The role that a Digital Forensics Investigator (DFI) is rife with non-stop learning possibilities, in particular as technology expands and proliferates into every nook of communications, entertainment, and business. As a DFI, we cope with each day’s onslaught of new devices. Like the cell smartphone or tablet, many of those devices use common working structures that we want to be familiar with. Certainly, the Android OS is most important within the pill and cell cellphone enterprise. Given the predominance of the Android OS inside the mobile device marketplace, DFIs will run into Android devices in many investigations. While several fashions advise tactics to obtain information from Android gadgets, this newsletter introduces 4 feasible techniques that the DFI should keep in mind while proofreading Android devices.
A Bit of History of the Android OS
Android’s first industrial launch was in September 2008 with version 1.0. Android is the open-source and free to apply’ working machine for mobile devices advanced by using Google. Importantly, early on, Google and other hardware groups fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and support the Android boom in the market. The OHA now includes 84 hardware corporations, including giants like Samsung, HTC, and Motorola (to name a few). This alliance becomes installed to compete with companies who had their personal marketplace offerings, including competitive devices supplied with the aid of Apple, Microsoft (Windows Phone 10 – that is now reportedly lifeless to the market), and Blackberry (which has ceased making hardware). Regardless if an OS is defunct or now not, the DFI has to realize the diverse variations of multiple operating system structures, particularly if their forensics cognizance is in a particular realm consisting of mobile devices.
Linux and Android
The present-day generation of the Android OS is based on Linux. Keep in mind that “primarily based on Linux” does no longer mean the usual Linux apps will constantly run on an Android and, conversely, the Android apps which you might revel in (or are familiar with) will now not always run on your Linux laptop. But Linux isn’t Android. To clarify the point, please word that Google selected the Linux kernel, the important part of the Linux operating system, to manage the hardware chipset processing so that Google’s builders wouldn’t need to be involved in the specifics of how processing happens on a given set of hardware. This allows their developers to focus on the broader operating system layer and the consumer interface functions of the Android OS.
The Android OS has a tremendous market percentage of the mobile device marketplace, primarily because of its open-source nature. An excess of 328 million Android gadgets was shipped as of the third region in 2016. According to netwmarketshare.Com, the Android-running machine had the majority of installations in 2017 — almost 67% — as of this writing.
As a DFI, we can assume to come upon Android-primarily based hardware within the route of standard research. Due to the open-source nature of the Android OS and the various hardware systems from Samsung, Motorola, HTC, and so on., the style of combinations among hardware kind and OS implementation provide a further undertaking. Consider that Android is currently at version 7.1.1. Still, each smartphone producer and mobile tool dealer will alter the OS for the specific hardware and provider offerings, giving an extra layer of complexity for the DFI because the method to fact acquisition might also vary.
Before we dig deeper into extra attributes of the Android OS that complicate the approach to information acquisition, permit’s observe the idea of a ROM version with a purpose to be carried out to an Android device. As an outline, a ROM (Read Only Memory) application is low-degree programming. This is close to the kernel degree, and the precise ROM software is regularly known as firmware. If you suspect in phrases of a tablet in evaluation to a cell phone, the pill may have extraordinary ROM programming as contrasted to a cell smartphone, in view that hardware features between the pill and cellular smartphone might be unique, even though both hardware devices are from the equal hardware producer. Complicating the want for greater specifics within the ROM application, add inside the precise necessities of cell service providers (Verizon, AT&T, etc.).
While there are commonalities in obtaining statistics from a cell phone, not all Android devices are identical, in particular in mind that there are fourteen major Android OS releases in the marketplace (from versions 1.0 to 7.1.1), more than one vendors with model-particular ROMs, and further infinite custom person-complied variants (client ROMs). The ‘customer compiled variants’ also are model-unique ROMs. The ROM-degree updates carried out to every wireless tool will comprise operating and gadget primary packages that work for a particular hardware tool. For a given seller (as your Samsung S7 from Verizon) for a particular implementation.
Even even though there is no ‘silver bullet’ strategy to investigating any Android tool, the forensic investigation of an Android device ought to comply with the same standard method for the collection of evidence, requiring a based technique and method that deal with the investigation, seizure, isolation, acquisition, exam, and evaluation, and reporting for any digital evidence. When a request to take a look at a device is obtained, the DFI starts offevolved with making plans and instruction to include the needful technique of obtaining devices, the necessary office work to support and record the chain of custody, the improvement of a purpose declaration for the examination, the detailing of the device version (and different specific attributes of the acquired hardware), and a list or description of the records the requestor is seeking to collect.
Unique Challenges of Acquisition
Mobile devices, consisting of cellular telephones, capsules, etc., face unique challenges during a proof seizure. Since battery life is restricted on cell gadgets and it isn’t always commonly recommended that a charger is inserted right into a tool, the isolation level of proof-gathering can be vital in acquiring the tool. Confounding proper acquisition, the cell records, WiFi connectivity, and Bluetooth connectivity should be protected in the investigator’s recognition in the course of acquisition. Android has many safety capabilities constructed into the telephone. The lock-display screen feature can be set as PIN, password, drawing a sample, facial popularity, region popularity, depended on on-device popularity, and biometrics along with fingerprints. An envisioned 70% of customers do use a few kinds of protection safety on their telephone. Critically, the consumer might also have downloaded an available software program that can give them the capability to wipe the cell phone remotely, complicating acquisition.
It is not going at some point in the cellular device’s seizure that the display may be unlocked. If the tool isn’t always locked, the DFI’s examination may be simpler because the DFI can promptly trade the cellphone settings. I get the right of entry to is authorized to the cellular cellphone, disable the lock-display, and alternate the display timeout to its most price (which can be up to 30 minutes for a few devices). Keep in mind that of key significance is to isolate the telephone from any Internet connections to save you remote wiping of the tool. Place the telephone in Airplane mode. Attach an outside strength supply to the telephone after being located in a static-loose bag designed to dam radiofrequency signals. Once secure, you have to be later able to allow USB debugging for you to permit the Android Debug Bridge (ADB), which could offer exact information capture. While it can be critical to study RAM artifacts on a mobile device, that is not going to manifest.
Acquiring the Android Data
Copying a tough-force from a laptop or pc pc in a forensically sound manner is trivial compared to the records extraction techniques wanted for mobile tool records acquisition. Generally, DFIs have geared up bodily get entry to a tough-drive with no boundaries, taking into account a hardware copy or software bit move photograph to be created. Mobile devices have their records saved inside of the telephone in difficult-to-attain locations. Extraction of records via the USB port may be a project. However, it may be achieved with care and good fortune on Android gadgets.
After the Android device has been seized and is secure, it is time to look at the telephone. There are numerous data acquisition techniques to be had for Android, and that they fluctuate extensively. This article introduces and discusses 4 of the number one methods to method records acquisition. These 5 techniques are cited and summarized beneath:
1. Send the device to the manufacturer: You can ship the tool to the producer for statistics extraction if you want to fee extra time and money, but it can be vital in case you do now not have the specific skill set for a given tool nor the time to examine. In unique, as stated earlier, Android has a plethora of OS versions based totally on the producer and ROM version, adding to the complexity of acquisition. Manufacturer’s typically made this carrier available to authorities, agencies, and regulation enforcement for maximum domestic gadgets, so if you’re an unbiased contractor, you’ll need to check with the producer or gain a guide from the organization that you are working with. The manufacturer research alternative might not be available for several international models (like the many no-call Chinese telephones that proliferate the market – think of the ‘disposable telephone’).