An Introduction to Forensic Data Acquisition From Android Mobile Devices

The role of a Digital Forensics Investigator (DFI) is rife with continuous learning opportunities, especially as technology expands and proliferates into every corner of communications, entertainment and business. As DFIs, we deal with a daily onslaught of new devices. Many of these devices, like the cell phone or tablet, use common operating systems that we need to be familiar with. Certainly, the Android OS is predominant in the tablet and cell phone industry. Given the predominance of the Android OS in the mobile device market, DFIs will run into Android devices in the course of many investigations. While there are several models that suggest approaches to acquiring data from Android devices, this article introduces four viable methods that the DFI should consider when gathering evidence from Android devices.

A Bit of History of the Android OS

Android's first commercial release was in September 2008 with version 1.0. Android is the open source and 'free to use' operating system for mobile devices developed by Google. Importantly, early on, Google and other hardware companies formed the "Open Handset Alliance" (OHA) in 2007 to foster and support the growth of Android in the marketplace. The OHA now consists of 84 hardware companies including giants like Samsung, HTC, and Motorola (to name a few). This alliance was established to compete with companies that had their own market offerings, such as competitive devices offered by Apple, Microsoft (Windows Phone 10, which is now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct or not, the DFI must know about the various versions of multiple operating system platforms, especially if their forensics focus is in a particular realm, such as mobile devices.

Linux and Android

The current iteration of the Android OS is based on Linux. Keep in mind that "based on Linux" does not mean the usual Linux apps will always run on an Android device and, conversely, the Android apps that you might enjoy (or are familiar with) will not necessarily run on your Linux desktop. Linux is not Android. To clarify the point, note that Google selected the Linux kernel, the essential part of the Linux operating system, to manage the hardware chipset processing so that Google's developers would not have to be concerned with the specifics of how processing occurs on a given set of hardware. This allows their developers to focus on the broader operating system layer and the user interface features of the Android OS.

A Large Market Share

The Android OS has a substantial share of the mobile device market, primarily due to its open-source nature. In excess of 328 million Android devices were shipped as of the third quarter of 2016. And, according to, the Android operating system had the bulk of installations in 2017 (nearly 67%) as of this writing.

As DFIs, we can expect to encounter Android-based hardware in the course of a typical investigation. Due to the open source nature of the Android OS in conjunction with the varied hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware type and OS implementation presents an additional challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile device supplier will typically modify the OS for the specific hardware and service offerings, giving an additional layer of complexity for the DFI, since the approach to data acquisition may vary.

Before we dig deeper into additional attributes of the Android OS that complicate the approach to data acquisition, let's look at the concept of a ROM version that will be applied to an Android device. As an overview, a ROM (Read Only Memory) program is low-level programming that is close to the kernel level, and the unique ROM program is often called firmware. If you think in terms of a tablet in contrast to a cell phone, the tablet will have different ROM programming than a cell phone, since hardware features between the tablet and cell phone will be different, even if both hardware devices are from the same hardware manufacturer. Complicating the need for more specifics in the ROM program, add in the specific requirements of cell service carriers (Verizon, AT&T, etc.).

While there are commonalities in acquiring data from a cell phone, not all Android devices are equal, especially given that there are fourteen major Android OS releases on the market (from versions 1.0 to 7.1.1), multiple carriers with model-specific ROMs, and countless additional custom user-compiled editions (customer ROMs). The 'customer compiled editions' are also model-specific ROMs. In general, the ROM-level updates applied to each wireless device will contain operating and system basic applications that work for a particular hardware device, for a given vendor (for example your Samsung S7 from Verizon), and for a particular implementation.

Even though there is no 'silver bullet' solution to investigating any Android device, the forensics investigation of an Android device should follow the same general process for the collection of evidence, requiring a structured process and approach that address the investigation, seizure, isolation, acquisition, examination and analysis, and reporting for any digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation, to include the requisite method of acquiring devices, the necessary paperwork to support and document the chain of custody, the development of a purpose statement for the examination, the detailing of the device model (and other specific attributes of the acquired hardware), and a list or description of the information the requestor is seeking to acquire.

Unique Challenges of Acquisition

Mobile devices, including cell phones, tablets, etc., face unique challenges during evidence seizure. Since battery life is limited on mobile devices and it is not typically recommended that a charger be inserted into a device, the isolation stage of evidence gathering can be a critical state in acquiring the device. Confounding proper acquisition, the cellular data, WiFi connectivity, and Bluetooth connectivity should also be included in the investigator's focus during acquisition. Android has many security features built into the phone. The lock-screen feature can be set as a PIN, password, drawn pattern, facial recognition, location recognition, trusted-device recognition, and biometrics such as fingerprints. An estimated 70% of users do use some type of security protection on their phone. Critically, there is available software that the user may have downloaded, which can give them the ability to wipe the phone remotely, complicating acquisition.

It is unlikely during the seizure of the mobile device that the screen will be unlocked. If the device is not locked, the DFI's examination will be easier because the DFI can change the settings in the phone promptly. If access is allowed to the cell phone, disable the lock-screen and change the screen timeout to its maximum value (which can be up to 30 minutes for some devices). Keep in mind that it is of key importance to isolate the phone from any Internet connections to prevent remote wiping of the device. Place the phone in Airplane mode. Attach an external power supply to the phone after it has been placed in a static-free bag designed to block radiofrequency signals. Once the device is secure, you should later be able to enable USB debugging, which will allow use of the Android Debug Bridge (ADB), which can provide good data capture. While it may be important to examine the artifacts of RAM on a mobile device, this is unlikely to happen.

Acquiring the Android Data

Copying a hard drive from a desktop or laptop computer in a forensically sound manner is trivial compared to the data extraction methods needed for mobile device data acquisition. Generally, DFIs have ready physical access to a hard drive with no barriers, allowing for a hardware copy or software bit stream image to be created. Mobile devices have their data stored inside the phone in difficult-to-reach places. Extraction of data through the USB port can be a challenge, but can be accomplished with care and luck on Android devices.

After the Android device has been seized and is secure, it is time to examine the phone. There are several data acquisition methods available for Android and they differ drastically. This article introduces and discusses four of the primary ways to approach data acquisition. These five methods are noted and summarized below:

1. Send the device to the manufacturer: You can send the device to the manufacturer for data extraction, which will cost extra time and money, but may be necessary if you do not have the particular skill set for a given device nor the time to learn. In particular, as noted earlier, Android has a plethora of OS versions based on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturers generally make this service available to government agencies and law enforcement for most domestic devices, so if you're an independent contractor, you will need to check with the manufacturer or gain support from the organization that you are working with. Also, the manufacturer investigation option may not be available for several international models (like the many no-name Chinese phones that proliferate the market; think of the 'disposable phone').

2. Direct physical acquisition of the data. One of the rules of a DFI investigation is to never alter the data. The physical acquisition of data from a cell phone must take into account the same strict processes of verifying and documenting that the physical method used will not alter any data on the device. Further, once the device is connected, the running of hash totals is necessary. Physical acquisition allows the DFI to obtain a full image of the device using a USB cord and forensic software (at this point, you should be thinking of write blocks to prevent any altering of the data). Connecting to a cell phone and grabbing an image just isn't as clean and clear as pulling data from a hard drive on a desktop computer. The problem is that depending on your selected forensic acquisition tool, the particular make and model of the phone, the carrier, the Android OS version, the user's settings on the phone, the root status of the device, the lock status, whether the PIN code is known, and whether the USB debugging option is enabled on the device, you may not be able to acquire the data from the device under investigation. Simply put, physical acquisition ends up in the realm of 'just trying it' to see what you get and may appear to the court (or opposing side) as an unstructured way to gather data, which can place the data acquisition at risk.

3. JTAG forensics (a variation of the physical acquisition noted above). As a definition, JTAG (Joint Test Action Group) forensics is a more advanced way of data acquisition. It is essentially a physical method that involves cabling and connecting to Test Access Ports (TAPs) on the device and using processing instructions to invoke a transfer of the raw data stored in memory. Raw data is pulled directly from the connected device using a special JTAG cable. This is considered to be low-level data acquisition since there is no conversion or interpretation, and it is similar to a bit-copy that is done when acquiring evidence from a desktop or laptop computer hard drive. JTAG acquisition can often be done for locked, damaged and inaccessible (locked) devices. Since it is a low-level copy, if the device was encrypted (whether by the user or by the particular manufacturer, such as Samsung and some Nexus devices), the acquired data will still need to be decrypted. But since Google decided to do away with whole-device encryption with the Android OS 5.0 release, the whole-device encryption limitation is a bit narrowed, unless the user has decided to encrypt their device. After JTAG data is acquired from an Android device, the acquired data can be further inspected and analyzed with tools such as 3zx or Belkasoft. Using JTAG tools will automatically extract key digital forensic artifacts including call logs, contacts, location data, browsing history and a lot more.

4. Chip-off acquisition. This acquisition technique requires the removal of memory chips from the device. It produces raw binary dumps. Again, this is considered an advanced, low-level acquisition and will require de-soldering of memory chips using highly specialized tools to remove the chips and other specialized devices to read the chips. Like the JTAG forensics noted above, the DFI risks that the chip contents are encrypted. But if the information is not encrypted, a bit copy can be extracted as a raw image. The DFI will need to contend with block address remapping, fragmentation and, if present, encryption. Also, several Android device manufacturers, like Samsung, enforce encryption which cannot be bypassed during or after chip-off acquisition has been completed, even if the correct passcode is known. Due to the access issues with encrypted devices, chip-off is limited to unencrypted devices.

5. Over-the-air data acquisition. We are each aware that Google has mastered data collection. Google is known for maintaining massive amounts of data from cell phones, tablets, laptops, computers and other devices running various operating system types. If the user has a Google account, the DFI can access, download, and analyze all information for the given user under their Google user account, with proper permission from Google. This involves downloading information from the user's Google Account. Currently, there are no full cloud backups available to Android users. Data that can be examined includes Gmail, contact information, Google Drive data (which can be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android devices (where location history for each device can be reviewed), and much more.
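Methods 3 and 4 both warn that a raw dump may turn out to be encrypted. The following added example (not part of the original article, and not taken from any forensic tool) shows one common triage check: measuring per-block byte entropy of a dump. The block size, the threshold and both sample dumps are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # assumed sampling size for triage, not a flash page size
THRESHOLD = 7.9   # bits per byte; assumed cut-off for "looks random"

def entropy(block):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(dump):
    """Count empty, high-entropy and structured blocks in a raw dump."""
    out = {"empty": 0, "high_entropy": 0, "structured": 0}
    for off in range(0, len(dump), BLOCK):
        block = dump[off:off + BLOCK]
        if block.count(block[0]) == len(block):   # erased flash (0xFF) or zero fill
            out["empty"] += 1
        elif entropy(block) >= THRESHOLD:
            out["high_entropy"] += 1
        else:
            out["structured"] += 1
    used = out["high_entropy"] + out["structured"]
    out["ratio"] = out["high_entropy"] / used if used else 0.0
    return out

def constructed_samples():
    """Two constructed 10-block dumps: ciphertext-like and plaintext-like."""
    # Hash-counter output stands in for ciphertext (deterministic, random-looking).
    random_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(8 * BLOCK // 32))
    text = b"CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);\n"
    plain = (text * (8 * BLOCK // len(text) + 1))[:8 * BLOCK]
    erased = b"\xff" * (2 * BLOCK)
    return random_like + erased, plain + erased
```

Compressed media (photos, video, archives) also score as high-entropy, so only a ratio close to 1.0 across the whole data partition points to encryption; a few high-entropy blocks do not.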

The five methods noted above are not a comprehensive list. An often-repeated note surfaces about data acquisition: when working on a mobile device, proper and accurate documentation is essential. Further, documentation of the processes and procedures used, as well as adherence to the chain of custody processes that you have established, will ensure that evidence collected will be 'forensically sound.'
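The hash totals mentioned under physical acquisition and the documentation requirement above can be combined in a single record. This added example (not from the original article) hashes an acquired image and keeps a custody log in which every entry also hashes the previous one, so that a later edit to the log is detectable. The field names, file name, examiner ID and timestamps are constructed for the illustration.

```python
import hashlib
import json
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; the image is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def entry_digest(entry):
    """Hash an entry's canonical JSON, leaving out its own entry_sha256 field."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, when_utc, examiner, action, image_path):
    """Record who did what, the image hash, and a link to the previous entry."""
    entry = {"when_utc": when_utc, "examiner": examiner, "action": action,
             "image_sha256": sha256_file(image_path),
             "prev_entry_sha256": log[-1]["entry_sha256"] if log else None}
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)

def first_bad_entry(log):
    """Index of the first entry with a broken hash or back-link, or -1 if intact."""
    prev = None
    for i, entry in enumerate(log):
        if entry["prev_entry_sha256"] != prev or entry["entry_sha256"] != entry_digest(entry):
            return i
        prev = entry["entry_sha256"]
    return -1

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = f"{d}/userdata.img"                      # hypothetical file name
        with open(img, "wb") as fh:
            fh.write(b"\xa5" * (3 << 20))              # constructed 3 MiB image
        log = []
        append_entry(log, "2017-01-01T10:00:00Z", "examiner-01", "acquired", img)
        append_entry(log, "2017-01-01T11:00:00Z", "examiner-01", "verified copy", img)
        intact = first_bad_entry(log)                  # -1: chain is consistent
        with open(img, "ab") as fh:                    # simulate an altered image
            fh.write(b"\x00")
        image_ok = sha256_file(img) == log[0]["image_sha256"]   # False
        log[0]["action"] = "edited later"              # simulate a rewritten entry
        log[0]["entry_sha256"] = entry_digest(log[0])  # even if it is re-hashed
        return intact, image_ok, first_bad_entry(log)  # (-1, False, 1)
```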


As discussed in this article, mobile device forensics, and in particular forensics of the Android OS, is different from the traditional digital forensic processes used for laptop and desktop computers. While the personal computer is easily secured, storage can be readily copied, and the device can be stored, safe acquisition of mobile devices and data can be and often is problematic. A structured approach to acquiring the mobile device and a planned approach for data acquisition is necessary. As noted above, the five methods introduced will allow the DFI to gain access to the device. However, there are several additional methods not discussed in this article. Additional research and tool use by the DFI will be necessary.