An Introduction to Forensics Data Acquisition From Android Mobile Devices







The role of a Digital Forensics Investigator (DFI) is rife with continuous learning opportunities, especially as technology expands and proliferates into every corner of communications, entertainment and business. As DFIs, we deal with a daily onslaught of new devices. Many of these devices, like the cell phone or tablet, use common operating systems that we need to be familiar with. Certainly, the Android OS is predominant in the tablet and cell phone industry. Given the predominance of the Android OS in the mobile device market, DFIs will run into Android devices in the course of many investigations. While there are several models that suggest approaches to acquiring data from Android devices, this article introduces four viable methods that the DFI should consider when gathering evidence from Android devices.

A Bit of History of the Android OS

Android's first commercial release was in September, 2008 with version 1.0. Android is the open source and 'free to use' operating system for mobile devices developed by Google. Importantly, early on, Google and other hardware companies formed the "Open Handset Alliance" (OHA) in 2007 to foster and support the growth of Android in the marketplace. The OHA now consists of 84 hardware companies including giants like Samsung, HTC, and Motorola (to name a few). This alliance was established to compete with companies who had their own market offerings, such as competitive devices offered by Apple, Microsoft (Windows Phone 10 - which is now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct or not, the DFI must know about the various versions of multiple operating system platforms, especially if their forensics focus is in a particular realm, such as mobile devices.

Linux and Android

The current iteration of the Android OS is based on Linux. Keep in mind that "based on Linux" does not mean the usual Linux apps will always run on an Android device and, conversely, the Android apps that you might enjoy (or are familiar with) will not necessarily run on your Linux desktop. But Linux is not Android. To clarify the point, please note that Google selected the Linux kernel, the essential part of the Linux operating system, to manage the hardware chipset processing so that Google's developers wouldn't have to be concerned with the specifics of how processing occurs on a given set of hardware. This allows their developers to focus on the broader operating system layer and the user interface features of the Android OS.

A Large Market Share

The Android OS has a substantial share of the mobile device market, primarily due to its open-source nature. More than 328 million Android devices were shipped as of the third quarter in 2016. And, according to netwmarketshare.com, the Android OS had the majority of installations in 2017 -- nearly 67% -- as of this writing.

As DFIs, we can expect to encounter Android-based hardware in the course of a typical investigation. Due to the open source nature of the Android OS in conjunction with the varied hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware type and OS implementation presents an additional challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile device supplier will typically modify the OS for the specific hardware and service offerings, giving an additional layer of complexity for the DFI, since the approach to data acquisition may vary.

Before we dig deeper into additional attributes of the Android OS that complicate the approach to data acquisition, let's look at the concept of a ROM version that will be applied to an Android device. As an overview, a ROM (Read Only Memory) program is low-level programming that is close to the kernel level, and the unique ROM program is often called firmware. If you think in terms of a tablet in contrast to a cell phone, the tablet will have different ROM programming than a cell phone, since hardware features between the tablet and cell phone will be different, even if both hardware devices are from the same hardware manufacturer. Complicating the need for more specifics in the ROM program, add in the specific requirements of cell service carriers (Verizon, AT&T, etc.).

While there are commonalities in acquiring data from a cell phone, not all Android devices are equal, especially given that there are fourteen major Android OS releases on the market (from versions 1.0 to 7.1.1), multiple carriers with model-specific ROMs, and countless additional custom user-compiled editions (customer ROMs). The 'customer compiled editions' are also model-specific ROMs. In general, the ROM-level updates applied to each wireless device will contain operating and system basic applications that work for a particular hardware device, for a given vendor (for example your Samsung S7 from Verizon), and for a particular implementation.

Even though there is no 'silver bullet' solution to investigating any Android device, the forensics investigation of an Android device should follow the same general process for the collection of evidence, requiring a structured process and approach that address the investigation, seizure, isolation, acquisition, examination and analysis, and reporting for any digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation to include the requisite method of acquiring devices, the necessary paperwork to support and document the chain of custody, the development of a purpose statement for the examination, the detailing of the device model (and other specific attributes of the acquired hardware), and a list or description of the information the requestor is seeking to acquire.

Unique Challenges of Acquisition

Mobile devices, including cell phones, tablets, etc., face unique challenges during evidence seizure. Since battery life is limited on mobile devices and it is not typically recommended that a charger be inserted into a device, the isolation stage of evidence gathering can be a critical state in acquiring the device. Confounding proper acquisition, the cellular data, WiFi connectivity, and Bluetooth connectivity should also be included in the investigator's focus during acquisition. Android has many security features built into the phone. The lock-screen feature can be set as PIN, password, drawing a pattern, facial recognition, location recognition, trusted-device recognition, and biometrics such as fingerprints. An estimated 70% of users do use some type of security protection on their phone. Critically, there is available software that the user may have downloaded, which can give them the ability to wipe the phone remotely, complicating acquisition.

It is unlikely during the seizure of the mobile device that the screen will be unlocked. If the device is not locked, the DFI's examination will be easier because the DFI can change the settings in the phone promptly. If access is allowed to the cell phone, disable the lock-screen and change the screen timeout to its maximum value (which can be up to half an hour for some devices). Keep in mind that of key importance is to isolate the phone from any Internet connections to prevent remote wiping of the device. Place the phone in Airplane mode. Attach an external power supply to the phone after it has been placed in a static-free bag designed to block radiofrequency signals. Once secure, you should later be able to enable USB debugging, which will allow the Android Debug Bridge (ADB) that can provide good data capture. While it may be important to examine the artifacts of RAM on a mobile device, this is unlikely to happen.

Acquiring the Android Data

Copying a hard-drive from a desktop or laptop computer in a forensically-sound manner is trivial as compared to the data extraction methods needed for mobile device data acquisition. Generally, DFIs have ready physical access to a hard-drive with no barriers, allowing a hardware copy or software bit stream image to be created. Mobile devices have their data stored inside the phone in difficult-to-reach places. Extraction of data through the USB port can be a challenge, but can be accomplished with care and luck on Android devices.

After the Android device has been seized and is secure, it is time to examine the phone. There are several data acquisition methods available for Android and they differ drastically. This article introduces and discusses four of the primary ways to approach data acquisition. These five methods are noted and summarized below:

1. Send the device to the manufacturer: You can send the device to the manufacturer for data extraction, which will cost extra time and money, but may be necessary if you do not have the particular skill set for a given device nor the time to learn. In particular, as noted earlier, Android has a plethora of OS versions based on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturers generally make this service available to government agencies and law enforcement for most domestic devices, so if you're an independent contractor, you will need to check with the manufacturer or gain support from the organization that you are working with. Also, the manufacturer investigation option may not be available for several international models (like the many no-name Chinese phones that proliferate the market - think of the 'disposable phone').

2. Direct physical acquisition of the data: One of the rules of a DFI investigation is to never alter the data. The physical acquisition of data from a cell phone must take into account the same strict processes of verifying and documenting that the physical method used will not alter any data on the device. Further, once the device is connected, the running of hash totals is necessary. Physical acquisition allows the DFI to obtain a full image of the device using a USB cord and forensic software (at this point, you should be thinking of write blocks to prevent any altering of the data). Connecting to a cell phone and grabbing an image just isn't as clean and clear as pulling data from a hard drive on a desktop computer. The problem is that depending on your selected forensic acquisition tool, the particular make and model of the phone, the carrier, the Android OS version, the user's settings on the phone, the root status of the device, the lock status, if the PIN code is known, and if the USB debugging option is enabled on the device, you may not be able to acquire the data from the device under investigation. Simply put, physical acquisition ends up in the realm of 'just trying it' to see what you get and may appear to the court (or opposing side) as an unstructured way to gather data, which can place the data acquisition at risk.
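The hash totals mentioned in method 2 can be recorded at acquisition time and re-checked before each examination. The sketch below is an added example, not part of the original article or any forensic product. It goes slightly beyond the text by also keeping per-block digests so that a later mismatch can be localized, and the function names, block size and sample image are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed block size for the demo; real images use larger blocks


def hash_totals(stream, block_size=BLOCK_SIZE):
    """Read an image stream once and return whole-image and per-block digests."""
    sha256, sha1, blocks, size = hashlib.sha256(), hashlib.sha1(), [], 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        sha256.update(chunk)
        sha1.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
        size += len(chunk)
    return {"size": size, "block_size": block_size, "sha256": sha256.hexdigest(),
            "sha1": sha1.hexdigest(), "blocks": blocks}


def verify(record, stream):
    """Compare a working copy with the acquisition record; list altered block offsets."""
    now = hash_totals(stream, record["block_size"])
    changed = [i * record["block_size"]
               for i, (old, new) in enumerate(zip(record["blocks"], now["blocks"]))
               if old != new]
    intact = (now["sha256"] == record["sha256"] and now["sha1"] == record["sha1"]
              and now["size"] == record["size"])
    return {"intact": intact, "size_changed": now["size"] != record["size"],
            "changed_offsets": changed}


def demo():
    """Constructed 16 KiB 'image': record totals, then check a clean and an altered copy."""
    image = bytes(range(256)) * 64
    record = hash_totals(io.BytesIO(image))       # taken once, at acquisition
    clean = verify(record, io.BytesIO(image))     # untouched working copy
    altered = bytearray(image)
    altered[9000] ^= 0xFF                         # one byte changed inside the third block
    tampered = verify(record, io.BytesIO(bytes(altered)))
    return record, clean, tampered


if __name__ == "__main__":
    record, clean, tampered = demo()
    print(record["sha256"], clean, tampered)
```

In practice the record would be written into the case notes alongside the chain-of-custody paperwork, and `verify` run against the working copy only, never the original evidence.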




Article Source: https://EzineArticles.com/expert/Ron_McFarland/2362269



Article Source: http://EzineArticles.com/9667830