I – Android operating system overview
Android is a Linux-based operating system and an open-source platform from Google for mobile phones. It is the world’s most widely used smartphone operating system.
Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies that require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android’s open nature has further encouraged developers to build a large number of applications and upload them to Android Market.
II – What is Android Forensics
Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices.
III – Android Forensic Setup
Having an established forensic environment before the start of an examination is important as it ensures that the data is protected while the examiner maintains control of the workstation.
Setting up a proper lab environment is an essential part of a forensic process. Android forensic setup usually involves the following:
- Start with a fresh or forensically sterile computer environment. This means that other data is not present on the system, or is contained in a manner that it cannot contaminate the present investigation.
- Install basic software necessary to connect to the device. Android forensic tools and methodologies will work on Windows, Linux, and OS X platforms.
- Obtain access to the device. An examiner must be able to enable settings or bypass them in order to allow the data to be extracted from the Android device.
- Issue commands to the device through the methods defined.
IV – Image an Android Phone
Imaging a device is one of the most important steps in mobile device forensics. The rule of thumb when dealing with a forensic examination is to ensure that the data present on the device is not modified in any way, wherever possible. In forensics, this process of obtaining a physical or logical acquisition is commonly called imaging the device. A physical image is preferred as it is a bit-by-bit copy of the Android device memory.
The data extraction techniques on an Android device can be classified into three types:
- Manual data extraction
- Logical data extraction
- Physical data extraction
You can read the technical details here.
In this article, I will walk through manual data extraction on a rooted device.
V – Manual data extraction
Prepare
- Android Device rooted
- Android Terminal Emulator – You can download here
- ADB – Download here
- Autopsy – Download here
Perform
Step 1: Install Android Terminal Emulator
Method 1: Install via ADB
- Download the .apk file here.
Once the download is complete, connect the device to the PC and install the .apk via ADB.
Command: adb install file.apk
Method 2: Install from the Google Play Store
Step 2: Create image with dd command
Once Android Terminal Emulator is installed, the partitions can be acquired from the Android device using the following steps:
- Using the dd command: The dd command can be used to create a raw image of the device. This command helps us to create a bit-by-bit image of the Android device by copying low-level data.
- Inserting a new SD card: Insert a new SD card into the device in order to copy the image file to this card. Make sure this SD card is wiped and does not contain any other data.
- Executing the command: The file system of an Android device is stored in different locations within the /dev partition. A simple mount command on a Xiaomi MI4 phone returns the following output:
From the preceding output, we can identify the blocks where the /system, /data, and /cache partitions are mounted. Although it’s important to image all the files, most of the data is present in the /data and /system partitions. When time allows, all partitions should be acquired for completeness.
In this article, we will create an image of the user data partition. On the demo device, the partition containing user data is:
/dev/block/platform/msm_sdcc.1/by-name/userdata
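Finding that path by hand means reading the mount output for the line whose mount point is /data. The following shell script is an added example, not code from the original article: it parses a constructed sample of `mount` output (modelled on the by-name paths above; a real device prints one of the two layouts, not a mix) and returns the block device behind a given mount point, which is exactly the `if=` argument the dd step needs. The sample lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Maps a mount point
# (/system, /data, /cache) to the block device behind it by parsing the
# device's `mount` output. The sample output below is constructed.
set -eu

# Constructed sample of `adb shell mount` output. The first three lines use
# the older Android toolbox layout "<device> <mountpoint> <fstype> <options>";
# the last line uses the toybox/util-linux layout
# "<device> on <mountpoint> type <fstype> (<options>)".
SAMPLE_MOUNT='rootfs / rootfs ro,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache on /cache type ext4 (rw,seclabel,nosuid,nodev,noatime)'

# Normalise one mount line to "<mountpoint> <device>", whichever layout it uses.
parse_mount_line() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $4 == "type" { print $3, $1; next }
        NF >= 3                    { print $2, $1 }'
}

# Read mount output on stdin; print the block device mounted at $1.
# Returns 1 and prints nothing when the mount point is absent, so a caller
# cannot accidentally run dd against an empty path.
block_for_mountpoint() {
    want="$1"
    while IFS= read -r line; do
        set -- $(parse_mount_line "$line")
        if [ "$#" -eq 2 ] && [ "$1" = "$want" ]; then
            printf '%s\n' "$2"
            return 0
        fi
    done
    return 1
}

# Summarise the partitions the article singles out: "<mountpoint> <device>".
list_key_partitions() {
    for mp in /system /data /cache; do
        dev="$(printf '%s\n' "$SAMPLE_MOUNT" | block_for_mountpoint "$mp")" || dev="(not mounted)"
        printf '%s %s\n' "$mp" "$dev"
    done
}

list_key_partitions
```

On a real device the sample string is replaced by `adb shell mount` output; the parser accepts both the old toolbox layout and the newer toybox layout, so it works across Android versions without editing.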
dd command:
dd if=[source] of=[destination]
In this demo:
dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata of=/data/tmp.image
Copy the image file to the workstation with ADB:
Command: adb pull [source] [destination]
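The acquisition above is only defensible if the examiner can show that the pulled image matches the partition it came from. The following script is an added example, not code from the original article: it rehearses the dd step offline with a constructed 1 MiB file standing in for the userdata block device and a scratch directory standing in for the wiped SD card from the step above, hashes source and image to prove they match, and prints the equivalent on-device command sequence for the case notes. Writing the image onto the very partition being copied changes the evidence, which is why the rehearsal writes to the SD-card stand-in. All paths, and the availability of sha256sum on the device, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Offline rehearsal of the
# dd acquisition step: a constructed file stands in for
# /dev/block/platform/msm_sdcc.1/by-name/userdata and a scratch directory for
# the wiped SD card. On a real rooted device the same dd and hashing run in
# the terminal emulator (or `adb shell` as root) and the image is fetched with
# `adb pull`. All paths here are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEVICE="$WORK/userdata"          # stand-in for the userdata block device
SDCARD="$WORK/sdcard"            # stand-in for the freshly wiped SD card
mkdir -p "$SDCARD"

# Constructed sample partition contents: 1 MiB of random bytes.
dd if=/dev/urandom of="$DEVICE" bs=1024 count=1024 2>/dev/null

# SHA-256 of a file; sha256sum on Linux/toybox, shasum on macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Raw bit-for-bit copy of a partition to an image file; prints the image path.
# The destination must never sit on the partition being imaged; the article's
# wiped-SD-card step exists for exactly this reason.
acquire_partition() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4096 2>/dev/null
    printf '%s\n' "$dst"
}

# Integrity check: hash the source and the image and compare. Returns 0 on a
# match and 1 otherwise, so it can gate the rest of an acquisition script.
verify_image() {
    src_hash="$(hash_file "$1")"
    img_hash="$(hash_file "$2")"
    if [ "$src_hash" = "$img_hash" ]; then
        printf 'OK %s\n' "$img_hash"
        return 0
    fi
    printf 'MISMATCH source=%s image=%s\n' "$src_hash" "$img_hash"
    return 1
}

# The corresponding on-device command sequence, printed for the case notes.
# Assumes toybox/busybox provides sha256sum; older devices may only ship md5sum.
device_commands() {
    part="$1"; out="$2"
    printf "adb shell \"su -c 'dd if=%s of=%s bs=4096'\"\n" "$part" "$out"
    printf "adb shell \"su -c 'sha256sum %s %s'\"\n" "$part" "$out"
    printf 'adb pull %s ./%s\n' "$out" "$(basename "$out")"
}

IMAGE="$(acquire_partition "$DEVICE" "$SDCARD/userdata.dd")"
verify_image "$DEVICE" "$IMAGE"
device_commands /dev/block/platform/msm_sdcc.1/by-name/userdata /sdcard/userdata.dd
```

Record the two hashes printed on the device before `adb pull`, then run the same hash on the workstation copy; all three values must agree before the image goes into Autopsy.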
Step 3: Analysis
Download and install Autopsy, then work through the wizard:
- Run Autopsy.
- Create a new case.
- Click Finish.
- Select the image.
- Select the options.
- Result:
You can then view more information: call logs, accounts, contacts, and so on.
References:
- Practical Mobile Forensics