An Introduction to Forensics Data Acquisition From Android Mobile Devices
The role of a Digital Forensics Investigator (DFI) is rife with continuous learning
opportunities, especially as technology expands and proliferates into every corner of communications,
entertainment and business. As DFIs, we deal with a daily onslaught of new devices. Many of
these devices, like the cell phone or tablet, use common operating systems that we need to be familiar with.
The Android OS is predominant in the tablet and cell phone market, so DFIs will run into Android
devices in the course of many investigations. While there are several models that suggest approaches
to acquiring data from Android devices, this article introduces four viable methods that the
DFI should consider when gathering evidence from Android devices.
A Bit of History of the Android OS
Android's first commercial release was in September 2008, with version 1.0. Android is
the open-source, "free to use" operating system for mobile devices developed by Google.
Importantly, Google and a group of hardware companies formed the Open Handset Alliance
(OHA) in 2007 to foster and support the growth of Android in the marketplace. The OHA now
consists of 84 companies, including giants such as Samsung, HTC and Motorola (to name a few).
The alliance was established to compete with companies that had their own market offerings,
such as Apple, Microsoft (Windows 10 Mobile, which is now reportedly dead in the market)
and BlackBerry (which has ceased making hardware).
Regardless of whether an OS is defunct, the DFI must know about the various versions of
multiple operating system platforms, especially if their forensics focus is in a particular
realm, such as mobile devices.
Linux and Android
The current iteration of the Android OS is based on Linux. Keep in mind that "based on
Linux" does not mean the usual Linux applications will run on an Android device and, conversely,
the Android apps that you might enjoy (or are familiar with) will not necessarily run on your Linux
desktop. Android shares the Linux kernel, but Linux is not Android.
To clarify the point: Google selected the Linux kernel, the core of the Linux operating system,
to manage the hardware (drivers, process scheduling, memory management) so that Google's
developers would not have to be concerned with the specifics of how a given chipset works.
This allows their developers to focus on the broader operating system layer (the Android
runtime and application frameworks) and the user interface features of the Android OS.
A Large Market Share
The Android OS has a substantial share of the mobile device market, in large part because it is
open source and free for device makers to adopt. More than 328 million Android devices were shipped in
the third quarter of 2016 alone. And, according to netmarketshare.com, Android held the bulk of the
mobile operating system usage share in 2017 (nearly 67%) as of this writing.
As DFIs, we can expect to encounter Android-based hardware in the course of a typical
investigation. Due to the open-source nature of the Android OS, in conjunction with the varied
hardware platforms from Samsung, Motorola, HTC and others, the many combinations of hardware
type and OS implementation present an additional challenge.
Consider that Android is currently at version 7.1.1 (as of this writing), yet each phone manufacturer and mobile
device supplier typically modifies the OS for its specific hardware and service offerings.
This adds a layer of complexity for the DFI, since the approach to data acquisition may vary from one device to the next.
Before we dig deeper into additional attributes of the Android OS that complicate the
approach to data acquisition, let's look at the concept of a ROM version as applied
to an Android device. In Android usage, a "ROM" is the firmware image flashed onto the device:
typically the kernel and the system partition, and sometimes the bootloader and radio firmware as well.
The name is historical (this code once lived in read-only memory), and the device-specific ROM is often simply called firmware.
If you think in terms of a tablet in contrast to a cell phone, the tablet will have different
ROM programming from the cell phone, since the hardware features of the two devices
differ, even when both come from the same manufacturer.
Complicating the need for more specifics in the ROM program, add in the requirements
of cell service carriers (Verizon, AT&T, etc.), which ship their own customized ROM builds for the same model.
Because the ROM in place determines which acquisition methods are even possible (for example, whether
a privileged ADB shell is available), identifying exactly which ROM is on the device is the first step in acquisition.
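One practical way to pin down the hardware/ROM/carrier combination before choosing an acquisition method is to record the device's build properties. The script below, an added example and not part of the original article, parses the `[key]: [value]` output of `adb shell getprop`, decomposes `ro.build.fingerprint` into its documented fields, and lists what differs between two devices. The two property dumps are constructed for illustration, not captured from real devices.

```python
"""Build a device profile from `adb shell getprop` output.

Added example, not from the original article. Before choosing an acquisition
method a DFI should record exactly which hardware/ROM/carrier combination is in
hand; this parses the property dump and decomposes ro.build.fingerprint. The
two property dumps below are constructed, not captured from real devices.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a carrier-branded phone. Real output comes from
# `adb shell getprop`, one `[key]: [value]` pair per line.
PHONE_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-G930V]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.fingerprint]: [samsung/heroqltevzw/heroqltevzw:7.0/NRD90M/G930VVRU4BQA2:user/release-keys]
[ro.secure]: [1]
[ro.debuggable]: [0]
[gsm.sim.operator.alpha]: [Verizon]
"""

# Constructed sample: a Wi-Fi tablet from the same manufacturer. Same Android
# release and build ID, yet a different product/device and incremental build.
TABLET_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-T813]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.fingerprint]: [samsung/gts210vewifixx/gts210vewifi:7.0/NRD90M/T813XXU2BQI1:user/release-keys]
[ro.secure]: [1]
[ro.debuggable]: [0]
[gsm.sim.operator.alpha]: []
"""

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Android documents ro.build.fingerprint as
# BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS
FINGERPRINT = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<build_type>[^/]+)/(?P<tags>.+)$"
)


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a dict; malformed lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_fingerprint(fp: str) -> Optional[Dict[str, str]]:
    """Split a build fingerprint into its named fields, or None if malformed."""
    m = FINGERPRINT.match(fp)
    return m.groupdict() if m else None


def device_profile(text: str) -> Dict[str, object]:
    """Summarise the properties a DFI records before acquisition."""
    props = parse_getprop(text)
    fp = parse_fingerprint(props.get("ro.build.fingerprint", "")) or {}
    return {
        "manufacturer": props.get("ro.product.manufacturer", ""),
        "model": props.get("ro.product.model", ""),
        "android_release": props.get("ro.build.version.release", ""),
        "api_level": props.get("ro.build.version.sdk", ""),
        "carrier": props.get("gsm.sim.operator.alpha", "") or None,
        "fingerprint": fp,
        # A `user` build signed with release-keys is a stock (OEM-signed) ROM;
        # test-keys or a userdebug/eng build points to a custom or developer image.
        "stock_signed_build": fp.get("build_type") == "user"
        and fp.get("tags") == "release-keys",
        # With ro.secure=1 and ro.debuggable=0, adbd runs as the unprivileged
        # shell user and `adb root` is refused, so ADB alone cannot read
        # application data under /data; another acquisition method is needed.
        "adb_root_available": props.get("ro.debuggable") == "1",
    }


def profile_differences(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """List the fields on which two profiles differ (fingerprint fields individually)."""
    diffs: List[str] = []
    for key in sorted(set(a) | set(b)):
        if key == "fingerprint":
            fa, fb = a.get(key) or {}, b.get(key) or {}
            diffs += [f"fingerprint.{k}" for k in sorted(set(fa) | set(fb))
                      if fa.get(k) != fb.get(k)]
        elif a.get(key) != b.get(key):
            diffs.append(key)
    return diffs


if __name__ == "__main__":
    phone, tablet = device_profile(PHONE_GETPROP), device_profile(TABLET_GETPROP)
    for name, p in (("phone", phone), ("tablet", tablet)):
        print(name, p["manufacturer"], p["model"], p["android_release"],
              "carrier=%s" % p["carrier"], "adb_root=%s" % p["adb_root_available"])
    print("differs on:", ", ".join(profile_differences(phone, tablet)))
```

Run against a live device with `adb shell getprop > props.txt` and feed the file to `device_profile`. The two constructed dumps share a manufacturer, Android release and build ID, yet differ in product, device codename, incremental build and carrier, which is exactly the variance the ROM discussion above describes; the `adb_root_available` flag is the first thing to check, since a production build refuses `adb root` and rules out the simplest acquisition path.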