working with. The producer investigation alternative might not be had for numerous international fashions (just like the many no-name Chinese telephones that proliferate the marketplace – think about the ‘disposable telephone’).

2. Direct physical acquisition of the information. One of the regulations of a DFI investigation is to in no way alter the facts. The physical acquisition of data from a cell cellphone needs to remember the same strict techniques of verifying and documenting that the bodily approach will no longer regulate any statistics at the device. Further, once the tool is connected, the running of hash totals is important. Physical acquisition lets the DFI gain a full image of the tool, the usage of a USB cord, and a forensic software program (at this factor, you have to consider write blocks to prevent any changing of the statistics). Connecting to a cellular telephone and grabbing an image isn’t as smooth and clear as pulling statistics from a difficult pressure on a desktop computer. The problem is that relying on your chosen forensic acquisition tool, the unique make and model of the telephone, the provider, the Android OS version, the person’s settings on the telephone, the basis reputation of the tool, the lock popularity, if the PIN code is known, and if the USB debugging option is enabled on the device, you can no longer be capable of acquiring the data from the device below investigation. Placed, physical acquisition finally ends up inside the realm of ‘simply trying it’ to peer what you get and can seem to the courtroom (or opposing aspect) as an unstructured manner to collect information, which could vicinity the statistics acquisition risk.

3. JTAG forensics (a variant of bodily acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is a more superior records acquisition method. It is basically a bodily technique that entails cabling and connecting to Test Access Ports (TAPs) at the tool and using processing commands to invoke a transfer of the raw information stored in reminiscence. Raw statistics is pulled directly from the connected tool with the usage of a special JTAG cable. This is considered low-degree records acquisition because there may be no conversion or interpretation and is just like a chunk-reproduction that is accomplished when acquiring evidence from a laptop or pc pc tough power. JTAG acquisition can regularly be achieved for locked, damaged, and inaccessible (locked) devices. Since it’s far a low-level copy of the tool changed into encrypted (whether via the person or using the specific manufacturer, including Samsung and a few Nexus gadgets), the acquired records will nevertheless need to be decrypted. But for the reason that Google decided to remove complete-device encryption with the Android OS 5.Zero release, the complete-device encryption issue is a bit narrowed until the consumer has determined to encrypt their tool. After JTAG records is acquired from an Android device, the obtained information may be similarly inspected and analyzed with gear such as 3zx (link: https://z3x-group.Com/ ) or Belkasoft (hyperlink: https://belkasoft.Com/ ). Using JTAG equipment will robotically extract key digital forensic artifacts such as call logs, contacts, vicinity records, browsing history, and loads more.

4. Chip-off acquisition. This acquisition approach calls for the removal of reminiscence chips from the device. Produces uncooked binary dumps. Again, this is considered a complicated, low-stage acquisition and could require de-soldering of memory chips, the use of incredibly specialized gear to remove the chips, and different specialized gadgets to study the chips. Like the JTAG forensics referred to above, the DFI risks that the chip contents are encrypted. But if the data is not encrypted, a bit replica may be extracted as an uncooked photograph. The DFI will need to contend with block cope with remapping, fragmentation, and, if present, encryption. Numerous Android device producers, like Samsung, enforce encryption, which can’t be bypassed during or after the chip-off acquisition has been finished, even though the best passcode is understood. Due to the get entry to problems with encrypted gadgets, chip off is constrained to unencrypted gadgets.

5. Over-the-air Data Acquisition. We are very aware that Google has mastered facts collection. Google is understood for keeping large amounts from mobile phones, pills, laptops, computers, and different gadgets from various working device types. If the user has a Google account, the DFI can get entry to, download, and examine all facts for the given person under their Google consumer account, with Google’s right permission. This involves downloading records from the person’s Google Account. Currently, there are not any full cloud backups to be had for Android customers. Data that may be examined encompass Gmail touch records, Google Drive data (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android gadgets (where region history for every tool can be reviewed), and plenty extra.

The 5 techniques referred to above isn’t a comprehensive list. A regularly-repeated observation surfaces approximately statistics acquisition – while running on a mobile device, right, and correct documentation is vital. Further, documentation of the techniques and processes used, as well as adhering to the chain of custody procedures which you’ve set up, will ensure that evidence collected can be ‘forensically sound.’


As mentioned in this text, cell tool forensics, and especially the Android OS, isn’t like the traditional digital forensic approaches used for pc and laptop computers. While the personal computer is without problems secured, storage may be easily copied. The device may be saved, safe acquisition of mobile devices and records can be and frequently is complicated. A based approach to acquiring the cellular tool and a planned approach for statistics acquisition is essential. As noted above, the 5 strategies brought will permit the DFI to gain admission to the device. However, there are several additional strategies now not discussed in this newsletter. Additional research and tool use via the DFI might be vital.