The role that a Digital Forensics Investigator (DFI) is rife with non-stop mastering opportunities, especially as generation expands and proliferates into every nook of communications, leisure, and enterprise. As a DFI, we address a daily onslaught of latest devices. Many of those gadgets, just like the cellular telephone or pill, use common running structures that we want to be acquainted with. Certainly, the Android OS is predominant in the tablet and mobile phone industry. Given the predominance of the Android OS in the cell device marketplace, DFIs will run into Android gadgets inside the direction of many investigations. While there are numerous models that endorse tactics to obtaining statistics from Android devices, this newsletter introduces four possible strategies that the DFI have to don’t forget when evidence amassing from Android gadgets.
A Bit of History of the Android OS
Android’s first industrial release changed into in September 2008 with model 1.0. Android is the open supply and ‘loose to use’ working gadget for mobile gadgets advanced by way of Google. Importantly, early on, Google and other hardware corporations formed the “Open Handset Alliance” (OHA) in 2007 to foster and aid the growth of the Android within the marketplace. The OHA now consists of 84 hardware groups which include giants like Samsung, HTC, and Motorola (to name a few). This alliance became set up to compete with businesses who had their personal marketplace offerings, which include competitive devices provided via Apple, Microsoft (Windows Phone 10 – that’s now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or no longer, the DFI ought to understand approximately the various versions of more than one operating machine platforms, specifically if their forensics recognition is in a particular realm, including mobile devices.
Linux and Android
The modern iteration of the Android OS is primarily based on Linux. Keep in mind that “based totally on Linux” does now not suggest the standard Linux apps will usually run on an Android and, conversely, the Android apps which you may enjoy (or are acquainted with) will now not always run on your Linux desktop. But Linux is not Android. To make clear the factor, please notice that Google selected the Linux kernel, the vital a part of the Linux running system, to manage the hardware chipset processing in order that Google’s builders would not be worried about the specifics of ways processing takes place on a given set of hardware. This lets in their builders to awareness at the broader operating gadget layer and the person interface features of the Android OS.
A Large Market Share
The Android OS has a big marketplace share of the cellular device marketplace, basically because of its open-source nature. An extra of 328 million Android devices had been shipped as of the 0.33 quarter in 2016. And, consistent with netwmarketshare.Com, the Android operating gadget had the bulk of installations in 2017 — almost 67% — as of this writing.
As a DFI, we are able to anticipate to come upon Android-based total hardware within the direction of a typical investigation. Due to the open supply nature of the Android OS along with the numerous hardware structures from Samsung, Motorola, HTC, and so on., the sort of mixtures among hardware type and OS implementation offers an extra challenge. Consider that Android is presently at version 7.1.1, yet every smartphone producer and cellular device provider will commonly adjust the OS for the precise hardware and carrier services, giving an extra layer of complexity for the DFI, because the method to records acquisition may range.
Before we dig deeper into additional attributes of the Android OS that complicate the approach to records acquisition, let’s observe the concept of a ROM version so as to be carried out to an Android tool. As an overview, a ROM (Read Only Memory) software is low-degree programming this is near the kernel degree, and the unique ROM application is frequently known as firmware. If you watched in terms of a pill in comparison to a mobile phone, the pill could have exceptional ROM programming as contrasted to a mobile cellphone, because hardware capabilities between the pill and cell phone will be extraordinary, although both hardware gadgets are from the equal hardware producer. Complicating the need for more specifics within the ROM program, add within the particular requirements of cellular provider carriers (Verizon, AT&T, and many others.).
While there are commonalities of obtaining information from a cellular telephone, no longer all Android gadgets are identical, in particular in mind that there are fourteen principal Android OS releases available on the market (from variations 1.0 to 7.1.1), more than one providers with model-precise ROMs, and further infinite custom user-complied versions (patron ROMs). The ‘consumer compiled variants’ also are model-unique ROMs. In popular, the ROM-stage updates applied to every wi-fi tool will contain running and device fundamental packages that work for a particular hardware tool, for a given seller (as an instance your Samsung S7 from Verizon), and for a particular implementation.
Even although there’s no ‘silver bullet’ method to investigating any Android device, the forensics research of an Android tool need to comply with the same trendy manner for the collection of proof, requiring a structured manner and approach that deal with the investigation, seizure, isolation, acquisition, examination, and evaluation, and reporting for any digital proof. When a request to look at a device is received, the DFI begins with planning and instruction to include the requisite method of acquiring gadgets, the vital office work to aid and report the chain of custody, the improvement of a motive announcement for the examination, the detailing of the device model (and different precise attributes of the obtained hardware), and a listing or description of the data the requestor is seeking to acquire.
Unique Challenges of Acquisition
Mobile gadgets, including mobile phones, capsules, and so on., face precise challenges at some stage in evidence seizure. Since battery life is restricted on cellular devices and it is not normally endorsed that a charger is inserted into a tool, the isolation level of evidence amassing can be a critical country in obtaining the device. Confounding proper acquisition, the cell statistics, WiFi connectivity, and Bluetooth connectivity should additionally be blanketed in the investigator’s awareness in the course of acquisition. Android has many security capabilities built into the telephone. The lock-display screen characteristic can be set as PIN, password, drawing a pattern, facial recognition, location recognition, depending on on-device popularity, and biometrics together with fingerprints. An expected 70% of customers do use a few kinds of security protection on their smartphone. Critically, there is an available software program that the user may additionally have downloaded, which could deliver them the capability to wipe the telephone remotely, complicating acquisition.
It is not going throughout the seizure of the cell tool that the screen might be unlocked. If the device isn’t locked, the DFI’s examination could be simpler due to the fact the DFI can exchange the settings on the phone right away. If get entry to is permitted to the cellular cellphone, disable the lock-display and exchange the display screen timeout to its maximum fee (which may be as much as 30 minutes for a few gadgets). Keep in thoughts that of key importance is to isolate the smartphone from any Internet connections to save you far-flung wiping of the tool. Place the phone in Airplane mode. Attach an outside energy supply to the telephone after it has been positioned in a static-free bag designed to block radiofrequency alerts. Once comfortable, you need to later be able to permit USB debugging, in order to permit the Android Debug Bridge (ADB) which could provide good facts seize. While it could be essential to examine the artifacts of RAM on a cell tool, this is not going to take place.
Acquiring the Android Data
Copying a difficult-power from a computing device or pc computer in a forensically-sound way is trivial compared to the records extraction strategies wished for mobile tool facts acquisition. Generally, DFIs have geared up physical get entry to a tough-power with no limitations, allowing for a hardware replica or software program bit circulation picture to be created. Mobile devices have their records saved interior of the cellphone in difficult-to-reach locations. Extraction of records via the USB port can be a mission, however, can be achieved with care and luck on Android gadgets.
After the Android tool has been seized and is secure, it is time to take a look at the telephone. There are numerous statistics acquisition techniques to be had for Android and that they vary extensively. This article introduces and discusses four of the primary methods to method records acquisition. These 5 methods are mentioned and summarized below:
1. Send the device to the producer: You can ship the device to the producer for statistics extraction, so one can cost extra time and money, however, can be important if you do now not have the precise talent set for a given tool nor the time to learn. In particular, as mentioned earlier, Android has a plethora of OS versions based totally on the producer and ROM version, including to the complexity of acquisition. Manufacturer’s typically made this service available to government corporations and law enforcement for most home gadgets, so if you’re an unbiased contractor, you will want to check with the manufacturer or gain support from the enterprise that you are operating with. Also, the producer research alternative may not be available for several worldwide fashions (just like the many no-name Chinese phones that proliferate the market – think of the ‘disposable smartphone’).
2. Direct bodily acquisition of the data. One of the guidelines of a DFI investigation is to in no way to regulate the statistics. The physical acquisition of data from a cellular phone needs to bear in mind the equal strict procedures of verifying and documenting that the bodily technique used will now not alter any statistics at the device. Further, as soon as the device is connected, the jogging of hash totals is essential. Physical acquisition permits the DFI to achieve a full picture of the tool using a USB wire and forensic software program (at this point, you need to be taking into consideration write blocks to prevent any changing of the data). Connecting to a cell cellphone and grabbing an image simply isn’t as smooth and clear as pulling information from a tough pressure on a desktop pc. The hassle is that depending on your chosen forensic acquisition device, the precise make and model of the smartphone, the carrier, the Android OS version, the person’s settings on the phone, the foundation reputation of the device, the lock status, if the PIN code is thought, and if the USB debugging alternative is enabled on the tool, you may no longer be able to accumulate the records from the tool beneath investigation. Simply put, physical acquisition ends up in the realm of ‘simply attempting it’ to look what you get and can appear to the courtroom (or opposing facet) as an unstructured manner to gather facts, which could location the facts acquisition at risk.
Three. JTAG forensics (a version of bodily acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is an extra advanced manner of facts acquisition. It is essentially a physical approach that entails cabling and connecting to Test Access Ports (TAPs) at the device and the usage of processing commands to invoke a switch of the uncooked facts saved in memory. Raw facts are pulled at once from the linked tool the usage of a unique JTAG cable. This is considered to be low-level records acquisition considering the fact that there is no conversion or interpretation and is just like a bit-copy that is done when acquiring evidence from a computer or laptop computer difficult drive. JTAG acquisition can frequently be achieved for locked, damaged and inaccessible (locked) devices. Since it is a low-level reproduction, if the tool became encrypted (whether via the user or by way of the unique producer, inclusive of Samsung and a few Nexus devices), the acquired data will still need to be decrypted. But since Google decided to take away complete-device encryption with the Android OS five.Zero launches, the whole-tool encryption limitation is a piece narrowed, except the user has decided to encrypt their tool. After JTAG statistics is acquired from an Android tool, the acquired facts can be further inspected and analyzed with equipment consisting of 3zx (hyperlink: http://z3x-crew.Com/ ) or Belkasoft (link: https://belkasoft.Com/ ). Using JTAG tools will automatically extract key virtual forensic artifacts along with call logs, contacts, location statistics, browsing records and plenty greater.
4. Chip-off acquisition. This acquisition technique calls for the elimination of reminiscence chips from the device. Produces raw binary dumps. Again, this is taken into consideration an advanced, low-degree acquisition and will require de-soldering of memory chips the use of fantastically specialized tools to cast off the chips and other specialized gadgets to read the chips. Like the JTAG forensics mentioned above, the DFI dangers that the chip contents are encrypted. But if the information is not encrypted, a chunk copy may be extracted as a raw image. The DFI will want to contend with block address remapping, fragmentation and, if a gift, encryption. Also, numerous Android tool manufacturers, like Samsung, enforce encryption which can not be bypassed all through or after the chip-off acquisition has been completed, despite the fact that the proper passcode is known. Due to the get entry to problems with encrypted gadgets, chip off is confined to unencrypted devices.
Five. Over-the-air Data Acquisition. We are each conscious that Google has mastered information series. Google is understood for retaining big amounts from cellular phones, drugs, laptops, computers and other gadgets from various working machine sorts. If the user has a Google account, the DFI can access, download, and examine all facts for the given person beneath their Google consumer account, with right permission from Google. This includes downloading data from the user’s Google Account. Currently, there are not any complete cloud backups to be had to Android customers. Data that can be examined encompass Gmail, touch statistics, Google Drive data (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android gadgets, (where place history for each device may be reviewed), and much greater.
The five strategies mentioned above isn’t always a comprehensive listing. A regularly-repeated observe surfaces about records acquisition – while working on a mobile device, proper and correct documentation is important. Further, documentation of the processes and approaches used as well as adhering to the chain of custody strategies which you’ve hooked up will make certain that proof gathered can be ‘forensically sound.’
As discussed in this article, cell tool forensics and specifically the Android OS is different from the conventional digital forensic procedures used for laptop and desktop computers. While the personal pc is without problems secured, the garage may be effortlessly copied, and the tool may be saved, safe acquisition of cellular gadgets and data may be and frequently is tricky. A based approach to acquiring the mobile device and a deliberate technique for statistics acquisition is essential. As cited above, the five strategies introduced will allow the DFI to benefit get right of entry to the tool. However, there are numerous extra methods not discussed in this text. Additional research and device user via the DFI can be important.