Mobile forensics is a branch of digital forensics which is evolving in today's digital era. Android forensics deals with extracting, recovering and analyzing the data present on an Android device through various techniques. However, it is important to have a clear understanding of the platform and other fundamentals before we dive in and find out how to extract data. In this chapter, we will cover the following topics:
Mobile forensics
Mobile forensics approach
Android architecture
Android security
Android hardware components
Android boot process
The world today is experiencing technological innovation like never before. This growth is almost exponential in the field of mobile devices. Gartner, a technology research and advisory firm, in their forecasts published in June 2014, predicted that mobile phone shipments are soon set to break 2.4 billion units. This statistic alone reflects the unprecedented growth of mobile devices. Mobile phones have not only increased in number but also have become more sophisticated in terms of functionality.
The following graph, referenced from http://en.wikipedia.org/wiki/File:Mobile_phone_subscribers_1997-2014_ITU.svg, shows the growth in mobile phone subscribers per 100 inhabitants from 1997 to 2014:

Mobile phone subscribers per 100 inhabitants from 1997-2014
Within mobile phones, smartphones are very much becoming the norm. Improvements in the computing power and data storage of these devices enable us to perform a wide range of activities. We are increasingly becoming dependent on these mobile devices for most of our activities. Apart from performing routine tasks such as making calls, sending messages, and so on, these devices also support other activities such as sending e-mails, surfing the Internet, recording videos, creating and storing documents, identifying locations with Global Positioning System (GPS) services, managing business tasks, and much more. In other words, mobile devices are now a repository of sensitive personal information, containing a wealth of user data. Quite often, the data sitting on a device is more valuable than the device itself. For instance, calls made from a device could be valuable information for law enforcement agencies. The fact that mobile forensics played a crucial role in solving high-profile cases, such as the 2010 Times Square car bombing attempt and the Boston marathon bombings, reaffirms the increasing role of mobile forensics in many government and law enforcement cases.
Mobile device forensics is a branch of digital forensics which deals with extracting, recovering and analyzing digital evidence or data from a mobile device under forensically sound conditions. Simply put, it deals with accessing the data stored on devices, which includes SMS, contacts, call records, photos, videos, documents, application files, browsing history and so on, and also recovering data deleted from devices using various forensic techniques. For the evidence to be admitted in a court of law and for its integrity to be maintained, the process of recovering or accessing details from a device must be forensically sound, and the original device must not be tampered with.
Note
The term forensically sound is often used in the digital forensics community to clarify the correct use of a particular forensic technology or methodology. Mobile forensics, especially Android forensics, is evolving fast, owing to the fact that it has a market share of 84 percent (as per market research firm IDC).
As explained by Eoghan Casey in his book Digital Forensics and Investigation, forensic soundness is not just about keeping original evidence unaltered. Even the routine task of acquiring data from a hard drive using a hardware write-blocker may cause alterations (for example, making a hidden area of the hard drive accessible) on the drive. One of the keys to forensic soundness is documentation. Documenting how the device is handled from the beginning is very important. Hence, an investigation can be considered forensically sound if the acquisition process preserves the original data and its authenticity and integrity can be validated. Evidence integrity checks ensure that the evidence has not been tampered with from the time it was collected. Integrity checks are done by comparing the digital fingerprint of the evidence taken at the time of collection with the digital fingerprint of the evidence in current state.
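The integrity check described above, as an added example that is not from the book: a Python routine records the digital fingerprint (SHA-256) of an acquired image in a hypothetical chain-of-custody manifest at collection time and re-checks it later; the file names, manifest layout and sample image content are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images fit in memory


def fingerprint(path):
    """Return the SHA-256 hex digest (the 'digital fingerprint') of an evidence file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image_path, manifest_path, examiner):
    """Store the fingerprint taken at collection time in a chain-of-custody manifest."""
    entry = {
        "file": os.path.basename(image_path),
        "sha256": fingerprint(image_path),
        "size": os.path.getsize(image_path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_integrity(image_path, manifest_path):
    """Compare the current fingerprint with the one recorded at collection."""
    with open(manifest_path) as f:
        recorded = json.load(f)
    current = fingerprint(image_path)
    return current == recorded["sha256"], recorded["sha256"], current


def demo():
    """Constructed scenario: an image is recorded, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "device.img")          # hypothetical file names
        manifest = os.path.join(d, "device.img.manifest.json")
        with open(image, "wb") as f:
            f.write(b"SQLite format 3\x00" + b"\x00" * 4096)  # constructed sample data
        record_acquisition(image, manifest, "examiner-01")
        ok_before, _, _ = verify_integrity(image, manifest)
        with open(image, "r+b") as f:                  # simulate tampering
            f.seek(100)
            f.write(b"\xff")
        ok_after, _, _ = verify_integrity(image, manifest)
        return ok_before, ok_after
```

The first verification succeeds and the second fails, which is exactly what the examiner needs to show when the evidence is questioned.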
There is a growing need for mobile forensics due to several reasons. Some of the prominent reasons are:
Use of mobile phones to store personal information
Increased use of mobile phones to perform online activity
Use of mobile phones in several crimes
Mobile forensics on a particular device is primarily dependent on the underlying operating system. Thus, we have different fields such as Android forensics, iOS forensics, Blackberry forensics, and so on.
Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all cases. However, the overall process can be broken into five phases as shown in the following diagram:

Phases in mobile forensics
The following section discusses each phase in detail:
This phase begins when a request for examination is received. It involves preparing all of the paperwork and forms required to document the chain of custody, ownership information, the device model, its purpose, the information that the requestor is seeking, and so on. The chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. From the details submitted by the requestor, it's important to have a clear understanding of the objective for each examination.
Handling the device during seizure is one of the important steps while performing forensic analysis. The evidence is usually transported using anti-static bags, which are designed to protect electronic components against damage caused by static electricity. As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device. At the same time, any opportunity that can aid the investigation should also not be missed.
Following are some of the points that need to be considered while handling an Android device during this phase:
With increasing user awareness on security and privacy, most of the devices now have screen lock enabled. During the time of seizure, if there is a chance to do so, disable the passcode. Some devices do not ask the user to re-enter the passcode while disabling the lock screen option.
If the device is unlocked, try to change the settings of the device to allow greater access to it. Some of the settings that can be considered to achieve this are as follows:
Enable USB debugging: Enabling this option gives greater access to the device through Android debug bridge (adb) connection. We are going to cover adb connection in detail in Chapter 2, Setting Up Android Forensic Environment. This will greatly aid the forensic investigator during the data extraction process. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot. In later Android versions starting from 4.2, the developer options are hidden by default. To enable them, navigate to Settings | About Phone and tap on Build number 7 times.
Enable stay awake setting: Enabling this option and charging the device will make the device stay awake while charging, which means that it doesn't get locked. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot:
Stay awake and USB debugging options
Increase Screen timeout: This is the time for which the device will be active once it is unlocked. Depending on the device model, this time can be set up to 30 minutes. In most devices, it can be accessed under Settings | Display | Screen timeout, as shown in the following screenshot:
Note
Please note that the location to access this item changes across different versions and models of Android phones.
Screen timeout option on an Android device
In mobile forensics, it is of critical importance to protect the seized device so that our interaction with the evidence (or for that matter, an attacker's attempt to remotely interact with the device) does not change the evidence. In computer forensics, we have software and hardware write blockers that can perform this function. But in mobile forensics, since we need to interact with the device to pull the data, these write blockers are not of any use. Another important aspect is that we also need to prevent the device from interacting with wireless radio networks. As mentioned earlier, there is a high probability that an attacker can issue remote wipe commands to delete all data, including e-mails, applications, photos, contacts, and other files on the device.
The Android Device Manager (ADM) and several other third-party apps allow the phone to be remotely wiped or locked. This can be done by signing into the Google account that is configured on the mobile device. Using this software, an attacker can also locate the device, which could pose a security risk. For all these reasons, isolating the device from all communication sources is very important.
Tip
Have you thought about remote wipe options that do not require internet access? Mobile Device Management (MDM) software provides a remote wipe feature just by sending an SMS. Isolating the device from all communication options is crucial.
To isolate the device from a network, we can put the device in Airplane mode if there is access to the device. Airplane mode disables a device's wireless transmission functions, such as cellular radio, Wi-Fi, and Bluetooth. However, this may not always be possible because most of the devices are screen-locked. Also, as Wi-Fi is now available in airplanes, some devices now allow Wi-Fi access in Airplane mode. Hence, an alternate solution would be to use a Faraday bag or RF isolation box, as both effectively block signals to and from the mobile phone. One concern with these isolation methods, however, is that once they're employed, it is difficult to work with the phone because you cannot see through them to use the touch screen or keypad. For this reason, Faraday tents and rooms exist, as shown in the following screenshot (taken from http://www.technicalprotection.co.uk/), but they are very expensive.

Pyramid-shaped Faraday tent
Even after taking all these precautions, certain automatic functions, such as alarms, can trigger. If such a situation is encountered, it must be properly documented.
The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straightforward. The extraction method is chosen depending on the operating system, make, and model of the device. The following types of acquisition methods can be used to extract data from a device:
Manual acquisition: This is the simplest of all acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only those files and data that are visible through a normal user interface can be extracted. Data extracted through other methods can also be verified using this.
Logical acquisition: This is also called logical extraction. This generally refers to extracting the files that are present on a logical store such as a filesystem partition. This involves obtaining data types, such as text messages, call history, pictures and so on, from a phone. The logical extraction technique works by using the original equipment manufacturer's APIs for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:
Call Logs
SMS
MMS
Browser history
People
Contact methods
Contacts extensions
Contacts groups
Contacts phones
Contacts setting
External image media (metadata)
External image thumbnail media (metadata)
External media, audio, and misc. (metadata)
External videos (metadata)
MMSParts (includes full images sent via MMS)
Location details (GPS data)
Internet activity
Organizations
List of all applications installed, along with their version
Social networking apps data such as WhatsApp, Skype, Facebook, and so on.
Filesystem acquisition: This is a logical procedure and generally refers to the extraction of a full file system from a mobile device. File system acquisition can sometimes help in recovering content deleted from the device, for example records that are still present inside SQLite database files.
Physical acquisition: This involves making a bit-by-bit copy of the entire flash memory. The data extracted using this method is usually in the form of raw data (as a hexadecimal dump), which can then be further parsed to obtain file system information or human readable data. Since all investigations are performed on this image, this process also ensures that original evidence is not altered.
In this phase, different software tools are used to extract the data from the memory image. In addition to these tools, an investigator would also need the help of a hex editor, as tools do not always extract all the data. There is no single tool that can be used in all cases. Hence, examination and analysis require a sound knowledge of various file systems, file headers, and so on.
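To illustrate the kind of header knowledge the examination phase relies on, here is an added example (not from the book or any tool it names): a Python scanner that walks a raw physical dump looking for well-known file signatures, independent of any file system metadata, and reads the page size out of an SQLite header it finds. The dump is a constructed byte string with headers placed at known offsets.

```python
import re

# Well-known file signatures an examiner looks for in a raw (physical) dump.
SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",   # SQLite database header
    "jpeg": b"\xff\xd8\xff",             # JPEG start-of-image marker
    "png": b"\x89PNG\r\n\x1a\n",         # PNG signature
    "zip/apk": b"PK\x03\x04",            # ZIP local file header (APKs are ZIPs)
}


def scan_image(image):
    """Return a sorted list of (offset, kind) for every known header in the dump.

    Scanning the raw bytes is what lets an examiner with a hex editor find content
    (for example an unlinked database) that a file-system-aware tool skipped.
    """
    hits = []
    for kind, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), image):
            hits.append((m.start(), kind))
    return sorted(hits)


def sqlite_page_size(image, offset):
    """Read the big-endian page size at bytes 16-17 of an SQLite header.

    A stored value of 1 means 65536, per the SQLite file format.
    """
    raw = int.from_bytes(image[offset + 16:offset + 18], "big")
    return 65536 if raw == 1 else raw


def build_sample_image():
    """Constructed dump: zeroed space, an SQLite header at 0x400, a JPEG at 0x1000."""
    img = bytearray(0x2000)
    header = bytearray(b"SQLite format 3\x00" + b"\x00" * 84)  # 100-byte header
    header[16:18] = (4096).to_bytes(2, "big")                   # page size 4096
    img[0x400:0x400 + len(header)] = header
    img[0x1000:0x1003] = b"\xff\xd8\xff"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for off, kind in scan_image(sample):
        print(f"0x{off:08x} {kind}")
    print("sqlite page size:", sqlite_page_size(sample, 0x400))
```

On a real image the same scan would also report every embedded JPEG thumbnail and APK, so the hit list is a starting point for carving, not a file listing.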
Documentation of the examination should be done throughout the process, noting down what was done in each phase. The following points might be documented by an examiner:
Date and time the examination started
Physical condition of the phone
The status of the phone when received (ON/OFF)
Make, model, and operating system of the phone
Pictures of the phone and individual components
Tools used during the investigation
Data documented during the examination
The data extracted from the mobile device should be clearly presented to the recipient so that it can be imported into other software for further analysis. In the case of civil or criminal cases, wherever possible, pictures of data, as it existed on the cellular phone, should be collected, as they can be visually compelling to a jury.