i Android Mobile Forensic – All things in moderation

Android Mobile Forensic

I – Android operating system overview

Android is a Linux-based operating system, and it’s a Google open source platform for mobile phones. Android is the world’s most widely used smartphone operating system.

Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android’s open nature has further encouraged the developers to build a large number of applications and upload them onto Android Market.

II – What is Android Forensic

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices.

III – Android Forensic Setup

Having an established forensic environment before the start of an examination is important as it ensures that the data is protected while the examiner maintains control of the workstation.

Setting up a proper lab environment is an essential part of a forensic process. Android forensic setup usually involves the following:

  • Start with a fresh or forensically sterile computer environment. This means that other data is not present on the system or is contained in a manner that it cannot contaminate the present investigation
  • Install basic software necessary to connect to the device. Android forensic tools and methodologies will work on Windows, Linux, and OS X platforms.
  • Obtain access to the device. An examiner must be able to enable settings or bypass them in order to allow the data to be extracted from the Android device.
  • Issue commands to the device through the methods defined.

IV – Image an Android Phone

Imaging a device is one of the most important steps in mobile device forensics. The rule of thumb when dealing with a forensic examination is to ensure that the data present on the device is not modified in any way, wherever possible. In forensics, this process of obtaining a physical or logical acquisition is commonly called imaging the device. A physical image is preferred as it is a bit-by-bit copy of the Android device memory.

The data extraction techniques on an Android device can be classified into three types:

  • Manual data extraction
  • Logical data extraction
  • Physical data extraction

You can read the technical details here.

In this article, I will guide you through the manual with the root device.

V – Manual data extraction

Prepare

  • Android Device rooted
  • Android Terminal Emulator – You can download here
  • ADB – Download here
  • Autopsy –  Download here

Perform

Step 1: Install Android Terminal Emulator

Method 1: Install via ADB

  • Download file .apk in here.

Download complete. Connect your devices with PC and install via ADB.

Command: adb install file.apk

Method 2: Install on Google Play Store

Step 2: Create image with dd command

Once Android Terminal Emulator is installed, the partitions can be acquired from the Android device using the following steps:

  • Using the dd command: The dd command can be used to create a raw image of the device. This command helps us to create a bit-by-bit image of the Android device by copying low-level data.
  • Inserting a new SD card: Insert a new SD card into the device in order to copy the image file to this card. Make sure this SD card is wiped and does not contain any other data.
  • Executing the command: The file system of an Android device is stored in different locations within the /dev partition. A simple mount command on a Xiaomi MI4 phone returns the following output:

From the preceding output, we can identify the blocks where the /system, /data, and /cache partitions are mounted. Although it’s important to image all the files, most of the data is present in the /data and /system partitions. When time allows, all partitions should be acquired for completeness.

In this article, we will create image with user data. In this demo, the partition containing user data is:

/dev/block/platform/msm_sdcc.1/by-name/userdata

dd command:

dd if=[ source] of=[destination]

In this demo:

dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata of=/data/tmp.image

Copy file image. Use ADB:

Command: adb pull [source] [destination]

Step 3: Analysis

Download and instal Autopsy.

Run Autopsy:

Creat New case:

 

Click Finish:

Select image:

Select Option:

Result:

You can view more information: Call logs, Accounts, Contacts,…

References:

  • Practical Mobile Forensic

Leave a Reply