A comprehensive guide to Android forensics, from setting up the workstation to analyzing key artifacts
Many forensic examiners rely on commercial, push-button tools to retrieve and analyze data, even though there is no tool that does either of these jobs perfectly.
Learning Android Forensics will introduce you to the most up-to-date Android platform and its architecture, and provide a high-level overview of what Android forensics entails. You will understand how data is stored on Android devices and how to set up a digital forensic examination environment. As you make your way through the chapters, you will work through various physical and logical techniques to extract data from devices in order to obtain forensic evidence. You will also learn how to recover deleted data and forensically analyze application data with the help of various open source and commercial tools. In the concluding chapters, you will explore malware analysis so that you’ll be able to investigate cybersecurity incidents involving Android malware.
By the end of this book, you will have a complete understanding of the Android forensic process, you will have explored open source and commercial forensic tools, and will have basic skills of Android malware identification and analysis.
If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.
Page count: 318
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Technical Editor: Prachi Sawant
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Tom Scaria
Production Coordinator: Jyoti Chauhan
First published: April 2015
Second edition: December 2018
Production reference: 1211218
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78913-101-7
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools, to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Oleg Skulkin is senior digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, MCFE, and ACE. Oleg is the co-author of Windows Forensics Cookbook and Practical Mobile Forensics, as well as the author of many blog posts and articles you can find online. Finally, he is one of the people behind Cyber Forensicator.
Donnie Tindall is a principal incident response consultant with the Crypsis Group, where he handles incident response engagements encompassing the full lifecycle of cyber security events. His corporate and consulting background is primarily in conducting sensitive forensics examinations for federal government clients, particularly the U.S. military and the Intelligence Community. Before moving into Incident Response, Donnie had an extensive background in mobile forensics, application security research, and exploitation. He is also an IACIS Certified Forensic Computer Examiner and former Community Instructor of FOR585, the SANS Institute's smartphone forensics course.
Rohit Tamma is a security program manager currently working for Microsoft. With over 9 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and security training. Rohit has also co-authored a couple of books, Practical Mobile Forensics and Learning Android Forensics, which explain a number of ways of performing forensics on mobile platforms. You can contact him on Twitter at @RohitTamma.
Igor Mikhaylov has been working as a forensic examiner for 21 years. During this time, he has attended a lot of seminars and training classes organized by leading digital forensic companies (such as Guidance Software, AccessData, and Cellebrite) and forensic departments of government organizations of the Russian Federation. He has experience and skills in computer forensics, incident response, cell phone forensics, chip-off forensics, malware forensics, data recovery, digital image analysis, video forensics, and big data. He has written three tutorials on cell phone forensics and incident response for Russian forensic examiners.
Gautam Kumawat is the world's youngest cyber crime investigator and a self-trained cyber security expert who hails from India. He is currently helping various prestigious institutions, such as the State Police, the Central Bureau of Investigation, the Department of Defense, the Indian Army, and the Central Detective Training School, in the sphere of training officials and solving complex cyber crime cases. He has also provided training for the New York City Police Department and Interpol. His expertise in the cyber security industry far outweighs the standard number of security assessments, audits, compliance, governance, incident response, and forensic projects that he carries out in day-to-day operations involving big Fortune companies.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Learning Android Forensics Second Edition
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation preparation
Seizure and isolation
The acquisition phase
Examination and analysis
Reporting
Challenges in mobile forensics
Android architecture
The Linux kernel
Hardware abstraction level
Android Runtime
Native C/C++ Libraries
Java API Framework
The application layer
Android security
Security at OS level through the Linux kernel
Permission model
Sample permission model in Android
Application sandboxing
SELinux in Android
Application signing
Secure inter-process communication
Binder communication model
Android hardware components
Core components
Central Processing Unit (CPU)
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The bootloader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
Setting up the Android Forensic Environment
Android forensic setup
Android SDK
Installing the Android SDK
Android Virtual Device
Connecting and accessing Android devices from the workstation
Identifying the correct device cable
Installing device drivers
Accessing the device
Android Debug Bridge
Using ADB to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the ADB server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
Identifying partition layout
Android file hierarchy
Overview of directories
The acct directory
The cache directory
The config directory
The data directory
The dev directory
The mnt directory
The proc directory
The sbin directory
The storage directory
The system directory
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Root access
Manual ADB data extraction
USB Debugging
Using adb shell to determine if a device is rooted
adb pull
Recovery Mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Helium backup extractions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Voice
Trusted Location
Trusted Device
On-body Detection
General bypass information
Removing Android lock screens
Removing PIN/password with ADB
Removing PIN/Password with ADB and SQL
Android SIM card extractions
Acquiring SIM card data
SIM Security
SIM cloning
Summary
Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image  
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Extracting data physically with Magnet ACQUIRE
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Summary
Recovering Deleted Data from an Android Device
Data recovery overview
How can deleted files be recovered?
Recovering deleted data from SD cards
Recovering deleted records from SQLite databases
Recovering deleted data from internal memory
Recovering deleted data using file carving
Summary
Forensic Analysis of Android Applications
Application analysis overview
Why do app analysis?
Layout of this chapter
Determining which apps are installed
Understanding Unix epoch time
Wi-Fi analysis
Contacts/Call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the Webkit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db
Summary
Android Forensic Tools Overview
Autopsy
Creating a case in Autopsy
Analyzing data in Autopsy
Belkasoft Evidence Center
Creating a case in Belkasoft Evidence Center
Analyzing data in Belkasoft Evidence Center
Magnet AXIOM
Creating a case in Magnet AXIOM
Analyzing data in Magnet AXIOM
Summary
Identifying Android Malware
An introduction to Android malware
Android malware overview
Banking malware 
Spyware
Adware
Ransomware
Cryptomining malware
Android malware identification
Android malware identification using antivirus scanners
Android malware identification using VirusTotal
Android malware identification using YARA rules
Summary
Android Malware Analysis
Dynamic analysis of malicious Android applications 
Dynamic analysis using an online sandbox
Static analysis of malicious Android applications
Unpacking Android applications
Manifest file decoding and analysis
Android application decompilation
Viewing and analyzing decompiled code
Summary
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think
By the end of this book, you will have a complete understanding of the Android forensic process, explored open source forensic tools, and investigated mobile cyber security incidents.
Chapter 1, Introducing Android Forensics, helps you to understand the Android architecture and the security model, both of which are crucial to a proper understanding of Android forensics. This chapter will also explain the inherent security features of the Android OS, such as application sandboxing and the permission model, which safeguard the device from various threats but also pose an obstacle to forensic experts during an investigation.
Chapter 2, Setting Up the Android Forensic Environment, takes you through everything that is necessary to have an established forensic setup for examining Android devices.
Chapter 3, Understanding Data Storage on Android Devices, helps you to know what kind of data is stored on the device, where it is stored, how it is stored, and details of the filesystems on which the data is stored. This knowledge is especially important for a forensic analyst to make an informed decision about where to look for data and which techniques can be used to extract it.
Chapter 4, Extracting Data Logically from Android Devices, covers logical data extraction, and the use of free and open source tools wherever possible. The majority of the material covered in this chapter will use the Android Debug Bridge (ADB) methods.
Chapter 5, Extracting Data Physically from Android Devices, covers physical data extraction, using free and open source tools wherever possible.
Chapter 6, Recovering Deleted Data from an Android Device, provides an overview regarding the recovery of data deleted from an Android device.
Chapter 7, Forensic Analysis of Android Applications, covers application analysis, using free and open source tools. This chapter will focus on analyzing the data that would be recovered using any of the logical or physical techniques, while also relying heavily on the storage methods. We will see numerous SQLite databases, XML files, and other file types from various locations within the file hierarchy described in Chapter 3.
Chapter 8, Android Forensic Tools Overview, provides an overview of free and commercial Android forensic tools, and demonstrates how to use these tools for common investigative scenarios.
Chapter 9, Identifying Android Malware, includes an overview of what malware is, and how to identify it using antivirus scanners, VirusTotal, and YARA rules.
Chapter 10, Android Malware Analysis, describes the process of dynamic and static analysis of malicious Android applications.
This book covers various forensic approaches and techniques on Android devices. The content is organized in a manner that allows any user to examine an Android device and perform forensic investigation. No prerequisite knowledge is needed because all the topics are explained, from basic to in-depth. A knowledge of mobile platforms, especially Android, will definitely be an advantage. Wherever possible, the steps required to perform various forensic activities using tools are explained in detail.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781789131017_ColorImages.pdf.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Mobile forensics is a branch of digital forensics that is evolving in today's digital era and is constantly changing as new phones are released and operating systems are updated. Android forensics deals with extracting, recovering, and analyzing data present on an Android device through various techniques. Due to the open nature of the Android operating system, these forensic techniques and methods can apply to more than just mobile phones: refrigerators, vehicle entertainment units, televisions, watches, and many more devices run Android.
It's important to have a clear understanding of the platform and other fundamentals before we dive in and find out how to extract data. In this chapter, we'll cover the following:
Mobile forensics
The mobile forensics approach
Challenges in mobile forensics
Android architecture
Android security
Android hardware components
Android boot process
The world today is experiencing technological innovation like never before, and this growth is almost exponential in the field of mobile devices. Gartner, a technology research and advisory firm, in their forecasts published in January 2018, estimated that mobile phone shipments in 2017 totaled 2.28 billion units and would increase to 2.32 billion in 2018. This statistic alone reflects the unprecedented growth of mobile devices. Mobile phones have not only increased in number but have also become more sophisticated in terms of functionality. The number of mobile phone subscribers has also grown significantly between 1997 and 2018.
You probably don't need to be told that smartphones are an increasingly large subset of mobile phones. The improvements in the computing power and data storage of these devices enable us to perform a wide range of activities, and we are becoming increasingly dependent on these mobile devices. Apart from performing routine tasks such as making calls and sending messages, these devices also support other activities such as sending emails, surfing the internet, recording videos, creating and storing documents, identifying locations with Global Positioning System (GPS) services, and managing business tasks. In other words, mobile devices are now repositories of sensitive personal information.
Quite often, the data sitting in a device is more valuable than the device itself. Imagine a case involving the smartphone of a suspected terrorist; how useful would it be for law enforcement to access every contact, call, SMS, or email that the suspect had sent or received? Or, perhaps even better, every location that the phone had been? While much of this data is generally available through the service provider, that often requires additional warrants or subpoenas and can take a significant amount of time. And consider third-party applications; WhatsApp chat content, for example, is end-to-end encrypted, and no amount of subpoenas to Facebook can recover that data. This book will show you how to recover data, such as WhatsApp chats, that may not be recoverable through any other method. The fact that mobile forensics played a crucial role in solving cases such as the 2010 Times Square car bombing attempt and the Boston marathon bombings reaffirms the increasing role of mobile forensics in solving many cases.
Mobile device forensics is a branch of digital forensics that deals with extracting, recovering, and analyzing digital evidence or data from a mobile device under forensically sound conditions. Simply put, it deals with accessing the data stored on devices, which includes SMS, contacts, call records, photos, videos, documents, application files, browsing history, and so on, and recovering data deleted from devices using various forensic techniques. It is important that the process of recovering or accessing data from a device is forensically sound, both so that the evidence can be admitted in a court of law and to maintain the integrity of the evidence. If the evidence has to be admitted in a court of law, it's important to work only on the image file and not on the original device itself.
The term forensically sound is often used in the digital forensics community to clarify the correct use of a particular forensic technology or methodology. Mobile forensics, especially Android forensics, is evolving fast, owing to the fact that Android has a total market share of 85 percent (as per the market research firm IDC).
As explained by Eoghan Casey, in his book Digital Forensics and Investigation, forensic soundness is not just about keeping the original evidence unaltered. Even the routine task of acquiring data from a hard drive using a hardware write blocker may cause alterations (for example, making a hidden area of the hard drive accessible) on the drive. One of the keys to forensic soundness is documentation. Documenting how the device is handled from the beginning is very important. Hence, an investigation can be considered forensically sound if the acquisition process preserves the original data and its authenticity and integrity can be validated. Evidence integrity checks ensure that the evidence has not been tampered with from the time it was collected. Integrity checks are done by comparing the digital fingerprint of the evidence taken at the time of collection with the digital fingerprint of the evidence in its current state.
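The integrity check described above, hashing the evidence at collection time and comparing that fingerprint with the evidence in its current state, is shown below as an added example. This is illustration code written for this page, not code from the book or its authors; the image content, the examiner name, the manifest file name and the simulated post-collection alteration are all constructed for the example, and SHA-256 is used as the digital fingerprint.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Compute the SHA-256 fingerprint of a file, reading it in chunks so that
    multi-gigabyte partition images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_collection(image_path, examiner, note=""):
    """Hash the evidence image at the time of collection and write the fingerprint,
    size, UTC timestamp and examiner into a manifest file beside the image.
    The manifest name (<image>.manifest.json) is an assumption of this example."""
    entry = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
    }
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return manifest_path


def verify_integrity(image_path):
    """Recompute the fingerprint and compare it with the one recorded at collection.
    Returns (ok, expected_sha256, actual_sha256) so a report can show both values."""
    with open(image_path + ".manifest.json") as f:
        entry = json.load(f)
    actual = sha256_file(image_path)
    return actual == entry["sha256"], entry["sha256"], actual


def demo():
    """Walk through collection, verification, alteration and re-verification.
    Returns (ok_before_change, ok_after_change)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "userdata.img")
    # Constructed sample: a tiny stand-in for a dd image of a partition.
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"ANDROID!" + b"\xff" * 4096)
    record_collection(image, examiner="Examiner A", note="constructed sample image")
    ok_before = verify_integrity(image)[0]
    # Simulate a single byte being written to the image after collection;
    # this is the kind of change the integrity check exists to expose.
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    ok_after = verify_integrity(image)[0]
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print("verified at collection:", before)   # True
    print("verified after change :", after)    # False
```

In practice the manifest would be kept with the chain-of-custody paperwork and the hash recomputed every time the image changes hands or is loaded into an analysis tool, so that any mismatch can be tied to a specific custody step.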
There is a growing need for mobile forensics due to several reasons, some of which include the following:
Use of mobile phones to store personal information
Increased use of mobile phones to perform online activities
Use of mobile phones in several crimes
Mobile forensics on a particular device is primarily dependent on the underlying operating system. Hence, we have different fields such as Android forensics, iOS forensics, and so on.
Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all of the cases. However, the overall process can be broken down into five phases, as shown in the following diagram:
The following section discusses each phase in detail.
This phase begins when a request for examination is received. It involves preparing all of the paperwork and forms required to document chain of custody, ownership information, device model, purpose, information that the requestor is seeking, and so on. Chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. From the details submitted by the requestor, it's important to have a clear understanding of the objective for each examination.
Handling the device during seizure is one of the important steps while performing forensic analysis. The evidence is usually transported using anti-static bags, which are designed to protect electronic components against damage produced by static electricity. As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device. At the same time, any opportunity that can aid the investigation should also not be missed. The following are some of the points that need to be considered while handling an Android device during this phase:
With increasing user awareness of security and privacy, most devices now have a screen lock enabled. During the time of seizure, if there is a chance (for instance, the phone is recovered unlocked), disable the passcode. Some devices don't ask the user to re-enter the passcode while disabling the lock screen option.
If the device is unlocked, try to change the settings of the device to allow greater access to the device. The following are some of the settings that can be considered to achieve this:
Enable USB debugging: Enabling this option gives greater access to the device through the Android Debug Bridge (ADB) connection. We are going to cover the ADB in detail in Chapter 2, Setting Up the Android Forensic Environment. This will greatly aid the forensic investigator during the data extraction process. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot. On newer Android versions, starting from 4.2, developer options are hidden by default. To enable them, navigate to Settings | About Phone (or Settings | System | About Phone on Android 8.0 or higher) and tap on the Build number seven times.
Enable the Stay Awake setting: Enabling this option and charging the device will make the device stay awake; in other words, it doesn't get locked. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot:
Increase screen timeout: This is the time for which the device will be active once it is unlocked. Depending on the device model, this time can be set up to 30 minutes. In most devices, it can be accessed under Settings | Display | Screen Timeout.
Please note that the location to access these items changes across different versions and models of Android phones and may not be available in all versions.
In mobile forensics, it is of crucial importance to protect the seized device so that our interaction with the evidence (or, for that matter, an attacker's attempt to remotely interact with the device) doesn't change the evidence. In computer forensics, we have software and hardware write blockers that can perform this function. But in mobile forensics, since we need to interact with the device to pull the data, these write blockers are not of any use. Another important aspect is that we also need to prevent the device from interacting with a wireless radio network. As mentioned earlier, there is a high probability that an attacker can issue remote wipe commands to delete all of the data including emails, applications, photos, contacts, and other files on the device.
The Android Device Manager and several other third-party apps allow the phone to be remotely wiped or locked. This can be done by signing into the Google account that is configured on the mobile. Using this software, an attacker can also locate the device, which could pose a security risk. For all of these reasons, isolating the device from all communication sources is very important.
Have you thought about remote wipe options without using the internet? Mobile Device Management (MDM) software, commonly used by companies to manage corporate devices, can provide remote wipe features just by sending an SMS. Isolating the device from all communication options is crucial.
To isolate the device from a network, we can put the device in Airplane mode if we have access to the device. Airplane mode disables a device's wireless transmission functions such as cellular radio, Wi-Fi, and Bluetooth. However, as Wi-Fi is now available in airplanes, some devices now allow Wi-Fi access in Airplane mode. The following screenshot shows the quick settings available by dragging down the top menu bar from the lock screen:
An alternate solution would be to use a Faraday bag or RF isolation box, as both effectively block signals to and from the mobile phone. One concern with these isolation methods is that, once they're employed, it is difficult to work with the phone because you cannot see through it to use the touchscreen or keypad. For this reason, Faraday tents and rooms exist, as shown in the following screenshot:
Even after taking all of these precautions, certain automatic functions such as alarms can still trigger. If such a situation is encountered, it must be properly documented.
The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting the data is not always straightforward. The extraction method is decided largely by the operating system, make, and model. The following are the types of acquisition methods that can be used to extract data from a device:
Manual acquisition is the simplest of all of the acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only the files and data visible through the normal user interface can be extracted. Data extracted through other methods can also be verified using this method. It should be noted that this option can very easily modify data on the device (for instance, opening an unread SMS will mark it as read), so these changes should be documented as thoroughly as possible.
Logical acquisition, also called logical extraction, generally refers to extracting the files that are present on a logical store such as a file system partition. This involves obtaining data types such as text messages, call history, and pictures from a phone. The logical extraction technique works by using the original equipment manufacturer's Application Programming Interfaces (APIs) for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:
Call logs
SMS
MMS
Browser history
People
Contact methods
Contacts extensions
Contacts groups
Contacts phones
Contacts setting
External Image Media (metadata)
External Image Thumbnail Media (metadata)
External Media, Audio, and Misc. (metadata)
External Videos (metadata)
MMSParts (includes full images sent via MMS)
Location details (GPS data)
Internet activity
Organizations
List of all applications installed and their versions
Social networking app data such as WhatsApp, Skype, and Facebook
File System acquisition is a logical procedure and generally refers to the extraction of a full file system from a mobile device. File system acquisition can sometimes help in recovering contents (stored in SQLite files) that have been deleted from the device.
Physical acquisition involves making a bit-for-bit copy of an entire flash storage device, equivalent to a full image of a hard drive. The data extracted using this method is usually in the form of raw data (as a hexadecimal dump) that can then be further parsed to obtain file system information or human-readable data. Since all investigations are performed on this image, this process also ensures that the original evidence is not altered.
In this phase, different software tools are used to extract the data from the memory image. In addition to the tools, an investigator may also need the help of a hex editor, as tools do not always extract all of the data. There is no single tool that can be used in all cases. Hence, examination and analysis require a sound knowledge of various file systems, file headers, and so on.
Documentation of the examination should be done throughout the process, noting down what was done in each phase. The following are a few points that might be documented by an examiner:
The date and time the examination started
The physical condition of the phone
The status of the phone when received (ON/OFF)
The make, model, and operating system of the phone
Pictures of the phone and individual components
The tools used during the investigation (including the version number)
Data documented during the examination
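The physical acquisition paragraph above describes a raw image that is hashed, worked on in place of the original evidence, and parsed for file system structures, and the list above names what the examiner records while doing so. The following script is an added example and is not code from the book or from any forensic tool it mentions: it builds a small constructed image in memory (a stand-in for a real dump), records MD5 and SHA-256 so a working copy can be verified against the original acquisition, scans the raw bytes for ext4 superblocks to locate candidate partitions, and assembles an examination record with the documentation fields listed above. The case identifier, examiner, device, and tool values are placeholders; the ext4 field offsets (superblock at byte 1024 of the partition, magic 0xEF53 at superblock offset 0x38, volume name at 0x78) are the on-disk layout of ext4.

```python
# Added example (not from the book): hash verification of a raw physical image,
# ext4 superblock scanning, and an examination record. The image is constructed
# in memory so the script runs offline; real dumps would be read from disk.
import hashlib
import struct
from datetime import datetime, timezone

SECTOR = 512
EXT4_SUPERBLOCK_OFFSET = 1024   # superblock sits 1024 bytes into an ext4 partition
EXT4_MAGIC = 0xEF53             # s_magic (little-endian) at superblock offset 0x38
EXT4_MAGIC_OFFSET = 0x38
EXT4_VOLNAME_OFFSET = 0x78      # s_volume_name, 16 bytes, at superblock offset 0x78


def build_sample_image() -> bytes:
    """Constructed stand-in for a physical dump: 2 MiB of zeros with one ext4-looking
    partition starting at sector 2048 (1 MiB), a common alignment on Android images."""
    image = bytearray(2 * 1024 * 1024)
    sb = 2048 * SECTOR + EXT4_SUPERBLOCK_OFFSET
    struct.pack_into("<H", image, sb + EXT4_MAGIC_OFFSET, EXT4_MAGIC)
    struct.pack_into("16s", image, sb + EXT4_VOLNAME_OFFSET, b"userdata")
    return bytes(image)


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-256 of the acquired image; both are kept so the copy can later be
    verified with whichever algorithm another tool reports."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_working_copy(original_hashes: dict, working_copy: bytes) -> bool:
    """True only if the working copy hashes identically to the original acquisition."""
    return hash_image(working_copy) == original_hashes


def find_ext4_superblocks(data: bytes) -> list:
    """Scan sector-aligned offsets for the ext4 magic and return candidate partition
    starts with their volume names. This is a heuristic: random data can also hit
    0xEF53, so candidates should be confirmed against the partition table."""
    hits = []
    last = len(data) - EXT4_SUPERBLOCK_OFFSET - EXT4_VOLNAME_OFFSET - 16
    for off in range(0, last, SECTOR):
        sb = off + EXT4_SUPERBLOCK_OFFSET
        if struct.unpack_from("<H", data, sb + EXT4_MAGIC_OFFSET)[0] != EXT4_MAGIC:
            continue
        raw_name = struct.unpack_from("16s", data, sb + EXT4_VOLNAME_OFFSET)[0]
        name = raw_name.split(b"\0", 1)[0].decode("utf-8", errors="replace")
        hits.append({"offset": off, "sector": off // SECTOR, "volume_name": name})
    return hits


def examination_record(case_id, examiner, device, tool, image, started=None) -> dict:
    """The fields the chapter says an examiner should document, plus the image hashes
    and the partitions found. `device` and `tool` are free-form dicts from the caller."""
    started = started or datetime.now(timezone.utc)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "started_utc": started.isoformat(),
        "device": device,            # make, model, OS version, condition, ON/OFF on receipt
        "tool": tool,                # tool name and version number
        "image_size_bytes": len(image),
        "image_hashes": hash_image(image),
        "ext4_candidates": find_ext4_superblocks(image),
    }


if __name__ == "__main__":
    original = build_sample_image()
    record = examination_record(
        case_id="CASE-0001",         # placeholder values, not from any real case
        examiner="A. Examiner",
        device={"make": "ExampleCo", "model": "X1", "os": "Android 10",
                "state_on_receipt": "ON"},
        tool={"name": "example-imager", "version": "0.1"},
        image=original,
    )
    print(record["image_hashes"]["sha256"], record["ext4_candidates"])
    tampered = bytearray(original)
    tampered[-1] ^= 1               # a single flipped bit is enough to fail verification
    print("working copy intact:", verify_working_copy(record["image_hashes"], original))
    print("tampered copy intact:", verify_working_copy(record["image_hashes"], bytes(tampered)))
```

In practice the hashes are computed once at acquisition time and again on every working copy before analysis; the superblock scan only suggests where file systems begin, and the offsets it reports are then handed to a proper file system parser rather than trusted on their own.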
The data extracted from the mobile device should be clearly presented to the recipient so that it can be imported into other software for further analysis. In the case of civil or criminal cases, wherever possible, pictures of data as it existed on the cellular phone should be collected, as they are visually compelling to a jury.
With the increased usage of Android devices and the wider array of communication platforms they support, the demand for forensic examination has grown accordingly. While working with mobile devices, forensic analysts face a number of challenges. The following points shed light on some of the mobile forensics challenges faced today:
Preventing data alteration on the device: One of the fundamental rules to remember in forensics is to preserve the original evidence. In other words, the forensic techniques that are applied on a device to extract any information should not alter the data present on the device. However, this is usually not practical with respect to mobile forensics because simply switching on a device might also change certain state variables present on the device. With mobile devices, background processes always run, and a sudden transition from one state to another can result in the loss or modification of data. Hence, there's a chance that data may be altered either intentionally or unintentionally by the forensic analyst. Apart from this, there is a high possibility that an attacker (or the user) can remotely change or delete the contents of the device. As mobile phones use different communication channels (cellular, Wi-Fi, Bluetooth, infrared, and so on), the possibility of communicating through them should be eliminated. Features such as remote data wiping would enable an attacker to remotely wipe the entire device just by sending an SMS or by simply pressing a button that sends a wipe request to the Android device. Unlike computer forensics, mobile device forensics requires more than just isolating the device from the network, and