Android Forensics Concept

Transcription

1 Android Forensics Concept Written by Zlatko Jovanovic Widely use of personal handheld devices, opened the new area in computer forensics field, called phone, cell, or mobile forensics. In the last few years, new type of personal handheld devices took over the market. That new type is Android device. The name is based on the platform devices use, which is a version of Linux 2.6 kernel (Hoog, 2011). At the beginning of the era of handheld devices, iphone had a dominant role at the market. Lately Apple is losing its market share to the Android devices, which is bringing a challenge for the Forensic experts. While computer forensics is in a sense narrowed discipline, mobile, or Android forensics, is a broader discipline. Reason for that are numbers of manufacturers and vendors, and each of them has its own devices, software, and accessories. There are now thousands of different devices with different hardware and software. As Hoog said, we have more than fifty manufacturers, over three hundred Android devices, four major releases, and hundreds of minor releases, the possible combinations are vast (Hoog, 2011). Forensic investigation of the Android devices has the same principles and practices as the computer forensics. Android forensics also requires five phases during the investigation: Preserving Identifying Acquiring Analyzing Reporting They are all equally important, and require precise steps and procedures to complete them. The steps to accomplish those five phases differ based on the device used in the investigation. Knowing of the operating system used, its version, type of memory, and file system is crucial for successful investigation of the Android device. Nena Lim and Anna Khoo (2009) compare Computer Forensics and Forensics of handheld devices with several issues, and found that they differ in following: on/off dilemma evidence volatility imaging process size of evidence technological development operating systems training Forensic tools (Nena & Anna, 2009).

2 One of the main differences between computer and mobile forensics, and main issue that arise during mobile forensics, is data acquisition. Because of its volatile nature, data acquisition from mobile device in most cases has to be live, which brings an issue of data tempering or losing. That is due to the volatile nature of the memory used in Android devices (RAM), which loses its content once powered off. RAM memory in the Android devices could have data such as: Passwords encryption keys usernames application data Data from the system processes and services (Hoog, 2011). Hoog is pointing out the important capability of the Android device, which is "a mechanism for dumping an application's memory to a file" (Hoog, 2011). Besides the RAM memory, Android devices have nonvolatile memory too. It is called NAND and it is flash type of memory. NAND memory is organized in chunks and blocks. Memory organization and data storing give huge possibility for investigators for data carving. Data found on the handheld devices is more private and could say more about the owner than data found in the personal computer. GPS coordinates can help investigators reconstruct user's physical position at the time in question. Hoog is listing the sample of the data that could be found in the Android device and includes the following: Text messages (SMS/MMS) Contacts Call logs messages Instant messenger/ Chat GPS coordinates Photos/ Video Web history Search history Driving directions Social media clients (Facebook, Twitter) Calendar appointments

3 Financial information Shopping history Music collection, files and files sharing (Hoog, 2011). Boot process is very different from the boot process used in the personal computers regardless of Operating System installed. It consists of seven key steps: Power on and on-chip boot ROM code execution The boot loader The Linux kernel The init process Zygote and Dalvik The system server Boot complete (Hoog, 2011) Android devices have file system that differs from file systems found on the personal computers. They are similar to file systems found on Linux systems. Some of the file systems are: rootfs tmpfs cgroup proc sysfs devpts ext3 yaffs2 vfat (Hoog, 2011). YAFFS2 was developed exclusively for android devices by Aleph One Ltd. It is "a log-structured file system, provides built in wear-leveling and error correction, capable of handling bad blocks, and is fast and has a small footprint in RAM" (Hoog, 2011). The issue with the YAFFS2 is that there is no forensic tool that supports it. It will probably stay that way, because it was announced that Android will move to an EXT4 file system. Rapid development of Android devices confirmed what was known by forensic experts already - continuously education is a must. With so many manufacturers, operating systems, and different devices, no one

4 can consider himself/herself a truly expert. There is still no forensic tool that can be used with any device. The race is still on.

5 References Hoog, A. (2011). Android forensics, Investigation, Analysis and Mobile security for Google Android. Waltham, MA: Syngress. NENA, L., & ANNE, K. (2009). Forensics of Computers and Handheld Devices Identical or Fraternal Twins?. Communications Of The ACM, 52(6),