By Andrew Hoog | June 5, 2011
Android Forensic Techniques
NOTE: This chapter is from my book “Android Forensics: Investigation, Analysis, and Mobile Security for Google Android” published by Syngress in 2011. Syngress authorized me to publish the chapter Android Forensic Techniques online. If you find the content helpful, please consider purchasing the book.
- Procedures for handling an Android device
- Imaging Android USB mass storage devices (coming soon)
- Logical techniques (coming soon)
- Physical techniques (coming soon)
Before we dive into the actual Android forensic techniques, there are a number of considerations that influence which technique forensic analysts should use. In this section, we will discuss the different types of investigations, the differences between logical and physical techniques, and how to limit or avoid modifications to the device.
Types of Investigations
There are a variety of situations that might benefit from the results of an Android forensic investigation. While the application of forensics is a commonality in all the situations, each one may require different procedures, documentation, and overall focus.
The first situation that generally comes to mind is an investigation that will likely be adjudicated in a criminal or civil court of law. In these situations, there are a number of important considerations:
- Chain of custody
- Detailed contemporaneous notes and final reporting
- Possible validation of results using different tools or investigators
- Fact- or opinion-based testimony
Another common scenario is internal investigations in corporations. These investigations may end up litigated in court, but often they are used to determine the root cause of an issue (whether that is a system, external attack, or internal employee) and may result in disciplinary action against an employee.
Internal corporate investigations can cover many areas but the most common include:
- Intellectual property or data theft
- Inappropriate use of company resources
- Attempted or successful attack against computer systems
- Employment-related investigations including discrimination, sexual harassment, etc.
- Security audit (random or targeted)
There is also a need for forensics in cases involving family matters. The most common cases involve:
- Child custody
- Estate disputes
One final area where forensic investigation can yield significant value is for the security and operation of a government. Governments are usually the largest employer in a country and the United States is a good example. According to the US Census Bureau, data from the 2009 Annual Survey of Public Employment and Payroll revealed that the Federal government across all functions had over 3 million employees, while state and local governments had 16.6 million full-time equivalent employees (Government Employment & Payroll, n.d.).
Beyond employment-related matters, countries are also the potential target of attacks and foreign government intelligence gathering. Forensics can play a key role in thwarting attacks against a country, investigating successful attacks, counter intelligence scenarios, and in providing valuable intelligence needed for the governing of the country.
Difference Between Logical and Physical Techniques
Android forensic techniques are either logical or physical in nature. A logical technique extracts allocated data and is typically achieved by accessing the file system. Allocated data simply means that the data are not deleted and are accessible on the file system. One exception to this definition is that some files, such as an SQLite database, can be allocated and still contain deleted records in the database. While recovery of the deleted data requires special tools and techniques, it is possible to recover deleted data from a logical acquisition.
Physical techniques, on the other hand, target the physical storage medium directly and do not rely on the file system itself to access the data. There are advantages to this approach; the most significant is that physical techniques likely provide access to significant amounts of deleted data. As discussed in Chapter 4, file systems often only mark data as deleted or obsolete, and do not actually erase the storage medium unless needed. As physical forensic techniques provide direct access to the storage medium, it is possible to recover both the allocated and the unallocated (deleted or obsolete) data.
Of course, the analysis of an Android physical acquisition is generally far more difficult and time consuming. Also, the physical techniques are more difficult to execute and missteps could leave the device inaccessible.
In Android forensics, the most common logical technique does not provide direct access to the file system and operates at a more abstract and less-effective level than the traditional logical techniques, which can acquire all nondeleted data directly from the file system. This technique, which relies on the Content Providers built into the Android platform and software development kit (SDK), is effective in producing some important forensic data, but only a fraction of the data that are available on the system.
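The point above that an allocated SQLite file can still hold deleted records is easy to see on a constructed database. This added example (my own illustration, not code from the book) builds a small contacts table, deletes one row, and compares what a logical query returns with what a raw byte scan of the file finds; it also shows the caveat that SQLite's secure_delete setting zeroes freed cells, removing what the scan would otherwise recover. The table name, contact values and file name are constructed for the demonstration.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data: a small contacts table like those Android apps keep.
CONTACTS = [("Alice Example", "555-0101"), ("Bob Sample", "555-0102"), ("Carol Test", "555-0103")]
DELETED_NAME = "Bob Sample"


def build_db(path, secure_delete):
    """Create the contacts DB, then delete one row under the given secure_delete setting."""
    conn = sqlite3.connect(path)
    # Rollback journal (the default): page changes land in the main file, not a -wal file.
    conn.execute("PRAGMA journal_mode = DELETE")
    # With secure_delete OFF, SQLite only relinks the freed cell; its bytes stay on the page.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts (name, phone) VALUES (?, ?)", CONTACTS)
    conn.commit()
    conn.execute("DELETE FROM contacts WHERE name = ?", (DELETED_NAME,))
    conn.commit()
    conn.close()


def logical_names(path):
    """What a logical acquisition through the SQLite API sees: allocated rows only."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT name FROM contacts ORDER BY id")]
    finally:
        conn.close()


def carve_string(path, needle):
    """Scan the raw file bytes for a UTF-8 string, ignoring the b-tree structure entirely."""
    raw = Path(path).read_bytes()
    return raw.find(needle.encode("utf-8")) != -1


def compare(secure_delete):
    """Return (seen_by_logical_query, recoverable_from_raw_bytes) for the deleted contact."""
    with tempfile.TemporaryDirectory() as tmp:
        path = str(Path(tmp) / "contacts.db")
        build_db(path, secure_delete)
        return DELETED_NAME in logical_names(path), carve_string(path, DELETED_NAME)


if __name__ == "__main__":
    for flag in (False, True):
        logical, carved = compare(flag)
        print("secure_delete=%s: logical query sees row=%s, raw bytes still hold name=%s"
              % ("ON" if flag else "OFF", logical, carved))
```

A real carver parses the page freeblocks and unallocated cell area rather than searching for a known string, but the contrast is the same: the logical view never returns the row, while the file still holds it until the space is overwritten or securely deleted.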
Modification of the Target Device
One of the guiding principles of any forensic investigation is to avoid modification of the target device in any manner. In many cases, this is achievable. For example, let’s assume you are handed a desktop computer that is not powered on. You are informed it was seized from a suspect and that you need to launch a forensic investigation. The device is fairly easy to investigate without material changes to the data after you take custody. A typical investigation would fully document the computer, remove the hard drive, and connect it to a physical write blocker and acquire a bit-by-bit forensically sound image of the hard drive. The investigation would then take place on copies of the forensic image and the original device would remain unchanged.
As the power and functionality of computers has increased, this ideal situation has become more and more difficult to achieve. First, let’s assume you are called to the scene of an investigation and there is a desktop computer, but this time the computer is in operation. Any interaction with the computer, whether you simply move it or even physically unplug the device, will modify the device in some way. While many examiners advocate simply unplugging the computer, unplugging the computer still changes the computer as the contents of RAM, open network connections, and more (all of which can be quite valuable in an investigation) are permanently lost.
If you instead decide to examine the device while it is running, all interactions change the device. To further complicate an investigation, it is possible that the computer is leveraging encryption and, while the device is running, that data may be accessible. However, if the device is powered off and you don’t have the encryption keys, then you may permanently lose the ability to recover that data.
Another complicating factor can be the existence of servers that have special hardware, complex setups, or that simply cannot be powered down without significant impact to other systems or people. Some examples of complex service setups include complicated RAID setup, setups that rely on network-based storage area networks (SAN), and unsupported hardware. In such cases, the examiner must interact directly with the device while it is running even though those actions change the device.
Of course, mobile devices, and Android devices in particular, are nearly impossible to forensically analyze without any impact to the device. Unlike desktops, notebooks, and servers, there are portions of storage on an Android device that cannot be easily removed. And if the device is powered on, a shutdown of the device or pulling the battery again changes the device.
When mobile phones were first showing up in investigations, there was very little data stored in them that could be extracted from the device. Many investigations used traditional approaches, such as a search warrant on the wireless carrier to obtain call detail records. It was also possible to remove the subscriber identity module (SIM) card on GSM devices and extract some data. As phones began to store more data, there developed a deep divide between examiners who advocated the older methods (which had little impact on the device and subsequently retrieved only nominal data) and those who advocated exploiting the device more fully. The techniques used to exploit the devices did modify the device, leading to the ensuing debate.
As of 2011, much of the debate has subsided because the amount of data mobile devices now hold necessitates the more intrusive techniques. The Association of Chief Police Officers in the United Kingdom produces guidelines that address this issue quite clearly. The guide, Good Practice Guide for Computer-Based Electronic Evidence (ACPO Good Practice Guide, n.d.), establishes four principles of computer-based electronic evidence:
- No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court.
- In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
As mobile devices clearly present a circumstance where it is necessary to access the original device directly, then it is permissible provided the examiner is sufficiently trained, provides valid reasons for their approach, and keeps a clear audit trail so that their actions are repeatable by a third party. This is certainly good advice and helps provide a solid framework for the forensic investigation of mobile devices.