A Digital Forensics Investigator (DFI) function is rife with continuous knowledge of possibilities, especially as the era expands and proliferates into each nook of communications, entertainment, and business. As a DFI, we deal with a day-by-day onslaught of recent devices. Like the cell smartphone or pill, many of these devices use common operating structures that we want to be familiar with. Certainly, the Android OS is important in the tablet and cell phone industry. Given the predominance of the Android OS within the mobile device market, DFIs will run into Android gadgets within the direction of many investigations. While numerous fashions advise procedures to acquire data from Android gadgets, this newsletter introduces four feasible techniques that the DFI needs not to forget when proof amassing from Android gadgets.
A Bit of History of the Android OS
Android’s first industrial release changed into in September 2008 with version 1. Zero. Android is the open supply and ‘free to apply’ running gadget for mobile devices evolved by way of Google. Importantly, early on, Google and different hardware organizations fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and help the boom of the Android inside the market. This alliance was mounted to compete with corporations who had their very own market services, along with competitive gadgets supplied with the aid of Apple, Microsoft (Windows Phone 10 – that’s now reportedly dead to the marketplace), and Blackberry (which has ceased making hardware). The OHA now includes 84 hardware organizations, including giants like Samsung, HTC, and Motorola (to call a few). Regardless if an OS is defunct or not, the DFI must recognize the numerous variations of a couple of working gadget platforms, specifically if their forensics cognizance is in a selected realm, including cellular devices.
Linux and Android
The current new release of the Android OS is based on Linux. Keep in mind that “based totally on Linux” does now not imply the standard Linux apps will always run on an Android and, conversely, the Android apps which you would possibly experience (or are acquainted with) will now not necessarily run in your Linux computer. But Linux isn’t always Android. To clarify the point, please observe that Google decided on the Linux kernel, the crucial part of the Linux working gadget, to manipulate the hardware chipset processing so that Google’s builders wouldn’t be concerned with the specifics of the ways processing occurs a given set of hardware. This allows their builders to attention to the broader operating system layer and the person interfaces capabilities of the Android OS.
The Android OS has a significant market share of the cellular tool market, on the whole, due to its open-source nature. An excess of 328 million Android gadgets had been shipped as of the third area in 2016. And, consistent with netwmarketshare.Com, the Android operating device had the bulk of installations in 2017 — nearly sixty-seven % — as of this writing.
As a DFI, we will count on to come upon Android-primarily based hardware inside the direction of ordinary research. Due to the open supply nature of the Android OS alongside the varied hardware structures from Samsung, Motorola, HTC, etc., the variety of mixtures between hardware kind and OS implementation offers an extra task. Consider that Android is presently at model 7.1.1. Still, each phone manufacturer and cellular tool dealer will typically adjust the OS for the specific hardware and provider services, giving a further layer of complexity for the DFI because the technique to facts acquisition might also vary.
Before we dig deeper into extra attributes of the Android OS that complicate the information acquisition method, let’s look at the concept of a ROM version that will be implemented to an Android device. As a top-level view, a ROM (Read Only Memory) application is low-stage programming that is close to the kernel stage, and the particular ROM software is regularly called firmware. If you think in phrases of a tablet in comparison to a mobile cellphone, the pill may have different ROM programming as contrasted to a cellular phone, since hardware capabilities between the tablet and cell smartphone may be distinct, even supposing each hardware devices are from the equal hardware manufacturer. Complicating the want for extra specifics in the ROM software, add in the specific requirements of mobile service providers (Verizon, AT&T, etc.).
While there are commonalities of obtaining records from a cellular phone, not all Android devices are the same, particularly in light that there are fourteen major Android OS releases on the market (from versions 1. Zero to 7.1.1), more than one provider with version-unique ROMs, and further infinite custom consumer-complied variations (consumer ROMs). The ‘consumer compiled variants’ are also model-unique ROMs. The ROM-degree updates applied to every wireless device will include operating and system simple packages that work for a specific hardware tool, a given seller (for example, your Samsung S7 from Verizon), and specific implementation.
Even though there may be no ‘silver bullet’ option to investigating any Android tool, the forensic investigation of an Android device should follow the same preferred manner for the gathering of evidence, requiring a structured system and technique that cope with the investigation, seizure, isolation, acquisition, exam, and analysis, and reporting for any digital evidence. When a request to study a device is acquired, the DFI begins with making plans and guidance to include the considered necessary method of acquiring gadgets, the important paperwork to guide and file the chain of custody, the development of a reason announcement for the examination, the detailing of the tool model (and other unique attributes of the obtained hardware), and a listing or description of the information the requestor is looking for to gather.
Unique Challenges of Acquisition
Mobile devices, including cell telephones, pills, etc., face particular demanding situations at some point of seizure. Since battery existence is constrained on mobile devices and it isn’t normally encouraged that a charger is inserted right into a tool, the isolation stage of evidence collecting can be crucial in obtaining the device. Confounding proper acquisition, the mobile statistics, WiFi connectivity, and Bluetooth connectivity ought to additionally be protected within the investigator’s recognition all through acquisition. Android has many protection capabilities built into the smartphone. The lock-display characteristic may be PIN, password, drawing a sample, facial recognition, vicinity reputation, trusted-tool reputation, and biometrics such as fingerprints. An envisioned 70% of customers do use a few kinds of protection on their smartphones. Critically, there may be to be had software that the consumer may additionally have downloaded, which can give them the ability to wipe the telephone remotely, complicating acquisition.
It is unlikely that the display screen could be unlocked at some point of the seizure of the cellular tool. If the device isn’t locked, the DFI’s exam may be less complicated because the DFI can alternate the settings within the phone directly. I you get entry is authorized to the cellular smartphone, disable the lock-display and change the display screen timeout to its most fee (which may be up to a half-hour for a few devices). Keep in mind that the key signature is to isolate the smartphone from any Internet connections to prevent far-off wiping of the device. Place the telephone in Airplane mode. Attach an outside power delivery to the smartphone after being located in a static-free bag designed to dam radiofrequency signals. Once relaxed, you must later enable USB debugging on the way to allow the Android Debug Bridge (ADB), which could offer excellent records to seize. While it can be important to observe RAM artifacts on a cell device, this is not going to occur.
Acquiring the Android Data
Copying a hard pressure from a computer or laptop pc in a forensically sound way is trivial compared to the facts extraction strategies needed for mobile device statistics acquisition. Generally, DFIs have equipped bodily to get admission to a difficult pressure and not to use barriers, taking into account a hardware replica or software program bit circulation image to be created. Mobile devices have their facts stored interior of the telephone in tough-to-reach locations. Extraction of data via the USB port may be an undertaking. However, it may be accomplished with care and good fortune on Android gadgets.
After the Android tool has been seized and is comfy, it’s time to study the cellphone. There are several facts acquisition techniques to be had for Android, and they fluctuate notably. This article introduces and discusses 4 of the number one methods to approach statistics acquisition. These five methods are stated and summarized underneath:
1. Send the tool to the manufacturer: You can ship the device to the producer for facts extraction, on the way to cost extra money and time; however, it may be essential if you do no longer have the specific ability set for a given device nor the time to examine. Specifically, as referred to in advance, Android has many OS versions primarily based on the manufacturer and ROM model, including the complexity of acquisition. Manufacturer’s normally making this provider available to authorities, businesses, and law enforcement for most home gadgets, so if you’re an impartial contractor, you may need to test with the manufacturer or advantage support from the company with which you are operating. Also, the manufacturer investigation alternative may not be available for numerous international models (like the many no-name Chinese phones that proliferate the marketplace – think about the ‘disposable phone).
2. Direct physical acquisition of the data. One of the guidelines of a DFI investigation is never to alter the statistics. The bodily acquisition of information from a cell phone must bear in mind the same strict tactics of verifying and documenting that the bodily method used will no longer modify any facts on the device. Further, once the device is hooked up, the running of hash totals is vital. The physical acquisition allows the DFI to attain a complete picture of the device using a USB wire and forensic software (at this factor, you must be contemplating write blocks to prevent any changing of the information). Connecting to a cell phone and grabbing an image isn’t always as smooth and clean as pulling data from a hard power on a computing device laptop. The hassle is that relying on your chosen forensic acquisition device, the precise make, and version of the cellphone, the provider, the Android OS version, the consumer’s settings at the phone, the root reputation of the device, the lock popularity, if the PIN code is thought, and if the USB debugging option is enabled at the device, you may no longer be capable of gathering the facts from the device underneath research. Body acquisition finally ends up inside the realm of ‘simply trying it’ to see what you get and can seem to the court (or opposing aspect) as an unstructured manner to accumulate records, that could vicinity the information acquisition at the chance.
3. JTAG forensics (a version of bodily acquisition cited above). By definition, JTAG (Joint Test Action Group) forensics is a superior manner of statistics acquisition. Basically, it is a bodily method that entails cabling and connecting to Test Access Ports (TAPs) on the tool and using processing instructions to invoke a switch of the uncooked statistics saved in reminiscence. Raw data is pulled immediately from the connected device by the usage of a special JTAG cable. This is considered low-degree facts acquisition because there’s no conversion or interpretation, just like a bit-reproduction. This is carried out whilst obtaining evidence from a laptop or computer pc hard pressure. JTAG acquisition can frequently be carried out for locked, damaged, and inaccessible (locked) gadgets. Since it’s far a low-level reproduction, if the tool changed into encrypted (whether by the consumer or through the unique manufacturer, such as Samsung and some Nexus devices), the obtained information will nonetheless need to be decrypted. But because Google determined to remove whole-device encryption with the Android OS five.0 release, the whole-tool encryption challenge is a piece narrowed unless the consumer has decided to encrypt their tool. After JTAG records are received from an Android device, the received statistics can be similarly inspected and analyzed with equipment including 3zx (link: http://z3x-crew.Com/ ) or Belkasoft (hyperlink: https://belkasoft.Com/ ). Using JTAG gear will routinely extract key virtual forensic artifacts, including call logs, contacts, location facts, surfing records, and loads more.
Four. Chip-off acquisition. This acquisition technique requires the removal of reminiscence chips from the device. Produces uncooked binary dumps. Again, that is considered a complicated, low-stage acquisition and will require de-soldering of reminiscence chips the usage of extraordinarily specialized tools to get rid of the chips and other specialized devices to read the chips. Like the JTAG forensics mentioned above, the DFI risks that the chip contents are encrypted. But if the statistics aren’t encrypted, a bit copy can be extracted as an uncooked picture. The DFI will need to cope with a block with remapping, fragmentation, and, if present, encryption. Also, numerous Android tool manufacturers, like Samsung, implement encryption that cannot be bypassed for the duration or after the chip-off acquisition has been completed, even though the best passcode is understood. Due to the get admission to troubles with encrypted gadgets, chip-off is restrained to unencrypted gadgets.
Five. Over-the-air Data Acquisition. We are very aware that Google has mastered information collection. Google is understood for retaining massive quantities from mobile phones, drugs, laptops, computer systems, and different devices from diverse working device types. If the person has a Google account, the DFI can get admission to, download, and examine all data for the given user below their Google person account, with proper permission from Google. This involves downloading statistics from the person’s Google Account. Currently, there aren’t any complete cloud backups available to Android users. Data that can be tested consist of Gmail, touch information, Google Drive information (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a listing of registered Android gadgets (where place records for each device may be reviewed), and lots greater.
The five methods noted above aren’t always a complete listing. A frequently-repeated word surfaces approximately record acquisition – when working on a cell tool, right and accurate documentation is essential. Further, documentation of the approaches and methods used in addition to adhering to the chain of custody processes that you’ve mounted will ensure that proof accrued can be ‘forensically sound.’
As mentioned in this text, mobile tool forensics, specifically the Android OS, isn’t the same as the conventional digital forensic methods used for laptops and desktop computers. While the personal pc is without problems secured, the garage may be without difficulty copied, and the device may be stored, secure acquisition of cell gadgets and statistics may be and frequently is difficult. A structured method for acquiring the cellular device and a deliberate technique for information acquisition is essential. As mentioned above, the 5 strategies brought will permit the DFI to gain access to the device. However, there are several extra techniques not discussed in this article. Additional research and tool use by the DFI will be important.