An Introduction To The Acquisition Of Forensic Data From Android Mobile Devices

The role of a Digital Forensic Investigator (DFI) is rich with continuous learning opportunities, especially as technology expands and multiplies into every corner of communication, entertainment and business. As DFIs, we deal with a daily onslaught of new devices.

Many of these devices, such as the cell phone or tablet, run mainstream operating systems that we need to be familiar with. The Android operating system in particular is widely used in the tablet and cell phone industries. Given its dominance of the mobile device market, a DFI will run into Android devices in the course of many investigations.

Although there are several models that suggest approaches for acquiring data from Android devices, this article introduces four viable methods that a DFI should consider when collecting evidence from Android devices.


A brief history of the Android operating system

Android's first commercial release was version 1.0 in September 2008. Android is a free-to-use, open operating system and was developed by Google for mobile devices.

Linux and Android

Today's iteration of the Android OS is based on Linux. To clarify the point: Google chose the Linux kernel, the core of the Linux operating system, to manage the processing on the hardware, so that Google's developers do not have to worry about the details of how processing takes place on a specific piece of hardware. This lets the developers focus on the broader levels of the operating system and on the features of the Android user interface.

A large market share

The Android operating system holds a significant share of the mobile market, mainly due to its open source nature. In excess of 328 million Android devices were shipped as of the third quarter of 2016. As DFIs, we can expect to encounter Android-based hardware in the course of a typical investigation.

Consider, however, that although Android is now at version 7.1.1, each phone manufacturer and mobile carrier typically alters the operating system for its specific hardware and service offerings. That adds a level of complexity for the DFI, since the approach to data acquisition can vary.

Before looking at the additional features of the Android operating system that make data acquisition more difficult, let's look at the concept of a ROM version as it applies to an Android device.

Think of it this way: a tablet carries different ROM programming than a cell phone, because the hardware resources of the two differ, even when both devices come from the same hardware manufacturer.

So while there are similarities in acquiring data from a cell phone, not all Android devices are alike, given that there are fourteen major versions of the Android operating system (versions 1.0 through 7.1.1), several manufacturers with model-specific ROMs, and many custom user-compiled editions (custom ROMs).

In general, the ROM-level updates applied to each wireless device contain the operating system and the basic system applications that work for a particular hardware device from a particular vendor (for example, a Samsung S7 on Verizon) and for a particular implementation.

Unique seizure challenges

Mobile devices such as cell phones and tablets present unique challenges during evidence seizure. Because battery life is limited on a mobile device, and because it is generally not recommended to plug a charger into a seized device, the isolation stage of evidence collection can become critical to the state of the device.

Android incorporates a great deal of security into the phone. The lock-screen feature can be set to a PIN, a password, a pattern, facial recognition, a trusted location or trusted device, or a biometric such as a fingerprint. It is unlikely that a mobile device will be seized with its screen unlocked.

If the device is unlocked, the DFI's job is easier, because the DFI can change the phone's settings immediately. Place the phone in airplane mode. Once the device is secured, USB debugging can be enabled to allow the Android Debug Bridge (ADB) to perform a good data extraction.

Acquiring Android data

Making a forensic copy of the hard disk of a desktop or laptop is trivial compared with the data extraction process for acquiring mobile data. Generally speaking, the DFI has ready, barrier-free physical access to the hard disk, and a bitstream image is created with hardware or software imaging tools.

Mobile devices store their data inside the phone in places that are hard to reach. Exporting data through the USB port can be a challenge, but it can be done with care and luck on Android devices.

Once the Android device has been seized and secured, it is time to examine the phone. Several data acquisition methods exist for Android, and they differ dramatically (consider, too, the throw-away phone and the many anonymous Chinese-made handsets multiplying in the market). This article presents and discusses four key approaches to data acquisition.

Direct physical acquisition of the data. One of the rules of a DFI investigation is never to alter the data. Physical acquisition of data from a cell phone must follow the same rigorous procedures of verification and documentation, so that the physical method used does not alter any data on the device.

The problem is that, depending on the forensic acquisition tool chosen, the make and model of the phone, the carrier, the version of the Android operating system, the user's settings on the phone, the root status of the device, the lock status, whether the PIN code is known, and whether USB debugging is enabled on the device, you may not be able to acquire the data from the device under examination.
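To make two of the preceding points concrete (securing an unlocked handset over ADB, and recording the conditions that decide whether an acquisition is even possible), the following script is an added example and is not code from the original article. It assumes a Linux or macOS examination workstation with adb and sha256sum on the PATH and a device that is already unlocked, isolated and has USB debugging enabled; it uses only standard Android system properties and ADB subcommands, and the getprop sample values embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: a minimal, documented
# logical acquisition over ADB for an unlocked Android device with USB
# debugging enabled. Every property name is a real Android system property;
# the sample values below are constructed for illustration.
set -eu

# Constructed sample of `adb shell getprop` output, so the parsing and
# reporting functions can be exercised with no device attached.
SAMPLE_GETPROP='[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-G930V]
[ro.build.version.release]: [7.0]
[ro.build.display.id]: [NRD90M.G930VVRU4BQA1]
[ro.serialno]: [ce0516068a1b2c3d04]
[ro.crypto.state]: [encrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]'

# prop KEY: read getprop-style lines ("[key]: [value]") on stdin and print
# KEY's value. The tr strips the CR that older adb versions append.
prop() {
  tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# device_report: turn getprop output on stdin into key=value lines for the
# case log, including the facts that decide which acquisition route is viable
# (encryption state, debuggable/secure build flags).
device_report() {
  raw=$(cat)
  for key in ro.product.manufacturer ro.product.model ro.build.version.release \
             ro.build.display.id ro.serialno ro.crypto.state ro.debuggable ro.secure; do
    printf '%s=%s\n' "$key" "$(printf '%s\n' "$raw" | prop "$key")"
  done
}

# acquire CASE_DIR: live steps; run only with the seized device attached.
acquire() {
  case_dir=$1
  mkdir -p "$case_dir"
  adb devices -l > "$case_dir/adb_devices.txt"
  adb shell getprop > "$case_dir/getprop.txt"
  device_report < "$case_dir/getprop.txt" > "$case_dir/device.txt"
  # Record whether the handset is isolated (1 = airplane mode on) before anything else.
  adb shell settings get global airplane_mode_on > "$case_dir/airplane_mode.txt"
  # Root status: a `su` binary on the PATH is the usual sign of a rooted device.
  adb shell 'which su || echo not-rooted' > "$case_dir/root_status.txt"
  # Logical backup of apps and shared storage; the examiner must confirm on the screen.
  adb backup -all -shared -apk -f "$case_dir/backup.ab"
  # Hash every artifact immediately so integrity can be demonstrated later.
  (cd "$case_dir" && sha256sum ./* > SHA256SUMS)
}

if [ "${1:-}" = "--acquire" ]; then
  acquire "${2:-./case}"
fi
```

Run it as `sh acquire.sh --acquire /cases/2017-001` with the device attached; without `--acquire` it only defines the functions. The ro.crypto.state and ro.debuggable values it records are what decide whether a low-level route such as JTAG or chip-off would yield readable data, and `adb backup` writes only what the installed apps allow to be backed up, so treat its output as a logical, not physical, acquisition.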

JTAG forensics (a variation of the physical acquisition noted above)

By definition, JTAG (Joint Test Action Group) forensics is a more advanced method of data acquisition. Raw data is pulled directly from the connected device through a special JTAG cable. JTAG acquisition can usually be performed on locked, damaged, and otherwise inaccessible devices.

Because it is a low-level copy, if the device was encrypted (whether by the user or by the manufacturer, as Samsung and some Nexus devices have done), the acquired data must still be decrypted. Since Google backed away from mandatory full-device encryption with Android OS version 5.0, the full-device encryption constraint is somewhat limited unless the user has explicitly enabled encryption on the device; note, however, that later releases again required default encryption on capable hardware, so a recent handset should be assumed encrypted until its encryption state has been checked. After the JTAG data is acquired from an Android device, the collected data can be inspected and analyzed with tools such as 3zx or Belkasoft. JTAG tooling will automatically extract key digital forensic artifacts, including call logs, contacts, location data, browsing history, and more.

Chip-off forensics

This acquisition technique requires removing the device's memory chips. Because of the access problems on encrypted devices, chip-off is practical only on unencrypted devices.

Over-the-air data acquisition

We know that Google is the master of data collection. Google is known for collecting vast amounts of data from cell phones, tablets, laptops, computers and various other types of devices and operating systems. If the user has a Google account, the DFI can access, download and analyze all of the information the user has made available to that Google account, courtesy of Google. Doing so requires either the account credentials or the appropriate legal authority to obtain the data from Google.

Items that can be examined include Gmail, Contacts, Google Drive (which can be very revealing), synced Chrome data, browser bookmarks, passwords, and a list of registered Android devices (where the historical status of each device can be viewed). A note worth repeating about data acquisition: when working on a mobile device, it is important to keep accurate and complete documentation.


As described in this article, the forensic examination of mobile devices, and of the Android operating system in particular, differs from the traditional methods of digital forensics used on laptops and desktops. Whereas the storage of a personal computer can easily be write-protected and copied and the device preserved, the reliable acquisition of mobile devices and their data can be, and often is, problematic.

A structured approach to acquiring the mobile device and a planned approach to data collection are necessary. As discussed above, four methods are available to the DFI for accessing the device's data.
