An Introduction to Forensics Data Acquisition From Android Mobile Devices


The Digital Forensics Investigator (DFI) position is rife with non-stop learning possibilities, mainly as the era expands and proliferates into every corner of communications, entertainment, and business. As DFI, we cope with a daily onslaught of the latest devices. Like the cellular phone or pill, many of those devices use common working structures that we need to be familiar with. Certainly, the Android OS is most important in the pill and cell smartphone enterprise. Given the predominance of the Android OS in the cellular device market, DFIs will run into Android gadgets within the path of many investigations. While numerous fashions endorse procedures for obtaining data from Android devices, this text introduces four viable strategies that the DFI has to consider while proof amassing from Android devices.

A Bit of History of the Android OS

Android’s first commercial launch was in September 2008 with version 1.0. Android is the open supply and ‘free to use’ working machine for cellular gadgets evolved through Google. Importantly, early on, Google and different hardware groups fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and help the Android boom inside the market. The OHA now consists of eighty-four hardware organizations, such as giants like Samsung, HTC, and Motorola (to name a few). This alliance became hooked up to compete with organizations with their personal marketplace services, including competitive devices presented by Apple, Microsoft (Windows Phone 10 – that’s now reportedly useless to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct, the DFI should know approximately the numerous versions of a couple of working gadget structures, mainly if their forensics attention is in a particular realm of cellular devices.

Android Mobile Devices

Linux and Android

The modern iteration of the Android OS is based totally on Linux. Remember that “based totally on Linux” no longer means the same old Linux apps will always run on an Android; conversely, the Android apps you may revel in (or are acquainted with) will not always run on your Linux laptop. But Linux is not Android. To clarify the factor, please note that Google decided on the Linux kernel, the vital part of the Linux working machine, to manipulate the hardware chipset processing so that Google’s developers would not be involved with the specifics of how processing occurs on a given set of hardware. This allows their builders to be aware of the broader operating device layer and the personal interface functions of the Android OS.

A Large Market Share

The Android OS has a significant market share of the mobile device marketplace, on the whole, due to its open-supply nature. An extra 328 million Android devices had been shipped as of the 1/3 quarter of 2016. And, in keeping with netwmarketshare.Com, the Android working gadget had the bulk of installations in 2017 — almost 67% — as of this writing.

As a DFI, we expect to come upon Android-primarily based hardware during normal research. Due to the open supply nature of the Android OS at the side of the various hardware structures from Samsung, Motorola, HTC, etc., the type of combos among hardware type and OS implementation presents a further challenge. Consider that Android is currently at version 7.1.1. Yet, each smartphone manufacturer and cell tool supplier will typically regulate the OS for the precise hardware and carrier offerings, giving the DFI an additional layer of complexity because that approach to statistics acquisition can also range.

Before we dig deeper into additional Android OS attributes that complicate the information acquisition approach, let’s examine the concept of a ROM model to be carried out on an Android device. As an outline, ROM (Only Memory) software is low-stage programming near the kernel degree, and the precise ROM software is regularly referred to as firmware. Suppose you suspect a tablet compared to a cell phone. In that case, the tablet can have distinctive ROM programming compared to a mobile phone because hardware functions among the pill and cellular telephone may be special, even supposing both hardware gadgets are from the same hardware producer. Complicating the want for more specifics in the ROM program, upload in the unique necessities of cellular carrier vendors (Verizon, AT&T, and so on.).

While there are commonalities in acquiring records from a mobile smartphone, no longer all Android gadgets are the same, especially in light that there are fourteen main Android OS releases available on the market (from versions 1. Zero to 7.1.1), a couple of providers with model-specific ROMs, and extra countless custom person-complied variations (consumer ROMs). The ‘client compiled variations’ are also version-precise ROMs. The ROM-degree updates implemented to every WiFi device will incorporate operating and system basic applications that work for a specific hardware device, for a given seller (for example, your Samsung S7 from Verizon), and a particular implementation.

Even though there’s no ‘silver bullet’ way to investigating any Android tool, the forensic investigation of an Android tool ought to comply with the identical well-known system for the gathering of evidence, requiring a structured process and method that deals with the research, seizure, isolation, acquisition, exam, and evaluation, and reporting for any virtual evidence. When a request to take a look at a device is received, the DFI begins with making plans and training to consist of the considered necessary approach of obtaining devices, the important paperwork to support and record the chain of custody, the development of a reason-assertion for the exam, the detailing of the device version (and other unique attributes of the obtained hardware), and a listing or description of the information the requestor is in search of to collect.

Unique Challenges of Acquisition

Mobile gadgets, including mobile telephones, capsules, etc., face particularly demanding situations during evidence seizure. Since battery life is confined on mobile gadgets and it isn’t normally recommended that a charger is inserted right into a device, the isolation level of evidence gathering may be essential for acquiring the device. Confounding right acquisition, the mobile facts, WiFi connectivity, and Bluetooth connectivity must also be included in the investigator’s recognition at some point of purchase. Android has many safety capabilities built into the smartphone. The lock-screen function may be set as PIN, password, drawing a pattern, facial recognition, area recognition, relying on on-device reputation, and biometrics, including fingerprints. An expected 70% of users use some security protection on their telephone. Critically, the available software program that the person may have downloaded can supply them the ability to wipe the smartphone remotely, complicating acquisition.

It is not going at some point of the seizure of the mobile device that the screen may be unlocked. If the tool isn’t locked, the DFI’s examination can be simpler because the DFI can promptly alternate the settings inside the cellphone. I enter the cellular smartphone, turn off the lock display, and rotate the display timeout to its highest value (which may be up to 30 minutes for some gadgets). Remember that of key significance is to isolate the cellphone from any Internet connections to save you far away from wiping the device. Place the smartphone in Airplane mode. Attach outside energy delivery to the cell phone after placing it in a static-unfastened bag designed to dam radiofrequency indicators. Once relaxed, you should later be able to allow USB debugging on the way to permit the Android Debug Bridge (ADB) that can offer proper information capture. While looking at the RAM artifacts on a cellular tool can be critical, this is not likely to occur.