An Introduction to Forensics Data Acquisition From Android Mobile Devices

The function {that a} Digital Forensics Investigator (DFI) is rife with steady studying alternatives, particularly as expertise expands and proliferates into each nook of communications, leisure and enterprise. As a DFI, we cope with a every day onslaught of recent units. Many of those units, just like the mobile phone or pill, use frequent working programs that we have to be aware of. Actually, the Android OS is predominant within the pill and mobile phone trade. Given the predominance of the Android OS within the cell system market, DFIs will run into Android units in the midst of many investigations. Whereas there are a number of fashions that recommend approaches to buying knowledge from Android units, this text introduces 4 viable strategies that the DFI ought to think about when proof gathering from Android units.

A Little bit of Historical past of the Android OS

Android’s first industrial launch was in September, 2008 with model 1.0. Android is the open supply and ‘free to make use of’ working system for cell units developed by Google. Importantly, early on, Google and different {hardware} corporations shaped the “Open Handset Alliance” (OHA) in 2007 to foster and assist the expansion of the Android within the market. The OHA now consists of 84 {hardware} corporations together with giants like Samsung, HTC, and Motorola (to call a couple of). This alliance was established to compete with corporations who had their very own market choices, similar to aggressive units supplied by Apple, Microsoft (Home windows Telephone 10 – which is now reportedly useless to the market), and Blackberry (which has ceased making {hardware}). Regardless if an OS is defunct or not, the DFI should know concerning the varied variations of a number of working system platforms, particularly if their forensics focus is in a specific realm, similar to cell units.

Linux and Android

The present iteration of the Android OS is predicated on Linux. Remember the fact that “primarily based on Linux” doesn’t imply the same old Linux apps will at all times run on an Android and, conversely, the Android apps that you simply may get pleasure from (or are aware of) won’t essentially run in your Linux desktop. However Linux will not be Android. To make clear the purpose, please be aware that Google chosen the Linux kernel, the important a part of the Linux working system, to handle the {hardware} chipset processing in order that Google’s builders would not should be involved with the specifics of how processing happens on a given set of {hardware}. This permits their builders to give attention to the broader working system layer and the consumer interface options of the Android OS.

A Massive Market Share

The Android OS has a considerable market share of the cell system market, primarily as a result of its open-source nature. An extra of 328 million Android units had been shipped as of the third quarter in 2016. And, in response to, the Android working system had the majority of installations in 2017 — almost 67% — as of this writing.

As a DFI, we are able to anticipate to come across Android-based {hardware} in the midst of a typical investigation. As a result of open supply nature of the Android OS at the side of the various {hardware} platforms from Samsung, Motorola, HTC, and so on., the number of combos between {hardware} sort and OS implementation presents a further problem. Contemplate that Android is at present at model 7.1.1, but every cellphone producer and cell system provider will sometimes modify the OS for the precise {hardware} and repair choices, giving a further layer of complexity for the DFI, because the strategy to knowledge acquisition could fluctuate.

Earlier than we dig deeper into further attributes of the Android OS that complicate the strategy to knowledge acquisition, let us take a look at the idea of a ROM model that shall be utilized to an Android system. As an summary, a ROM (Learn Solely Reminiscence) program is low-level programming that’s near the kernel stage, and the distinctive ROM program is usually known as firmware. Should you assume by way of a pill in distinction to a mobile phone, the pill may have completely different ROM programming as contrasted to a mobile phone, since {hardware} options between the pill and mobile phone shall be completely different, even when each {hardware} units are from the identical {hardware} producer. Complicating the necessity for extra specifics within the ROM program, add within the particular necessities of cell service carriers (Verizon, AT&T, and so on.).

Whereas there are commonalities of buying knowledge from a mobile phone, not all Android units are equal, particularly in gentle that there are fourteen main Android OS releases in the marketplace (from variations 1.0 to 7.1.1), a number of carriers with model-specific ROMs, and extra numerous customized user-complied editions (buyer ROMs). The ‘buyer compiled editions’ are additionally model-specific ROMs. Usually, the ROM-level updates utilized to every wi-fi system will include working and system fundamental functions that works for a specific {hardware} system, for a given vendor (for instance your Samsung S7 from Verizon), and for a specific implementation.

Despite the fact that there isn’t a ‘silver bullet’ answer to investigating any Android system, the forensics investigation of an Android system ought to observe the identical basic course of for the gathering of proof, requiring a structured course of and strategy that deal with the investigation, seizure, isolation, acquisition, examination and evaluation, and reporting for any digital proof. When a request to look at a tool is acquired, the DFI begins with planning and preparation to incorporate the requisite technique of buying units, the required paperwork to assist and doc the chain of custody, the event of a function assertion for the examination, the detailing of the system mannequin (and different particular attributes of the acquired {hardware}), and a listing or description of the data the requestor is searching for to accumulate.

Distinctive Challenges of Acquisition

Cell units, together with cell telephones, tablets, and so on., face distinctive challenges throughout proof seizure. Since battery life is proscribed on cell units and it isn’t sometimes beneficial {that a} charger be inserted into a tool, the isolation stage of proof gathering generally is a vital state in buying the system. Confounding correct acquisition, the mobile knowledge, WiFi connectivity, and Bluetooth connectivity must also be included within the investigator’s focus throughout acquisition. Android has many safety features constructed into the cellphone. The lock-screen function could be set as PIN, password, drawing a sample, facial recognition, location recognition, trusted-device recognition, and biometrics similar to finger prints. An estimated 70% of customers do use some sort of safety safety on their cellphone. Critically, there’s out there software program that the consumer could have downloaded, which can provide them the flexibility to wipe the cellphone remotely, complicating acquisition.

It’s unlikely in the course of the seizure of the cell system that the display shall be unlocked. If the system will not be locked, the DFI’s examination shall be simpler as a result of the DFI can change the settings within the cellphone promptly. If entry is allowed to the mobile phone, disable the lock-screen and alter the display timeout to its most worth (which could be as much as half-hour for some units). Remember the fact that of key significance is to isolate the cellphone from any Web connections to forestall distant wiping of the system. Place the cellphone in Airplane mode. Connect an exterior energy provide to the cellphone after it has been positioned in a static-free bag designed to dam radiofrequency alerts. As soon as safe, it’s best to later have the ability to allow USB debugging, which can enable the Android Debug Bridge (ADB) that may present good knowledge seize. Whereas it might be necessary to look at the artifacts of RAM on a cell system, that is unlikely to occur.

Buying the Android Knowledge

Copying a hard-drive from a desktop or laptop computer pc in a forensically-sound method is trivial as in comparison with the information extraction strategies wanted for cell system knowledge acquisition. Usually, DFIs have prepared bodily entry to a hard-drive with no obstacles, permitting for a {hardware} copy or software program bit stream picture to be created. Cell units have their knowledge saved inside the cellphone in difficult-to-reach locations. Extraction of information via the USB port generally is a problem, however could be achieved with care and luck on Android units.

After the Android system has been seized and is safe, it’s time to study the cellphone. There are a number of knowledge acquisition strategies out there for Android they usually differ drastically. This text introduces and discusses 4 of the first methods to strategy knowledge acquisition. These 5 strategies are famous and summarized beneath:

1. Ship the system to the producer: You may ship the system to the producer for knowledge extraction, which can value further money and time, however could also be mandatory in the event you would not have the actual talent set for a given system nor the time to be taught. Particularly, as famous earlier, Android has a plethora of OS variations primarily based on the producer and ROM model, including to the complexity of acquisition. Producer’s typically make this service out there to authorities businesses and regulation enforcement for many home units, so in the event you’re an impartial contractor, you will want to verify with the producer or acquire assist from the group that you’re working with. Additionally, the producer investigation choice might not be out there for a number of worldwide fashions (like the various no-name Chinese language telephones that proliferate the market – consider the ‘disposable cellphone’).

2. Direct bodily acquisition of the information. One in every of guidelines of a DFI investigation is to by no means to change the information. The bodily acquisition of information from a mobile phone should keep in mind the identical strict processes of verifying and documenting that the bodily technique used won’t alter any knowledge on the system. Additional, as soon as the system is linked, the working of hash totals is important. Bodily acquisition permits the DFI to acquire a full picture of the system utilizing a USB wire and forensic software program (at this level, you have to be pondering of write blocks to forestall any altering of the information). Connecting to a mobile phone and grabbing a picture simply is not as clear and clear as pulling knowledge from a tough drive on a desktop pc. The issue is that relying in your chosen forensic acquisition instrument, the actual make and mannequin of the cellphone, the provider, the Android OS model, the consumer’s settings on the cellphone, the basis standing of the system, the lock standing, if the PIN code is understood, and if the USB debugging choice is enabled on the system, you might not have the ability to purchase the information from the system below investigation. Merely put, bodily acquisition results in the realm of ‘simply making an attempt it’ to see what you get and will seem to the court docket (or opposing facet) as an unstructured method to collect knowledge, which might place the information acquisition in danger.

3. JTAG forensics (a variation of bodily acquisition famous above). As a definition, JTAG (Joint Check Motion Group) forensics is a extra superior approach of information acquisition. It’s basically a bodily technique that entails cabling and connecting to Check Entry Ports (TAPs) on the system and utilizing processing directions to invoke a switch of the uncooked knowledge saved in reminiscence. Uncooked knowledge is pulled instantly from the linked system utilizing a particular JTAG cable. That is thought of to be low-level knowledge acquisition since there isn’t a conversion or interpretation and is just like a bit-copy that’s completed when buying proof from a desktop or laptop computer pc exhausting drive. JTAG acquisition can typically be completed for locked, broken and inaccessible (locked) units. Since it’s a low-level copy, if the system was encrypted (whether or not by the consumer or by the actual producer, similar to Samsung and a few Nexus units), the acquired knowledge will nonetheless have to be decrypted. However since Google determined to get rid of whole-device encryption with the Android OS 5.0 launch, the whole-device encryption limitation is a bit narrowed, until the consumer has decided to encrypt their system. After JTAG knowledge is acquired from an Android system, the acquired knowledge could be additional inspected and analyzed with instruments similar to 3zx (hyperlink: ) or Belkasoft (hyperlink: ). Utilizing JTAG instruments will routinely extract key digital forensic artifacts together with name logs, contacts, location knowledge, searching historical past and much more.

4. Chip-off acquisition. This acquisition method requires the removing of reminiscence chips from the system. Produces uncooked binary dumps. Once more, that is thought of a sophisticated, low-level acquisition and would require de-soldering of reminiscence chips utilizing extremely specialised instruments to take away the chips and different specialised units to learn the chips. Just like the JTAG forensics famous above, the DFI dangers that the chip contents are encrypted. But when the data will not be encrypted, a bit copy could be extracted as a uncooked picture. The DFI might want to deal with block deal with remapping, fragmentation and, if current, encryption. Additionally, a number of Android system producers, like Samsung, implement encryption which can’t be bypassed throughout or after chip-off acquisition has been accomplished, even when the proper passcode is understood. As a result of entry points with encrypted units, chip off is proscribed to unencrypted units.

5. Over-the-air Knowledge Acquisition. We’re every conscious that Google has mastered knowledge assortment. Google is understood for sustaining huge quantities from cell telephones, tablets, laptops, computer systems and different units from varied working system sorts. If the consumer has a Google account, the DFI can entry, obtain, and analyze all data for the given consumer below their Google consumer account, with correct permission from Google. This entails downloading data from the consumer’s Google Account. At the moment, there aren’t any full cloud backups out there to Android customers. Knowledge that may be examined embrace Gmail, contact data, Google Drive knowledge (which could be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android units, (the place location historical past for every system could be reviewed), and way more.

The 5 strategies famous above will not be a complete checklist. An often-repeated be aware surfaces about knowledge acquisition – when engaged on a cell system, correct and correct documentation is crucial. Additional, documentation of the processes and procedures used in addition to adhering to the chain of custody processes that you’ve got established will be certain that proof collected shall be ‘forensically sound.’


As mentioned on this article, cell system forensics, and specifically the Android OS, is completely different from the normal digital forensic processes used for laptop computer and desktop computer systems. Whereas the private pc is well secured, storage could be readily copied, and the system could be saved, secure acquisition of cell units and knowledge could be and infrequently is problematic. A structured strategy to buying the cell system and a deliberate strategy for knowledge acquisition is important. As famous above, the 5 strategies launched will enable the DFI to realize entry to the system. Nevertheless, there are a number of further strategies not mentioned on this article. Extra analysis and power use by the DFI shall be mandatory.

Leave a Comment