The role of a digital forensic investigator (DFI) offers many opportunities for continuous learning, especially as technology spreads into every corner of communication, entertainment and business. As DFIs, we face a daily onslaught of new devices. Many of these devices, such as mobile phones and tablets, run common operating systems that we need to be familiar with. Android OS is certainly prevalent in the tablet and mobile phone market. Given that predominance, DFIs will encounter Android devices over the course of many examinations. Although several models suggest approaches to retrieving data from Android devices, this article introduces five viable methods that a DFI should consider when gathering evidence from Android devices.
A bit of history with Android OS
Android's first commercial release was version 1.0 in September 2008. Android is an open source, free-to-use operating system for mobile devices developed by Google. Notably, Google and a number of hardware companies established the Open Handset Alliance (OHA) in 2007 to promote and support the growth of Android in the market. The OHA now consists of 84 hardware companies, including giants such as Samsung, HTC and Motorola. The alliance was created to compete with companies that had their own market offerings, such as the devices offered by Apple, Microsoft (Windows Phone 10, now reportedly dead in the market) and BlackBerry (which has ceased to manufacture hardware). Whether an operating system has been discontinued or not, a DFI needs to know about the different versions of multiple operating system platforms, especially if their forensic focus is a specific area such as mobile devices.
Linux and Android
The current iteration of Android OS is based on Linux, but Linux is not Android. Remember that "based on Linux" does not mean that the usual Linux applications run on Android, and conversely the Android apps you know (or like) will not necessarily run on your Linux desktop. To clarify the point: Google chose the Linux kernel, the core of the Linux operating system, to manage the hardware chipset, so that Google's developers do not have to attend to the specifics of how processing is done on a given set of hardware. This lets them focus on the broader operating system layer and the UI features of Android OS.
A large market share
Android OS has a significant share of the mobile device market, due mainly to its open source nature. Over 328 million Android devices had been shipped as of Q3 2016, and according to netmarketshare.com the Android operating system held the majority of installs in 2017, nearly 67% as of this writing.
As DFIs, we can expect to encounter Android-based hardware during a typical investigation. Because Android's source is open and it runs on varied hardware platforms from Samsung, Motorola, HTC and others, the different combinations of hardware type and OS implementation pose an additional challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile carrier typically customizes the operating system for its specific hardware and service offerings, adding a further layer of complexity for the DFI because the data collection process may vary.
Before we delve into the additional attributes of Android OS that complicate the data collection approach, let's look at the concept of the ROM version that is applied to an Android device. In outline, a Read Only Memory (ROM) program is low-level code that sits close to the kernel, and this device-specific ROM program is often called firmware. A tablet will carry different ROM programming from a mobile phone, because the hardware functions of the two differ even when both devices come from the same manufacturer. On top of this need for device-specific ROM programming, add the specific requirements of the cell carriers (Verizon, AT&T, etc.).
While there is some commonality in retrieving data from a mobile phone, not all Android devices are equal, especially given that there are fourteen major Android OS releases on the market (from version 1.0 to 7.1.1), several carriers with model-specific ROMs and countless additional custom editions (user ROMs). Custom builds are likewise model-specific ROMs. In general, the ROM-level updates used for each wireless device include operating system and system-based applications that work for a specific hardware device, for a given carrier (for example, your Samsung S7 from Verizon) and for a specific deployment.
While there is no 'silver bullet' for examining any Android device, the forensic examination of an Android device must follow the same general evidence-gathering process, which requires a structured approach covering identification, seizure, isolation, acquisition, examination and analysis, and reporting for all digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation: the required method of device acquisition, the paperwork needed to support and document the chain of custody, a statement of purpose for the examination, the details of the device model (and other specific attributes of the acquired hardware), and a list or description of the information the requester seeks.
Unique acquisition challenges
Mobile devices, including mobile phones and tablets, present unique challenges at the time evidence is seized. Because battery life is limited and it is not normally recommended to plug a charger into a seized device, the isolation stage of evidence collection can be a critical moment when taking possession of the device. Confirming a correct acquisition, and accounting for cellular data, WiFi and Bluetooth connections, must also be part of the investigator's focus during acquisition. Android has many security features built into the phone. The lock screen can be set to a PIN code, password, pattern, face recognition, location recognition, trusted device recognition, or biometrics such as fingerprints. An estimated 70% of users use some sort of security protection on their phone. There is also readily available software that the user may have installed which allows them to wipe the phone remotely, further complicating acquisition.
It is unlikely that the screen will be unlocked at the time the mobile device is seized. If the device is not locked, the DFI's job is easier because settings on the phone can be changed immediately. If access to the phone is possible, disable the lock screen and set the screen timeout to its maximum value (up to 30 minutes on some devices). Keep in mind that it is important to isolate the phone from any internet connection to prevent a remote wipe of the device: put the phone in flight mode, and connect an external power supply after the phone has been placed in a shielded case designed to block radio frequency signals. Once it is secured, you should be able to enable USB debugging, allowing the Android Debug Bridge (ADB) to provide a good data capture. While it can be valuable to examine RAM artifacts on a mobile device, this is rarely practical.
Acquisition of Android data
Forensically copying a hard drive from a desktop or laptop computer is trivial compared to the extraction methods needed for mobile device data collection. Generally, DFIs have unobstructed physical access to a hard drive, so a hardware copy or software bitstream image can be created. Mobile devices store their data inside the phone in hard-to-reach places. Extracting data through the USB port can be a challenge, but it can be done with care and success on Android devices.
Once the Android device has been seized and secured, it is time to examine the phone. There are several data collection methods for Android, and they differ drastically. This article introduces and discusses five of the primary approaches to data collection, listed and summarized below:
1. Send the device to the manufacturer: You can send the device to the manufacturer for data extraction, which costs extra time and money but may be necessary if you lack the specialized skills for a given device or the time to learn them. As mentioned earlier, Android has an abundance of OS versions depending on the manufacturer and ROM version, which adds to the complexity of the acquisition. Manufacturers generally make this service available to government agencies and law enforcement for most domestic entities, so if you are an independent contractor you will need to contact the manufacturer or get support from the organization you work with. The manufacturer option may not be available for many international models (such as the many unbranded Chinese phones flooding the market; think of the 'disposable phone').
2. Direct physical acquisition of the data. One of the rules of a DFI examination is never to change the data. Physical acquisition from a mobile phone must follow the same rigorous processes of verifying and documenting that the physical method used does not alter any data on the device. Once the device is connected, hash totals must be run. Physical acquisition lets the DFI obtain a full view of the device using a USB cable and forensic software (consider a write blocker at this point to prevent changes to the data). Connecting to a mobile phone and grabbing an image is simply not as clean and clear as pulling data from a desktop hard drive. The problem is that depending on your forensic acquisition tool, the specific make and model of the phone, the carrier, the Android OS version, the user's settings on the phone, the root status of the device, the lock status and whether the PIN code is known, and whether the USB debugging option is enabled on the device, you may not be able to retrieve the data from the device being examined. In short, physical acquisition in the field can become a 'just try it and see what you get' exercise, which may appear to the court (or to opposing counsel) as an unstructured way of collecting data and could jeopardize the evidence.
3. JTAG forensics (a variation of the physical acquisition noted above). By definition, JTAG (Joint Test Action Group) forensics is a more advanced way of collecting data. It is essentially a physical method that involves cabling to the Test Access Ports (TAPs) on the device and using processor instructions to invoke a transfer of the raw data stored in memory. Raw data is pulled directly from the connected device using a special JTAG cable. This is considered low-level data collection because there is no conversion or interpretation, and it is similar to the bit copy performed when acquiring evidence from a desktop or laptop hard drive. JTAG acquisition can often be performed on locked, damaged and otherwise inaccessible devices. Because it is a low-level copy, if the device was encrypted (whether by the user or by the manufacturer, as with Samsung and some Nexus devices) the acquired data still needs to be decrypted. However, since Google decided to drop the full-device encryption requirement with the Android OS 5.0 release, the full-device encryption limitation is somewhat narrower unless the user has chosen to encrypt their device. After JTAG data is acquired from an Android device, it can be further examined and analyzed with tools such as Z3X (http://z3x-team.com/) or Belkasoft (https://belkasoft.com/). Such JTAG tools automatically extract key digital forensic artifacts including call logs, contacts, location data, browsing history and more.
4. Chip-off acquisition. This technique requires removing the memory chips from the device, producing raw binary dumps. Again, this is considered an advanced low-level acquisition and requires removing the memory chips with highly specialized chip-removal tools and using other specialized devices to read the chips. As with the JTAG forensic technique above, the DFI runs the risk that the chip contents are encrypted. If the information is not encrypted, however, a bit copy can be extracted as a raw image. The DFI will then have to contend with block address redirection, fragmentation and, if present, encryption. Several Android device manufacturers, such as Samsung, also enforce encryption that cannot be bypassed during or after chip-off acquisition even if the correct password is known. Because of these encryption-related access problems, chip-off is limited to unencrypted devices.
5. Over-the-air data acquisition. We are all aware that Google has mastered data collection. Google is known for maintaining huge volumes of data from mobile phones, tablets, laptops, computers and other devices across various operating systems. If the user has a Google account, the DFI can access, download and analyze all information for that user held under their Google account, with appropriate permission from Google. This involves downloading information from the user's Google account. Currently, no full cloud backups are available for Android users. Recoverable data includes Gmail, contact information, Google Drive data (which can be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android devices (from which the location history for each device can be reviewed), and much more.
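The ADB capture described in the acquisition section and the hash totals required during physical acquisition, as an added example that is not part of the original article: a POSIX shell script that records device identifiers, pulls a path over ADB, writes a SHA-256 manifest of the copy and re-verifies it. The adb commands, the case directory layout and the device path are assumptions of this example, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: a hash-verified logical pull over
# ADB. Assumes 'adb' is on PATH, USB debugging is enabled on the secured device,
# and GNU 'sha256sum' is installed. The case directory and device path are
# placeholders chosen by the examiner.
set -eu

# Record device identifiers and the acquisition time before pulling any data,
# so the documentation ties the copy to a specific handset, carrier ROM and build.
record_device_info() {            # $1 = case directory
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "serial=$(adb get-serialno)"
        echo "model=$(adb shell getprop ro.product.model | tr -d '\r')"
        echo "android=$(adb shell getprop ro.build.version.release | tr -d '\r')"
        echo "build=$(adb shell getprop ro.build.fingerprint | tr -d '\r')"
    } > "$1/device-info.txt"
}

# Logical acquisition: copy one on-device path into $case/data. This is a file
# copy, not a bit-level image, so document it as such.
pull_path() {                     # $1 = case directory, $2 = device path
    mkdir -p "$1/data"
    adb pull "$2" "$1/data/"
}

# Write a SHA-256 manifest of every pulled file, sorted by path for stable diffs.
write_manifest() {                # $1 = case directory
    ( cd "$1" && find data -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$1/manifest.sha256"
}

# Re-hash the working copy against the manifest. Exit status 0 means every
# file still matches; a changed or missing file makes the status non-zero.
verify_manifest() {               # $1 = case directory
    ( cd "$1" && sha256sum --check --quiet manifest.sha256 )
}

# Full run: identifiers, pull, manifest, then an immediate verification pass.
acquire() {                       # $1 = case directory, $2 = device path
    mkdir -p "$1"
    record_device_info "$1"
    pull_path "$1" "$2"
    write_manifest "$1"
    verify_manifest "$1"
}

# Example invocation with placeholder paths:
# acquire /cases/CASE-0001/android-pull /sdcard/DCIM
```

Keep the manifest and device-info.txt with the case paperwork; re-running verify_manifest at each hand-off shows whether the working copy is still identical to what was pulled.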
The five methods mentioned above are not a comprehensive list. One point about data collection bears repeating: when working on a mobile device, accurate and complete documentation is essential. Furthermore, documenting the processes and procedures used, and adhering to the chain-of-custody processes you have established, will ensure that the evidence collection is forensically sound.
As discussed in this article, mobile device forensics, and Android OS forensics in particular, differ from the traditional digital forensic processes used for laptops and desktops. While a personal computer is easily secured, its storage easily copied and the device itself stored, the secure acquisition of mobile devices and their data can often be problematic. A structured approach to acquiring the mobile device and a planned approach to data collection are needed. As noted above, the five methods introduced here allow the DFI to access the device. There are, however, several additional methods not discussed in this article, and further research and tooling on the DFI's part will be needed.