An Introduction to Forensics Info Acquisition From Android Cellular Equipment

The purpose that a Digital Forensics Investigator (DFI) is rife with steady mastering chances, specifically as know-how expands and proliferates into each individual corner of communications, enjoyment and business. As a DFI, we deal with a each day onslaught of new units. Several of these gadgets, like the mobile phone or tablet, use widespread operating methods that we will need to be common with. Unquestionably, the Android OS is predominant in the tablet and cell mobile phone industry. Given the predominance of the Android OS in the cell product market, DFIs will run into Android devices in the course of many investigations. While there are a number of styles that advise techniques to getting knowledge from Android equipment, this post introduces four viable approaches that the DFI should really contemplate when proof collecting from Android products.

A Little bit of Background of the Android OS

Android’s 1st professional release was in September, 2008 with version 1.. Android is the open up source and ‘free to use’ operating procedure for cell products made by Google. Importantly, early on, Google and other components corporations fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and help the progress of the Android in the market. The OHA now is composed of 84 hardware providers such as giants like Samsung, HTC, and Motorola (to name a couple of). This alliance was recognized to compete with firms who experienced their possess industry offerings, these types of as competitive equipment available by Apple, Microsoft (Windows Phone 10 – which is now reportedly lifeless to the market place), and Blackberry (which has ceased earning components). Regardless if an OS is defunct or not, the DFI will have to know about the a variety of variations of many operating process platforms, specifically if their forensics concentrate is in a unique realm, this sort of as mobile units.

Linux and Android

The recent iteration of the Android OS is based mostly on Linux. Retain in thoughts that “based mostly on Linux” does not suggest the standard Linux apps will generally run on an Android and, conversely, the Android applications that you could love (or are familiar with) will not essentially operate on your Linux desktop. But Linux is not Android. To explain the issue, please note that Google picked the Linux kernel, the necessary part of the Linux operating technique, to control the hardware chipset processing so that Google’s builders wouldn’t have to be involved with the specifics of how processing happens on a offered set of hardware. This makes it possible for their builders to concentration on the broader operating technique layer and the person interface characteristics of the Android OS.

A Massive Sector Share

The Android OS has a significant industry share of the mobile gadget sector, generally due to its open-source mother nature. An excessive of 328 million Android devices have been shipped as of the third quarter in 2016. And, according to, the Android operating program had the bulk of installations in 2017 — almost 67% — as of this writing.

As a DFI, we can count on to face Android-based mostly components in the system of a common investigation. Owing to the open up resource nature of the Android OS in conjunction with the different hardware platforms from Samsung, Motorola, HTC, and so forth., the assortment of mixtures amongst hardware sort and OS implementation provides an further problem. Contemplate that Android is at present at variation 7.1.1, still just about every cellular phone manufacturer and cell gadget supplier will usually modify the OS for the unique components and services choices, offering an more layer of complexity for the DFI, since the technique to facts acquisition may possibly range.

Just before we dig deeper into supplemental characteristics of the Android OS that complicate the strategy to info acquisition, let’s glimpse at the strategy of a ROM variation that will be applied to an Android system. As an overview, a ROM (Read through Only Memory) program is lower-stage programming that is shut to the kernel amount, and the unique ROM method is frequently identified as firmware. If you believe in phrases of a tablet in contrast to a cell mobile phone, the pill will have distinctive ROM programming as contrasted to a cell phone, because hardware features between the pill and mobile mobile phone will be distinct, even if the two hardware products are from the exact hardware company. Complicating the need to have for additional particulars in the ROM system, incorporate in the unique specifications of mobile support carriers (Verizon, AT&T, and many others.).

When there are commonalities of getting information from a cell cellphone, not all Android gadgets are equal, specially in gentle that there are fourteen main Android OS releases on the market place (from versions 1. to 7.1.1), various carriers with model-particular ROMs, and added a great number of personalized consumer-complied editions (consumer ROMs). The ‘customer compiled editions’ are also model-precise ROMs. In common, the ROM-amount updates utilized to each wireless product will contain operating and technique simple programs that functions for a particular components unit, for a provided vendor (for case in point your Samsung S7 from Verizon), and for a unique implementation.

Even while there is no ‘silver bullet’ answer to investigating any Android device, the forensics investigation of an Android unit need to follow the very same common method for the collection of proof, demanding a structured system and solution that tackle the investigation, seizure, isolation, acquisition, examination and assessment, and reporting for any electronic evidence. When a ask for to analyze a unit is obtained, the DFI commences with planning and planning to include the requisite method of attaining gadgets, the important paperwork to assist and document the chain of custody, the development of a reason statement for the evaluation, the detailing of the system model (and other unique attributes of the obtained hardware), and a checklist or description of the details the requestor is looking for to obtain.

Unique Difficulties of Acquisition

Cell units, including mobile telephones, tablets, etc., encounter unique challenges in the course of proof seizure. Considering that battery life is constrained on cell units and it is not ordinarily advisable that a charger be inserted into a device, the isolation phase of proof accumulating can be a vital state in obtaining the machine. Confounding suitable acquisition, the cellular information, WiFi connectivity, and Bluetooth connectivity should really also be provided in the investigator’s target throughout acquisition. Android has quite a few safety options crafted into the cellular phone. The lock-display feature can be set as PIN, password, drawing a pattern, facial recognition, area recognition, dependable-device recognition, and biometrics such as finger prints. An believed 70% of people do use some style of safety protection on their cellular phone. Critically, there is out there program that the person could have downloaded, which can give them the capability to wipe the mobile phone remotely, complicating acquisition.

It is unlikely in the course of the seizure of the cell device that the monitor will be unlocked. If the gadget is not locked, the DFI’s examination will be much easier due to the fact the DFI can change the settings in the mobile phone immediately. If entry is authorized to the mobile phone, disable the lock-screen and change the display screen timeout to its optimum value (which can be up to 30 minutes for some gadgets). Preserve in intellect that of important relevance is to isolate the cell phone from any Internet connections to avert distant wiping of the system. Put the phone in Plane method. Attach an exterior energy provide to the cellular phone after it has been put in a static-free bag intended to block radiofrequency indicators. After safe, you should afterwards be capable to empower USB debugging, which will allow for the Android Debug Bridge (ADB) that can present good facts capture. When it may possibly be essential to look at the artifacts of RAM on a mobile product, this is unlikely to occur.

Obtaining the Android Facts

Copying a difficult-travel from a desktop or laptop laptop in a forensically-seem manner is trivial as in contrast to the details extraction procedures wanted for cellular gadget details acquisition. Usually, DFIs have completely ready bodily access to a challenging-push with no boundaries, making it possible for for a hardware copy or software package little bit stream picture to be designed. Mobile products have their details saved inside of of the cellular phone in tricky-to-achieve destinations. Extraction of details by the USB port can be a problem, but can be completed with treatment and luck on Android devices.

Just after the Android unit has been seized and is secure, it is time to take a look at the cellular phone. There are numerous info acquisition approaches accessible for Android and they vary drastically. This short article introduces and discusses 4 of the most important methods to strategy details acquisition. These 5 techniques are observed and summarized down below:

1. Send the system to the manufacturer: You can mail the system to the company for info extraction, which will price further time and income, but may be vital if you do not have the individual talent established for a offered gadget nor the time to find out. In distinct, as mentioned previously, Android has a plethora of OS versions based mostly on the maker and ROM edition, including to the complexity of acquisition. Manufacturer’s typically make this assistance accessible to government companies and regulation enforcement for most domestic equipment, so if you happen to be an unbiased contractor, you will want to check out with the manufacturer or achieve support from the group that you are performing with. Also, the company investigation selection may possibly not be readily available for quite a few intercontinental designs (like the several no-identify Chinese telephones that proliferate the current market – think of the ‘disposable phone’).

2. Direct bodily acquisition of the info. Just one of procedures of a DFI investigation is to never to change the information. The actual physical acquisition of facts from a mobile mobile phone must consider into account the similar rigorous processes of verifying and documenting that the bodily approach utilized will not alter any details on the device. Further, the moment the unit is linked, the jogging of hash totals is essential. Bodily acquisition lets the DFI to get a whole image of the gadget employing a USB cord and forensic software (at this place, you should be thinking of generate blocks to avert any altering of the facts). Connecting to a cell cellular phone and grabbing an impression just just isn’t as thoroughly clean and clear as pulling data from a tough drive on a desktop computer. The dilemma is that based on your picked forensic acquisition software, the individual make and model of the mobile phone, the carrier, the Android OS edition, the user’s options on the mobile phone, the root status of the system, the lock position, if the PIN code is acknowledged, and if the USB debugging solution is enabled on the machine, you could not be equipped to receive the data from the system less than investigation. Simply just put, bodily acquisition ends up in the realm of ‘just attempting it’ to see what you get and may well show up to the courtroom (or opposing facet) as an unstructured way to gather facts, which can area the data acquisition at chance.

3. JTAG forensics (a variation of physical acquisition noted higher than). As a definition, JTAG (Joint Examination Motion Team) forensics is a more superior way of info acquisition. It is fundamentally a physical process that consists of cabling and connecting to Test Access Ports (Taps) on the machine and applying processing guidelines to invoke a transfer of the uncooked data saved in memory. Raw facts is pulled directly from the related machine working with a specific JTAG cable. This is thought of to be reduced-amount data acquisition since there is no conversion or interpretation and is equivalent to a little bit-duplicate that is completed when acquiring evidence from a desktop or laptop personal computer tough travel. JTAG acquisition can usually be completed for locked, damaged and inaccessible (locked) units. Given that it is a lower-amount duplicate, if the gadget was encrypted (whether or not by the consumer or by the specific manufacturer, this kind of as Samsung and some Nexus equipment), the obtained information will nonetheless need to have to be decrypted. But because Google determined to do absent with full-gadget encryption with the Android OS 5. release, the full-system encryption limitation is a little bit narrowed, unless of course the user has established to encrypt their product. Right after JTAG knowledge is acquired from an Android machine, the acquired information can be even more inspected and analyzed with resources this sort of as 3zx (connection: ) or Belkasoft (url: ). Using JTAG equipment will instantly extract crucial electronic forensic artifacts including phone logs, contacts, locale data, searching history and a good deal a lot more.

4. Chip-off acquisition. This acquisition procedure necessitates the removing of memory chips from the machine. Creates uncooked binary dumps. Once more, this is viewed as an state-of-the-art, reduced-amount acquisition and will involve de-soldering of memory chips applying extremely specialized instruments to take out the chips and other specialised equipment to go through the chips. Like the JTAG forensics famous over, the DFI risks that the chip contents are encrypted. But if the data is not encrypted, a little bit copy can be extracted as a uncooked picture. The DFI will require to contend with block handle remapping, fragmentation and, if existing, encryption. Also, several Android machine makers, like Samsung, implement encryption which cannot be bypassed during or following chip-off acquisition has been done, even if the accurate passcode is acknowledged. Thanks to the entry concerns with encrypted gadgets, chip off is limited to unencrypted devices.

5. Over-the-air Data Acquisition. We are each mindful that Google has mastered info collection. Google is acknowledged for maintaining huge quantities from mobile telephones, tablets, laptops, desktops and other products from different operating system sorts. If the user has a Google account, the DFI can obtain, down load, and analyze all info for the supplied person less than their Google consumer account, with suitable permission from Google. This will involve downloading facts from the user’s Google Account. At present, there are no full cloud backups readily available to Android end users. Knowledge that can be examined consist of Gmail, call info, Google Generate data (which can be pretty revealing), synced Chrome tabs, browser bookmarks, passwords, a record of registered Android products, (where by spot history for each individual device can be reviewed), and much extra.

The 5 methods noted previously mentioned is not a comprehensive record. An often-recurring be aware surfaces about details acquisition – when functioning on a cell machine, proper and correct documentation is vital. Additional, documentation of the processes and treatments utilised as nicely as adhering to the chain of custody procedures that you have recognized will guarantee that proof gathered will be ‘forensically audio.’


As talked over in this post, cell machine forensics, and in certain the Android OS, is various from the traditional digital forensic processes applied for notebook and desktop computers. While the private computer is effortlessly secured, storage can be conveniently copied, and the product can be stored, harmless acquisition of cellular equipment and data can be and frequently is problematic. A structured strategy to attaining the cell unit and a prepared method for info acquisition is needed. As famous above, the 5 solutions launched will let the DFI to obtain entry to the gadget. Nevertheless, there are various further approaches not talked over in this report. Further research and device use by the DFI will be necessary.