An Introduction to True Data Collection From Android Mobile Phones

The role of Digital Dictionary Investigator (DFI) is varied with continuous learning opportunities, especially as technology expands and increases in every corner of communication, entertainment and business . As a DFI, we deal with the daily onslaught of new devices. Many of these devices, like a cell phone or tablet, use common operating systems that we need to meet. Certainly, Android OS is dominant in the tablet and mobile phone company. Given the superiority of Android OS on the mobile phone market, DFI operators will become an Android device in many research. While there are some types of methods for obtaining data from an Android device, this article introduces four realistic methods that the DFI should consider when collecting evidence from an Android device.

Part of Android OS History

The first commercial Android version was in September 2008 with version 1.0. Android is an open source and "free-to-use" operating system for mobile devices that Google has developed. Important, initially, Google and other hardware companies formed the Open Handset Alliance (OHA) in 2007 to promote and promote Android's growth in the market. OHA now consists of 84 hardware companies including giants like Samsung, HTC and Motorola (to name a few). This alliance was created to compete with companies with own marketing services, such as the competitive devices offered by Apple, Microsoft (Windows Phone 10 – which is now dead on the market) and Blackberry (which has stopped making hardware). Regardless of whether or not the operating system is disconnected, DFI needs to know about different versions of many operating systems, especially if the legal focus is in a particular state, such as a mobile phone.

Linux and Android

The current repetition of Android OS is based on Linux. Keep in mind that "based on Linux" does not mean that ordinary Linux applications will always run on Android and, conversely, the Android applications you may enjoy (or know) will not necessarily run on your Linux desktop. But Linux is not Android. To clarify the point, keep in mind that Google selects the Linux kernel, the essential part of the Linux operating system, to control the hardware mapping so that Google's developer does not have to worry about how processing takes place on a particular set of hardware. This allows its developers to focus on the broad operating system and user interface of Android OS.

Large Market Share

Android OS has a significant market share of the mobile phone market, primarily because it is open to nature. Above 328 million Android devices were exported from the third quarter of 2016. And according to, Android's operating system had a larger portion of installations in 2017 – almost 67% – as with this writing.

Like DFI, we can expect to land on Android-based hardware in conjunction with typical research. Because of the open nature of Android OS in conjunction with diverse hardware platforms from Samsung, Motorola, HTC, etc., introduces a variety of combinations between hardware and OS implementation additional challenge. Consider Android is now in version 7.1.1, but at the same time, each phone manufacturer and mobile carrier will usually modify the OS for specific hardware and service bids and provide additional layers for DFI, as the data collection approach may vary.

Before we dig into the additional features of Android OS that complicate the approach to data collection, let's look at the term ROM version that will be applied to an Android device. As an overview, ROM is a program (Read Only Memory) application for a near-core, low-key, and unique ROM application is often called hardware. If you think about a tablet in contrast to a mobile phone, the tablet will have different ROM programming in contrast to a mobile phone, since the hardware between the tablet and the mobile phone will be different, even if both hardware devices are from the same hardware manufacturer. Follow the need for more information in the ROM application, add to the specific requirements of mobile operators (Verizon, AT & T, etc.).

While collecting data from mobile devices, not all Android Devices are equal, especially given that there are fourteen major Android OS releases in the market (from versions 1.0 to 7.1.1), many performers With model-specific ROM and additional number of user-defined versions (client ROM). The & # 39; customer compares versions & # 39; There are also model specific ROMs. Generally, ROM-level updates used on each wireless device will contain operating and system applications that work for a particular hardware device, for a particular vendor (for example, Samsung S7 from Verizon) and for specific execution.

While there is no "silverware" solution to investigate any Android device, a Android-based investigation should follow the same general process of collecting evidence and require a structured process and approach that addresses the investigation, Flog, Isolation, purchase, testing and analysis and reporting of digital data. When a request for a device is received, DFI initiates planning and preparation to include the necessary method of obtaining a device, necessary paperwork to support and document the custody chain, develop a prospectus for the investigation, the details

Unique Challenges Of Acquisition

Mobile devices, including Mobile phones, tablets, etc., face individual challenges during data. Since battery life is limited on mobile phones and it is usually not recommended to charge a charger, the isolation data of the evidence may be crucial when receiving the device. However, the proper acquisition of the mobile network, WiFi connection and Bluetooth connection should also be taken into account by the investigator. Android has many security features built into the phone. You can set the lock screen as a PIN, password, drawing pattern, face detection, location data, recognition of trusted devices, and biometrics, such as a fingerprint. Estimated 70% of users use some kind of security protection on their phone. In particular, software may be downloaded by the user, which may allow them to wipe the phone slightly and complicate the purchase.

The mobile phone is unlikely to open the screen. If the device is not locked, DFI viewing will be easier because DFI can change settings on the phone immediately. If you have access to your mobile phone, turn off the lock screen and change the time schedule of the display to the maximum value (which may be up to 30 minutes for some devices). Keep in mind that the key point is to isolate the phone from all Internet connections to prevent remote device removal. Put your phone in airplane technology. Attach an external power source to the phone after it has been placed in a stationary bag designed to shut down radio waves. Once safe, you should later enable USB debugging, which allows Android Debug Bridge (ADB) that can provide good data retrieval. While it's important to check the bug of RAM on a mobile phone, this is unlikely to happen.

Getting Android Data

Copying hard disk from a desktop or laptop in Forensically-Sound mode is trivial compared to data extraction methods needed for data transfer. Generally, DFIs have ready access to the hard drive without any obstacles, which allows to create hardware or software bits in an image to create. Mobile phones have data stored inside the phone in difficult places. Extracting data through the USB port can be challenging but can be met with care and luck on Android devices.

After the Android device has been paid and is safe, it's time to view the phone. There are several data collection methods available for Android and they vary greatly. This article presents and addresses four main ways of approaching data collection. These five methods are identified and summarized below:

1. Send the device to the manufacturer: You can send the device to the manufacturer to process data that will cost extra time and money, but may be necessary If you do not have certain skills for a particular device or time to study. In particular, as has been stated, Android surplus of OS versions has been based on the manufacturer and ROM version and adds to the complexity of the purchase. The manufacturer usually makes this service available to government and law enforcement in most household equipment. If you are a freelance developer, you need to contact the manufacturer or get support from the company you are working with. Also, the research option can not be available for some international types (as many non-anonymous Chinese phones are increasing the number of people – think about the disposable phone).

2. Direct physical acquisition of data. One of the rules of DFI research is never to change data. Physical acquisition of mobile data must take into account the same rigorous methods of verifying and documenting that the physical method used will not change the device information. Furthermore, when the device is connected, it is necessary to drive a hash. Physical acquisition allows DFI to get a full view of the device with USB cable and correct software (at this point, you should think about writing blocks to prevent data changes). Connecting to a mobile phone and grab a picture is just not as clear and clear as dragging data from the hard drive on a desktop computer. The problem is that it depends on the choice of legacy enhancement tool, particular type and type of phone, network operator, Android OS version, user settings on the phone, device root status, lock status, if the PIN code is known and if USB debugging is enabled on your device, you can not Get the data from the device being investigated. Simply put, your physical acquisition ends in the field of "just trying it" to see what you get and may appear before the court (or reverse side) as an inseparable way to collect data that may endanger data collection.

3. JTAG corrects (change of physical purchase above). As a definition, JTAG (Joint Test Action Group) certification is the most advanced method of data collection. It is basically a physical method that includes cabling and connection to TAPs on your device, and by using processing instructions to request the transfer of raw materials stored in memory. The raw data is drawn directly from the connected device using a special JTAG cable. This is thought to be the minimum range of data collection, as there is no transaction or interpretation, and is similar to a trash that is done when you receive evidence from your desktop or laptop hard drive. JTAG purchases can often be made for locked, damaged and inaccessible (locked) devices. Because there is a minimum scan, if your device was encrypted (whether the user or the manufacturer, like Samsung and some Nexus devices), you still need to decrypt the data purchased. But, as Google decided to go away with full-encryption capabilities with Android OS 5.0, the encryption restriction overall is slightly reduced unless the user has decided to encrypt his device. After purchasing JTAG data from the Android device, you can view the purchased data and analyze them with tools like 3zx (link: ) or Belkasoft (link : ). Using the JTAG tool automatically extracts digital correct sequences, including call logs, contacts, location data, browsing history, and much more.

4. Expired purchase. This purchase technique requires removing memory chips from the device. Produces raw double dumps. Again, this is considered a sophisticated, low-key acquisition and will require soldering smaller tiles with highly specialized tools to remove the tiles and other specialized devices to read the tiles. As stated in the JTAG of the above, DFI is concerned that chip content is encrypted. But if the information is not encrypted, you can drag a small copy as a raw image. DFI will need to conflict with renewal, fragmentation and, if applicable, encryption. Also, some Android device manufacturers, like Samsung, have completed encrypted, non-by-pass or after-chip encryption, even if the correct password is known. Due to access problems with encrypted devices, the tile is delimited by unencrypted devices.

5. Data processing overload. We are all aware that Google has taken data collection. Google is known to maintain large volumes from mobile phones, tablets, laptops, computers and other devices from various operating systems. If the user has a Google Account, DFI can access, download and report all information for that user under the Google Account, with the right of Google. This involves retrieving information from the user's Google Account. Currently, there are no full cloud updates available for Android users. Data that can be viewed is Gmail, contact information, Google Drive data (which may be very obvious), synced Chrome tabs, browser browser, password, list of listed Android devices (where you can view location history for each device) and much more.

The five methods listed above are not a comprehensive list. Highly recurring data collection data – When working with a mobile phone, accurate and accurate data is required. Further, process documentation and procedures that are used and following the ballast process you have established will ensure that the evidence collected becomes "correct sound."


Discussed in this article is a justification for mobile phones, especially Android OS, different from conventional digital rights practices used for laptop computers and computers. While your personal computer is secure, you can easily copy storage, and your device can be stored, secure purchases of mobile phones and data can be and is often a problem. Buying a mobile phone is encouraged and the proposed approach to data collection is necessary. As mentioned above, five methods announced will allow DFI to access the device. However, some other methods are not discussed in this article. Additional research and tooling at DFI will be necessary.

Source by Ron McFarland

Leave a Reply

Your email address will not be published. Required fields are marked *