Android Forensics


Android forensics is a branch of mobile device forensics relating to the recovery of digital
evidence or data from an Android operating system under forensically sound conditions. The
phrase mobile device usually refers to mobile phones; however, it can also relate to any digital
device that has both internal memory and communication ability, including PDA devices, GPS devices
and tablet computers.

Mobile phones are proven to be valuable sources of information in the majority of investigations.
Parties in litigation seeking to prove wrongdoing often find important evidence, clues and traces by
analysing activities stored on cell phones and smart devices, including contacts and their creation
dates as well as when and how often certain phone numbers were called.

Digital forensic investigation on mobile devices requires an investigator to follow a step-by-step
procedure to collect, extract and analyze digital evidence. To accomplish complete extraction of
digital evidence, the primary step is data collection, or device acquisition.

Android forensics depends on the level of access a device provides, which in turn determines the
depth of data an investigator can extract. Generally, an Android operating system provides two
levels of user access: rooted and non-rooted. By default, Android does not give the user
administrative (root) access, so devices are manufactured with non-root access.

Forensic investigation requires in-depth recovery of artifacts for complete analysis. A rooted device
allows complete extraction of user data and access to the system partition. The system partition
stores complete application data, the ROM and system files. For a non-rooted user, these partitions
and system folders are hidden and inaccessible.

Device accessibility
Non-Root Access
Generally, neither the manufacturer nor Android provides root access to the device owner by default.
Non-rooted devices provide access to the internal and external memory storage medium, which
enables an investigator to perform a logical acquisition of the device.

The system, memory and internal partitions won't be visible or accessible. However, a full device
backup or adb backup can be used to perform a logical acquisition of the device.

Root Access
A rooted device is one with complete administrative access. Access to the device's system, memory
and internal partitions is granted to the superuser, i.e. the root user.

For rooted devices a complete device acquisition can be performed using the dd command or
automated tools. Root access also allows an investigator to perform data recovery and carving, which
uncovers deleted evidence stored on the device.
How to determine whether a device is rooted or non-rooted?
Forensic utilities can determine whether a device is rooted or non-rooted and then proceed with the
acquisition method appropriate to the data that is available.

Utilities such as Cellebrite, Mobiledit and Magnet AXIOM provide stepwise methods to acquire an
Android device.

Connection Medium
The efficiency of a mobile device acquisition depends on the connection medium an investigator uses
to acquire the device.

USB connectivity
A USB cable connection is considered the safest and most efficient method of performing a mobile
device acquisition. For an acquisition over a USB cable, the following settings have to be ensured
for uninterrupted device acquisition:

Enabling USB debugging

USB debugging is a developer option that lets the analysis machine establish a connection with the
device over which the SDK functions are available. In simple words, Linux commands can be executed
in a terminal on the device using ADB.

Enable USB debugging on your Android phone

On Android 4.1 and lower, the Developer options screen is available by default. On Android 4.2 and
higher, do the following:

1. Open the Settings app.

2. Select System.

3. Scroll to the bottom and select About phone.

4. Scroll to the bottom and tap Build number 7 times.

5. Return to the previous screen to find Developer options near the bottom.

6. Scroll down and enable USB debugging.

Device acquisitions are most reliable over a USB cable because the investigator can then
terminate incoming and outgoing wireless connections by placing the device in flight mode.
However, if a USB connection cannot be established, other wireless connection media can be used:

Bluetooth: Mobile acquisition can be performed by using ADB over a Bluetooth connection.

Wireless: Both the mobile device and the acquisition machine have to be connected to the same
Wi-Fi network. Device acquisition can then be performed by using the Android Debug Bridge over
Wi-Fi.

Device Acquisition
Forensic acquisition is the process of making a bit-by-bit replica of the custodian's device while
maintaining the integrity of the data stored on the device.

Manual methods
Device Prerequisites:
- Device should be unlocked
- USB debugging should be enabled

Machine Prerequisites:
- Minimal ADB installation (https://androidfilehost.com/?fid=962339331459003166)

Steps to Check Root Access
1. Close all active connections by putting the device in flight mode
2. Unlock the device and connect it to the workstation via USB cable
3. Open CMD/PowerShell (Windows) or Terminal (Linux/Debian/macOS) and execute the following
commands
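As an added example (not part of the original document and not an adb feature itself), the following POSIX shell function classifies the two outputs an investigator typically collects during the root check above: the line returned by `adb shell id` and the path returned by `adb shell which su`. On many rooted devices the adb shell itself still runs as the unprivileged `shell` user (uid 2000) and root is reachable only through a `su` binary, so both signals are checked. The sample outputs below are constructed; the live invocation is shown in a comment and assumes the device's toolbox provides `which`.

```shell
#!/bin/sh
# Added example (not from the original document): decide whether an adb shell
# session is running as root from the output of `adb shell id`, and whether a
# `su` binary is reachable from the output of `adb shell which su`.

# classify_access ID_LINE SU_PATH
#   ID_LINE : output of `adb shell id`
#   SU_PATH : output of `adb shell which su` (empty when no su binary is found)
# Prints one of: root, su-available, non-root
classify_access() {
  id_line=$1
  su_path=$2
  case "$id_line" in
    "uid=0(root)"*) echo root; return 0 ;;   # adbd itself runs as root
  esac
  if [ -n "$su_path" ]; then
    echo su-available                        # shell is uid 2000, but su exists
    return 0
  fi
  echo non-root
}

# Constructed sample outputs standing in for live adb output
SAMPLE_ROOT_ID='uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0'
SAMPLE_SHELL_ID='uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input) context=u:r:shell:s0'

# Live use (requires a connected, unlocked device with USB debugging enabled):
#   classify_access "$(adb shell id)" "$(adb shell which su 2>/dev/null)"
classify_access "$SAMPLE_ROOT_ID" ""                  # root
classify_access "$SAMPLE_SHELL_ID" "/system/xbin/su"  # su-available
classify_access "$SAMPLE_SHELL_ID" ""                 # non-root
```

A `root` or `su-available` result means the full-device options described under Root Access (dd imaging, carving) are on the table; `non-root` limits the examiner to logical methods such as `adb backup`.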

Android Debug Bridge (adb)

Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a
device. The adb command facilitates a variety of device actions, such as installing and debugging
apps, and it provides access to a Unix shell that you can use to run a variety of commands on a
device. It is a client-server program that includes three components:

- A client, which sends commands. The client runs on your development machine. You can invoke a
client from a command-line terminal by issuing an adb command.
- A daemon (adbd), which runs commands on a device. The daemon runs as a background process on
each device.
- A server, which manages communication between the client and the daemon. The server runs as a
background process on your development machine.
Useful commands
Help

adb help // List all commands

== Shell
adb shell // Open or run commands in a terminal on the host Android device.

== Devices
adb usb

adb devices // show devices attached

adb devices -l // devices (product/model)

adb connect <IP address of device>
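Added example, not from the original document: a small parser for the `adb devices -l` listing shown above, so that an acquisition script can confirm the target is in the `device` state before starting, rather than `unauthorized` (the USB debugging authorization prompt was not accepted on the handset) or `offline`. The listing below is a constructed sample; the `model:` field name follows adb's real output format.

```shell
#!/bin/sh
# Added example (not from the original document): parse `adb devices -l` output
# and count how many attached devices are ready for acquisition.

# parse_devices : reads `adb devices -l` output on stdin and prints one line per
# device as "serial<TAB>state<TAB>model", skipping the header and blank lines.
# The model falls back to "-" when adb did not report one (e.g. unauthorized devices).
parse_devices() {
  awk 'NR == 1 && /^List of devices/ { next }
       NF == 0 { next }
       {
         model = "-"
         for (i = 3; i <= NF; i++)
           if ($i ~ /^model:/) { model = substr($i, 7) }
         printf "%s\t%s\t%s\n", $1, $2, model
       }'
}

# count_ready : number of devices whose state is "device" (authorized and online)
count_ready() {
  parse_devices | awk -F '\t' '$2 == "device" { n++ } END { print n + 0 }'
}

# Constructed sample listing; live use is:  adb devices -l | parse_devices
SAMPLE_DEVICES='List of devices attached
ABC123XYZ              device usb:1-1 product:sample_product model:Sample_Model device:sampledev transport_id:1
emulator-5554          unauthorized
DEF456                 offline usb:1-2 transport_id:2
'

printf '%s' "$SAMPLE_DEVICES" | parse_devices
printf '%s' "$SAMPLE_DEVICES" | count_ready   # 1
```

Only the first sample device is usable; the examiner should accept the authorization prompt on the second and re-check the cable or adbd on the third before proceeding.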

Get device android version


adb shell getprop ro.build.version.release

Record Android Screen


Screenshot

Status of Your Device

it shows whether your device state is offline, bootloader, or in device mode

Get Device Serial Number

List Files

Copy Files from Computer to Phone


adb push [source] [destination] // Copy files from your computer to your phone.

Copy Files from Phone to Computer


adb pull [device file location] [local file location] // Copy files from your phone to your computer.

Install/Uninstall Apps
List all Installed Packages

For example, I want to search the package name for FDroid, so I will use the following command.

REBOOT ANDROID DEVICE INTO RECOVERY MODE

Reboot Android Device into Bootloader Mode

Executing ADB backup


Image Integrity
Device acquisition depends on the investigator thoroughly maintaining the integrity of the image.
Image integrity can be maintained using hashing methods.

Hashing can be performed using standalone software utilities, while mobile forensic software such as
Cellebrite, FTK Imager, Magnet AXIOM and Autopsy creates hashes from the initial acquisition steps.

Image hashing depends on the algorithm the investigator selects to check the data for integrity.
Hashing algorithms such as MD5, SHA-1 and SHA-256 are used to create a unique hash value. The hash
value can be re-validated at any point in the investigation to show that the image data remains
intact.

Hashing Using Software Utilities

Forensic software utilities provide the functionality to create hashes based on algorithms such as
MD5, SHA-1, SHA-256, etc.

Acquisitions performed using manual methods can be hashed separately using a software utility such
as AccessData FTK Imager.

Exporting File Hash List
Hashed File Details

A list of MD5 and SHA-1 hashes is created for the files. To verify the integrity of the image at any
point during the investigation, an examiner can recalculate the file hashes and compare them with
the list.
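The hash list and re-verification workflow described above, as an added POSIX shell example that is not part of the original document and does not depend on FTK Imager or any other forensic suite. It records a SHA-256 digest per acquisition file in a manifest (the `digest  path` format used by `sha256sum`), then re-hashes each file and reports a mismatch when the data has changed. The files used in the demonstration are constructed in a temporary directory; a real run would point `make_manifest` at the adb backup or dd image produced during acquisition.

```shell
#!/bin/sh
# Added example (not from the original document): record and re-verify SHA-256
# hashes of acquisition output such as an adb backup file or a dd image.

# hash_file FILE : print the SHA-256 hex digest of FILE
# (uses GNU sha256sum when present, otherwise Perl's shasum, e.g. on macOS)
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# make_manifest MANIFEST FILE... : write one "digest  path" line per FILE
make_manifest() {
  manifest=$1; shift
  : > "$manifest"
  for f in "$@"; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
  done
}

# verify_manifest MANIFEST : re-hash every listed file and print OK/FAILED per
# file; returns 0 only when every digest still matches the recorded one
verify_manifest() {
  status=0
  while read -r expected path; do
    actual=$(hash_file "$path")
    if [ "$actual" = "$expected" ]; then
      echo "OK      $path"
    else
      echo "FAILED  $path"
      status=1
    fi
  done < "$1"
  return $status
}

# Demonstration with a constructed file standing in for an acquisition image
demo_dir=$(mktemp -d)
printf 'constructed sample acquisition data\n' > "$demo_dir/backup.ab"
make_manifest "$demo_dir/hashes.sha256" "$demo_dir/backup.ab"
verify_manifest "$demo_dir/hashes.sha256"            # OK
printf 'x' >> "$demo_dir/backup.ab"                   # simulate a modified image
verify_manifest "$demo_dir/hashes.sha256" || echo "integrity check failed as expected"
rm -rf "$demo_dir"
```

Store the manifest separately from the image (and record its own hash in the case notes), so that a later `verify_manifest` run proves the image is unchanged since acquisition rather than merely consistent with itself.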

Conclusion
Mobile forensics is a necessary field in today's society. The use of mobile devices as popular
platforms for various applications can offer imperative evidence in forensic investigations.

"A well trained, highly skilled digital forensics investigator plays an essential role in the
criminal investigation process when performing forensics analysis of mobile devices that belong to
suspects, witnesses, victims or through the analysis of network traffic in response to computer
security incidents"
