An Introduction to Forensics Data Acquisition From Android Mobile Devices


A Digital Forensics Investigator (DFI) position is rife with non-stop getting to know opportunities, specifically as technology expands and proliferates into each nook of communications, enjoyment, and enterprise. As a DFI, we address an everyday onslaught of the latest devices. Like the cell smartphone or pill, many of those devices use common running structures that we want to be acquainted with. Certainly, the Android OS is principal within the pill and cell phone enterprise. Given the predominance of the Android OS within the mobile device marketplace, DFIs will run into Android gadgets inside the path of many investigations. While numerous models endorse procedures for obtaining records from Android gadgets, this text introduces 4 possible techniques that the DFI should recollect while gathering evidence from Android gadgets.

A Bit of History of the Android OSAndroid Mobile Devices

Android’s first business release was in September 2008 with version 1. Zero. Android is the open-source and ‘free to use’ operating gadget for cell devices evolved through Google. Importantly, early on, Google and different hardware groups fashioned the “Open Handset Alliance” (OHA) in 2007 to foster and guide the increase of Android inside the marketplace. This alliance became mounted to compete with companies who had their personal market offerings, including aggressive devices presented via Apple, Microsoft (Windows Phone 10 – which is now reportedly useless to the market), and Blackberry (which has ceased making hardware). The OHA now consists of eighty-four hardware corporations consisting of giants like Samsung, HTC, and Motorola (to name some). Regardless of whether an OS is defunct or no longer, the DFI should recognize approximately the diverse variations of more than one running system, particularly if their forensics attention is in a specific realm, including mobile devices.

Linux and Android


The current generation of the Android OS is primarily based on Linux. Keep in mind that “based totally on Linux” does no longer imply the usual Linux apps will constantly run on an Android and, conversely, the Android apps that you would possibly enjoy (or are acquainted with) will now not always run for your Linux computing device. But Linux isn’t Android. To clarify the factor, please word that Google decided on the Linux kernel, the essential part of the Linux running system, to manipulate the hardware chipset processing so that Google’s builders would not be involved with the specifics of how processing occurs a given set of hardware. This allows their builders to awareness of the broader working gadget layer and the user interface capabilities of the Android OS.

A Large Market Share

The Android OS has a giant market share of the cell device marketplace, often because of its open-source nature. An extra 328 million Android gadgets were shipped as of the 0.33 sector in 2016. And, in line with netwmarketshare.Com, the Android-running device had the bulk of installations in 2017 — nearly 67% — as of this writing.

As a DFI, we can expect to encounter Android-primarily based hardware inside the direction of a standard investigation. Due to the open supply nature of the Android OS and the numerous hardware platforms from Samsung, Motorola, HTC, etc., the kind of combinations among hardware kind and OS implementation gives an additional assignment. Consider that Android is currently at model 7.1.1. Still, every telephone manufacturer and cell tool provider will generally regulate the OS for the specific hardware and service offerings, giving an extra layer of complexity for the DFI since the method to statistics acquisition may additionally vary.

Before we dig deeper into extra attributes of the Android OS that complicate the technique to statistics acquisition, allow’s examine the idea of a ROM model to be applied to an Android device. To overview, a ROM (Read Only Memory) software is low-level programming close to the kernel stage, and the specific ROM application is frequently referred to as firmware. If you watched in terms of a pill in evaluation to a cellular cellphone, the tablet could have different ROM programming as contrasted to a mobile telephone, seeing that hardware functions among the tablet and cell phone might be extraordinary, even if each hardware gadgets are from the equal hardware manufacturer. Complicating the want for more specifics in the ROM software, upload inside the unique requirements of cellular provider carriers (Verizon, AT&T, and many others.).

While there are commonalities of acquiring facts from a cellular phone, not all Android devices are identical, in particular in mind that there are fourteen essential Android OS releases on the market (from versions 1.0 to 7.1.1), multiple companies with version-particular ROMs, and further infinite custom user-complied variants (customer ROMs). The ‘client compiled variations’ are also version-precise ROMs. In trendy, the ROM-degree updates carried out to every wireless tool will include working and system simple programs that work for a selected hardware tool, for a given vendor (for instance, your Samsung S7 from Verizon), and a selected implementation.

Android Mobile Devices

Even though there’s no ‘silver bullet’ method to investigating any Android tool, the forensics research of an Android device should comply with the same general manner for the gathering of evidence, requiring a structured technique and approach that cope with the investigation, seizure, isolation, acquisition, exam, and evaluation, and reporting for any virtual proof. When a request to examine a device is obtained, the DFI begins with planning and preparation to encompass the considered necessary technique of obtaining gadgets, the necessary paperwork to guide and report the chain of custody, the improvement of a motive declaration for the examination, the detailing of the device version (and different specific attributes of the acquired hardware), and a listing or description of the records the requestor is seeking to gather.

Unique Challenges of Acquisition

Mobile devices, along with cellular telephones, capsules, etc., face specific demanding situations at some point of seizure. Since battery life is constrained on cellular devices and it isn’t always normally encouraged that a charger is inserted right into a tool, the isolation stage of evidence accumulating may be essential in acquiring the device. Confounding right acquisition, the cell records, WiFi connectivity, and Bluetooth connectivity should additionally be covered inside the investigator’s consciousness at some stage in the acquisition. Android has many protection features constructed into the phone. The lock-display screen function may be set as PIN, password, drawing a sample, facial popularity, place recognition, relied upon on-device popularity, and biometrics, including fingerprints—and anticipated 70% of customers use some safety protection on their telephone. Critically, there’s to be had the software program that the consumer can also have downloaded, which can give them the potential to wipe the smartphone remotely, complicating acquisition.

It is unlikely throughout the seizure of the cell tool that the display screen can be unlocked. If the tool is not locked, the DFI’s exam might be less complicated because the DFI can trade the settings inside the cellphone right away. If access is permitted to the cellular cellphone, disable the lock-display screen and trade the display screen timeout to its maximum cost (which may be as much as the half-hour for a few devices). Keep in mind that of key importance is to isolate the cellphone from any Internet connections to prevent faraway wiping of the tool. Place the phone in Airplane mode. Attach an external strength supply to the cell phone after it’s been positioned in a static-free bag designed to block radiofrequency signals. Once comfortable, you have to be later able to enable USB debugging on the way to permit the Android Debug Bridge (ADB), which can offer excellent records capture. While it may be important to observe RAM artifacts on a cellular device, this is unlikely to occur.

Acquiring the Android Data

Copying difficult pressure from a computing device or computer laptop in a forensically sound manner is trivial compared to the records extraction methods needed for cell device records acquisition. Generally, DFIs have equipped bodily get right of entry to a difficult-pressure without limitations, making an allowance for a hardware copy or software bit circulate picture to be created. Mobile gadgets have their records stored inside of the smartphone in difficult-to-attain locations. Extraction of information through the USB port may be a mission but may be carried out with care and luck on Android gadgets.

After the Android tool has been seized and is cozy, it is time to look at the cellphone. There are numerous statistics acquisition methods available for Android, and they fluctuate notably. This article introduces and discusses four of the primary ways to technique statistics acquisition. These 5 strategies are stated and summarized under:

1. Send the tool to the producer: You can send the device to the manufacturer for information extraction, with a purpose to cost extra time and money, but it can be vital in case you do not have the precise ability set for a given tool nor the time to study. Specifically, as referred to earlier, Android has a plethora of OS versions based on the manufacturer and ROM version, adding to the complexity of acquisition. Manufacturer’s usually made this provider to be had to government companies and regulation enforcement for maximum home gadgets, so in case you’re an unbiased contractor, you may want to test with the manufacturer or gain assistance from the corporation which you are operating with. Also, the producer investigation option may not be available for numerous international fashions (just like the many no-call Chinese telephones that proliferate the marketplace – consider the ‘disposable phone).

2. Direct bodily acquisition of the data. One of the policies of DFI research is to in no way to regulate the statistics. The bodily acquisition of statistics from a cellular phone needs to remember the identical strict tactics of verifying and documenting that the physical technique used will not alter any statistics on the device. Further, as soon as the tool is connected, the jogging of hash totals is essential. Physical acquisition permits the DFI to gain a complete photo of the tool by using a USB twine and forensic software program (at this factor, you ought to be taking into account write blocks to save you any altering of the information). Connecting to a cell telephone and grabbing a photograph just isn’t as clean and clean as pulling information from a difficult force on a computing device laptop. The trouble is that relying on your chosen forensic acquisition device, the unique make and model of the telephone, the provider, the Android OS model, the consumer’s settings at the phone, the foundation popularity of the tool, the lock fame, if the PIN code is thought, and if the USB debugging choice is enabled on the device, you could no longer be capable of gathering the facts from the device beneath investigation. Placed, bodily acquisition ends up within the realm of ‘simply trying it’ to peer what you get and may appear to the court (or opposing side) as an unstructured manner to accumulate data that could region the information acquisition at the chance.

3. JTAG forensics (a version of bodily acquisition cited above). As a definition, JTAG (Joint Test Action Group) forensics is an extra advanced manner of statistics acquisition. It is largely a physical technique that involves cabling and connecting to Test Access Ports (TAPs) at the device and processing commands to invoke a transfer of the raw statistics stored in reminiscence. Raw statistics are pulled without delay from the related tool the use of a special JTAG cable. This is considered low-level information acquisition because there’s no conversion or interpretation and is similar to a piece-copy that is carried out when acquiring evidence from a computing device or laptop computer tough power. JTAG acquisition can regularly be completed for locked, broken, and inaccessible (locked) gadgets. Since it is a low-level replica, if the device was encrypted (whether or not with the person’s aid or through the specific manufacturer, which includes Samsung and a few Nexus devices), the acquired records will still want to be decrypted. But considering that Google determined to get rid of entire-tool encryption with the Android OS 5. Zero release, the whole-tool encryption predicament is a piece narrowed until the person has decided to encrypt their tool. After JTAG information is acquired from an Android device, the received records can be similarly inspected and analyzed with equipment consisting of 3zx (link: http://z3x-crew.Com/ ) or Belkasoft (link: https://belkasoft.Com/ ). Using JTAG equipment will robotically extract key digital forensic artifacts, including name logs, contacts, place statistics, surfing history, and loads more.

4. Chip-off acquisition. This acquisition method calls for the elimination of reminiscence chips from the device. Produces raw binary dumps. Again, that is considered a complicated, low-degree acquisition and could require de-soldering memory chips using notably specialized gear to take away the chips and other specialized gadgets to read the chips. Like the JTAG forensics mentioned above, the DFI risks that the chip contents are encrypted. But if the facts aren’t encrypted, a bit of reproduction may be extracted as an uncooked photo. The DFI will want to cope with block deal with remapping, fragmentation, and, if the gift, encryption. Also, several Android tool producers, like Samsung, enforce encryption that can not be bypassed during or after the chip-off acquisition has been finished, although the precise passcode is understood. Due to the get entry to troubles with encrypted gadgets, chip off is confined to unencrypted devices.

5. Over-the-air Data Acquisition. We are very aware that Google has mastered facts series. Google is understood for maintaining large quantities from cellular phones, tablets, laptops, computer systems, and different gadgets from diverse working machine types. If the user has a Google account, the DFI can get admission to, download, and examine all records for the given consumer below their Google user account, with proper permission from Google. This involves downloading information from the person’s Google Account. Currently, there are no full cloud backups available to Android customers. Data that may be examined encompass Gmail contact records, Google Drive information (which may be very revealing), synced Chrome tabs, browser bookmarks, passwords, a list of registered Android gadgets (wherein location history for each tool can be reviewed), and lots greater.

The five methods referred to above aren’t always comprehensive listing. An often-repeated observe surfaces about statistics acquisition – whilst operating on a cell tool, proper and correct documentation is essential. Further, documentation of the methods and approaches used, as well as adhering to the chain of custody methods that you’ve installed, will ensure that evidence gathered will be ‘forensically sound.’


As discussed in this newsletter, mobile tool forensics, and mainly the Android OS, is different from the traditional digital forensic strategies used for pc and computing device computers. While the private computer is without problems secured, storage can be copied, and the tool may be stored, secure acquisition of cell gadgets and data can be and frequently is problematic. A structured technique for obtaining the mobile tool and a deliberate technique for records acquisition are important. As noted above, the 5 strategies introduced will allow the DFI to advantage access to the tool. However, there are numerous extra strategies not mentioned in this newsletter. Additional research and tool use through the DFI can be important.