The role of a Digital Forensics Investigator (DFI) is rife with non-stop mastering opportunities, especially as generation expands and proliferates into every nook of communications, leisure, and enterprise. As a DFI, we address a daily onslaught of the latest devices. Like the cellular telephone or pill, many gadgets use common running structures with which we want to be acquainted. Certainly, the Android OS is predominant in the tablet and mobile phone industry. Given the predominance of the Android OS in the cell device marketplace, DFIs will run into Android gadgets in the direction of many investigations. While numerous models endorse tactics for obtaining statistics from Android devices, this newsletter introduces four possible strategies that the DFI must remember when evidence is amassing from Android gadgets.
A Bit of History of the Android OS
Android’s first industrial release changed in September 2008 with model 1.0. Android is the open supply and ‘loose to use’ working gadget for mobile gadgets advanced by Google. Importantly, early on, Google and other hardware corporations formed the “Open Handset Alliance” (OHA) in 2007 to foster and aid the growth of Android within the marketplace. The OHA now consists of 84 hardware groups, including giants like Samsung, HTC, and Motorola (to name a few). This alliance became set up to compete with businesses regarding their marketplace offerings, including competitive devices provided via Apple, Microsoft (Windows Phone 10 – now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct or no longer, the DFI ought to understand approximately the various versions of more than one operating machine platform, specifically if their forensics recognition is in a particular realm, including mobile devices.
Linux and Android
The modern iteration of the Android OS is primarily based on Linux. Remember that “based totally on Linux” does not suggest that the standard Linux apps will usually run on an Android; conversely, the Android apps you may enjoy (or are acquainted with) will not always run on your Linux desktop. But Linux is not Android. To clarify the factor, please note that Google selected the Linux kernel, the vital part of the Linux running system, to manage the hardware chipset processing. Google’s builders would not be worried about the specifics of ways processing takes place on a given set of hardware. This lets their builders know the broader operating gadget layer and the personal interface features of the Android OS.
Because of its open-source nature, the Android OS has a large market share in the cellular device marketplace. An extra 328 million Android devices had been shipped as of the 0.33 quarter of 2016. And, consistent with netwmarketshare.com, the Android operating gadget had the bulk of installations in 2017—almost 67%—as of this writing.
As a DFI, we can anticipate coming upon Android-based total hardware within the direction of a typical investigation. Due to the open supply nature of the Android OS and the numerous hardware structures from Samsung, Motorola, HTC, etc., the sort of mixtures among hardware type and OS implementation offers an extra challenge. Consider that Android is presently at version 7.1.1. Yet, every smartphone producer and cellular device provider will commonly adjust the OS for the precise hardware and carrier services, giving the DFI an extra layer of complexity because the method of records acquisition may vary.
Before we dig deeper into additional attributes of the Android OS that complicate the approach to records acquisition, let’s observe the concept of a ROM version to be carried out to an Android tool. As an overview, ROM (Read Only Memory) software is low-degree programming. This is near the kernel degree, and the unique ROM application is frequently known as firmware. Suppose you watched in terms of a pill in comparison to a mobile phone. In that case, the pill could have exceptional ROM programming compared to a mobile cellphone because the hardware capabilities between the pill and cell phone will be extraordinary. However, both hardware gadgets are from equal hardware producers. Complicating the need for more specifics within the ROM program, add within the particular requirements of cellular provider carriers (Verizon, AT&T, and many others.).
While there are commonalities in obtaining information from a cellular telephone, no longer all Android gadgets are identical, in particular in mind that there are fourteen principal Android OS releases available on the market (from variations 1.0 to 7.1.1), more than one provider with model-precise ROMs, and further infinite custom user-complied versions (patron ROMs). The ‘consumer compiled variants’ also are model-unique ROMs. In popular, the ROM-stage updates applied to every WiFi tool will contain running and device fundamental packages that work for a particular hardware tool, for a given seller (for instance, your Samsung S7 from Verizon), and for a specific implementation.
Even though there’s no ‘silver bullet’ method to investigating any Android device, the forensics research of an Android tool needs to comply with the same trendy manner for the collection of proof, requiring a structured manner and approach that deals with the investigation, seizure, isolation, acquisition, examination, and evaluation, and reporting for any digital proof. When a request to look at a device is received, the DFI begins with planning and instruction to include the requisite method of acquiring gadgets, the vital office work to aid and report the chain of custody, the improvement of a motive announcement for the examination, the detailing of the device model (and different precise attributes of the obtained hardware), and a listing or description of the data the requestor is seeking to acquire.
Unique Challenges of Acquisition
Mobile gadgets, including mobile phones, capsules, etc., face precise challenges at some stage in evidence seizure. Since battery life is restricted on cellular devices and it is not normally endorsed that a charger is inserted into a tool, the isolation level of evidence amassing can be critical in obtaining the device. Confounding proper acquisition, the cell statistics, WiFi connectivity, and Bluetooth connectivity should also be blanketed in the investigator’s awareness of the acquisition. Android has many security capabilities built into the telephone. The lock-display screen characteristics can be set as PIN, password, drawing a pattern, facial recognition, location recognition, depending on on-device popularity, and biometrics together with fingerprints. An expected 70% of customers use some security protection on their smartphones. Critically, there is an available software program that the user may have downloaded, which could deliver them the capability to wipe the telephone remotely, complicating acquisition.
It is not going throughout the seizure of the cell tool that the screen might be unlocked. If the device isn’t locked, the DFI’s examination could be simpler because the DFI can exchange the settings on the phone right away. I enter the cellular cellphone, turn off the lock display, and exchange the display screen timeout to its maximum fee (which may be as much as 30 minutes for a few gadgets). Remember that the key importance is to isolate the smartphone from any Internet connections to save you from the far-flung wiping of the tool. Place the phone in Airplane mode. Attach an outside energy supply to the telephone after being positioned in a static-free bag to block radiofrequency alerts. Once comfortable, you must permit USB debugging later to allow the Android Debug Bridge (ADB), which could provide good facts. While it could be essential to examine the RAM artifacts on a cell tool, this will not take place.
Acquiring the Android Data
Copying difficult power from a computing device or PC in a forensically sound way is trivial compared to the records extraction strategies used for mobile tool facts acquisition. Generally, DFIs have geared up physical entry to a tough power with no limitations, allowing for a bit of circulation picture to be created by a hardware replica or software program. Mobile devices have their records saved on the interior of the cellphone in difficult-to-reach locations. Extraction of records via the USB port can be a mission. However, it can be achieved with care and luck on Android gadgets.
After the Android tool is seized and secure, it is time to look at the telephone. There are numerous statistics acquisition techniques to be had for Android, and they vary extensively. This article introduces and discusses four primary methods of records acquisition. These five methods are mentioned and summarized below:
1. Send the device to the producer: You can ship the device to the producer for statistics extraction, which costs extra time and money. However, it can be important not to have the precise talent set for a given tool or the time to learn. In particular, as mentioned earlier, Android has many OS versions based totally on the producer and ROM version, including the complexity of acquisition. Manufacturers typically make this service available to government corporations and law enforcement for most home gadgets, so if you’re an unbiased contractor, you will want to check with the manufacturer or gain support from the enterprise you are operating with. Also, the producer research alternative may not be available for several worldwide fashions (just like the many no-name Chinese phones that increase the market – think of the ‘disposable smartphone’).
2. Direct bodily acquisition of the data. One of the guidelines of a DFI investigation is to in no way to regulate the statistics. The physical acquisition of data from a cellular phone must bear in mind the equally strict procedures of verifying and documenting that the bodily technique used will not alter any device statistics. Further, as soon as the device is connected, the jogging of hash totals is essential. Physical acquisition permits the DFI to achieve a full picture of the tool using a USB wire and forensic software program (at this point, you need to consider writing blocks to prevent any changing of the data).
Connecting to a cell cellphone and grabbing an image isn’t as smooth and clear as pulling information from tough pressure on a desktop pc. The hassle is that depending on your chosen forensic acquisition device, the precise make and model of the smartphone, the carrier, the Android OS version, the person’s settings on the phone, the foundation reputation of the device, the lock status, if the PIN code is thought, and if the USB debugging alternative is enabled on the tool, you may no longer be able to accumulate the records from the tool beneath investigation. Put, physical acquisition ends up in the realm of ‘simply attempting it’ to look at what you get and appear to the courtroom (or opposing facet) in an unstructured manner to gather facts, which could locate the facts acquisition at risk.
Three. JTAG forensics (a version of bodily acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is an extra advanced acquisition method. It is essentially a physical approach that entails cabling and connecting to Test Access Ports (TAPs) at the device and processing commands to invoke a switch of the uncooked facts saved in memory. Raw facts are pulled from the linked tool using a unique JTAG cable. This is considered low-level records acquisition because there is no conversion or interpretation and is just like a bit-copy done when acquiring evidence from a computer or laptop hard drive.
JTAG acquisition can frequently be achieved for locked, damaged, and inaccessible (locked) devices. Since it is a low-level reproduction, the acquired data will still need to be decrypted if the tool becomes encrypted (whether via the user or the unique producer, including Samsung and a few Nexus devices). Since Google decided to remove complete-device encryption with the Android OS 5. Zero launches, the whole-tool encryption limitation is a piece narrowed, except the user has decided to encrypt their tool. After JTAG statistics are acquired from an Android tool, the acquired facts can be further inspected and analyzed with equipment consisting of 3zx (hyperlink: http://z3x-crew.Com/ ) or Belkasoft (link: https://belkasoft.Com/ ). JTAG tools will automatically extract key virtual forensic artifacts along with call logs, contacts, location statistics, browsing records, and plenty more.
4. Chip-off acquisition. This acquisition technique calls for the elimination of reminiscence chips from the device. Produces raw binary dumps. Again, this is considered an advanced, low-degree acquisition and will require the de-soldering of memory chips, the use of very specialized tools to cast off the chips, and other specialized gadgets to read the chips. Like the JTAG forensics mentioned above, the DFI dangers that the chip contents are encrypted. However, if the information is not encrypted, a chunk copy may be extracted as a raw image. The DFI will want to contend with block address remapping, fragmentation, and, if a gift, encryption. Also, numerous Android tool manufacturers, like Samsung, enforce encryption that can not be bypassed through or after the chip-off acquisition has been completed, even though the proper passcode is known. Due to the get entry to problems with encrypted gadgets, chip-off is confined to unencrypted devices.
Five. Over-the-air Data Acquisition. We are each conscious that Google has mastered information series. Google is understood to retain large numbers of cellular phones, drugs, laptops, computers, and other gadgets from various working machines. If the user has a Google account, the DFI can access, download, and examine all facts for the given person beneath their Google consumer account, with the right permission from Google. This includes downloading data from the user’s Google Account. Currently, Android customers do not have any complete cloud backups. Data that can be examined include Gmail, touch statistics, Google Drive data (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android gadgets (where place history for each device may be reviewed), and much more.
The five strategies mentioned above aren’t always comprehensive. A regularly repeated observation surfaces about records acquisition: proper and correct documentation is important- while working on a mobile device. Further, documentation of the processes and approaches used and adhering to the chain of custody strategies you’ve hooked up will ensure that the proof gathered can be ‘forensically sound.’
Conclusion
As discussed in this article, cell tool forensics and Android OS differ from the conventional digital forensic procedures used for laptop and desktop computers. While the personal PC is without problems, the garage may be effortlessly copied, and the tool may be saved, so the safe acquisition of cellular gadgets and data may be and frequently is tricky. A based approach to acquiring the mobile device and a deliberate technique for statistics acquisition is essential. As cited above, the five strategies introduced will allow the DFI to benefit from getting the right of entry to the tool. However, numerous other methods are not discussed in this text. Additional research and device users via the DFI can be important.
