The role of a Digital Forensics Investigator (DFI) is rife with continuous learning opportunities, especially as technology expands into every corner of communications, entertainment and business. As a DFI, we handle a daily onslaught of new devices. Many of these devices, like the cell phone or tablet, run common operating systems that we have to be familiar with. Certainly, the Android OS is predominant in the tablet and cell phone industry. Given the predominance of Android in the mobile device market, DFIs will come across Android devices in the course of many investigations. While there are numerous models that suggest methods for acquiring data from Android devices, this article introduces five viable methods the DFI should consider when gathering evidence from Android devices.
A Bit of History of the Android OS
Android's first commercial release was in September 2008 with version 1.0. Android is the open source, free-to-use operating system for mobile devices developed by Google. Importantly, early on, Google and other hardware companies formed the Open Handset Alliance (OHA) in 2007 to foster and secure the growth of Android in the marketplace. The OHA now consists of 84 hardware companies, including giants like Samsung, HTC and Motorola (to name a few). The alliance was established to compete with companies that had their own market offerings, for instance the competing devices offered by Apple, Microsoft (Windows 10 Mobile, which is now reportedly dead in the market) and BlackBerry (which has ceased making hardware). Whether an OS is defunct or not, the DFI needs to know about the various versions of multiple platforms, especially when their forensics focus is a particular realm, such as cell phones.
Linux and Android
The current iteration of the Android OS is based on Linux. Keep in mind that "based on Linux" does not mean the usual Linux applications will necessarily run on an Android device and, conversely, the Android apps you enjoy (or are familiar with) will not necessarily run on your Linux desktop. Linux is not Android. To be precise, Google selected the Linux kernel, the core of the Linux operating system, to manage the hardware chipset so that Google's developers would not need to concern themselves with the specifics of how processing occurs on a given set of hardware. This lets them focus on the broader OS layer and the user interface features of Android.
A Large Market Share
The Android OS holds a substantial share of the mobile device market, primarily because of its open-source nature. More than 328 million Android devices were shipped in the third quarter of 2016 alone. According to netmarketshare.com, Android accounted for the majority of mobile OS installations in 2017, nearly 67% as of this writing.
As a DFI, expect to encounter Android-based hardware in the course of a standard investigation. Because of the open-source nature of Android and the varied hardware platforms from Samsung, Motorola, HTC and others, the range of combinations of hardware type and OS implementation presents an extra challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile device supplier will typically modify the OS for its specific hardware and service offerings, adding yet another layer of complexity for the DFI, since the approach to data acquisition can vary greatly from one combination to the next.
Before we dig deeper into the additional attributes of Android that complicate data acquisition, consider the concept of the ROM version applied to an Android device. As an overview, a ROM (Read Only Memory) program is low-level code that sits close to the kernel, and in the Android world the device-specific ROM image is usually called firmware. A tablet will typically ship with different ROM programming than a cell phone, since the hardware features of a tablet and a phone differ even when both devices come from the same manufacturer. Adding to the need for device-specific ROM builds are the particular requirements of the cell service carriers (Verizon, AT&T, etc.).
While there are commonalities in acquiring data from a mobile phone, not all Android devices are equal, particularly in light of the fact that there are fourteen major Android OS releases (from version 1.0 to 7.1.1), multiple carriers with model-specific ROMs, and countless additional user-compiled editions (custom ROMs), which are themselves model-specific. In general, the ROM-level updates applied to a given wireless device contain the operating system and the basic system applications for that specific hardware, for that vendor (for example a Samsung S7 from Verizon) and for that particular implementation.
Even though there is no "silver bullet" for investigating an Android device, the forensic investigation of an Android device should follow the same general process as any collection of evidence, requiring an organized process and approach that addresses the investigation, seizure, isolation, acquisition, examination and analysis, and reporting of digital evidence. When a request to examine a device is received, the DFI starts with planning and preparation: the requisite approach to acquiring the device, the paperwork to document the chain of custody, a statement of purpose for the examination, the details of the device model (and the other specific attributes of the acquired hardware), and a list or description of the information the requestor is looking to obtain.
Unique Challenges of Acquisition
Mobile devices, including cell phones and tablets, pose unique challenges during evidence seizure. Because battery life is limited and it is not recommended to plug a charger into a device before it has been isolated, the isolation stage of evidence gathering can be a critical step in securing the device. Cellular data, Wi-Fi and Bluetooth connectivity must also be in the investigator's focus during acquisition. Android has many security features built into the phone. The lock screen can be set as a PIN, a password, a drawn pattern, facial recognition, location recognition, trusted-device recognition, or biometrics such as fingerprints. An estimated 70% of users use some form of lock on their phone. Critically, the user may have installed software that lets them wipe the phone remotely, which complicates acquisition.
It is not likely that the screen will be unlocked at the time a mobile device is seized. If the device is not locked, the DFI's examination will be easier because the DFI can adjust the phone's settings promptly. If access to the phone is available, disable the lock screen and change the screen timeout to its maximum value (which can be up to 30 minutes on some devices). Keep in mind that it is of key importance to isolate the device from any network connection to avoid a remote wipe. Place the phone in Airplane mode. Attach a power supply to the phone once it has been placed in a static-free bag designed to block radio-frequency signals (a Faraday bag); a shielded phone keeps searching for a signal and drains its battery faster, which is why it needs power inside the bag. Once the device is secure, you should later be able to enable USB debugging, which allows the Android Debug Bridge (ADB) to provide a good logical data capture. While it can be important to consider the artifacts held in RAM on a mobile device, capturing them is rarely possible in practice.
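Once USB debugging is on, the ADB capture and the hashing and documentation the article calls for can be scripted rather than done by hand. The following is an added example, not code from the original article or from any named forensic tool. It assumes the platform `adb` binary is on the PATH and that the handset sits in its shielded bag with the lock screen disabled; it uses `adb shell getprop` to record the manufacturer, model, build fingerprint and encryption state that the ROM discussion above says matter, and `adb backup` (a logical capture that the device must confirm on screen, not a physical image) as the artifact, then writes SHA-256 hashes and a timestamped record for the chain-of-custody file.

```python
"""Logical acquisition helper for an Android device over ADB.

Added example, not from the original article. Assumes `adb` is on PATH and
that USB debugging has already been enabled on the seized, RF-isolated handset.
"""
import hashlib
import json
import re
import subprocess
import time
from pathlib import Path

# `adb shell getprop` prints one property per line as "[key]: [value]".
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Properties that pin down the exact hardware/ROM combination the article warns
# about, plus the FDE state, which decides whether a raw image will be usable.
IDENT_PROPS = (
    "ro.product.manufacturer",
    "ro.product.model",
    "ro.build.version.release",
    "ro.build.version.sdk",
    "ro.build.fingerprint",
    "ro.crypto.state",   # "encrypted" or "unencrypted" on full-disk-encryption builds
    "ro.serialno",
)


def parse_getprop(text):
    """Parse getprop output into a dict; lines that do not match the format are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def identify(props):
    """Reduce a full property dump to the fields worth putting in the report."""
    return {k: props.get(k, "") for k in IDENT_PROPS}


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def adb(*args, serial=None):
    """Run one adb command and return its stdout as text; raises if adb fails."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def acquire(out_dir, serial=None):
    """Record device identity, take an `adb backup`, hash it and write the custody record."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    ident = identify(parse_getprop(adb("shell", "getprop", serial=serial)))
    backup = out / "backup.ab"
    # -all -shared -apk: every app, its data and shared storage. The device asks
    # for confirmation on screen, which is why the lock screen must be disabled.
    adb("backup", "-f", str(backup), "-all", "-shared", "-apk", serial=serial)
    record = {
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "device": ident,
        "artifacts": {backup.name: sha256_file(backup)},
    }
    log = out / "acquisition.json"
    log.write_text(json.dumps(record, indent=2))
    # Hash the record too, so later tampering with the paperwork is detectable.
    record["log_sha256"] = sha256_file(log)
    return record


if __name__ == "__main__":
    import sys
    print(json.dumps(acquire(sys.argv[1] if len(sys.argv) > 1 else "acq"), indent=2))
```

Re-run `sha256_file` on every later copy of `backup.ab` and compare against the recorded value; a mismatch means the copy, not the original acquisition, is the problem. The `.ab` archive is a logical export and will not contain deleted records or unallocated space, so it complements rather than replaces the physical methods discussed below.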
Acquiring the Android Data
Copying a hard drive from a desktop or laptop in a forensically sound manner is trivial compared to the data extraction methods required for mobile device acquisition. Generally, DFIs have ready physical access to a hard drive without any barriers, allowing a hardware copy or a software bit-stream image to be created. Mobile devices keep their data in storage soldered inside the phone, in difficult-to-reach places. Extracting data through the USB port can be a challenge, but it can be accomplished with care (and some luck) on Android devices.
After the Android device has been seized and secured, it is time to examine the phone. There are several data acquisition methods for Android, and they differ drastically. This article introduces and discusses five of the primary approaches to data acquisition, summarized below:
- Send the device to the manufacturer: You can send the device to the manufacturer for data extraction, which costs additional time and money but may be necessary if you have neither the specific skill set for a given device nor the time to learn it. In particular, as noted earlier, Android has a plethora of OS versions depending on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturers generally make this service available to government agencies and law enforcement for most domestic devices, so if you are an independent contractor you will need to check with the manufacturer or obtain support through the organization you are working with. Also, the manufacturer option may not be available for many international models (like the many no-name Chinese phones that proliferate in the market; think of the "disposable phone").
- Direct physical acquisition of the data. One of the rules of a DFI investigation is never to alter the data. The physical acquisition of data from a cell phone must follow the same strict processes of verifying and documenting that the physical method used does not alter any data on the device. Further, once the device is connected, hashing the acquired data is required, and the hashes should be recorded and re-verified on every subsequent copy. Physical acquisition lets the DFI obtain a full image of the device over a USB cable with forensic software (at this point, you should be considering write blockers to prevent any alteration of the data; note that a conventional hardware write blocker cannot sit between a phone and ADB, since that protocol is bidirectional, so the protection comes from validated tooling and documentation). Connecting to a cell phone and grabbing an image is not as clean and clear as pulling data from a hard drive in a desktop computer. The problem is that, depending on the chosen forensic acquisition tool, the make and model of the phone, the carrier, the Android OS version, the user's settings on the device, the root status of the device, the lock status, whether the PIN code is known, and whether USB debugging is enabled, you may not be able to acquire the data from the device under investigation. Simply put, physical acquisition ends up in the realm of "just trying it" to see what you get, and may appear to the court (or the opposing side) as an unstructured way to gather data, which can put the acquisition at risk.
- JTAG forensics (a variation of the physical acquisition noted above). By definition, JTAG (Joint Test Action Group) forensics is a more advanced method of data acquisition. It is essentially a physical method that requires cabling and connecting to the Test Access Ports (TAPs) on the device's board and using processor instructions to invoke a transfer of the raw data stored in memory. Raw data is pulled directly from the connected device using a special JTAG cable. This is considered a low-level data acquisition since there is no conversion or interpretation, and it is similar to the bit copy done when acquiring evidence from a desktop or laptop hard drive. JTAG acquisition is often done for locked, damaged and otherwise inaccessible devices. Since it is a low-level copy, if the device was encrypted (whether by the user or by the manufacturer, as on Samsung and some Nexus devices), the acquired data will still have to be decrypted. Note that Google made full-disk encryption the default on new devices with the Android 5.0 release (and a requirement for capable hardware with 6.0), so on 5.0 and later devices a JTAG dump should be expected to be ciphertext unless the user or vendor turned encryption off; on older releases the limitation only applies if the user chose to encrypt the device. After JTAG data is acquired from an Android device, the raw image can be further inspected and analyzed with tools such as z3x (link: http://z3x-team.com/ ) or Belkasoft (link: https://belkasoft.com/ ). Such tools parse key digital forensic artifacts out of the image, including call logs, contacts, location data, browsing history and much more.
- Chip-off acquisition. This technique requires removing the memory chips from the device and produces raw binary dumps. Again, this is considered an advanced, low-level acquisition and requires de-soldering the memory chips with highly specialized tools, and other specialized equipment to read the chips. As with JTAG forensics, the DFI risks finding that the chip contents are encrypted. But if the data is not encrypted, a bit copy can be extracted as a raw image. The DFI will then have to contend with block address remapping (the flash translation layer), fragmentation and, if present, encryption. Also, several Android device manufacturers, like Samsung, enforce encryption that cannot be bypassed during or after chip-off acquisition even if the correct passcode is known, because the disk encryption key is wrapped by a key held in the hardware-backed keystore (the TEE) that never leaves the device. Because of the access difficulties with encrypted devices, chip-off is effectively limited to unencrypted devices.
- Over-the-air data acquisition. We are all aware that Google has mastered data collection. Google is known for maintaining massive amounts of data from cell phones, tablets, laptops, computers and other devices running various operating systems. If the user has a Google account, the DFI can access, download and analyze the information Google holds for that user account, given proper authorization (the user's credentials and consent, or the appropriate legal process served on Google). This involves downloading information from the user's Google account. Currently there are no full device-image cloud backups available to Android users, although app data and settings may be backed up to the account. Data that can be examined includes Gmail, contacts, Google Drive data (which can be very revealing), synced Chrome tabs, browser bookmarks, saved passwords, a list of registered Android devices (where the location history for each device can be reviewed), and more.
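The JTAG and chip-off items above both end at the same question: is the raw dump plaintext worth parsing, or ciphertext that has to be decrypted first? The following is an added example, not code from the original article or from any named tool, that triages a dump before hours are spent on it. It assumes the dump has been saved to a file and applies two checks: per-block Shannon entropy (ciphertext and compressed data score close to 8 bits per byte, filesystem metadata and text score far lower) and a search for the Android full-disk-encryption crypto footer, whose magic value CRYPT_MNT_MAGIC is 0xD0B5B1C4 in AOSP's cryptfs code and which lives in the last 16 KiB of the userdata partition when the device's fstab specifies encryptable=footer.

```python
"""Triage of a raw JTAG or chip-off dump: plaintext worth parsing, or ciphertext?

Added example, not code from the original article or from any named tool.
Checks per-block entropy and looks for the Android FDE crypto footer.
"""
import math
import struct
import sys
from collections import Counter

CRYPT_MNT_MAGIC = 0xD0B5B1C4                           # AOSP cryptfs footer magic
FOOTER_MAGIC_LE = struct.pack("<I", CRYPT_MNT_MAGIC)   # C4 B1 B5 D0 as stored on flash
CRYPT_FOOTER_OFFSET = 16 * 1024                        # footer starts 16 KiB before partition end
BLOCK_SIZE = 4096
# Threshold tuned for 4 KiB blocks: random data scores about 7.95 at that size.
# Sampling bias grows as blocks shrink, so lower it if you use smaller blocks.
HIGH_ENTROPY = 7.8


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image, block_size=BLOCK_SIZE):
    """Entropy of every block, so unencrypted islands in an opaque dump stand out."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def find_fde_footer(image):
    """Offset of an Android FDE crypto footer in the image, or -1 if none is found."""
    # Fast path: a dump of the userdata partition alone has the footer at the tail.
    tail = len(image) - CRYPT_FOOTER_OFFSET
    if tail >= 0 and image[tail:tail + 4] == FOOTER_MAGIC_LE:
        return tail
    # Slow path: a whole-flash dump embeds userdata somewhere inside it, so scan
    # every 512-byte sector boundary for the magic.
    for off in range(0, len(image) - 3, 512):
        if image[off:off + 4] == FOOTER_MAGIC_LE:
            return off
    return -1


def triage(image, block_size=BLOCK_SIZE):
    """Summarise a dump: share of high-entropy blocks and whether an FDE footer exists."""
    profile = entropy_profile(image, block_size)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    fraction = high / len(profile) if profile else 0.0
    footer = find_fde_footer(image)
    return {
        "blocks": len(profile),
        "high_entropy_fraction": fraction,
        "fde_footer_offset": footer,
        # Either signal alone means: plan for decryption before parsing filesystems.
        "likely_encrypted": footer != -1 or fraction > 0.9,
    }


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(triage(f.read()))
```

For a multi-gigabyte dump, replace `f.read()` with an `mmap` of the file; the functions only slice, so they work unchanged. The footer check only covers the full-disk encryption scheme; the file-based encryption introduced in Android 7.0 has no such footer, so for those devices the entropy profile is the signal to rely on, and an `entropy_profile` that is uniformly high with no footer is exactly what such a device looks like.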
The five methods noted above are not a comprehensive list. An often-repeated note about data acquisition: when working with a mobile device, proper and accurate documentation is critical. Further, documenting the processes and procedures used, and adhering to the chain-of-custody process you have established, will ensure the evidence collected is "forensically sound."
As discussed in this article, mobile device forensics, particularly on Android, differs from the traditional digital forensic processes used for laptops and desktops. While a computer system is easily secured, its storage readily copied and the device itself stored, the safe acquisition of mobile devices and their data can be, and often is, problematic. A structured procedure for securing the mobile device and a planned approach to data acquisition are critical. As noted above, the five methods introduced will help the DFI gain access to the device. However, there are numerous additional methods not discussed in this article, and additional research and tool use by the DFI will be necessary.