An Introduction to Forensics Data Acquisition From Android Mobile Devices

The role of a Digital Forensics Investigator (DFI) is rife with non-stop learning opportunities, particularly as technology expands and proliferates into every corner of communications, entertainment, and business. As DFIs, we cope with each day's onslaught of new devices. Like the smartphone or tablet, many of those devices run common operating systems that we need to be familiar with. Certainly, the Android OS is the most important part of the tablet and cell phone industry. Given the predominance of the Android OS in the mobile device marketplace, DFIs will run into Android devices in many investigations. While several models suggest approaches to acquiring data from Android devices, this article introduces four feasible techniques that the DFI should consider when examining Android devices.

A Bit of History of the Android OS

Android's first commercial release was in September 2008 with version 1.0. Android is an open-source, free-to-use operating system for mobile devices developed by Google. Importantly, early on, Google and other hardware companies formed the "Open Handset Alliance" (OHA) in 2007 to foster and support Android's growth in the market. The OHA now includes 84 hardware companies, including giants like Samsung, HTC, and Motorola (to name a few). This alliance was established to compete with other companies' offerings in the marketplace, including competing devices from Apple, Microsoft (Windows Phone 10, now reportedly dead in the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct, the DFI has to understand the various versions of multiple operating system platforms, particularly if their forensic focus is in a particular area of mobile devices.

Linux and Android

The current generation of the Android OS is based on Linux. Keep in mind that "based on Linux" does not mean the usual Linux apps will always run on an Android device, and conversely, the Android apps that you might enjoy (or are familiar with) will not necessarily run on your Linux desktop. Linux isn't Android. To clarify: Google selected the Linux kernel, the core part of the Linux operating system, to manage the hardware chipset processing so that Google's developers wouldn't need to be concerned with the specifics of how processing happens on a given piece of hardware. This allows their developers to focus on the broader operating system layer and the user interface features of the Android OS.

A Large Market Share

The Android OS has a tremendous market share in the mobile device marketplace, primarily because of its open-source nature. As of the third quarter of 2016, over 328 million Android devices had been shipped. According to netmarketshare.com, the Android operating system had the majority of installations in 2017, almost 67%, as of this writing.

As DFIs, we can expect that Android-based hardware will be encountered routinely in the course of a typical investigation. Because of the open-source nature of the Android OS and the various hardware platforms from Samsung, Motorola, HTC, and so on, the variety of combinations between hardware types and OS implementations is a further challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile device vendor will modify the OS for their specific hardware and service offerings, giving the DFI an extra layer of complexity because the method of data acquisition may vary.

Before we dig deeper into the additional attributes of the Android OS that complicate the approach to data acquisition, let's look at the concept of a ROM version being applied. In outline, a ROM (Read Only Memory) program is low-level programming close to the kernel level, and the specific ROM program is often called firmware. Think of a tablet in comparison to a cell phone: the tablet will have different ROM programming than a comparable cell phone, since the hardware features of tablets and cell phones differ, even when both devices come from the same manufacturer. Complicating the need for more specifics in the ROM program, add the particular requirements of cell service carriers (Verizon, AT&T, etc.).

While there are commonalities in acquiring data from a cell phone, not all Android devices are identical. Keep in mind that there are fourteen major Android OS releases in the marketplace (from versions 1.0 to 7.1.1), multiple vendors with model-specific ROMs, and further countless custom user-compiled variants (customer ROMs). The "customer compiled variants" are also model-specific ROMs. The ROM-level updates applied to each wireless device will contain the operating and system base applications that work for a particular hardware device, for a given vendor (such as your Samsung S7 from Verizon), for a specific implementation.

Even though there is no "silver bullet" strategy for investigating any Android device, the forensic investigation of an Android device should follow the same general method for the collection of evidence, requiring a structured process and procedure that covers investigation, seizure, isolation, acquisition, examination and analysis, and reporting for any digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation, which includes the required procedure for receiving devices, the necessary paperwork to support and record the chain of custody, the development of a purpose statement for the examination, the detailing of the device model (and other specific attributes of the acquired hardware), and a list or description of the data the requestor is seeking to collect.

Unique Challenges of Acquisition

Mobile devices, including cell phones, tablets, etc., present unique challenges during an evidence seizure. Since battery life is limited on mobile devices and it isn't generally recommended that a charger be plugged into a device, the isolation stage of evidence gathering can be critical when acquiring the device. Confounding proper acquisition, cellular data, WiFi connectivity, and Bluetooth connectivity must all be within the investigator's focus during acquisition. Android has many security features built into the phone. The lock-screen feature can be set as a PIN, password, pattern drawing, facial recognition, location recognition, on-device recognition, biometrics, and fingerprints. An estimated 70% of users use some protection and security measures on their phones. Critically, the user may also have downloaded an application that gives them the ability to wipe the cell phone remotely, complicating acquisition.

It is unlikely that at the time of the mobile device's seizure the screen will be unlocked. If the device isn't locked, the DFI's examination will be easier because the DFI can promptly change the phone's settings. If you have access to the unlocked phone, turn off the lock screen and change the display timeout to its highest value (which can be up to 30 minutes for some devices). Remember that one of the key priorities is to isolate the phone from any Internet connection to prevent remote wiping of the device. Place the phone in Airplane mode. Attach an external power supply to the phone after it has been placed in a static-free bag designed to block radio frequency signals. Once secured, you should be able to enable USB debugging later to allow the Android Debug Bridge (ADB), which can provide good data capture. Keep in mind that analyzing RAM artifacts on a mobile device can be critical, but it will not always be possible.
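As an added example (not code from the original article), the following Python script shows how an examiner might record the device attributes the planning stage calls for (manufacturer, model, Android version, build and ROM fingerprint, carrier) and confirm the isolation steps above (airplane mode, display timeout, USB debugging) from ADB output, then hash the resulting record so that later tampering with the chain-of-custody notes is detectable. The commands `adb shell getprop` and `adb shell settings get <namespace> <key>` are real ADB commands, and the property and setting names used are standard Android ones, but the script parses constructed sample output embedded inline so it runs without a device; the model, serial, build id and fingerprint values are invented for the example. The `ro.build.tags` check is a heuristic for spotting a custom (user-compiled) ROM, which is commonly signed with test-keys rather than release-keys, not a definitive test.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of `adb shell getprop` output, in the tool's
# "[name]: [value]" line format. All values are invented for this example.
SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-G930V]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.id]: [NRD90M]
[ro.build.fingerprint]: [samsung/heroqltevzw/heroqltevzw:7.0/NRD90M/EXAMPLE:user/release-keys]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[gsm.sim.operator.alpha]: [Verizon]
[ro.serialno]: [EXAMPLESERIAL01]
"""

# Constructed sample results of `adb shell settings get <namespace> <key>`
# for the three isolation-related settings checked below.
SAMPLE_SETTINGS = {
    "global airplane_mode_on": "1",
    "global adb_enabled": "1",
    "system screen_off_timeout": "1800000",  # milliseconds
}


def parse_getprop(text):
    """Parse getprop's '[key]: [value]' lines into a dict; skip anything else."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def device_identification(props):
    """Collect the attributes recorded in the examination plan."""
    return {
        "manufacturer": props.get("ro.product.manufacturer", "unknown"),
        "model": props.get("ro.product.model", "unknown"),
        "serial": props.get("ro.serialno", "unknown"),
        "android_version": props.get("ro.build.version.release", "unknown"),
        "sdk": props.get("ro.build.version.sdk", "unknown"),
        "build_id": props.get("ro.build.id", "unknown"),
        "fingerprint": props.get("ro.build.fingerprint", "unknown"),
        "carrier": props.get("gsm.sim.operator.alpha", "unknown"),
        # Heuristic: stock firmware is normally signed with release-keys;
        # test-keys suggests a user-compiled ROM.
        "release_keys": props.get("ro.build.tags") == "release-keys",
    }


def isolation_checks(settings):
    """Report which isolation steps the device settings confirm."""
    timeout_ms = int(settings.get("system screen_off_timeout", "0"))
    return {
        "airplane_mode": settings.get("global airplane_mode_on") == "1",
        "usb_debugging": settings.get("global adb_enabled") == "1",
        "screen_timeout_minutes": timeout_ms // 60000,
    }


def _canonical_hash(record):
    """SHA-256 over a canonical JSON form, excluding the hash field itself."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def custody_record(props, settings, examiner, when=None):
    """Build a chain-of-custody record and seal it with a SHA-256 digest."""
    record = {
        "examiner": examiner,
        "recorded_at": (when or datetime.now(timezone.utc)).isoformat(),
        "device": device_identification(props),
        "isolation": isolation_checks(settings),
    }
    record["sha256"] = _canonical_hash(record)
    return record


def verify_record(record):
    """True if the record's digest still matches its contents."""
    return record.get("sha256") == _canonical_hash(record)


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    rec = custody_record(props, SAMPLE_SETTINGS, examiner="J. Doe (constructed)")
    print(json.dumps(rec, indent=2))
    print("record intact:", verify_record(rec))
```

On a real device the two sample inputs would come from `adb shell getprop` and one `adb shell settings get` call per setting once USB debugging has been enabled; writing the sealed record to the case file at that point gives the examiner a fixed reference that any later edit of the notes will fail to verify against.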

Acquiring the Android Data

Copying a hard drive from a laptop or PC in a forensically sound manner is trivial compared to the data extraction techniques used for mobile device data acquisition. Generally, DFIs have ready physical access to a hard drive with no barriers, allowing a hardware copy or software bit-stream image to be created. Mobile devices have their data stored inside the phone in hard-to-reach locations. Extraction of data via the USB port can be a challenge, but it can be accomplished with care and luck on Android devices.

After the Android device is seized and secured, it is time to examine the phone. There are several data acquisition techniques available for Android, and they vary widely. This article introduces and discusses four of the primary methods of data acquisition. These techniques are listed and summarized below:

1. Send the device to the manufacturer: You can send the device to the manufacturer for data extraction if you are willing to spend extra time and money, but it may be necessary if you do not have the specific skill set for a given device or the time to learn it. As noted earlier, Android has many OS versions that depend on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturers typically make this service available to government agencies and law enforcement for most domestic devices, so if you're an independent contractor, you'll need to check with the manufacturer or obtain support from the organization you are working with. The manufacturer examination option may not be available for several international models (like the many no-name Chinese phones that flood the market; think of the "disposable phone").

John R. Wright