In this chapter, we'll cover the following recipes:
There are a lot of tools for analysis of physical dumps and backups of mobile devices running Android operating systems. These tools include all the best mobile forensics tools, such as UFED Physical Analyzer (Cellebrite), Oxygen Forensics (Oxygen Forensics, Inc), .XRY (MSAB), MOBILedit Forensic Express (COMPELSON Labs), and Secure View (Susteen).
Computer forensics software developers also try to include the functionality for extracting and analyzing mobile devices in their products. These tools are: Encase Forensic (OpenText Corp.), MPE+ (AccessData), Belkasoft Evidence Center (Belkasoft), AXIOM (Magnet Forensics), E3: UNIVERSAL (Paraben Corporation), and so on.
It is surprising, but some mobile forensics experts do not know that physical dumps and backups can be analyzed via a free tool – Autopsy, or via a cheap tool that has good functionality - Andriller.
Manufacturers of hardware solutions for damaged mobile device analysis, such as Rusolut Sp. and ACE Lab companies, also...
The undeniable advantage of Autopsy over other mobile forensics tools is that it is free, meaning that it is available for anyone who wants to analyze his mobile device. Physical dumps of mobile devices running Android operating systems can be analyzed via Autopsy.
Go to the website of the program. In the website's menu select Autopsy | Download and click Download Now. On the download page, select the version of the program that corresponds to your operating system by clicking on Download 64-bit or Download 32-bit. When the installation file is downloaded, go to the directory on your computer where the downloaded files are saved, and double-click the icon of the downloaded file. Follow the instructions during installation of the program.
The Oxygen Forensic program has already been described in the Chapter 1, SIM Cards Acquisition and Analysis. The Oxygen Forensic program has a specialized Oxygen Forensic Extractor module that can be used to make logical extraction, backup, and physical dump of a mobile device running Android operating systems. The Oxygen Forensic program is able to import and analyze the mobile device’s data extracted via other hardware and software. The program can import the following types of images and data of Android devices:
As an example, the import of data from Android TOT containers will be described. These containers can be created by some types of flashers during the process of an Android device’s memory reading.
The Belkasoft Evidence Center program has already been described in Chapter 2, Android Devices Acquisition. This program has functionality for data import from physical dumps and backups of Android mobile devices.
In this chapter, we will describe how to analyze a backup of an Android mobile device via Belkasoft Evidence Center.
New Case button.Case name, Root folder, Case folder, Investigator, and Time zone. If necessary, you can add a more detailed description of the case in the Description window.Create and open button located at the bottom of this window. In the next window, in the drop-down menu, you can select the category of files that will be displayed in it.Android backup file (* .ab) category, select the Android device's backup file, and then click the Next...The AXIOM program, developed by the Magnet Forensics company, is a popular tool that is used both for computer forensics and for mobile forensics. It has three components:
The AXIOM program is able to extract data from Android mobile devices and analyze backups and physical dumps of such devices created earlier via Magnet Acquire or other tools.
In this chapter, we will describe the analysis of an Android mobile device via AXIOM.
As mentioned before, classical tools for computer forensics also increase their functionality in the examination of mobile devices. This is due to the fact that every year the number of mobile devices that come for examination to forensic laboratories increases. It means that experts need software for their analysis. Encase Forensic is following this trend. If we take a look at User Manual Encase Forensic, we can see that one third of this document is dedicated to the mobile devices' data extraction and analysis, their physical dumps, and backups. Encase Forensic can extract data from Android mobile devices and analyze their backups and physical dumps.
In this chapter, we will describe the analysis of an Android mobile device’s backup via Encase Forensic.
Any expert understands the importance of analyzing the thumbnail databases of graphics files and video files on the device. As well as on computers, similar bases can be found on Android mobile devices. The complexity of their examination is that its bases have different names and are saved on different paths (depending on the Android version). Even before the option of such bases analysis appeared in mobile forensics tools, in our forensic laboratory, ThumbnailExpert was used for detection and analysis of such databases.
ThumbnailExpert is designed to search for unusual thumbnail databases of graphics files created by various computer programs, but in addition to the extraction and analysis of thumbnail databases of the programs that are known to the tool, you can also search for new thumbnail databases. In order to search for such bases on an Android mobile device, you should copy the partition "user" filesystem from your mobile device to your computer...
© 2017 Packt Publishing Limited All Rights Reserved
