Android Forensics

mobile login screen

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Android forensics is the branch of science which is related to recovery of digital evidence from android mobile devices. Android forensics can be divided into three main categories: the seizure, acquisition and analyses. At the crime scene a forensic expert has to take a lot of precautions so that the value of evidence collected may not get diminished in the seizure or acquisition or in analyses phase. For example, he should try to put the phone in flight mode, turn off all the communication paths like Wi-Fi, GPRS, Bluetooth, Infra-red if it is on state. He should also keep the phone in faraday bag which electronically shields any kind of communication with the device which in turn prevents remote wipes by the criminals. If USB debugging is ON the expert should try to make an image of the memories both RAM and NAND flash (Internal and External SD card) for analysis purpose. If USB debugging is OFF he should try to circumvent the passcode of the device and turn USB debugging ON If the phone is in on state but locked, and perform the above steps again before imaging the memories. If for some reason he is unable to circumvent the passcode he should try some other methods of flashing recovery ROMs for that he might have to turn off the smart phone but then again he should write a reason for taking such steps in the audit trail of all the procedures maintained by him.

Mobile Phone Evidence Extraction Process

There is no well-established standard process for mobile forensics. However, the given figure gives a overview of process carried out during extraction of evidence from mobile devices.

The evidence intake phase  

The evidence intake phase is the first phase that contains paperwork and request forms to document ownership information and the type of incident the mobile device was involved in, and outlines the type of data or information the requester is seeking.

The identification phase

The responsibility of forensic examiner  is to identify the given details for every examination of a mobile device:

The legal authority: It is a duty for the forensic examiner to know and document appropriate legal authority exists for the process of acquisition and examination of the device.

The goals of the examination: The examiner will identify the goal and purpose for the examination. The goal of the examination includes the selecting the appropriate tools and techniques to examine the phone which helps in  the increases the efficiency of the examination process.

The make, model, and identifying information for the device: As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone. 

Removable and external data storage: Many mobile phones provide an option to extend the memory with removable storage devices, such as the Trans Flash Micro SD memory expansion card. In such cases when card is found must be removed from the , the card should be removed and processed using traditional digital forensic techniques. It is a good practice to acquire the card to ensure data stored on both the handset memory and card are linked for easier analysis. 

Other sources of potential evidence:  Mobile phones can be used as a good source of fingerprint and other biological evidence. These evidence should also be collected before the examination of the mobile phone. Examiners should wear gloves when handling the evidence.

The preparation phase 

After the identification of the mobile phone model, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination.

The isolation phase

To prevent modification of evidence on the mobile device by incoming calls, Bluetooth connections, Wi-Fi Hotspots or remote wiping of all the data from the device, the mobile device is isolated from all the communication networks by putting it on flight mode and keeping it in faraday bags which blocks radio signals.

The Processing Phase 

The phone should be acquired using a tested and repeatable method, which is forensically sound. In case of physical extraction is not possible or fail, an attempt should be made to acquire the file system of mobile device. Logical extraction should always be made as it may contains only parsed data and pointers to examine raw memory.

The Verification Phase

After the processing is done the examiner need to verify the accuracy of the acquired/extracted data and make sure that the data is not modified. This is done in several ways.

Comparing the extracted data to the handset data: The data extracted can be compared with the device itself or a logical report, keeping in mind that handling the original device may cause changes to the evidence (device itself).

Using multiple tools and comparing the results: To increase accuracy use multiple tools to extract data and compare results.

Using hash values: All images and file system (if file system extraction is supported) after the acquisition should be hashed to ensure the data is not changed after acquisition. Later any individual file is hashed and compared with the original hash value to find out if it has been changed or not. Any discrepancy in hash value must be explainable    (for eg. If the device is turned on the new hash value would be different).

The document and Reporting Phase

The forensic examiner is required to document and record the synchronous notes relating to what was done during the acquisition and examination process. Once the investigation is complete by the examiner, the result go through some peer review process to ensure that the data is checked and the investigation is complete. The examiner’s note may consists more than one of the following:

  • Examination start date and time
  • The physical condition of the phone
  • Photos of the phone and individual components
  • Phone status when received—turned on or off
  • Phone make and model
  • Tools used for the acquisition
  • Tools used for the examination
  • Data found during the examination
  • Notes from peer-review

The Presentation Phase

Here the data is represented in both paper and electronic formats. Your findings must be documented and presented in a manner that the evidence speaks for itself when in court. The findings should be clear, concise, and repeatable. During the investigation phase, whatsoever information is extracted must be clearly documented and presented to any other examiner or to a court.

The Archiving Phase

Court cases may continue for many years before the final judgment is arrived at, and most jurisdictions require that data be retained for long periods of time for the purposes of appeals. Therefore preserving the data extracted from the mobile phone is an important part of the overall process. It is also important that the data is retained in a useable format for the ongoing court process, for future reference, should the current evidence file become corrupt, and for record keeping requirements.

Tools used

Team Win Custom Recovery Rom

Team Win Custom recovery Rom gives you features of performing a full Nand flash backup, restore and wipe. It also give a feature to mount and unmount different key partitions for them to be accessed through ADB.

Super SU 

It is an android application which can be installed on a locked device through custom recovery rom such as TW Recovery. It is used to remove the sandboxing environment and achieve root privileges over android device.

WinHex

WinHex is a hexadecimal editor for the Windows operating system. It is used for forensics, data recovery, low-level data processing, and IT security. It allows the user to view files in hexadecimal format. It can also be used for imaging different file systems.

Android Platform Tools 

Platform-tools are used to support the features for the current android platform including adb which is acting like a bridge to communicate with emulator or device.[

Android Forensic Techniques

Screen Lock Bypassing Techniques

In all cases, circumventing the lock screen of a mobile device need to retrieving a file from the device. Pattern locks are stored as hash values at /data/system/gesture.key and PIN/Password locks are stored as hash values at /data/system/password.key. Additionally, the password.key hash is salted; the salt value is stored at /data/data/com.android.providers.settings/databases/settings.db prior to Android 4.4, and /data/system/locksettings.db on devices running Android 4.4 and higher.

If the device is locked, the examiner accesses these files by one of these methods

ADB

  • Requires root
  • Requires USB debugging
  • Requires Secure USB debugging pairing (depending on OS version)

Booting into a custom recovery mode

  • Does not require root (root will be given through the recovery image)
  • Does not require USB debugging (accomplished via fastboot)
  • Does not require Secure USB debugging (this is bypassed entirely)
  • Requires an unlocked bootloader
Deleting gesture.key file

Make a connection between the device with the forensic workstation using a USB cable. Present state of Android device at this point is displayed in the figure below.


We can clearly see that the phone is locked using a pattern swipe lock.

  • Open the command prompt and execute the following instructions: 

adb.exe shell  cd /data/system 

Check for the presence of gesture.key file by using ls command.

Now delete gesture.key file by using “rm gesture.key”, the next figure displays the output of the same. We are now checking the presence of gesture.key file which should not be there.

Reboot the device The figure 6 below displays that the pattern lock has been removed when the device is rebooted.

This method works when the device is rooted.

Replacing the gesture.key file

This method is similar to above it is just that instead of deleting gesture.key file we replace it with another gesture.key file. We are actually changing the pattern lock here instead of removing it.

 

Acquisition of Electronic Evidence

Imaging Android USB Mass Storage Devices

There are usually two types of storage available in android devices.

  • Secure Digital Card (SD Card) SD cards are portable, easily moving from one device to the next.Users want to copy songs, pictures, videos, or other files between their Android device and a computer, and these large capacity FAT file system partitions solve that issue.
  • Embedded MultiMediaCard (eMMC) – eMMC card type of storage is fixed as internal storage of the device and is similar to SD card. In eMMC user’s app data, typically stored in /data/data, is isolated for security and privacy reasons. Sensitive data which is not normally accessible to users is stored in eMMC.

How to forensically image the SD card/eMMC 

Internal Memory:

We will use android debug bridge in ubuntu os environment which is installed virtually as guest os on top of windows as host os.

As a precautionary measure we should always disable auto-mounting of USB devices because almost all operating systems make some changes to the USB devices after they mount to the OS. As a best practice we should use a hardware write-blocker before connecting to the forensics workstation.

For using adb commands we need usb debugging turned on in the phone. In case it is not turned on we cannot use this method, then of course we would need to use physical acquisition techniques like JTAG and Chip-off.

We have already installed android sdk and android platform tools on ubuntu machine. The phone is rooted using super su application. These are the pre-requisites of imaging internal memory partitions.

Creating DD image of internal memory

The Android file system is divided into a number of partitions, and it uses MTP as compared to old versions of android which used to have UMS for connecting flash drives to different types of operating systems. This new technology creates a lot of problem in acquisition of electronic evidences for an examiner. 

The most common partitions in Android system are data, cache, efs, boot and recovery. After gaining root access to partitions of android device which is Samsung Galaxy Grand I9082, we can use DF command to list all the partitions of the device as shown in figure

We are interested in /efs and /data partition of the internal memory in this research. It is to be noted that their respective mount points are /dev/block/mmcblk0p17 and /dev/block/mmcblk0p21. Now we will use dd command here to image these partitions onto the SD card of the device and also we will take the hashes of the partitions before and after the imaging to check the authenticity of the process .

Do check that the hashed output of the efs partition and its image is same, which means that the process is repeatable, reliable and authentic.

Similarly, the /data partition of android device is also imaged and its hash verified.

Imaging SD card

Since SD[ card contains media files such as images videos and other data the importance of acquiring an SD card cannot be ignored. We can take out the SD card from android device if physical acquisition is not possible in live machine and then image it by attaching it to write-blocker first. 

We are using an SD card user and since the write blocker is not available right now so we can go to the Disk Management tool in windows and right click the SD card partition to remove its drive letter and hence disabling its mount. This way there will be no changes to the SD card and the hash value will verify after imaging.

Right click the SD card partition and click change drive letter.

Now we will use WinHex tool to image SD card. First things first we need to set WinHex into Read Only mode as shown in figure below to further protect SD card from changes.

Now we will open the SD card disk by clicking tools and then open disk from the menu of WinHex as shown in figure.

We shall further select Raw Images option, check on both the compute hash options and also check on immediately verify image options for hash value verifications.

Finally the figure below shows the output image file and its log file containing hash values.

Conclusion

Android forensics is a complex science of collecting, acquiring and analysing electronic evidences in android devices with challenges rising with each update of the android system. This is still a novice technology with a lot of development pending. It is very difficult to acquire evidences which can be made admissible in the court of law as mobile is a device which changes every second there is always some amount of change which is bound happen even while you are investigating. So it is not easy to establish the authenticity of electronic evidences. However if standard procedures and technologies are used together in a well documented way with preservation of record procedures followed in every stage of the investigation, the evidences would hold better weightage in terms of evidentiary value in the court of law.


Leave a Reply

Your email address will not be published.