Android Forensic Acquisition Techniques | Lucideus Forensics

Android Forensic Acquisition Techniques

“A technical walkthrough on Android forensic acquisition techniques to collect crucial device artifacts for Digital forensic analysis and investigation”

                                                                                                                       

Introduction

Digital forensic investigation on mobile devices requires an investigator to follow step by step procedure to collect, extract and analyze digital evidence. To accomplish complete extraction of digital evidence, the primary step is data collection or device acquisition.

Android forensics depends on the level of access a device provides which further determines the level or depth of the data which an investigator can extract. Generally, an Android operating system provides two layers of user access control which are rooted or non-rooted access. Primarily Android OS does not provide user administrative or root access hence devices are manufactured with non-root access.

Forensic Investigation requires in-depth recovery of artifacts for complete analysis. A rooted device provides complete extraction of user data and access to the system partition. The system partition stores complete application data, ROM and system files. For a non-rooted user, the partitions and system folders are kept hidden with no access

Gathering Information on Device Accessibility

Mobile device acquisition in simple words can be defined as the procedure to make a secure copy of the device where we can extract and analyze artifacts to discover crucial evidence. Android Mobile device acquisition depends on the following factors for data collection :

1. Device Security & Android Version
• Device Security
  Android devices comes with inbuilt security to deter users gaining device access with ease. The following security has to be bypassed or device has to be unlocked in-order to proceed further:

• Pattern
• A pattern based lock can be set by the user where a custom pattern is required to unlock the device
• Unlocks the device by using a specific swipe pattern along a series of nine dots.
• Pattern locks are stored in gestures.key file which can be replaced to bypass pattern security if the device already has root access and USB debugging is enabled.
• Password
• A lock can be set with 4 to 17 character which includes alphanumeric & mixed case passphrase. This is a highly secure device lock which requires a combination of manual and automated techniques to gain device access
• Password.key file stores the password set by the device user which is accessible with only root access.
• Combined Unlock Techniques
• Fingerprint
• Fingerprint based device unlock can be set for limited devices, it comes as an alternate unlock mechanism set with password/pattern or pin based locks.
• Bluetooth Device Lock & Unlock 
• A Bluetooth device can be utilized for device smart unlock which is an alternative unlock method sest with password/pattern  or pin based locks
• Android Version
• Android version becomes a crucial factor in gaining device access . It keeps on updating and releasing new versions securing the mobile devices. From providing different mechanism for device locking to enabling full device encryption android has reached to a state where gaining physical access becomes cumbersome.
• From an investigator point of view, unlocking device is the primary step towards acquisition. Hence different techniques has to be applied to bypass security based on the version the android is using.

2. Device accessibility

• Non-Root Access
• Generally manufacturer and Android do not provide root access to the device owner by default. Non-rooted devices provide access to the internal and external memory storage medium which enables an investigator to perform Logical Acquisition of the device.
• The system, memory and internal partitions won’t be visible or accessible. However, full device backup or adb backup can be utilized to perform logical acquisition of the device.
• Root Access

• A device with complete administrative access is what you get after rooting the device. Access to device system, memory and internal partitions are granted to the super user or the root user. 
• For rooted devices a complete device acquisition can be performed using dd command or automated tools. Root access also allows an investigator to perform data recovery and carving which uncovers deleted evidence stored in the device.

3. Connection Medium

• Mobile device acquisition proficiency depends on the connection medium an investigator uses to acquire an device.
• The following mediums can be utilized to acquire a mobile device which depends on availability and device status:
• USB connectivity
• USB cable connectivity is considered to be the safest & proficient method to perform mobile device acquisition . For mobile acquisition using usb cable the following settings has to be ensured for uninterrupted device acquisition:
• Connection Mode: MTP 

MTP Reference

• MTP connection mode allows logical access to the device internal memory . It differs from the previously used connection medium (USB Mass Storage) which used to emulate the internal memory as a logical partition rather than mounting as media device.

• Enabling USB debugging
• USB debugging is a developer option which enables analysis machine to establish connection with the device where SDK functions are enabled. In simple words execution of linux commands in terminal using ADB can be performed.
• Steps to Enable USB Debugging:
• Check the Android version & Follow the Steps:

Android version	Steps
V 5.0 and Above	1. Goto Settings > About Phone > Build number > Tap it 7 times to become developer;
	2. Again go to Settings > Developer Options > Check and allow USB Debugging.
V 4.2,4.3 and 4.4	1. Goto Settings > About Phone > Build number > Tap it 4-5 times to become developer;
	2. Again go to Settings > Developer Options > Check and allow USB Debugging.
V 3.0  to 4.1	1. Goto Settings > Developer Options > Enable and Allow USB Debugging.
V 2.0 to 2.3	1. Go to Settings > Applications > Development > USB Debugging.

• Other Connection mediums:

Device acquisitions are proficient using USB cable as then investigator can terminate incoming or outgoing wireless connections by placing the device in flight mode. 

However, if the USB connection cannot be established then other wireless connection mediums can be utilized:

• Bluetooth: Mobile acquisition can be performed by utilizing ADB via bluetooth connection.
• Wireless: Both mobile device and acquisition machine has to be connected to same wifi network . Device acquisition can be performed by using android device bridge via WiFi.

Device Acquisition Procedure

Device Acquisition

Forensic acquisition are the steps of making bit by bit replica of the custodian device while maintaining the integrity of the data stored in the device. Android devices however comes with a two level of access which an investigator has to determine in preliminary acquisition steps.

Understanding Level of Access :

Android devices offer two level of access that are root or non-root access. Devices comes pre-built with non-rooted access, Which allows investigator to perform logical acquisition instead of physical acquisition. In simple terms whatever information is stored and available logically can be acquired.

Root accessed devices however offer a complete level of device access, which can also can be determined as administrator access. Here devices can be acquired locally and physically. The logical partitions, system partitions, ram and ROM are available for acquisition.

How to determine a device is rooted or non-rooted?

• Using forensic utilities 

• Forensic utilities mostly available in the market are available for commercial purpose usage only. However, utilities such as Cellebrite, Oxygen Forensics, Magnet AXIOM, etc. Software utilities provide stepwise methods to acquire an Android device. 

• Forensic utilities can determine if a device is rooted or non-rooted hence moves forward with the method of acquisition as per the availability of the data.
• Manual methods
• Device Prerequisites:
• Device should be unlocked
• USB Debugging Should be enabled
• Machine Prerequisites :
• Minimal ADB Installation
• Steps to Check Root Access

1. Close all the active connections by putting the device on flight mode
2. Unlock the device and connect it to the workstation via USB cable
3. Open CMD/Powershell(Windows) or Terminal (Linux/Debian/Mac OS) and execute the following commands
• Adb devices
• A unique identifier with a device name should be visible.
• A popup will be displayed on the device consisting RSA fingerprint key and confirmation to add the machine as a trusted device

• Adb shell
• Shell access should be granted to the device 
• A basic list of Linux commands such as ls, dd, cat, etc is usable in the shell

• Su Command
• Checks if the device has superuser / root permissions.
• If permission is denied or command not found is displayed, the device should be non-rooted.
• Try accessing the system files & folders
• Execute CD /data
• Ls to view the files and folders present in the current directory 
• If LS returns no data, then the system files and folders are hidden. Which cannot be modified as it requires root permission. Hence, the device is non-rooted.

Traversing System Folders — (Non-Rooted Device)

Traversing System Folders — (Rooted Device)

Device Imaging

Device imaging can be performed once we have identified the device is rooted or non-rooted.
Rooted Device Acquisition
Devices with root access can be acquired using manual methods or using forensic utilities such as cellebrite, oxygen-forensics, magnet axiom, etc.

• Manual Acquisition Method
• Once you enter as a root user, check for the mounted partitions-
• Cat /proc/partition
• Displays the available partitions with size in kilobytes. The files are stored in /dev/block/partition name
• Available partitions Android Partitions

• Exploring the available partitions:
• Mmcblk0 : We can see that the partition has 15388672 KB size which is around 14.67 GB
• Mmcblk0p1 : Block Size — 20480 KB which is around 20 MB 
• Mmcblk0p2 : Block Size — 1280 KB which is around 20 MB 
• Mmcblk0p3 : Block Size — 1280 KB which is around 20 MB 
• Mmcblk0p4 : Block Size — 8192 KB which is around 8 MB 
• Mmcblk0p5 : Block Size — 8192 KB which is around 8 MB 
• Mmcblk0p6 : Block Size — 8192 KB which is around 8 MB 
• Mmcblk0p7 : Block Size — 204800 KB which i6s around 200MB 
• Mmcblk0p8 : Block Size — 16384 KB which is around 16 MB 
• Mmcblk0p9 : Block Size — 8192 KB which is around 8 MB 
• Mmcblk0p10 : Block Size — 2097152 KB which is around 2 GB
• Mmcblk0p11 : Block Size — 11616256 KB which is around 11.07 GB
• Mmcblk0p12 : Block Size — 524288 KB which is around 512 MB   
• Using DD command we can acquire a memory block / partitions.
• Advanced DD commands such as DCFLDD or DC3DD aren’t available for most of the devices. It can be executed if the device owner has pre installed DCFLDD or DC3DD binaries.
• Execute the following DD commands:
• Dd if= source” of=”destination directory/destination file.dd”
• DD command can create a disk image on the device via manual method. You can insert a blank SD card to output the image file to the external sdcard location.
• Sample command :
• DD if=”/dev/block/mmcblk0” of=”/extSdCard/image/mmcblk0.dd”
• Transfer the acquired memory blocks to investigation machine using adb pull or direct file transfer using MTP 

• You can transfer the image files by copying the files from the SDCARD using a memory card reader.

• Always ensure while transferring files from one source to a destination, a write blocker should be always active so that we can refrain from modification of evidence.
• Software based write blockers can be utilized or the memory card should be mounted in read only mode.

Non-Rooted Device Acquisition

Device with non-root access can be acquired using logical acquisition techniques. Non-Rooted Device can be temporarily rooted and acquired but the process tampers with the user data hence is not recommended.With limited access to the user device, non-rooted device acquisition techniques extracts minimal data from an Android Device.The following steps enumerates the procedure to acquire a non-rooted device:

1. Discovering the device via ADB:

2. Executing ADB backup 

3. Now accept the Full Desktop backup by entering a secure password 

4. A backup file(backup.ab) gets created after the backup is successfully created

• Executing Local Backups


• Local backup can be created in the device itself, it is much more faster than adb backup. However, an external SD Card is recommended to utilize for local backup storage.
• The following steps shows how to create local backups:

• Navigate to Device>Settings> Backup and Restore

• Check for the available backup locations such as System setting and Application Data

• Validate the selected items and start backup process

Observations

1. Local backups are created and stored in .bak file format 
2. Descript.xml file contains the backup file information.
3. The local backup contains application and user data backup

Image Integrity

Device acquisition depends on the investigator to thoroughly maintain integrity of the image. Image integrity can be maintained using hashing methods.

Hashing can be performed using software utilities or mobile forensic software such as cellebrite, oxygen forensics, magnet axiom creates hashes from the initial acquisition steps.

Image hashing depends on the algorithm investigator defines to check data for integrity. The hashing algorithms such as MD5, SHA1 , SHA256 are utilized to create a unique hash value . The hash value can be re validated at any point of the investigation to denote that the image data stays intact.

Manual Hashing Methods

While performing acquisition using DD command, we can also hash the output image to file. Rooted Android device supports only MD5 algorithm hashing by default.

Syntax:[dd if=/dev/block/memory-block /of=/sdcard/output-image.dd | md5sum > hash.txt]

Creates a DD image of the memory block and creates a text file with the computed image hash.

Hashing Using Software Utilities

Forensic Software utilities provide the functionality to create hashes based on algorithms such as md5, sha1, sha256,etc.

Acquisitions performed using manual methods can be hashed separately using software utility such as access data ftk imager.

Exporting File Hash List

Hashed File Details

MD5	SHA1	FileNames
CAD7A79129XXXXXXX6711B7696FFE7	6214286XXXXXXXXXX54F22165506615C4461	..\TEST-C01\IMAGE\DATAFS.DD

• A list of MD5 and SHA1 hashes are created for the files. To verify integrity of the image at any point of time during the investigation, an examiner can verify by recalculating the file hash.

Conclusion

Android Forensic Investigation requires an investigator to be proficient regarding acquisition, extraction and analysis of evidence. The methods involved and the amount of data collected while performing device acquisition, can become a crucial potinter determining extraction of artifacts leading towards discovering an evidence.

Android is a rapid evolving operating system, hence the methods and acquisition methods will keep changing on the basis of device &  data access it is providing. Google timely releases patches for security enhancement and authorized device access.  The acquisition methods are also affected by the custom ROMs being developed by individual device manufacturers which causes an investigator to customize acquisition methods every time. However, the basic device acquisition & data collection practices mentioned in the paper will remain constant for Android devices.