Learning Android Forensics

By : Rohit Tamma, Donnie Tindall

The mobile forensics approach

Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all cases. However, the overall process can be broken into five phases as shown in the following diagram:

Phases in mobile forensics

The following section discusses each phase in detail:

Investigation Preparation

This phase begins when a request for examination is received. It involves preparing all of the paperwork and forms required to document the chain of custody, ownership information, the device model, its purpose, the information that the requestor is seeking, and so on. The chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. From the details submitted by the requestor, it's important to have a clear understanding of the objective for each examination.

Seizure and Isolation

Handling the device during seizure is one of the most important steps in a forensic analysis. The evidence is usually transported in anti-static bags, which are designed to protect electronic components against damage caused by static electricity. As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device. At the same time, any opportunity that can aid the investigation should not be missed.

Following are some of the points that need to be considered while handling an Android device during this phase:

  • With increasing user awareness of security and privacy, most devices now have a screen lock enabled. At the time of seizure, if there is a chance to do so, disable the passcode. Some devices do not ask the user to re-enter the passcode while disabling the lock screen option.

  • If the device is unlocked, try to change the settings of the device to allow greater access to the device. Some of the settings that can be considered to achieve this are as follows:

    • Enable USB debugging: Enabling this option gives greater access to the device through an Android Debug Bridge (adb) connection. We are going to cover adb connections in detail in Chapter 2, Setting Up Android Forensic Environment. This will greatly aid the forensic investigator during the data extraction process. On Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot. From Android 4.2 onwards, the developer options are hidden by default. To enable them, navigate to Settings | About Phone and tap on Build number 7 times.

    • Enable stay awake setting: Enabling this option and charging the device will make the device stay awake, which means that it doesn't get locked. On Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot:

      Stay awake and USB debugging options

    • Increase Screen timeout: This is the time for which the device will remain active once it is unlocked. Depending on the device model, this time can be set to up to 30 minutes. On most devices, it can be accessed under Settings | Display | Screen timeout, as shown in the following screenshot:


    Please note that the location to access this item changes across different versions and models of Android phones.

    Screen timeout option on an Android device

In mobile forensics, it is of critical importance to protect the seized device so that our interaction with the evidence (or for that matter, an attacker's attempt to remotely interact with the device) does not change the evidence. In computer forensics, we have software and hardware write blockers that can perform this function. But in mobile forensics, since we need to interact with the device to pull the data, these write blockers are not of any use. Another important aspect is that we also need to prevent the device from interacting with wireless radio networks. As mentioned earlier, there is a high probability that an attacker can issue remote wipe commands to delete all data, including e-mails, applications, photos, contacts, and other files on the device.

The Android Device Manager (ADM) and several other third-party apps allow the phone to be remotely wiped or locked. This can be done by signing into the Google account that is configured on the mobile device. Using this software, an attacker can also locate the device, which could pose a security risk. For all these reasons, isolating the device from all communication sources is very important.


Have you thought about remote wipe options that do not require internet access? Mobile Device Management (MDM) software provides a remote wipe feature just by sending an SMS. Isolating the device from all communication options is crucial.

To isolate the device from a network, we can put the device in Airplane mode if there is access to the device. Airplane mode disables a device's wireless transmission functions, such as the cellular radio, Wi-Fi, and Bluetooth. However, this may not always be possible because most devices are screen-locked. Also, as Wi-Fi is now available in airplanes, some devices allow Wi-Fi access in Airplane mode. Hence, an alternate solution is to use a Faraday bag or an RF isolation box, as both effectively block signals to and from the mobile phone. One concern with these isolation methods, however, is that once they're employed, it is difficult to work with the phone because you cannot see through them to use the touch screen or keypad. For this reason, Faraday tents and rooms exist, as shown in the following screenshot, but they are very expensive.

Pyramid-shaped Faraday tent

Even after taking all these precautions, certain automatic functions, such as alarms, can still trigger. If such a situation is encountered, it must be properly documented.

Acquisition

The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straightforward. The extraction method is chosen based on the operating system, make, and model of the device. The following types of acquisition methods can be used to extract data from a device:

  • Manual acquisition: This is the simplest of all acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only those files and data that are visible through the normal user interface can be extracted. Data extracted through other methods can also be verified using this method.

  • Logical acquisition: This is also called logical extraction. This generally refers to extracting the files that are present on a logical store such as a filesystem partition. This involves obtaining data types, such as text messages, call history, pictures and so on, from a phone. The logical extraction technique works by using the original equipment manufacturer's APIs for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:

    • Call Logs

    • SMS

    • MMS

    • Browser history

    • People

    • Contact methods

    • Contacts extensions

    • Contacts groups

    • Contacts phones

    • Contacts setting

    • External image media (metadata)

    • External image thumbnail media (metadata)

    • External media, audio, and misc. (metadata)

    • External videos (metadata)

    • MMSParts (includes full images sent via MMS)

    • Location details (GPS data)

    • Internet activity

    • Organizations

    • List of all applications installed, along with their version

    • Social networking apps data such as WhatsApp, Skype, Facebook, and so on.

  • Filesystem acquisition: This is a logical procedure and generally refers to the extraction of the full file system from a mobile device. File system acquisition can sometimes help in recovering content that has been deleted from the device but still resides in SQLite database files.

  • Physical acquisition: This involves making a bit-by-bit copy of the entire flash memory. The data extracted using this method is usually in the form of raw data (a hexadecimal dump), which can then be further parsed to obtain file system information or human-readable data. Since all investigation is performed on this image, this process also ensures that the original evidence is not altered.

Examination and Analysis

In this phase, different software tools are used to extract the data from the memory image. In addition to these tools, an investigator would also need the help of a hex editor, as tools do not always extract all the data. There is no single tool that can be used in all cases. Hence, examination and analysis requires a sound knowledge of various file systems, file headers, and so on.
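As an added example (not code from the book), the following Python script shows two checks an examiner makes on a physical image: hashing the acquired image so the chain-of-custody record can prove the working copy was not altered, and scanning the raw dump for well-known file headers (SQLite, JPEG, PNG) the way one would with a hex editor. The sample dump is constructed inline and is not a real device image.

```python
import hashlib
import struct

# Well-known file signatures (magic bytes) an examiner looks for in a raw dump.
# These are standard format headers, not values taken from the book.
SIGNATURES = {
    b"SQLite format 3\x00": "sqlite",   # SQLite database (app data, SMS, contacts)
    b"\xff\xd8\xff": "jpeg",            # JPEG image (SOI marker)
    b"\x89PNG\r\n\x1a\n": "png",        # PNG image
}


def image_hash(image: bytes) -> str:
    """SHA-256 of the acquired image; record it in the chain-of-custody notes."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_hex: str) -> bool:
    """True if the working copy still matches the hash taken at acquisition."""
    return image_hash(image) == expected_hex


def find_signatures(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, type) for every known header found, sorted by offset."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (i := image.find(magic, start)) >= 0:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def sqlite_page_size(image: bytes, offset: int) -> int:
    """Page size from the SQLite header at `offset`: big-endian u16 at byte 16,
    where the value 1 encodes 65536. Pages are what a deleted-record carver walks."""
    (raw,) = struct.unpack(">H", image[offset + 16:offset + 18])
    return 65536 if raw == 1 else raw


# Constructed sample "physical dump": padding, a SQLite header with a 4096-byte
# page size, a JPEG header, and a PNG header. Not data from any real device.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"SQLite format 3\x00" + struct.pack(">H", 4096) + b"\x00" * 100
    + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
)

if __name__ == "__main__":
    digest = image_hash(SAMPLE_DUMP)
    for off, kind in find_signatures(SAMPLE_DUMP):
        extra = f" page_size={sqlite_page_size(SAMPLE_DUMP, off)}" if kind == "sqlite" else ""
        print(f"0x{off:08x} {kind}{extra}")
    print("sha256:", digest, "unchanged:", verify_image(SAMPLE_DUMP, digest))
```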

Reporting

Documentation of the examination should be done throughout the process, noting down what was done in each phase. The following points might be documented by an examiner:

  • Date and time the examination started

  • Physical condition of the phone

  • The status of the phone when received (ON/OFF)

  • Make, model, and operating system of the phone

  • Pictures of the phone and individual components

  • Tools used during the investigation

  • Data documented during the examination

The data extracted from the mobile device should be clearly presented to the recipient so that it can be imported into other software for further analysis. In civil or criminal cases, wherever possible, pictures of the data as it existed on the phone should be collected, as they can be visually compelling to a jury.