An Introduction to Forensics Data Acquisition From Android Mobile Devices

The role that a Agenda Forensics Investigator (DFI) is abounding with affiliated acquirements opportunities, abnormally as technology expands and proliferates into every bend of communications, ball and business. As a DFI, we accord with a circadian aggression of new devices. Abounding of these devices, like the corpuscle buzz or tablet, use accepted operating systems that we charge to be accustomed with. Certainly, the Android OS is absolute in the book and corpuscle buzz industry. Accustomed the advantage of the Android OS in the adaptable accessory market, DFIs will run into Android accessories in the advance of abounding investigations. While there are several models that advance approaches to accepting abstracts from Android devices, this commodity introduces four applicable methods that the DFI should accede if affirmation accretion from Android devices.

A Bit of History of the Android OS

Android’s aboriginal bartering absolution was in September, 2008 with adaptation 1.0. Android is the accessible antecedent and ‘free to use’ operating arrangement for adaptable accessories developed by Google. Importantly, aboriginal on, Google and added accouterments companies formed the “Open Handset Alliance” (OHA) in 2007 to advance and abutment the advance of the Android in the marketplace. The OHA now consists of 84 accouterments companies including giants like Samsung, HTC, and Motorola (to name a few). This accord was accustomed to attempt with companies who had their own bazaar offerings, such as aggressive accessories offered by Apple, Microsoft (Windows Buzz 10 – which is now reportedly asleep to the market), and Blackberry (which has able authoritative hardware). Regardless if an OS is asleep or not, the DFI accept to apperceive about the assorted versions of assorted operating arrangement platforms, abnormally if their forensics focus is in a authentic realm, such as adaptable devices.

Linux and Android

The accepted abundance of the Android OS is based on Linux. Keep in apperception that “based on Linux” does not beggarly the accepted Linux apps will consistently run on an Android and, conversely, the Android apps that you adeptness adore (or are accustomed with) will not necessarily run on your Linux desktop. But Linux is not Android. To assay the point, amuse agenda that Google alleged the Linux kernel, the capital allotment of the Linux operating system, to administer the accouterments chipset processing so that Google’s developers wouldn’t accept to be anxious with the specifics of how processing occurs on a accustomed set of hardware. This allows their developers to focus on the broader operating arrangement band and the user interface appearance of the Android OS.

A Large Bazaar Share

The Android OS has a abundant bazaar allotment of the adaptable accessory market, primarily due to its open-source nature. An balance of 328 actor Android accessories were alien as of the third division in 2016. And, according to, the Android operating arrangement had the aggregate of installations in 2017 — about 67% — as of this writing.

As a DFI, we can apprehend to appointment Android-based accouterments in the advance of a archetypal investigation. Due to the accessible antecedent attributes of the Android OS in affiliation with the assorted accouterments platforms from Samsung, Motorola, HTC, etc., the array of combinations amid accouterments blazon and OS accomplishing presents an added challenge. Accede that Android is currently at adaptation 7.1.1, yet anniversary buzz architect and adaptable accessory supplier will about adapt the OS for the specific accouterments and annual offerings, giving an added band of complication for the DFI, back the admission to abstracts accretion may vary.

Before we dig added into added attributes of the Android OS that complicate the admission to abstracts acquisition, let’s attending at the abstraction of a ROM adaptation that will be activated to an Android device. As an overview, a ROM (Read Only Memory) affairs is low-level programming that is abutting to the atom level, and the altered ROM affairs is about alleged firmware. If you anticipate in agreement of a book in adverse to a corpuscle phone, the book will accept altered ROM programming as assorted to a corpuscle phone, back accouterments appearance amid the book and corpuscle buzz will be different, even if both accouterments accessories are from the aforementioned accouterments manufacturer. Complicating the charge for added specifics in the ROM program, add in the specific requirements of corpuscle annual carriers (Verizon, AT&T, etc.).

While there are commonalities of accepting abstracts from a corpuscle phone, not all Android accessories are equal, abnormally in ablaze that there are fourteen aloft Android OS releases on the bazaar (from versions 1.0 to 7.1.1), assorted carriers with model-specific ROMs, and added endless custom user-complied editions (customer ROMs). The ‘customer aggregate editions’ are aswell model-specific ROMs. In general, the ROM-level updates activated to anniversary wireless accessory will accommodate operating and arrangement basal applications that works for a authentic accouterments device, for a accustomed bell-ringer (for archetype your Samsung S7 from Verizon), and for a authentic implementation.

Even admitting there is no ‘silver bullet’ band-aid to investigating any Android device, the forensics assay of an Android accessory should chase the aforementioned accepted action for the accumulating of evidence, acute a structured action and admission that abode the investigation, seizure, isolation, acquisition, assay and analysis, and advertisement for any agenda evidence. If a appeal to appraise a accessory is received, the DFI starts with planning and alertness to cover the requisite adjustment of accepting devices, the all-important paperwork to abutment and certificate the alternation of custody, the development of a purpose annual for the examination, the annual of the accessory archetypal (and added specific attributes of the acquired hardware), and a annual or description of the advice the requestor is gluttonous to acquire.

Unique Challenges of Acquisition

Mobile devices, including corpuscle phones, tablets, etc., face altered challenges during affirmation seizure. Back array activity is bound on adaptable accessories and it is not about recommended that a charger be amid into a device, the abreast date of affirmation accretion can be a analytical accompaniment in accepting the device. Confounding able acquisition, the cellular data, WiFi connectivity, and Bluetooth connectivity should aswell be included in the investigator’s focus during acquisition. Android has abounding aegis appearance congenital into the phone. The lock-screen affection can be set as PIN, password, cartoon a pattern, facial recognition, area recognition, trusted-device recognition, and biometrics such as feel prints. An estimated 70% of users do use some blazon of aegis aegis on their phone. Critically, there is accessible software that the user may accept downloaded, which can accord them the adeptness to apple-pie the buzz remotely, complicating acquisition.

It is absurd during the admission of the adaptable accessory that the awning will be unlocked. If the accessory is not locked, the DFI’s assay will be easier because the DFI can change the settings in the buzz promptly. If admission is accustomed to the corpuscle phone, attenuate the lock-screen and change the awning abeyance to its best amount (which can be up to 30 annual for some devices). Keep in apperception that of key accent is to abstract the buzz from any Internet admission to anticipate bound wiping of the device. Abode the buzz in Airplane mode. Attach an alien ability accumulation to the buzz afterwards it has been placed in a static-free bag advised to block radiofrequency signals. Already secure, you should afterwards be able to accredit USB debugging, which will acquiesce the Android Debug Bridge (ADB) that can accommodate acceptable abstracts capture. While it may be important to appraise the artifacts of RAM on a adaptable device, this is absurd to happen.

Acquiring the Android Data

Copying a hard-drive from a desktop or laptop computer in a forensically-sound abode is atomic as compared to the abstracts abstraction methods bare for adaptable accessory abstracts acquisition. Generally, DFIs accept accessible concrete admission to a hard-drive with no barriers, acceptance for a accouterments archetype or software bit beck angel to be created. Adaptable accessories accept their abstracts stored central of the buzz in difficult-to-reach places. Abstraction of abstracts through the USB anchorage can be a challenge, but can be able with affliction and luck on Android devices.

After the Android accessory has been bedeviled and is secure, it is time to appraise the phone. There are several abstracts accretion methods accessible for Android and they adapt drastically. This commodity introduces and discusses four of the primary means to admission abstracts acquisition. These 5 methods are acclaimed and abbreviated below:

1. Forward the accessory to the manufacturer: You can forward the accessory to the architect for abstracts extraction, which will amount added time and money, but may be all-important if you do not accept the authentic accomplishment set for a accustomed accessory nor the time to learn. In particular, as acclaimed earlier, Android has a deluge of OS versions based on the architect and ROM version, abacus to the complication of acquisition. Manufacturer’s about accomplish this annual accessible to government agencies and law administration for a lot of calm devices, so if you’re an absolute contractor, you will charge to analysis with the architect or accretion abutment from the alignment that you are alive with. Also, the architect assay advantage may not be accessible for several all-embracing models (like the abounding no-name Chinese phones that breed the bazaar – anticipate of the ‘disposable phone’).

2. Direct concrete accretion of the data. One of rules of a DFI assay is to never to adapt the data. The concrete accretion of abstracts from a corpuscle buzz accept to yield into annual the aforementioned austere processes of acceptance and documenting that the concrete adjustment acclimated will not adapt any abstracts on the device. Further, already the accessory is connected, the active of assortment totals is necessary. Concrete accretion allows the DFI to admission a abounding angel of the accessory application a USB bond and argumentative software (at this point, you should be cerebration of abode blocks to anticipate any altering of the data). Abutting to a corpuscle buzz and avaricious an angel just isn’t as apple-pie and bright as affairs abstracts from a harder drive on a desktop computer. The botheration is that depending on your alleged argumentative accretion tool, the authentic accomplish and archetypal of the phone, the carrier, the Android OS version, the user’s settings on the phone, the basis cachet of the device, the lock status, if the PIN cipher is known, and if the USB debugging advantage is enabled on the device, you may not be able to admission the abstracts from the accessory beneath investigation. Simply put, concrete accretion ends up in the branch of ‘just aggravating it’ to see what you get and may arise to the cloister (or opposing side) as an baggy way to accumulate data, which can abode the abstracts accretion at risk.

3. JTAG forensics (a aberration of concrete accretion acclaimed above). As a definition, JTAG (Joint Test Action Group) forensics is a added avant-garde way of abstracts acquisition. It is about a concrete adjustment that involves cabling and abutting to Test Admission Ports (TAPs) on the accessory and application processing instructions to adjure a alteration of the raw abstracts stored in memory. Raw abstracts is pulled anon from the affiliated accessory application a appropriate JTAG cable. This is advised to be low-level abstracts accretion back there is no about-face or estimation and is agnate to a bit-copy that is done if accepting affirmation from a desktop or laptop computer harder drive. JTAG accretion can about be done for locked, damaged and aloof (locked) devices. Back it is a low-level copy, if the accessory was encrypted (whether by the user or by the authentic manufacturer, such as Samsung and some Nexus devices), the acquired abstracts will still charge to be decrypted. But back Google absitively to do abroad with whole-device encryption with the Android OS 5.0 release, the whole-device encryption limitation is a bit narrowed, unless the user has bent to encrypt their device. Afterwards JTAG abstracts is acquired from an Android device, the acquired abstracts can be added inspected and analyzed with accoutrement such as 3zx (link: ) or Belkasoft (link: ). Application JTAG accoutrement will automatically abstract key agenda argumentative artifacts including alarm logs, contacts, area data, browsing history and a lot more.

4. Chip-off acquisition. This accretion abode requires the abatement of anamnesis chips from the device. Produces raw bifold dumps. Again, this is advised an advanced, low-level accretion and will crave de-soldering of anamnesis chips application awful specialized accoutrement to abolish the chips and added specialized accessories to apprehend the chips. Like the JTAG forensics acclaimed above, the DFI risks that the dent capacity are encrypted. But if the advice is not encrypted, a bit archetype can be extracted as a raw image. The DFI will charge to argue with block abode remapping, breach and, if present, encryption. Also, several Android accessory manufacturers, like Samsung, accomplish encryption which cannot be bypassed during or afterwards chip-off accretion has been completed, even if the actual passcode is known. Due to the admission issues with encrypted devices, dent off is bound to unencrypted devices.

5. Over-the-air Abstracts Acquisition. We are anniversary acquainted that Google has baffled abstracts collection. Google is accepted for advancement massive amounts from corpuscle phones, tablets, laptops, computers and added accessories from assorted operating arrangement types. If the user has a Google account, the DFI can access, download, and assay all advice for the accustomed user beneath their Google user account, with able permission from Google. This involves downloading advice from the user’s Google Account. Currently, there are no abounding billow backups accessible to Android users. Abstracts that can be advised cover Gmail, acquaintance information, Google Drive abstracts (which can be actual revealing), synced Chrome tabs, browser bookmarks, passwords, a annual of registered Android devices, (where area history for anniversary accessory can be reviewed), and abundant more.

The 5 methods acclaimed aloft is not a absolute list. An often-repeated agenda surfaces about abstracts accretion – if alive on a adaptable device, able and authentic affidavit is essential. Further, affidavit of the processes and procedures acclimated as able-bodied as adhering to the alternation of aegis processes that you’ve accustomed will ensure that affirmation calm will be ‘forensically sound.’


As discussed in this article, adaptable accessory forensics, and in authentic the Android OS, is altered from the acceptable agenda argumentative processes acclimated for laptop and desktop computers. While the claimed computer is calmly secured, accumulator can be readily copied, and the accessory can be stored, safe accretion of adaptable accessories and abstracts can be and about is problematic. A structured admission to accepting the adaptable accessory and a planned admission for abstracts accretion is necessary. As acclaimed above, the 5 methods alien will acquiesce the DFI to accretion admission to the device. However, there are several added methods not discussed in this article. Added analysis and apparatus use by the DFI will be necessary.

– domestic download