Editor’s Note: Digital forensic investigation on mobile devices requires investigators to follow a step-by-step workflow to extract and analyze digital evidence. In this article, forensic experts from SalvationDATA continue their technical walkthrough of Android forensic data extraction using ADB to collect crucial device artifacts for digital forensic analysis and investigation.
Device Acquisition Procedure
Forensic acquisition is the process of making a bit-by-bit replica of the custodian’s device while maintaining the integrity of the data stored on it. Android devices, however, offer two levels of access, and the investigator has to determine which one applies during the preliminary acquisition steps.
Understanding Level of Access:
Android devices offer two levels of access: root and non-root. Devices ship with non-rooted access, which allows investigators to perform a logical acquisition rather than a physical one. In simple terms, whatever information is stored and available logically can be acquired.
Rooted devices, however, offer complete device access, comparable to administrator access. Such devices can be acquired both logically and physically: the logical partitions, system partitions, RAM, and ROM are all available for acquisition.
How to determine whether a device is rooted or non-rooted
Using forensic utilities:
Machine Prerequisites:
a. Open an ADB shell on the device and execute cd /data
b. Execute ls to view the files and folders present in the current directory
c. If ls returns no data, the system files and folders are hidden and cannot be modified, because that requires root permission. Hence, the device is non-rooted.
Traversing System Folders — (Non-Rooted Device)
Traversing System Folders — (Rooted Device)
Device imaging can be performed once we have identified whether the device is rooted or non-rooted.
Rooted Device Acquisition
Devices with root access can be acquired using manual methods or using a forensic tool such as SPF Pro.
Manual Acquisition Method:
Once you have entered the shell as the root user, check for the mounted partitions:
Exploring the available partitions:
Using the dd command we can acquire a memory block or partition.
Execute the following dd command:
dd if=/dev/block/mmcblk0 of=/extSdCard/image/mmcblk0.dd
Transfer the acquired memory block images to the investigation machine using adb pull or a direct file transfer over MTP:
You can also transfer the image files by copying them from the SD card using a memory card reader. Whenever files are transferred from a source to a destination, a write blocker should be active so that the evidence is not modified. Software-based write blockers can be used, or the memory card can be mounted read-only.
Non-Rooted Device Acquisition
Devices without root access can be acquired using logical acquisition techniques. A non-rooted device can be temporarily rooted and then acquired, but that process tampers with the user data and is therefore not recommended. Because access to the device is limited, non-rooted acquisition techniques extract only a minimal amount of data from an Android device. The following steps enumerate the procedure to acquire a non-rooted device:
1. Discovering the device via ADB
2. Executing ADB backup
3. On the device, confirm the full desktop backup by entering a secure password
4. A backup file (backup.ab) is created once the backup completes successfully
a. Alternatively, execute a local backup on the device
b. Navigate to Device > Settings > Backup and Restore
c. Check the available backup options, such as System settings and Application data
d. Validate the selected items and start the backup process
Device acquisition relies on the investigator to thoroughly maintain the integrity of the image. Image integrity can be maintained using hashing methods.
Hashing can be performed using software utilities, or using mobile forensic software such as SPF Pro, which creates hashes from the initial acquisition steps onward.
Image hashing depends on the algorithm the investigator chooses to check the data for integrity. Hashing algorithms such as MD5, SHA1, and SHA256 are used to create a unique hash value. The hash value can be revalidated at any point in the investigation to demonstrate that the image data remains intact.
Manual Hashing Methods:
While performing acquisition using the dd command, we can also hash the output image to a file. A rooted Android device supports only MD5 hashing by default.
Syntax: dd if=/dev/block/memory-block | tee /sdcard/output-image.dd | md5sum > /sdcard/hash.txt
Creates a dd image of the memory block and writes a text file with the computed hash of the image. (With of= set, dd writes nothing to standard output, so piping dd ... of=... into md5sum would hash an empty stream; tee writes the image and passes the same bytes on to md5sum.)
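The dd acquisition and the one-pass hashing above, written out as an added shell example (not code from the article or from SPF Pro): acquire_and_hash images a source with dd while tee feeds the identical byte stream to the hasher, and verify_image re-validates the stored image against the recorded hash at any later point. Paths are parameters; on a rooted device the source would be a block device such as /dev/block/mmcblk0 and the outputs would go under /sdcard, while the demonstration uses a constructed sample file.

```shell
#!/bin/sh
# Added example (not code from the article): image a source with dd, hash the
# same byte stream in one pass with tee, and re-verify the stored image against
# the recorded hash later. Paths are parameters so the functions can be tried on
# an ordinary file; on a rooted device the source would be e.g. /dev/block/mmcblk0
# and the image and hash file would be written under /sdcard.
set -u

HASHER="${HASHER:-md5sum}"   # the article relies on md5sum; sha256sum also works

# acquire_and_hash SOURCE IMAGE HASHFILE
# dd reads the source once; tee writes the image while the same bytes feed the
# hasher, so the recorded hash is of exactly what was written to disk.
acquire_and_hash() {
    src="$1"; img="$2"; hashfile="$3"
    dd if="$src" bs=4096 2>/dev/null | tee "$img" | "$HASHER" | cut -d' ' -f1 > "$hashfile"
    [ -s "$img" ] && [ -s "$hashfile" ]
}

# verify_image IMAGE HASHFILE: 0 if the image still matches the recorded hash, 1 otherwise
verify_image() {
    img="$1"; hashfile="$2"
    recorded=$(cat "$hashfile")
    current=$("$HASHER" < "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# demo: a constructed sample file stands in for a block device; the intact image
# verifies, an image altered after acquisition does not.
demo() {
    work=$(mktemp -d)
    printf 'constructed sample partition contents\n' > "$work/src.bin"
    acquire_and_hash "$work/src.bin" "$work/image.dd" "$work/image.md5" || return 1
    verify_image "$work/image.dd" "$work/image.md5" || return 1
    printf 'x' >> "$work/image.dd"
    if verify_image "$work/image.dd" "$work/image.md5"; then return 1; fi
    rm -rf "$work"
}

demo && echo "acquisition hashed and verified"
```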
Hashing Using Software Utilities:
Forensic software utilities provide the functionality to create hashes based on algorithms such as MD5, SHA1, SHA256, etc.
Once we have generated a backup file of the Android device (in .ab format), it can be imported into a preferred analysis tool, such as SalvationDATA’s mobile forensic system SPF Pro (SmartPhone Forensic System Professional), to parse the data and present it in a readable format.
SPF Pro can load and directly analyze an .ab format ADB backup file, extracting and presenting the acquired data in a way that is easy to read for forensic inspection.
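The non-rooted acquisition steps and the .ab import described above, as an added shell example (not code from the article or from SPF Pro): first_device_serial picks a fully authorised device out of adb devices output, adb_backup_all wraps the standard adb backup command behind step 2, and ab_header / ab_is_encrypted read the four plain-text header lines every Android backup file starts with, so the investigator can confirm that the password entered in step 3 actually produced an AES-256 encrypted backup before the file is handed to an analysis tool. The adb helpers assume a connected device with USB debugging enabled (adb backup is deprecated on current Android versions); the header checks and the demonstration run on constructed files with no device attached.

```shell
#!/bin/sh
# Added example (not code from the article or SPF Pro): logical acquisition of a
# non-rooted device with adb backup, then a sanity check of the resulting .ab file.
# The adb helpers need a connected device with USB debugging enabled; the header
# checks work on any file and are what the demonstration at the bottom exercises.
set -u

# first_device_serial: read `adb devices` output on stdin and print the serial of
# the first fully authorised device (status "device"), skipping "unauthorized"
# and "offline" entries, on which a backup would fail.
first_device_serial() {
    awk 'NR > 1 && $2 == "device" { print $1; exit }'
}

# adb_backup_all SERIAL OUTFILE: full logical backup including APKs and shared
# storage. The device shows a confirmation screen asking for the backup password
# (the article's step 3); the resulting file is in .ab format.
adb_backup_all() {
    adb -s "$1" backup -apk -shared -all -f "$2"
}

# ab_header FILE: print "version compressed encryption" from the four plain-text
# header lines every Android backup starts with; fail if the first line is not the
# magic "ANDROID BACKUP" (truncated transfer or not an .ab file at all).
ab_header() {
    [ "$(head -n 1 "$1")" = "ANDROID BACKUP" ] || return 1
    printf '%s %s %s\n' "$(sed -n '2p' "$1")" "$(sed -n '3p' "$1")" "$(sed -n '4p' "$1")"
}

# ab_is_encrypted FILE: 0 when the header records AES-256, i.e. a password was set.
ab_is_encrypted() {
    [ "$(ab_header "$1" | cut -d' ' -f3)" = "AES-256" ]
}

# demo: constructed sample header and adb devices listing; no device required.
demo() {
    work=$(mktemp -d)
    printf 'ANDROID BACKUP\n5\n1\nAES-256\nconstructed-payload\n' > "$work/backup.ab"
    ab_is_encrypted "$work/backup.ab" || return 1
    serial=$(printf 'List of devices attached\nemu-1 unauthorized\nABC123 device\n' | first_device_serial)
    [ "$serial" = "ABC123" ] || return 1
    rm -rf "$work"
}

# Real flow (commented out, needs a device):
#   serial=$(adb devices | first_device_serial); adb_backup_all "$serial" backup.ab
#   ab_is_encrypted backup.ab && echo "encrypted backup ready for analysis"
demo && echo "header check passed"
```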
The above is the forensic extraction procedure for a complete extraction of digital evidence from Android devices using ADB commands. Android forensic investigation requires an investigator to be proficient in the extraction and analysis of evidence. The methods used and the amount of data collected during device acquisition can be a crucial factor determining which artifacts can be extracted and, ultimately, what evidence is discovered.
Android is a rapidly evolving operating system, so acquisition methods will keep changing with the device and data access it provides. Google regularly releases patches for security enhancement and authorized device access. Extraction methods are also affected by the custom ROMs developed by individual device manufacturers, which forces an investigator to adapt the extraction method every time. Thanks for reading!
The latest update of SPF Pro (SmartPhone Forensic System Professional) is released now!
V6.113 version upgrade notes:
1. Optimized the automatic extraction for Huawei devices: improved the backup speed and added support for analyzing backups from the latest HiSuite version.
2. Optimized the OPPO automatic extraction and backup tool: improved the backup speed, allowed users to attempt to continue the backup after a backup failure, and improved stability.
3. Optimized the automatic extraction for vivo devices: solved the problem that some phones could not extract data from some third-party apps.
4. Added a “default iTunes backup password” setting, so the password no longer needs to be entered manually when extracting.
5. Added a “Calculate MD5 value of file when extracting file” setting, with support for exporting the values to the report.
6. Optimized the analysis of iOS WeChat: added group nickname, group joining method, and WeChat Favorites data analysis.
7. Upgraded the “photo/screenshot” function: screenshots and photos can be saved to a custom node and synchronized to the extraction results.
8. Updated some plugins:
Android: Skype(Intl), Line, ArticleNews, KakaoTalk, NinthChat, OperaBrowser, OutlookMail, Snapchat, Whatsapp, XiaoMiBrowser
As an integrated digital forensics & forensic data recovery solution provider, SalvationDATA never stops satisfying clients by keeping its software up to date. Here we are excited to announce that the newest version of DRS (Data Recovery System) is being released today!
Let’s have a look at what new features have been added to this all-in-one forensic data recovery tool:
1. Physical diagnostics is now available for all drives attached to the DRS hardware unit and to your PC. Quick Diagnostics, Scan Bad Sector and Sector View are all accessible whether or not the drive is plugged into the hardware unit.
2. New file system support: CDFS, UDF and F2FS are now supported for analysis (CDFS and UDF are not supported for Pattern Scan).
3. New image format support: VHD, VHDX.
4. New search options: folder name search and time search, allowing users to search for folders with certain keywords or to specify a time period to narrow down the search.
5. New feature in Disk Imaging: large disk image to small disk.
6. New feature in Hash Calculator: Hash calculation for physical drives.
7. New feature in imaging report: authentication of forensic image.
8. Multiple bugs fixed.
Editor’s note: On 25th September 2019, SalvationDATA participated in the 2019 Neijiang Talent Ceremony – Big Data Security Seminar.
During the seminar, a high-end talent recruitment ceremony for SalvationDATA was held. SalvationDATA hired Professor Pan Quan, Associate Professor Liu Yong and Associate Professor Yang Tao from Northwestern Polytechnical University to serve as chief scientist, chief strategy officer, and artificial intelligence CTO of the Digital Forensics & Data Recovery Laboratory in Sichuan Province, and to collaborate on new opportunities, new developments, and new achievements. Amid warm applause and witnessed by everyone present, Mr. Kenneth Liang, the founder of SalvationDATA, issued letters of appointment to the three experts, officially opening a new chapter in talent introduction.
Mr. Liang also delivered a keynote speech entitled “Tracing and Prevention of Big Data Security”. The speech explained and shared traceability and prevention solutions for big data security in cybercrime.
Check out our new event posted on Blog: [Product Launch] Leading Expert of Database Forensics Analysis System-DBF6300 Released Now!
Check out our new event posted on Blog: [Product Launch] The Efficient and Powerful Oracle Database Repair Tool-DBR for Oracle Released Now!
Editor’s note: At the end of November 2020, SalvationDATA held the “SalvationDATA Global Partners Awards 2020-2021” for its global partners under the theme “Intelligent Technology Enlightens the Future”. More than one hundred attendees, representatives of leading IT enterprises and well-known experts and scholars from universities and institutes, discussed and exchanged their opinions about the future of the industry. The interaction between the attendees and SalvationDATA’s experts was very active, and they showed great interest in the “iSee” Big Data Analytical Platform, DBF6300 Database Forensics and the Digital Lab & Command Center Integrated Solution.
Even though 2020 brought many challenges and difficulties, SalvationDATA never gave up on making improvements and innovations with the support of every partner. SalvationDATA highly appreciates our cooperation over these years, and the “SalvationDATA Global Partners Awards 2020-2021” aims to discuss and motivate brand-new ideas about industry trends and development in a time full of challenges and opportunities, and to make new breakthroughs!
The onsite award ceremony was held in the Dading Century Hotel, Chengdu, Sichuan, with the main schedule as below:
13:00 Guests Registration
13:30 Sponsor Opening
13:50 Experts Speech
14:30 “iSee” Big Data Analytical Platform Global Launching Show
15:40 Integrated Digital Lab Solution Global Launching Show
16:40 Outstanding Contribution Award
SalvationDATA global live streaming was held simultaneously, covering: DBF6300 Database Forensics / SRS SSD Data Recovery / “iSee” Big Data Analytical Platform / Digital Lab & Command Center Integrated Solution
14:00 South East Asia: Singapore, China HK, China Taiwan, Indonesia, Myanmar, Malaysia, Thailand, Vietnam, Cambodia…
15:30 Middle East and South Asia: UAE, Saudi Arabia, Oman, Qatar, Jordan, Israel, India, Nepal, Sri Lanka, Pakistan…
17:00 Europe: Russia, Spain, Italy, Germany, France, UK, Greece, Poland, Ukraine…
18:30 Africa: South Africa, Kenya, Uganda, Morocco…
21:00 South America: Brazil, Colombia, Peru, Argentina…