Android Forensics: The Meticulous Study of an Android Smartphone

  author
Written By Andrew Jackson
Anuraag Singh
Approved By Anuraag Singh
Published On July 11th, 2022
Reading Time 12 Minutes Reading

Mobile phones were introduced way back, but the growing technology and change in era has also converted its usage from just calling and communicating to almost doing everything on the go. Emergence of smartphones majorly has also affected the adverse usage of the technology; owing to its reachability and affordable price. Thus, every other person is equipped with a smartphone, almost all of which are capable of replacing the use of computers. Right from calling, texting, emailing, data sharing, web browsing, to carrying out online transactions; smartphones have become smart enough to do possibly everything.

Though almost all smartphone platforms are equally involved and affected in cyber based criminal activities. But the overtly excessive use of Android OS has resulted in its involvement being comparatively a little more than the others (iOS, Symbian, Blackberry, etc.). The OS is open source, thus is used on a wide range of devices and not just the top brands.

Android Smartphone Forensics

In a case, a device can be on any of the two ends; victim or suspect. This paper covers the forensic examination of Android based smartphones to capture artifacts from its internal storage, that is otherwise not acquirable. The methodologies used in the process are applicable for acquiring data from both; a victim and suspect device respectively. Followed techniques and steps are tested and executed under the surveillance of expert investigators, thus cause no harm in any manner to the potential evidence stored on device. Also, the procedures are applicable for examining and digging into an Android device of any brand or OS version.

Stage 1: An Introduction To Android And Its Architectural Built

Android is a mobile operating system that was developed by OHA or Open Handset Alliance. The team was built with the motive of serving an affordable yet rich mobile experience to users by accelerating innovation on different mobile devices. Architecture of the Android OS is based on Linux 2.6 kernel build, which is best illustrated in the figure given below:

android-architecture

The Android architecture is designed as a stack of software comprising of an operating system, application, middleware, runtime environment, libraries, and service. In order to extend the optimal development and execution environment for applications on different mobile devices, the stacks are arranged in layers with corresponding elements integrated within them carefully.

Kernel of Android is based on Linux kernel subdivisions. Primarily, 3.4 or 3.14 versions of the Linux kernel have been used by Android since April 2014. It is the dedicated layer for hardware abstraction that operates hardware & its resources. It maintains several drivers for almost all hardware.

Android On-Device Storage

Data storage done on an Android device is significantly larger than any other smartphone. This storage is categorized into five groupings, i.e. internal, external storage, shared preferences, network, and SQLite. Whereas, the app data can be in different forms depending upon the following factors, i.e. apps that are:

  • Configured with the device or on its OS
  • Integrated by the manufacturer
  • Installed using wireless carriers
  • Additional Google or Android based apps
  • User installed

The files are located within the folder, access to which can only be gained via root.
The file system is a medium of arranging data in an efficient order, though the file system used by Android on different devices hasn’t remained the same but changes with the device. YAFFS, JFFS, and Ext* are some of the file systems that Android devices deal with. Ext4 FS has specifically been the most common one amongst all. Basically, any given FS that for which kernel can load drivers for is fair enough to be used for the OS.

Most devices in the initial days of the mobile OS have worked with older versions of Ext, YAFFS or JFFS. However, Ext version 4 has been the most reasonable choice amongst all due to its firm support for kernel and good enough achievements. In addition to the named file systems, many droid devices have also worked with the f2fs, i.e. Flash Friendly File System which belongs to Samsung. The file system was introduced only keeping in mind the medium for flash storage, as a result, maximizing performance of the NAND gated chip using devices.

Ext4 Replacing YAFFS

By the end of year 2010 Google announced usage of ext4 FS over YAFFS since then. These changes in file system were adopted with the motive of extending storage limit and add up other improvement on the performance end.

The FS supports larger volumes as well as file sizes and was introduced with backward compatibility to make mounting of previous FS versions possible. Moreover, YAFFS was single threaded and couldn’t be considered a FS supporting advancing changes. On the other hand, Ext4 is multi-threaded, i.e. capable of not only working with dual core devices, but also with the latest quad and octa core systems.

Nevertheless, these are not officially the only file systems that are used by Android. All files, operations, and directories, of an applet work through an abstract kernel layer, i.e. VFS (Virtual File System). And each file system is the implementation of the respective VFS that a device uses. The kernel module used for registering VFS supported operations of every file system is different.

NOTE: Knowing about the file system is a very important part of the investigation and is thus considered the primary & most significant focus of the entire procedure. With the help of FS details, sensitive information/data can be carved out from allocated as well as allocated / deleted spaces.

 

Acquisition of Evidence for Investigation

Drawing important data from the collected evidence is known as the procedure of Data Acquisition. However, when a mobile device is concerned, the procedure doesn’t remain as easy as it seems in the case of a hard drive. This is due to the condition in which a device has been acquired, i.e. with password protection, without USB access, etc. Considering the conditions, there are basically three ways of acquiring data that are followed during an Android forensic investigation:

TIP: If a password protected device has been acquired in an unlocked state, investigators can retain the current state to avoid losing access to the device. To do so, go to Settings on the device and choose Developer Options then select Stay Awake. This will ensure that the device’s screen never turns off (while on charging).

 

  • Manual. The case where an examiner manually, i.e. without the usage of any tool/technique captures data on the device by taking screenshots or pictures of every screen. The procedure is evidently time consuming, tedious, and not completely reliable as, only the data accessible to users can be acquired.
  • Physical. In this procedure imaging of each and every data present on the device is done, bit by bit. The bit by bit imaging includes copying – complete FS consisting of data, deleted data, along with unallocated spaces.
  • Logical. Under this data acquisition scheme, the examiner uses the device manufacturing application for synchronizing the contents onto a desktop computer. However, most of the tools offering logical acquisition are free of cost and as the procedure is simply an extraction of user accessible data, potential evidence may get skipped in the form of deleted data or information present in unallocated space.

TIP: There are plenty of ways through which (for instance) a suspect can remotely access the device & its data to wipe it, with no traces left behind. This makes the evidence vulnerable to tampering. Examiners can either keep the device in a Radio Frequency shielding bag or simply activate the device’s Airplane Mode to jam the networks. This will result in blocking any/all possible activities from taking place via network/remote access, i.e. the only way through which an outsider can get access of the device while it is under observation.

 

For the most part, data that are physically accessible (user accessible) is not of much use during an investigation. Thus, the internal storage of Android must be looked for, in order to capture strong, serviceable, dependable, and authentic information.

File Structure

Android system uses more than one partition for storing information/data belonging to or created on a device. The representation of these partitions is done by the name of directories on the file system, serving as mount points for them. Using the ‘df’ command on adb shell will list the Android directory. And the directories that will get listed are illustrated as follows along with the data type stored within each:

file-structure

Highlighted directories are the ones that are specifically important from an investigative point of view. These directories are: /system, /cache, and /data. Upcoming segments elaborate the means to access these directories in order to browse through the data stored within them.

Stage 2: Rooting and Accessing An Android Device

Access into the root folder/directories on the device offers rightful access to device memory storing a great set of valuable information. Contact lists, text messages, call log, and other data stored by the device (possibly unavailable to user access) and any other such information, is located in the root folder. Investigators can get their hands on such data via rooting used as the medium.

Rooting is a procedure used by members of the Modding community, i.e. users who prefer modifying the device specifications above its official and manufactured capability. The procedure offers access to the root directory and permissions of the device to permit the modification of performance or technical specs as per custom requirements.

Role of Android SDK

Android Software Development Kit has many significant options and features offered for developer access and usage purpose. One of these is ADB – Android Debug Bridge provided as a communicating interface for the Android system over a desktop computer. A computer provisions easy access to command shell further useful for installing, removing applications, and transferring data, from the OS when connected via ADB.

There are multiple known procedures available to easily root a mobile device. Once the device has been rooted, the following procedure can be executed:

    • Access to the device’s root folders using ADB

Directory-list

  • Check – storage, size, used/unused space of each partition on the command shell
  • Perform imaging of the directories via ‘dd’ command (.img file)

12

Chief Stages of Analysis: Imaging and Extraction

Imaging the system directories is the most crucial stage of any digital forensic investigation, including Android forensics. The permanent rule of all forensics is that, one cannot work on the primary evidence to abide by its representation in the court of law. Thus, bit by bit imaging of the involved device is considered very important.

We have used the ‘dd’ command for imaging Android system directories. ‘dd’ command is a Unix based utility meant for Unix or likewise OS. It is built with the purpose of emulating files into an image file. Given below is how the ‘dd’ command is used (for representational purpose):

Validating Acquired Data with Disk Image

It is highly necessary to calculate and take note of the original hash value of the disk before imaging it. However, MD5 hash value is not generated during the imaging process, thus a tool can be used for acquiring the same. For instance, ‘Busy Box’ is a complete toolkit of small Unix based utilities combined into a single executable file. It also happens to serve calculation of the hash value of a disk.

Once the hash value is acquired it must be calculated with the hash value of the disk image generated. Same hash values represent that, the evidence hasn’t been tampered with in any way during the process, which is valuable information to be represented in the court of law during litigation.

Examining Disk Image for Evidence Extraction

This part of investigation uncovers evidence with the help of disk image mounting tools. You can either go for a program that mount as well as reads the disk image data by enlisting the folder structure emulated like; the FTK Imager.

Otherwise, an application that can extract and generate a database (preferably; user data directory) in SQLite DB format can be adopted for the task. Scalpel is a one such reliable tool. Later, a SQLite database browser can be used for loading the extracted database for examination purpose.

In this case, we have chosen the second method, i.e. extraction of data in SQLite DB with its further processing done via a DB browser, SysTools SQLite Recovery. Images of the findings within different database tables are provided below for exemplification purpose.

Contact List

The table shows last time of contacting, number of times the contact has been contacted with, display name given to them, and other related information.

contacts

Messages

Address field shows the contact numbers that have ever been involved in a conversation made using the device. While the date and time stamp helps track down the exact duration at which a particular message was exchanged, while, the body field clearly lists the entire message exchanged in conversation with the corresponding contact number.

messages

Call Logs

On examining the call logs table, the following tabular list was revealed. The fields depict particular information each, as briefed below:

  • Number – The contact number
  • Date – Date and time
  • Duration – Call duration
  • Name – Name of the contact
  • Countryiso – Country

call-logs

 

TIP: The timestamp fields list a numerical arrangement to depict the respective information. This is not a random numeric arrangement rather the format in which Unix based timestamp is generated. These numbers can easily be converted using an online Unix timestamp converter to disclose the actual information. One of the timestamps has been converted below for illustration:

 

Example: 1427512846 is equal to Sat, 28 Mar 2015 03:20:46 GMT

An Observational Verdict

Android is not just limited to, mobile/smartphones, but have also captured other gadgets like; tablets, computers, etc. Thus, the forensic arena has a lot to look forward to and upgrade their skills for. Analysis on different devices will certainly involve different procedures according to their storage type and directory. However, by following the detailed information discussed in the blog above, investigators can successfully acquire potential evidence from an Android phone to further investigate upon. End report of the entire forensic analysis has to be created by the investigator, keeping in mind that the output is in a court admissible format.

  author

By Andrew Jackson

I am SQL DBA and SQL Server blogger too. I like to share about SQL Server and the problems related to it as well as their solution and also I do handle database related user queries, server or database maintenance, database management, etc. I love to share my knowledge with SQL Geeks.