An Introduction to Forensics Data Acquisition From Android Mobile Devices

The role of a Digital Forensics Investigator (DFI) is rife with continuous learning opportunities, especially as technology expands and proliferates into every corner of communications, entertainment, and business. As DFIs, we deal with a daily onslaught of new devices. Like the cell phone or tablet, many of these devices use common operating systems that we need to be familiar with. Certainly, the Android OS is predominant in the tablet and cell phone industry. Given the predominance of the Android OS in the mobile device market, DFIs will run into Android devices in the course of many investigations. While several models suggest approaches to acquiring data from Android devices, this article introduces four viable methods that the DFI should consider when gathering evidence from Android devices.

A Bit of History of the Android OS

Android’s first commercial release was in September 2008 with version 1.0. Android is the open source and ‘free to use’ operating system for mobile devices developed by Google. Importantly, early on, Google and other hardware companies formed the “Open Handset Alliance” (OHA) in 2007 to foster and support the growth of Android in the marketplace. The OHA now consists of 84 hardware companies, including giants like Samsung, HTC, and Motorola (to name a few). This alliance was established to compete with companies that had their own market offerings, such as competitive devices offered by Apple, Microsoft (Windows Phone 10, which is now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct or not, the DFI must know about the various versions of multiple operating system platforms, especially if their forensics focus is in a particular realm, such as mobile devices.

Linux and Android

The current iteration of the Android OS is based on Linux. Keep in mind that “based on Linux” does not mean that the usual Linux apps will always run on an Android and, conversely, the Android apps that you might enjoy (or are familiar with) will not necessarily run on your Linux desktop. Linux is not Android. To clarify the point, note that Google selected the Linux kernel, the essential part of the Linux operating system, to manage the hardware chipset processing, so that Google’s developers would not have to be concerned with the specifics of how processing occurs on a given set of hardware. This lets their developers focus on the broader operating system layer and the user interface features of the Android OS.


A Large Market Share

The Android OS has a large share of the mobile device market, primarily because of its open-source nature. In excess of 328 million Android devices were shipped as of the third quarter of 2016. And, according to netwmarketshare.com, the Android operating system had the bulk of installations in 2017, almost 67%, as of this writing.

As DFIs, we can expect to encounter Android-based hardware in the course of a typical investigation. Due to the open source nature of the Android OS and the varied hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware type and OS implementation presents an additional challenge. Consider that Android is currently at version 7.1.1. Yet each phone manufacturer and mobile device supplier will typically modify the OS for the specific hardware and service offerings, giving an additional layer of complexity for the DFI, since the approach to data acquisition may vary.

Before we dig deeper into additional attributes of the Android OS that complicate the approach to data acquisition, let’s look at the concept of a ROM version that will be applied to an Android device. As an overview, a ROM (Read Only Memory) program is low-level programming that is close to the kernel level, and the unique ROM program is often called firmware. If you think in terms of a tablet in contrast to a cell phone, the tablet will have different ROM programming than the cell phone, since the hardware features of the tablet and cell phone will be different, even if both hardware devices are from the same hardware manufacturer. Complicating the need for more specifics in the ROM program, add in the specific requirements of cell service carriers (Verizon, AT&T, etc.).

While there are commonalities in acquiring data from a cell phone, not all Android devices are equal, especially considering that there are fourteen major Android OS releases on the market (from versions 1.0 to 7.1.1), multiple carriers with model-specific ROMs, and countless additional custom user-compiled versions (customer ROMs). The ‘customer compiled editions’ are also model-specific ROMs. In general, the ROM-level updates applied to each wireless device will contain operating and system basic applications that work for a particular hardware device, for a given vendor (for example, your Samsung S7 from Verizon), and for a particular implementation.

Even though there is no ‘silver bullet’ solution to investigating any Android device, the forensics investigation of an Android device should follow the same general process for the collection of evidence, requiring a structured process and approach that address the investigation, seizure, isolation, acquisition, examination and analysis, and reporting for any digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation, which include the requisite method of acquiring devices, the necessary paperwork to support and document the chain of custody, the development of a purpose statement for the examination, the detailing of the device model (and other specific attributes of the acquired hardware), and a list or description of the information the requestor is seeking to acquire.

Unique Challenges of Acquisition

Mobile devices, including cell phones, tablets, etc., face unique challenges during evidence seizure. Since battery life is limited on mobile devices and it is not typically recommended that a charger be inserted into a device, the isolation stage of evidence gathering can be a critical state in acquiring the device. Confounding proper acquisition, the cellular data, WiFi connectivity, and Bluetooth connectivity should also be included in the investigator’s focus during acquisition. Android has many security features built into the phone. The lock-screen feature can be set as PIN, password, drawing a pattern, facial recognition, location recognition, trusted-device recognition, and biometrics such as fingerprints. An estimated 70% of users do use some type of security protection on their phone. Critically, there is available software that the user may have downloaded which can give them the ability to wipe the phone remotely, complicating acquisition.

It is unlikely during the seizure of the mobile device that the screen will be unlocked. If the device is not locked, the DFI’s examination will be easier because the DFI can change the settings in the phone promptly. With access to the cell phone, disable the lock-screen and change the screen timeout to its maximum value (which can be up to 30 minutes for some devices). Keep in mind that of key importance is to isolate the phone from any Internet connections to prevent remote wiping of the device. Place the phone in Airplane mode. Attach an external power supply to the phone after it has been placed in a static-free bag designed to block radiofrequency signals. Once secure, you should later be able to enable USB debugging, which will allow the Android Debug Bridge (ADB) that can provide good data capture. While it may be important to examine the artifacts of RAM on a mobile device, this is unlikely to happen.

Acquiring the Android Data


Copying a hard drive from a desktop or laptop computer in a forensically sound manner is trivial compared to the data extraction methods needed for mobile device data acquisition. Generally, DFIs have ready physical access to a hard drive with no barriers, allowing for a hardware copy or software bit stream image to be created. Mobile devices have their data stored inside the phone in difficult-to-reach places. Extraction of data through the USB port can be a challenge, but can be accomplished with care and luck on Android devices.

After the Android device has been seized and is secure, it is time to examine the phone. There are several data acquisition methods available for Android, and they differ drastically. This article introduces and discusses four of the primary ways to approach data acquisition. These five methods are noted and summarized below:

1. Send the device to the manufacturer: You can send the device to the manufacturer for data extraction, which will cost extra time and money, but may be necessary if you do not have the particular skill set for a given device or the time to learn. In particular, as noted earlier, Android has a plethora of OS versions based on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturers generally make this service available to government agencies and law enforcement for most domestic devices, so if you’re an independent contractor, you will need to check with the manufacturer or gain support from the organization that you are working with. Also, the manufacturer investigation option may not be available for several international models (like the many no-name Chinese phones that proliferate the market; think of the ‘disposable phone’).

2. Direct physical acquisition of the data. One of the rules of a DFI investigation is to never alter the data. The physical acquisition of data from a cell phone must take into account the same strict processes of verifying and documenting that the physical method used will not alter any data on the device. Further, once the device is connected, the running of hash totals is necessary. Physical acquisition allows the DFI to obtain a full image of the device using a USB cord and forensic software (at this point, you should be thinking of write blocks to prevent any altering of the data).

Connecting to a cell phone and grabbing an image just isn’t as clean and clear as pulling data from a hard drive on a desktop computer. The problem is that depending on your chosen forensic acquisition tool, the particular make and model of the phone, the carrier, the Android OS version, the user’s settings on the phone, the root status of the device, the lock status, whether the PIN code is known, and whether the USB debugging option is enabled on the device, you may not be able to acquire the data from the device under investigation. Simply put, physical acquisition ends up in the realm of ‘just trying it’ to see what you get, and may appear to the court (or opposing side) as an unstructured way to gather data, which can place the data acquisition at risk.

3. JTAG forensics (a variation of physical acquisition noted above). As a definition, JTAG (Joint Test Action Group) forensics is a more advanced method of data acquisition. It is essentially a physical method that involves cabling and connecting to Test Access Ports (TAPs) on the device and using processing instructions to invoke a transfer of the raw data stored in memory. Raw data is pulled directly from the connected device using a special JTAG cable. This is considered low-level data acquisition since there is no conversion or interpretation, and it is similar to a bit-copy done when acquiring evidence from a desktop or laptop computer hard drive.

JTAG acquisition can often be done for locked, damaged, and inaccessible (locked) devices. Since it is a low-level copy, if the device was encrypted (whether by the user or by the particular manufacturer, such as Samsung and some Nexus devices), the acquired data will still need to be decrypted. But since Google decided to do away with whole-device encryption with the Android OS 5.0 release, the whole-device encryption limitation is a bit narrowed, unless the user has chosen to encrypt their device. After JTAG data is acquired from an Android device, the acquired data can be further inspected and analyzed with tools such as 3zx (link: http://z3x-crew.com/ ) or Belkasoft (link: https://belkasoft.com/ ). Using JTAG tools will automatically extract key digital forensic artifacts including call logs, contacts, location data, browsing history, and a lot more.


4. Chip-off acquisition. This acquisition technique requires the removal of memory chips from the device and produces raw binary dumps. Again, this is considered an advanced, low-level acquisition and will require de-soldering of memory chips using highly specialized tools to remove the chips and other specialized devices to read the chips. Like the JTAG forensics noted above, the DFI risks that the chip contents are encrypted. But if the information is not encrypted, a bit copy can be extracted as a raw image. The DFI will need to contend with block address remapping, fragmentation, and, if present, encryption. Also, several Android device manufacturers, like Samsung, enforce encryption that cannot be bypassed during or after the chip-off acquisition has been completed, even if the correct passcode is known. Due to the access issues with encrypted devices, chip-off is limited to unencrypted devices.

5. Over-the-air Data Acquisition. We are each aware that Google has mastered data collection. Google is known for maintaining massive amounts of data from cell phones, tablets, laptops, computers, and other devices from various operating system types. If the user has a Google account, the DFI can access, download, and analyze all information for the given user under their Google user account, with proper permission from Google. This involves downloading information from the user’s Google Account. Currently, there are no full cloud backups available to Android users. Data that can be examined include Gmail, contact information, Google Drive data (which can be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android devices (where location history for each device can be reviewed), and much more.

The five methods noted above are not a comprehensive list. An often-repeated note surfaces about data acquisition: when working on a mobile device, proper and accurate documentation is essential. Further, documentation of the processes and procedures used, as well as adhering to the chain of custody processes that you’ve established, will ensure that evidence collected will be ‘forensically sound.’
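As an added illustration (not code from this article), the sketch below ties together the device attributes the DFI is asked to document and the hash totals called for under method 2: it parses `adb shell getprop` output into an acquisition record, hashes the image in chunks, and later re-verifies a working copy. The sample getprop text, the examiner label, and the record field names are constructed for the example.

```python
import hashlib
import re

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-G930V]
[ro.build.version.release]: [7.0]
[ro.crypto.state]: [encrypted]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
# Record field names on the right are this example's own choice.
WANTED = {
    "ro.product.manufacturer": "manufacturer",
    "ro.product.model": "model",
    "ro.build.version.release": "android_version",
    "ro.crypto.state": "crypto_state",
}

def parse_getprop(text):
    """Turn getprop lines of the form '[key]: [value]' into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a large image in chunks so it never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def acquisition_record(getprop_text, image_stream, examiner):
    """Build the documentation entry: device attributes plus image hash."""
    props = parse_getprop(getprop_text)
    record = {field: props.get(key, "unknown") for key, field in WANTED.items()}
    record["examiner"] = examiner
    record["image_sha256"] = sha256_stream(image_stream)
    return record

def verify_image(record, image_stream):
    """Re-hash a working copy and compare it with the recorded hash."""
    return sha256_stream(image_stream) == record["image_sha256"]
```

Open the acquired image with `open(path, "rb")` and pass the file object as `image_stream`; a `crypto_state` of `encrypted` in the record flags early that a JTAG or chip-off dump would still need decryption.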


As discussed in this article, mobile device forensics, and in particular the Android OS, is different from the traditional digital forensic processes used for laptop and desktop computers. While the personal computer is easily secured, storage can be readily copied, and the device can be stored, safe acquisition of mobile devices and data can be and often is problematic. A structured approach to acquiring the mobile device and a planned approach for data acquisition is necessary. As noted above, the five methods introduced will allow the DFI to gain access to the device. However, there are several additional methods not discussed in this article. Additional research and tool use by the DFI will be necessary.
