Mobile Smart Phone Technology (MSPT) is one of the most consequential technologies in history, but it is also exploited for crime, and unlawful conduct involving smartphones is inevitable. Android is evolving fast and dominating its competitors because of its features, open-source architecture and ease of customisation. In addition, Android apps are typically signed with developer-generated (self-signed) certificates, whereas Apple apps must be signed with certificates issued by Apple's Certificate Authority. To work around the security hardening of newer Android versions, this study adopts a virtual Android phone running in the Genymotion emulator. This approach allows the latest phone models to be analysed with open-source tools without physically procuring them. The virtual phone presents the same interface as a physical phone, but it removes the need to root the phone or bypass its security, so the researcher can concentrate on techniques for extracting forensic artifacts. Open-source tools are used throughout, and a comparative analysis is carried out so that a combination of tools can be used to extract the maximum number of artifacts from the phone.
I. INTRODUCTION
Law enforcement agents consider any MSPT a significant source of evidence when a crime has been committed. According to [2], a comprehensive review of mobile versus desktop usage showed that mobile devices successfully compete for users' attention: globally, 68.1% of all website visits in 2020 came from mobile devices. MSPTs are steadily replacing their desktop counterparts in human-computer interaction and have become large digital storage vaults holding personal and professional secrets. It is therefore pertinent to invest more effort in efficient techniques for extracting and analysing data from MSPTs, with particular focus on Android because it holds the largest market share worldwide. In the recent publication by [1], Android OS had the largest market share at 71.74%, as Fig. 2 indicates.
II. THEORETICAL BACKGROUND
Many scholars and cyber-security specialists have researched Android smartphone forensics with open-source tools, and research in this area is ongoing. This effort has gone a long way towards providing economical solutions for the Android forensics community. According to [4] [5], the type of extraction determines how much data is obtained from the device: physical acquisition yields the most data, followed by file-system acquisition, logical acquisition and photographic documentation, in that order. Three factors affect extraction: the type of mobile device, the diversity of forensic tools, and the physical state of the device. In their study, [6] sought the method that produces the most evidential artefacts from Android devices. The research was performed on an Alcatel One Touch 6012x (Android 4.2.2) using various open-source tools, including manual extraction with adb pull and the dd command. The analysis concluded that a proper step-by-step combination of tools is effective in obtaining meaningful insights. The best approach for extracting data from different Android devices was examined by [7] in a comparative study of UFED, Paraben, XRY and MOBILedit on four Android phones. Commercial tools turned out to be essential for data acquisition where the Android device was not rooted.
However, logical acquisition was deemed a good alternative in the absence of expensive commercial tools. The paper by [8] sought a convenient way to avoid conventional rooting by using a custom recovery: after unlocking the bootloader, the Team Win Recovery Project (TWRP) recovery and a custom ROM were flashed to obtain root privilege and extract a disk dump with the dd command. This method successfully enabled forensic examination and was recommended for trial on emerging Android versions. The same concept was discussed by [9], who explained how stock and custom ROMs support a step-by-step rooting procedure. In their research paper, [10] compared various acquisition techniques to arrive at a better approach. Commercial tools offered a better solution than open-source tools, and software-based acquisition was found more feasible than hardware-based acquisition, which also risks compromising the integrity of the original image. The research concluded that no single tool does it all.
A comparison between Paraben E3:DS and Autopsy was carried out by [11] on a logical image acquired from a Nexus 6P (Android 7.1.2) using the Titanium Backup application. The research focused on extracting evidential artefacts from applications, and Paraben E3:DS produced the best results. The study concluded that more artefacts can still be extracted provided the right forensic tools are identified. The effectiveness of rooting in recovering from anti-forensic measures was examined by [12] by comparing logical and physical images of a Samsung Note 4 (Android 6.0.1). Even after the phone had been factory reset, the physical image recovered both existing and deleted data, whereas the logical image recovered only existing data. According to [13] [14], adb pull serves the specific purpose of transferring files from the mobile device under investigation to the forensic workstation. Because many partitions require root permission to be read, the device must first be rooted before logical files can be pulled. According to [15] [16], the Android Debug Bridge (ADB) is a tool from the Android Software Development Kit (SDK) that provides a connection between an Android device and a computer through which the various images can be extracted from the device. The prerequisite for using adb is that USB debugging be enabled on the Android device. As stated by [17] [18], rooting gives an examiner elevated privileges on a mobile device that are not available in normal operation; it can be used legally or illegitimately.
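The adb pull and dd workflow described above (logical pull of a directory, physical dump of a block device over adb, rooted device) is shown below as an added example; it is not code from the paper or from any of the cited works. It assumes adb is on the PATH, that the target is a rooted device such as a Genymotion image with su available, and that the block device path and the package directory used in the usage call are hypothetical placeholders. The adb devices output embedded in the block is constructed sample data, not a real capture. Hashes are taken on the device before the copy and compared on the host so that a truncated or altered transfer is detected, which the text does not spell out.

```python
"""Minimal adb-based acquisition helper with integrity verification.

Added example, not the paper's tooling. Assumes: adb on PATH, rooted
device (Genymotion devices ship rooted) with `su` available.
"""
from __future__ import annotations

import hashlib
import shutil
import subprocess
from pathlib import Path

# Constructed sample of `adb devices -l` output (not a real capture).
# The first entry looks like a Genymotion device (reached over TCP/IP);
# the second is a USB device whose debugging prompt was not accepted.
SAMPLE_ADB_DEVICES = """List of devices attached
192.168.56.101:5555    device product:vbox86p model:Google_Pixel_3 device:vbox86p transport_id:1
ZY2242KJHL             unauthorized transport_id:2
"""


def parse_adb_devices(output: str) -> list[dict]:
    """Turn `adb devices -l` output into records of serial, state and key:value fields."""
    devices = []
    for line in output.splitlines()[1:]:  # skip the "List of devices attached" banner
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"serial": parts[0], "state": parts[1]}
        for kv in parts[2:]:
            if ":" in kv:
                key, val = kv.split(":", 1)
                rec[key] = val
        devices.append(rec)
    return devices


def ready_devices(records: list[dict]) -> list[dict]:
    """Only devices in state 'device' accept commands; 'unauthorized' means
    USB debugging is on but the examiner's RSA key was not accepted yet."""
    return [r for r in records if r["state"] == "device"]


def logical_pull_cmd(serial: str, remote: str, local: Path | str) -> list[str]:
    """adb pull of a directory; -a preserves timestamps and file modes."""
    return ["adb", "-s", serial, "pull", "-a", remote, str(local)]


def physical_dump_cmd(serial: str, block_device: str) -> list[str]:
    """dd of a raw block device as root. `exec-out` streams binary stdout
    without the pty newline mangling that plain `adb shell` can introduce."""
    return ["adb", "-s", serial, "exec-out", f"su -c 'dd if={block_device} bs=4M'"]


def remote_sha256_cmd(serial: str, remote: str) -> list[str]:
    """Hash the object on the device (toybox sha256sum) before copying it."""
    return ["adb", "-s", serial, "shell", f"su -c 'sha256sum {remote}'"]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path | str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_hash(data: bytes, sha256sum_output: str) -> bool:
    """Compare host-side hash of the acquired bytes with the `sha256sum` line
    captured on the device; a mismatch means the copy is not usable as evidence."""
    expected = sha256sum_output.split()[0].lower()
    return sha256_bytes(data) == expected


def physical_acquire(serial: str, block_device: str, out_file: Path) -> bool:
    """Dump a block device to out_file and return whether its hash matches the
    hash computed on the device. Requires a connected rooted device."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    device_hash = subprocess.run(remote_sha256_cmd(serial, block_device),
                                 capture_output=True, text=True, check=True).stdout
    with open(out_file, "wb") as fh:
        subprocess.run(physical_dump_cmd(serial, block_device), stdout=fh, check=True)
    return sha256_file(out_file) == device_hash.split()[0].lower()


if __name__ == "__main__":
    for dev in ready_devices(parse_adb_devices(SAMPLE_ADB_DEVICES)):
        print("usable device:", dev["serial"], dev.get("model", "?"))
        # Hypothetical paths; adjust to the image under examination.
        print(" ".join(logical_pull_cmd(dev["serial"], "/data/data/com.android.providers.contacts", "contacts")))
        print(" ".join(physical_dump_cmd(dev["serial"], "/dev/block/vda")))
```

On a physical, unrooted phone the su call fails and only the logical pull of world-readable paths succeeds, which is the gap between logical and physical acquisition that the reviewed studies describe.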
It is clear from this review of the literature that Android is evolving fast and that more research is needed. In all the papers reviewed, the highest Android version examined was 7.1.2, yet according to [19] the latest release is Android 12. From this gap the researchers derived the following hypothesis: open-source mobile forensic tools that were relevant to earlier Android versions can still be relevant to emerging ones. This assumption was the centre of the investigation and was tested throughout the study with a set of selected open-source tools.
VII. LIMITATIONS
Though the virtual environment provided a cost-free basis for the research, it had its own limitations. It did not allow a completely realistic procedure, since some aspects were assumed and preconfigured. Also, the Genymotion virtual devices could not run applications that were not from the Google Play Store even though they were rooted, so some open-source tools could not be tested for relevance, whereas this would have been possible on a real phone. Another major drawback of the virtual environment was the unexpected crashing of Genymotion devices, which was later mitigated by taking snapshots. Regardless of these limitations, the study was successfully carried out with the compatible open-source tools, and a comparative study was completed, as shown in Table 4. Though some of the tools proved irrelevant, others were relevant and can be used in the forensics of emerging Android versions.
Conclusion
From this study it can be deduced that some of the tools and techniques used are still relevant or partially relevant, whilst others are not. It is also pertinent to note that no single tool does it all; a good combination of tools provides more than any one tool, and in this research such a combination produced good forensic results. The findings are not conclusive, because the study was performed on a virtual platform that omits some critical aspects of a real physical device. For instance, Genymotion virtual phones are rooted by default, which is not usually the case in practice. The study also gives limited attention to the anti-forensic measures that Original Equipment Manufacturers (OEMs) introduce to protect user data privacy. Despite these limitations, the researchers believe the study contributes to knowledge of performing forensics on emerging Android technology, and recommend that the same study be conducted on physical devices for further exploration.
References
[1] https://gs.statcounter.com/os-market-share/mobile/worldwide#
[2] https://www.perficient.com/insights/research-hub/mobile-vs-desktop-usage, last accessed 2021/11/27.
[3] Tamma, Rohit and Tindall, Donnie (2015). Learning Android Forensics, p. 4.
[4] Afonin, Oleg and Katalov, Vladimir (2016). Mobile Forensics: Advanced Investigative Strategies, p. 22.
[5] Scrivens, Nathan and Lin, Xiaodong (2017). Android digital forensics: data, extraction and analysis. doi: 10.1145/3063955.3063981.
[6] Mrkaić, I. (2016). Android forensic using some open source tools. In The Eighth International Conference on Business Information Security (BISEC-2016), Belgrade, Serbia, 15 October.
[7] Agrawal, A.K., Khatri, P. and Sinha, S.R. (2018). Comparative Study of Mobile Forensic Tools. In: Kolhe, M., Trivedi, M., Tiwari, S. and Singh, V. (eds), Advances in Data and Information Sciences. Lecture Notes in Networks and Systems, vol. 38. Springer, Singapore. https://doi.org/10.1007/978-981-10-8360-0_4
[8] Agrawal, A.K., Sharma, A., Sinha, S.R. and Khatri, P. (2020). International Journal of Electronic Security and Digital Forensics, Vol. 12, No. 1, pp. 118–137.
[9] Kamble, J. (2015). Digital forensic investigation procedure. International Journal for Advance Research Science and Engineering, Vol. 4, pp. 157–168.
[10] S. C. Sathe and N. M. Dongre, "Data acquisition techniques in mobile forensics," 2018 2nd International Conference on Inventive Systems and Control (ICISC), 2018, pp. 280–286, doi: 10.1109/ICISC.2018.8399079.
[11] M. Raji, H. Wimmer and R. J. Haddad, "Analyzing data from an android smartphone while comparing between two forensic tools," SoutheastCon 2018, pp. 1–6, 2018.
[12] M. Boueiz, "Importance of rooting in an Android data acquisition," 2020 8th International Symposium on Digital Forensics and Security (ISDFS), 2020, pp. 1–4, doi: 10.1109/ISDFS49300.2020.9116445.
[13] Andrew Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android, 1st edition, Syngress, 2011, p. 218.
[14] https://developer.android.com/studio/commandline/adb.html, last accessed 2022/01/15.
[15] S. J. Yang, J. H. Choi, K. B. Kim and T. Chang, "New acquisition method based on firmware update protocols for Android smartphones," Digital Investigation, vol. 14, no. S1, pp. S68–S76, 2015.
[16] D. Quick and M. Alzaabi, "Forensic analysis of the Android file system Yaffs2," Proc. 9th Australian Digital Forensics Conference, December 2011.
[17] J. Grover, "Android forensics: Automated data collection and reporting from a mobile device," Digital Investigation, vol. 10, pp. S12–S20, 2013.
[18] M.-R. Boueiz, "Importance of rooting in an Android data acquisition," 2020 8th International Symposium on Digital Forensics and Security (ISDFS), Beirut, Lebanon, 2020, pp. 1–4, doi: 10.1109/ISDFS49300.2020.9116445.
[19] https://www.techradar.com/in/news/android-12-news, last accessed 2022/01/01.