Android Forensics

Smartphones are changing the IT and communication landscape. A smartphone can do almost everything a computer can do; most corporate employees now read and manage their official e-mail through a client installed on their smartphone.

From booking movie tickets to making fund transfers, e-commerce and online banking transactions can all be done from a smartphone. With high-speed 3G data, smartphones are becoming increasingly popular, especially among working professionals and students.

As the smartphone market grows, it also attracts the attention of attackers. Mobile users are an easy target because they are generally less aware of, and less concerned about, the risks associated with their devices and the applications on them.

There are a number of mobile operating systems on the market, of which Android, iOS and RIM (BlackBerry) are the most popular. Android is the most widely used. According to Gartner, Android held more than 36% of the market by the end of the first quarter of 2011.

It is no surprise that the most widely used platform attracts the most attacks, as has long been the case with Microsoft Windows. An attacker who wants to reach the largest number of victims targets the most common platform, and as Android captures market share it is becoming the favourite mobile target.



Discovering evidence on Android devices is a challenge for forensic examiners. Android has a different and newer file system, directory structure, runtime environment, kernel and libraries, which make it more complex for the examiner. Detailed forensic steps for examining an Android device are discussed later in this article.

How Android can be used in Cyber Crime

Android can be used in cyber crime in two ways:

•   Android device is targeted by the attacker.

•    Android device is used as a means to carry out cyber crime.

Let us consider some real-world situations. What if an Android device is discovered at a crime scene? What evidence can be recovered from the device? Where exactly should one look for it?

These are some of the challenges faced while doing forensic analysis on an Android device. First we will see what a smartphone can be used for in various criminal activities.

Cyber Crimes through Smartphones

Software Theft: Software theft is now a common attack. If the codebase of your software is stolen and sold to a rival, it can cause great loss to your company. Rivals are willing to invest heavily to obtain the source code of key software.

A smartphone can carry a large volume of sensitive data, including the codebase of a company's key software. Security guards and other mechanisms are in place to check whether employees and visitors are carrying business-critical information in any form, but mobile phones are rarely checked.

In one classic case of software theft, a disgruntled employee carried the entire source code of her company's key product out on her smartphone. She first copied the code to the phone's external storage and then deleted it. When her phone was inspected at the security check, nothing was found on it. Once home, she used a recovery tool to restore the deleted data (deleted files on a FAT memory card remain on the card until their clusters are overwritten, as the recovery section later in this article shows). In this way she took the data out of the company and later sold the source code to her employer's rival.

Terrorist Activities: Terrorists also use smartphones to exchange and store information and to communicate with other members of their organisation. They use GPS to find locations, and they can store data such as maps or photographs of target locations, encrypted and steganographic files, instructions and so on. The phone's camera can be used to photograph target locations.

Pornography/Child Pornography: Pornography is banned outright in a number of countries, and child pornography is a serious offence across the world. A smartphone can be used to store, view, capture and exchange such material.

Sexual Harassment Cases: A smartphone can play a big role in sexual harassment cases. If a smartphone is recovered from the accused, a forensic examiner can obtain a wealth of information from the device.

Financial Crimes: Almost every bank is developing banking and other applications for its mobile customers. These applications can be abused by attackers, and a smartphone recovered in a financial fraud case can yield a great deal of evidence.

Murder Cases: Even in murder and other criminal cases, a smartphone can provide evidence that helps solve the case, from call records and SMS messages to Facebook records and GPS data.

So what evidence can be recovered from a smartphone, and where should one look? The following section lists the locations of interest:

Interesting locations for Forensic Investigation

•   Phone Browser Memory

•   Application storage

•   External Card

•   SQLite database files

•   SMS

•   GPS data

•   Call records

•   Contact list

•   Social networking application (Facebook, Twitter, Orkut) records

•   Messenger (Yahoo, MSN) records

•   Email client data

•   System storage

•   Data stored in external card

How is the investigation of an Android device different from that of other smartphones? Do forensic investigators really need to learn anything special to analyse Android devices? Can evidence be recovered from the device, and is it admissible in a court of law?

The next section of the article answers these questions in detail.

Forensic Process of Android Device

The forensic process for an Android phone comprises the following steps:

Seizing the Android device: If an Android device or any smartphone is discovered at a crime scene, the first thing a forensic investigator should do is photograph the scene, including the device. If the phone is on, photograph the display as well.

If the phone is on, keep it charged so that the battery does not drain. If it is left uncharged and powers off, important data may be lost, especially about current or recent applications. Also isolate it from the network (switch on airplane mode, or place it in a Faraday bag if the screen must not be touched) so that it cannot receive a remote-wipe command or new data that overwrites existing evidence; phones have been erased remotely after leaving a crime scene. If the phone was off when recovered, keep it off. Seize all other available accessories, i.e. memory card, data cable, etc.

As soon as we recover anything, start labeling it. It is required to maintain and present a chain of custody at the court of law. A label should have the following minimum information on it:

•   What is the evidence?

•   How did you obtain it?

•   When was it collected?

•   Who has handled it?

•   Why did that person handle it?

•    Where has it travelled and where was it ultimately stored?

•   What is Case ID?


Chain of Custody is the chronological documentation of every individual who had physical possession of the evidence. Maintaining it is vital: it guarantees the integrity of the evidence from collection to the final test result, and it is a mandatory document in any criminal trial. If a proper chain of custody has not been maintained, the court may disregard the evidence when reaching its verdict.

Creating 1:1 Image

Creating an image is the most important task in any forensic analysis. The rule of thumb is that you never work on the primary evidence if you want to present it in court; instead you create a bit-by-bit image of the target device and work on that.

What is a bit-by-bit image, and how does it differ from copying and pasting the contents of the entire disk?

Copying and pasting the contents of a disk copies only the files the file system still references: visible, hidden and system files. Whatever has been deleted, or lives in unallocated or slack space the OS does not expose, is not copied. A 1:1 (bit-by-bit) image copies every sector, so for analysis it is as good as the original. Thorough analysis is not the only reason to take a 1:1 image: it is also what courts expect. Strictly speaking, most jurisdictions do not require a bit-for-bit image (a properly documented partial or live acquisition can still be admitted), but without one your findings are far easier to challenge, so take one whenever the device allows it.

How do we take an image of an Android device? How can I verify that my image is an exact bit-by-bit copy of the original disk or device? How can I establish the authenticity of the image?

There are two locations to image in the case of an Android device: the device itself and the external card. We will see in the following section how to create a bit-by-bit image of the Android device, but first, how to verify the image.

Before imaging the original disk, calculate its hash value and note it down. After taking the image, calculate the hash of the image. If the two hashes match, we can be sure we have an exact image of the original. From then on we work on the image, and evidence discovered in it can be presented in court along with the hashes. The hash establishes that the image has not been tampered with; use a strong algorithm (SHA-256 rather than MD5 alone, since MD5 collisions are practical) and re-hash the image whenever it changes hands.

One more thing to take care of before imaging: put the target device in write-protected mode. Whenever you connect a device to your computer, some software, application or the OS itself may write to it (a desktop OS may create index or system files on a freshly mounted volume), and then your evidence is no longer pristine. To avoid this, make the disk or device write-protected, ideally with a hardware write blocker. In this article we will write-protect the device in software to explain the technique.

Creating an image of the external memory card: We will start with the simpler part, imaging the memory card. In most cases the card is formatted FAT32 and is easy to image. Many free and commercial tools can help; we will use the free version of WinHex, a powerful forensic tool available in both freeware and commercial versions.

Note

The choice between commercial and open-source tools does not by itself decide whether evidence is admissible. What matters is that the tool has been validated (its output is reproducible, ideally confirmed with a second tool), that the procedure is documented, and that the hashes match. Commercial tools are often preferred because the vendor can supply validation documents and expert testimony, but open-source tools such as dd are widely accepted; the free version of WinHex is used here only for illustration.

Here are the detailed steps to take the 1:1 image of the memory card:

First remove the SD card and connect it to the computer with any card reader. Now we make the device write-protected in WinHex. Open the disk in WinHex (Figure 2).

Go to Options, then Edit mode, and select the first option, write-protected mode.

Now calculate the hash value of the SD card.

To calculate the hash, go to Tools, then Compute hash, and choose a hashing algorithm. This value will be compared with the hash of the image computed afterwards. Now create the image: go to the File menu and click Create Disk Image. Choose the Raw image (.dd) option, because a dd image is understood by almost all commercial and open-source forensic tools.

The image of the memory card is created. We will use this image for analysis later in the article.

Creating Image of Android device

This is the tricky part. Android does not provide any direct way to access or view its internal directories or system files, yet these internal and system locations hold the most critical data. Almost all applications write their application data and temporary data there. /data/data is the most interesting location for the forensic investigator, and it is not accessible to the ordinary user: only the owning application (under its own Linux UID) and root can read it.

How can we access the Android internal directory structure, and how do we create an image of it?

For this we need to obtain root permission on the Android OS; in Android terminology, we need to root the device to get superuser permission. Various techniques are available; Odin3 (the flashing tool for Samsung devices) is one popular option. Check the build number of the phone under Settings -> About Phone -> Build number, search for a rooted kernel matching that build, and flash it with Odin3. There are many good tutorials on Android rooting. Rooting is legal in most places, but check local law before rooting a phone you do not own. Contrary to the common belief that it is harmless, rooting can void the manufacturer's warranty, it writes to the device, and on some devices unlocking the bootloader factory-resets the phone, wiping the very user data partition you want to preserve. Check the procedure for the exact model before starting.

Note

Rooting writes to the target device, and as mentioned earlier we should not write anything to a phone we want to present as evidence. The method explained in this example may therefore not be accepted by the court; in such a case, obtain approval in advance from the court, subject again to local law. Now that we have root access on the phone, what next?

As is well known, Android uses a Linux kernel (2.6 at the time of writing). By installing a Terminal Emulator application from the Android Market, we can run most common Linux commands. So, to image the device, we will use the dd command. dd does not stand for Data Description; its name is borrowed from the DD (Data Definition) statement of IBM's JCL. It performs low-level, block-by-block copying of data, which is exactly what a bit-by-bit image of the Android device requires.

To take the image, insert a fresh (wiped) SD card in the device and write the output there. Typical syntax of the dd command:

dd if=/dev/fd0 of=tmp.image bs=4096 conv=noerror,sync

Here if is the input file (the device to image) and of is the output file. bs sets the block size, and conv=noerror,sync tells dd to carry on past unreadable blocks and pad them with zeros instead of aborting and leaving a short image in which every later offset is shifted. Again, dd output is understood by all commercial and open-source forensic tools, including WinHex, EnCase, Helix, Forensic Toolkit (FTK), etc.

To find the partitions that make up the Android system, read the file /proc/mtd, which lists the flash (MTD) partitions, their sizes and their names:

dev:  size     erasesize name
mtd0: 000a0000 00020000 "misc"
mtd1: 00480000 00020000 "recovery"
mtd2: 00300000 00020000 "boot"
mtd3: 0fa00000 00020000 "system"
mtd4: 02800000 00020000 "cache"
mtd5: 093a0000 00020000 "userdata"

Image each partition in turn with dd, reading from its block device (on MTD-based devices partition N is exposed as /dev/block/mtdblockN, so /dev/block/mtdblock3 is system) and writing to the SD card. The sizes are hexadecimal byte counts, so the userdata image above should come out at exactly 0x093a0000 bytes; a shorter file means dd stopped early.

To understand the concept, we will copy some of these partitions with dd.
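As an added example (not from the original article), the following Python script generalises the imaging procedure of this section together with the hash verification described earlier: it parses a /proc/mtd-style table, builds the dd command for each partition, and, for the copy itself, implements the same block-by-block copy with zero-padding of unreadable blocks (what dd conv=noerror,sync does) followed by a before/after SHA-256 comparison. The partition table is the one shown above; the device files it images are constructed in a temporary directory, since it cannot touch a real phone, and the /dev/block/mtdblockN and /sdcard paths in the generated commands are assumptions about the device's MTD block nodes and external card.

```python
"""Added example: imaging flash partitions bit-for-bit with hash verification.
Not part of the original article; the device files below are constructed stand-ins."""
import hashlib
import os
import re
import tempfile

BLOCK = 4096

# Constructed listing in the format of /proc/mtd, copied from the table above.
SAMPLE_PROC_MTD = """dev:  size     erasesize name
mtd0: 000a0000 00020000 "misc"
mtd1: 00480000 00020000 "recovery"
mtd2: 00300000 00020000 "boot"
mtd3: 0fa00000 00020000 "system"
mtd4: 02800000 00020000 "cache"
mtd5: 093a0000 00020000 "userdata"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"')


def parse_proc_mtd(text):
    """Return [(dev, size_bytes, erasesize_bytes, name), ...] from /proc/mtd text."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line)
        if m:
            dev, size, erase, name = m.groups()
            parts.append((dev, int(size, 16), int(erase, 16), name))
    return parts


def dd_command(part, outdir="/sdcard"):
    """The dd line to run (as root) on the phone for one partition.
    Assumption: MTD partition N is exposed as /dev/block/mtdblockN."""
    dev, _size, _erase, name = part
    num = dev[len("mtd"):]
    return "dd if=/dev/block/mtdblock%s of=%s/%s.img bs=%d conv=noerror,sync" % (
        num, outdir, name, BLOCK)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, block=BLOCK):
    """Copy src to dst block by block, like dd conv=noerror,sync: a block whose
    read fails is replaced by zeros and its offset recorded, so the image keeps
    its offsets and the examiner knows which ranges are unreliable."""
    bad_offsets = []
    offset = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            try:
                chunk = fin.read(block)
            except OSError:
                bad_offsets.append(offset)
                chunk = b"\0" * block
                fin.seek(offset + block)
            if not chunk:
                break
            fout.write(chunk)
            offset += len(chunk)
    return bad_offsets


def image_and_verify(src, dst):
    """Hash the source first, image it, hash the image, compare. If the source
    has unreadable blocks the hashes cannot match; the image hash is then the
    reference value and the bad offsets go into the report."""
    try:
        src_hash = sha256_file(src)
    except OSError:
        src_hash = None  # unreadable source: only the image hash can be recorded
    bad = image_device(src, dst)
    img_hash = sha256_file(dst)
    return {
        "src_sha256": src_hash,
        "img_sha256": img_hash,
        "bad_offsets": bad,
        "verified": src_hash is not None and not bad and src_hash == img_hash,
    }


def demo():
    """Constructed run: one small random file per partition of the sample
    table stands in for /dev/block/mtdblockN; everything lives in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for part in parse_proc_mtd(SAMPLE_PROC_MTD):
            dev, size, _erase, name = part
            src = os.path.join(tmp, dev)
            with open(src, "wb") as f:
                # Scaled down; the odd length exercises the final partial block.
                f.write(os.urandom(min(size, 3 * BLOCK + 123)))
            results[name] = image_and_verify(src, os.path.join(tmp, name + ".img"))
    return results


if __name__ == "__main__":
    for part in parse_proc_mtd(SAMPLE_PROC_MTD):
        print(dd_command(part))
    for name, r in demo().items():
        print(name, "verified" if r["verified"] else "MISMATCH", r["img_sha256"])
```

On a real device you would run the printed dd lines in the rooted terminal, pull the .img files from the card, and record the hashes printed here in the chain-of-custody log; a non-empty bad_offsets list is itself a finding and belongs in the report.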

Recovering Data

Now we are done with imaging. The image created above can be opened by any forensic tool; we will use the free version of WinHex to recover and analyse the data.

In most cases the criminal deletes suspicious data or even formats the entire disk. In a pornography case, for example, we may find hardly anything on the device because the data has been deliberately deleted. So, before starting the analysis, it is recommended to recover all deleted or destroyed data first.

To recover deleted data, open the image file in WinHex: go to File, then Open, select the image file and click OK. Figure 7 shows the opened image file.

As the screenshot shows, all data is presented in hex form. To make it understandable, we need to interpret the image as a disk: go to the Specialist menu and click Interpret Image File As Disk.

The folders highlighted in Figure 9 are the deleted folders.

To recover a deleted file or folder, right-click on it, click Recover/Copy and select a location to save it.

There are a number of tools available to recover deleted or destroyed data. All well-known forensic tools such as FTK and EnCase have built-in features for identifying and restoring deleted data.

Analyzing the Data

Analysing Android data is a bit different; one should know the important locations to check, and more manual intelligence is required in this step. For example, in a money-laundering case the e-mail, browser and banking application data must be examined for clues; in a sexual harassment case, e-mails, social networking data and SMS messages are the interesting places to look for evidence.

For example, the file below was recovered from the Skype application, using the same dd command. It is a .DAT file; opened in a text editor (Notepad in this case), it shows e-mail addresses, Skype IDs and chat records, everything in plain text. In the same way, useful information can be obtained from other applications such as Facebook, Yahoo Messenger and Twitter. Each application's data lives under its own package directory (the package name is the app's reverse-DNS identifier, e.g. com.facebook.katana for Facebook):

/data/data/<package name>/

Analyzing SQLite database files

SQLite database files are the most interesting files for forensic investigators; this is where the most critical information is found, in some cases even usernames and passwords.

SQLite is a lightweight relational database used by almost all smartphone OSes, including Android, iOS and BlackBerry. SQLite files can be found at the following location:

/data/data/com.application_name/databases

For example, to see all SQLite files created and maintained by Facebook, look in the following directory for .db files:

/data/data/com.facebook.katana/databases

SQLite files are usually stored with a .db extension. I have copied a few sample .db files (from Facebook, an e-mail client, etc.) using dd to explain the analysis of SQLite database files.

To understand the concept, I will be using the free version of the Epilog tool. Epilog is a powerful tool for all kinds of SQLite files.

Open a db file in Epilog; in this example we open fb.db (the Facebook db file). Tick the Do Generic Record Extraction checkbox and click Process. As the screenshot shows, fb.db contains some really useful information: full names, e-mail IDs and phone numbers of the friends in the suspect's Facebook friend list. By opening the right db file we can even find chat logs, personal messages and other details, and in some cases usernames and passwords stored in SQLite files. Note that SQLite keeps the bytes of a deleted row inside the file until its page is reused or the database is vacuumed (unless the application enabled secure_delete), which is why a generic record extraction can surface records that the live schema no longer references.
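As an added example (not part of the original article, and not Epilog's code), the script below does in Python what the examiner does with Epilog: it opens a copy of an application database read-only, enumerates its tables, dumps the live rows, and then scans the raw file bytes for strings that no live row references, which is how a message the suspect deleted can still be recovered. The database it builds (fb.db, with friends and messages tables) is a constructed stand-in for the Facebook database; its schema and contents are invented for the example.

```python
"""Added example: examining an app's SQLite database, including recovery of a
deleted row from the raw file bytes. The database and its contents are constructed."""
import os
import re
import sqlite3
import tempfile


def build_sample_db(path):
    """Constructed stand-in for /data/data/com.facebook.katana/databases/fb.db."""
    conn = sqlite3.connect(path)
    # Stock SQLite leaves the bytes of a deleted cell in the page. A platform or
    # app that sets secure_delete=ON overwrites them with zeros, and recovery then
    # depends on journal files or unallocated space instead. Force stock behaviour.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE friends (uid INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO friends VALUES (?, ?, ?, ?)", [
        (1001, "Alice Example", "alice@example.com", "+1-555-0100"),
        (1002, "Bob Example", "bob@example.com", "+1-555-0101"),
        (1003, "Carol Example", "carol@example.com", "+1-555-0102"),
    ])
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, uid INTEGER, body TEXT, ts INTEGER)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, 1002, "meet at the usual place at 9", 1300000000),
        (2, 1003, "wire sent, check your account", 1300003600),
    ])
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = 2")  # the suspect 'removes' a message
    conn.commit()
    conn.close()


def open_ro(path):
    """Open read-only so the examiner's working copy is never modified by the query tool."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_tables(path):
    conn = open_ro(path)
    try:
        return [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    finally:
        conn.close()


def dump_table(path, table):
    """Live rows of one table. The name is checked against sqlite_master before it
    is interpolated, because identifiers cannot be bound as query parameters."""
    if table not in list_tables(path):
        raise ValueError("no such table: %r" % table)
    conn = open_ro(path)
    try:
        return conn.execute('SELECT * FROM "%s"' % table.replace('"', '""')).fetchall()
    finally:
        conn.close()


def live_strings(path):
    """Every text value the live schema still references, plus schema names and SQL."""
    seen = set()
    for table in list_tables(path):
        for row in dump_table(path, table):
            seen.update(v for v in row if isinstance(v, str))
    conn = open_ro(path)
    try:
        for row in conn.execute("SELECT name, tbl_name, sql FROM sqlite_master"):
            seen.update(v for v in row if isinstance(v, str))
    finally:
        conn.close()
    return seen


def carve_unreferenced(path, min_len=8):
    """Printable-ASCII runs in the raw file (after the 100-byte header) that contain
    no live string: a crude generic record extraction. Deleted cells keep their
    payload bytes until the page is reused or the database is vacuumed."""
    live = live_strings(path)
    with open(path, "rb") as f:
        data = f.read()[100:]
    runs = [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    return [s for s in runs if not any(l in s for l in live)]


def demo():
    """Build the constructed fb.db in a temp dir and run the whole examination."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "fb.db")
        build_sample_db(db)
        return {
            "tables": list_tables(db),
            "friends": dump_table(db, "friends"),
            "messages": dump_table(db, "messages"),
            "carved": carve_unreferenced(db),
        }


if __name__ == "__main__":
    r = demo()
    print("tables:", r["tables"])
    print("live messages:", r["messages"])
    print("unreferenced strings (candidate deleted data):", r["carved"])
```

The carved run for the deleted message carries a few bytes of the neighbouring integer column on the end, which is what raw string carving looks like in practice; a proper record parser (or Epilog) decodes the cell header instead of guessing. The same scan is worth repeating over the -journal or -wal file next to the database, since those hold earlier copies of modified pages.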

viaExtract Tool

There are a number of good forensic tools on the market; among them I found viaExtract, made specifically for Android forensics by viaForensics, very useful and easy to use.

Connect the phone to the machine where viaExtract is installed, with the phone in USB debugging mode (Settings -> Applications -> Development -> USB Debugging). Click Next and the tool acquires and analyses the device. The output is a final report with all the useful information such as contacts, SMS messages and IM records. Figure 12 shows the HTML report from viaExtract, listing all SMS details.

Note: viaExtract, too, writes to the device (enabling USB debugging already changes a setting on it), so record this in the chain of custody.

Reporting Evidences

Reporting has to be done case by case. Evidence is reported differently in corporate and criminal cases, but it should always be clear and give direct or indirect reference to the possible scenarios of the crime.

In a criminal case where evidence is to be presented in court, the findings must also be mapped to the relevant laws, and the chain of custody must be presented alongside the evidence. Reporting also differs from country to country, as cyber laws vary with geography.

Conclusion

To summarise, analysing Android for forensic purposes employs quite different techniques from traditional forensics. It involves heavy manual intelligence and intervention. Maintaining the integrity of the primary evidence is also a challenge. Tools for Android forensics exist, but there are still gaps to be filled and a lot to be done in this direction. After learning about forensic process, it will

by MANISH CHASTA

Analyst, working with Indusface (www.indusface.com) as Principal Consultant. He has more than 5.5 years of experience in information and application security. He currently manages a team of security engineers and does extensive research in mobile application security. He also handles prime customer accounts for the company. He has authored numerous security articles for ClubHack and Palisade. He has audited 200+ mobile and web applications in the areas of Internet banking, core banking (Flexcube), finance, healthcare, CRM, telecom and e-commerce. He has Security and Ethical Hacking to multiple clients. Email id: chasta.manish@gmail.com

10 thoughts on “Android Forensics”

  1. Interesting article…thank you for taking the time to write it.

    Question: Where are the Figures called out in your article? They do not appear in any browser of mine. Without them, some of the content is unusable.

    Also, I would like to comment on your assertion: “Thorough analysis is not the only reason we need to take 1:1 image, it is also required by the court of law. If you have not taken 1:1 image, your evidences are not admissible in the court of law.”

    Courts in my jurisdiction do not “require” a 1:1 image. It is preferred, yes–but not required. This is a very sweeping statement and, in my opinion, inaccurate and misleading, since partial or altered evidence can be admitted by a court of law, if the examiner follows chain-of-custody and thoroughly documents procedure and purpose for the partial or altered evidence. The court might agree that the condition of the evidence, seizure/imaging circumstances, or employed procedure does not invalidate the integrity, relevance and weight of the evidence, and may, subsequently, admit the evidence. An example of such “altered” evidence is the live capture of system memory which is typically admissible. By virtue of live capture process, the original evidence is altered. If one documents procedure and handles the evidence using “best practice,” the evidence will likely still be admissible.

    If your limiting statement is made based upon strict law enforced by a particular jurisdiction (country, state, city), you need to state such. Otherwise, it can mislead and, possibly, compromise the methods used by a less-informed examiner that reads this article.

  2. “Only commercial tools should be used to discover the evidences in case you want to take evidences to the court.”

    Silly note, why is that the case? Open source tools are way better, to make sure they do what they should do. Or isn't it so?

    • Court does not consider evidences collected by open source tools. This is law and if you want to prove something that needs to be collected, then commercial tools with proper chain of custody maintained is a better choice.

  3. Good read….

    However, I would strongly recommend that if you seize a smartphone i.e Android phone that is ON consider putting it into a Faraday bag or into a flight mode. I have seen many times phones being remotely erased after leaving crime scene.

    -Hast

  4. DD does not stand for disk duplicate. The original writer of the software wanted to call the software “cc” for copy and convert. However, that name was taken. So he change the name to the next letter in the alphabet. “dd”.

  5. 1. Someone Asked if “dd” stood for “disk duplicate”, and you replied something like, “no it doesn’t, it was going to be called ‘cc’ and that name was taken so they used the next letter (d).” In the article above, however, you stated that ‘dd’ stands for “Data Description”. Both cannot be correct.

    2. I’m a bit confused as to the concept of 1:1 imaging and how it relates to “terminal emulator” (console) commands such as “dd”. My understanding of the term “image”, when used in the current context, is that it refers to the EXACT sector for sector copying of a storage device. Meaning that you start at the very beginning of the storage medium and copy every single nanometer until you get to the end. Free space, deleted files, slack space…everything.

    There’s no need for interpretation of the copied data at this point. It’s just “1”s and “0”s. So “terminal emulator” has nothing to do with it – since you’re not reading the filesystem, you’re just copying blindly. Like if I were given a flyer to copy, and the flyer was written in Chinese. I don’t know Chinese, yet I can still make copies of the flyer without ever knowing what it said.

    Your method relies on rooting the phone, and then using the “root” status to issue commands and access areas not normally available; exactly what you can’t do if you want to use the evidence in a court of law. So basically, the entire article is nullified and it starts to look like you’re making it up as you go along.

    Can you provide links to law, code or legal precedent or even current white papers?
