SlideShare a Scribd company logo

Android forensic acquisition

Download as PPTX, PDF
D
Detectalix

The document details the storage architecture of Android devices, explaining the differences between internal and external storage, and highlights key partitions relevant for forensic investigations. It covers the process of rooting Android devices to access all data partitions and describes methods for logical and physical data acquisition. Additionally, it outlines the steps for imaging both external micro-SD cards and internal storage, emphasizing the use of tools like ADB and dc3dd for data recovery and forensic analysis.

Technology
Related topics:
Digital Forensics
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
ANDROID DEVICE IMAGING
DATA STORAGE ON ANDROID • Two storage locations: internal and external. • Internal storage is the device flash memory that stores the kernel, system libraries and binaries, apps data and more. • External storage is usually a removable micro-SD card and mainly contains user data.
PARTITION LAYOUT • Main internal storage partitions: - Boot - Recovery - Data - System - Cache • The data partition is the most relevant to a forensic investigation as it contains the apps and user data.
ANDROID ROOTING • To access all the partitions and data we must have root permissions on the device. • The procedure to obtain root privileges is called rooting. • It is usually required to unlock the bootloader to root the device. • A very useful resource is the XDA Developer Forum: forum.xda-developers.com/
ANDROID DEBUG BRIDGE (ADB) • The Android Debug Bridge (ADB) is a CLI tool, part of the Android SDK Platform-Tools, to communicate with and control USB connected Android devices. • It allows to list connected devices, pull and push files from and to the device, execute a shell and install apps on the device. • If the device is turned on, the USB debugging option must be enabled under “Developer options” in the system settings.
LOGICAL AND PHYSICAL ACQUISITION • Two types of acquisition: logical and physical. • Logical acquisition involves the copy of all or part of the files and directories at the file system level. • Physical acquisition involves copying the device storage bit by bit at a raw level, like on computers.
PHYSICAL ACQUISITION OF EXTERNAL STORAGE • Physical imaging involves acquiring both the removable micro-SD card and the internal memory. • To image the micro-SD, we must remove it from the device, connect to the forensic workstation using a hardware or software write-blocking technique and then acquiring it directly with dc3dd, like with a hard drive.
PHYSICAL ACQUISITION OF INTERNAL STORAGE • Imaging the internal storage is trickier, as we have to execute dc3dd directly on the device. • So it must be an ARM statically cross-compiled binary, which we can download at: https://github.com/jakev/android-binaries/blob/master/dc3dd • We should not copy it on the internal storage, as it could overwrite possible evidence • We instead copy the dc3dd binary on a clean micro-SD card, with the sufficient capacity to store an image of the internal memory, and insert it into the device.
PHYSICAL ACQUISITION OF INTERNAL STORAGE • We connect the device to the forensic workstation and spawn a shell on the device with adb shell • We have to identify the input for dc3dd to image but dc3dd doesn’t accept directories as input. • We need to list the block device files, associated with the various partitions, with the command: ls –l /dev/block/ • The internal flash memory is usually associated with the mmcblk0 device file and all the files with this name followed by “p” and a number represent its partitions.
PHYSICAL ACQUISITION OF INTERNAL STORAGE • Before doing so, we must remount the sdcard to run dc3dd, as by default Android mounts SD cards with the -noexec option, that doesn’t allow to run applications on the SD card itself: mount -o remount,rw,exec /storage/sdcard1/ • Then we cd to /storage/sdcard1 and execute the command: ./dc3dd if=/dev/block/mmcblk0 of=mmcblk.img hash=sha512 log=mmcblk.log • Note that the image and log output files are written on the micro- SD card

More Related Content

PPTX
Computer Virus
OECLIB Odisha Electronics Control Library
 
PPTX
Netbeans
acosdt
 
PDF
Servlet and servlet life cycle
Dhruvin Nakrani
 
PPT
Web indexing finale
Ajit More
 
PPTX
Computer Science:Java jdbc
St Mary's College,Thrissur,Kerala
 
PPT
SOAP, WSDL and UDDI
Shahid Shaik
 
PPTX
JRE , JDK and platform independent nature of JAVA
Mehak Tawakley
 
PPTX
Software
fiza1975
 
Computer Virus
OECLIB Odisha Electronics Control Library
 
Netbeans
acosdt
 
Servlet and servlet life cycle
Dhruvin Nakrani
 
Web indexing finale
Ajit More
 
Computer Science:Java jdbc
St Mary's College,Thrissur,Kerala
 
SOAP, WSDL and UDDI
Shahid Shaik
 
JRE , JDK and platform independent nature of JAVA
Mehak Tawakley
 
Software
fiza1975
 

Similar to Android forensic acquisition (20)

PPTX
Android forensics an Custom Recovery Image
Mohamed Khaled
 
PDF
Mobile Forensic Webinar by Forensic Academy
Forensic Academy
 
PPTX
Mobile Forensics and Investigation Android Forensics
Don Caeiro
 
PPTX
Forensic Investigation of Android Operating System
nishant24894
 
PPTX
Mobile device forensics
Suresh Kumar
 
PDF
Comparison of android and black berry forensic techniques
Yury Chemerkin
 
PDF
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
PPTX
Android– forensics and security testing
Santhosh Kumar
 
PDF
A Comparison Study of Android Mobile Forensics for Retrieving Files System
CSCJournals
 
PPTX
Linux Kernel MMC Storage driver Overview
RajKumar Rampelli
 
PDF
Comparison of android and black berry forensic techniques
STO STRATEGY
 
PPTX
Mobile Forensics
primeteacher32
 
PDF
Android forensics (Manish Chasta)
ClubHack
 
PPTX
811719104102_Tamilmannavan S.pptx
DEVIKAS92
 
PPT
Manish Chasta - Android forensics
Positive Hack Days
 
PPTX
Forensic_Imaging_Presentationhjsksjsj.pptx
kingtigerdhanu6903
 
PPTX
Why cant all_data_be_the_same
Skyler Lewis
 
PPTX
Android_Forensic_Automator_Detailed_No_Images.pptx
likhithkumpala159
 
PDF
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
PDF
Man-In-The-Disk
Priyanka Aash
 
Android forensics an Custom Recovery Image
Mohamed Khaled
 
Mobile Forensic Webinar by Forensic Academy
Forensic Academy
 
Mobile Forensics and Investigation Android Forensics
Don Caeiro
 
Forensic Investigation of Android Operating System
nishant24894
 
Mobile device forensics
Suresh Kumar
 
Comparison of android and black berry forensic techniques
Yury Chemerkin
 
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
Android– forensics and security testing
Santhosh Kumar
 
A Comparison Study of Android Mobile Forensics for Retrieving Files System
CSCJournals
 
Linux Kernel MMC Storage driver Overview
RajKumar Rampelli
 
Comparison of android and black berry forensic techniques
STO STRATEGY
 
Mobile Forensics
primeteacher32
 
Android forensics (Manish Chasta)
ClubHack
 
811719104102_Tamilmannavan S.pptx
DEVIKAS92
 
Manish Chasta - Android forensics
Positive Hack Days
 
Forensic_Imaging_Presentationhjsksjsj.pptx
kingtigerdhanu6903
 
Why cant all_data_be_the_same
Skyler Lewis
 
Android_Forensic_Automator_Detailed_No_Images.pptx
likhithkumpala159
 
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
Man-In-The-Disk
Priyanka Aash
 
Ad

More from Detectalix (7)

PPTX
Windows Recycle Bin Analysis with free tools
Detectalix
 
PPTX
Windows Registry analysis with RegRipper
Detectalix
 
PPTX
Introduction to the Sleuth Kit and filesystem forensics
Detectalix
 
PPTX
iOS free, open source forensic tools
Detectalix
 
PPTX
Drive Imaging with dc3dd
Detectalix
 
PPTX
Intro to digital forensic imaging
Detectalix
 
PPTX
Brief introduction to digital forensics
Detectalix
 
Windows Recycle Bin Analysis with free tools
Detectalix
 
Windows Registry analysis with RegRipper
Detectalix
 
Introduction to the Sleuth Kit and filesystem forensics
Detectalix
 
iOS free, open source forensic tools
Detectalix
 
Drive Imaging with dc3dd
Detectalix
 
Intro to digital forensic imaging
Detectalix
 
Brief introduction to digital forensics
Detectalix
 
Ad

Recently uploaded (20)

PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
Teaching material agriculture food technology
LiaRayya
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Teaching material agriculture food technology
LiaRayya
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 

Android forensic acquisition

  • 2. DATA STORAGE ON ANDROID • Two storage locations: internal and external. • Internal storage is the device flash memory that stores the kernel, system libraries and binaries, apps data and more. • External storage is usually a removable micro-SD card and mainly contains user data.
  • 3. PARTITION LAYOUT • Main internal storage partitions: - Boot - Recovery - Data - System - Cache • The data partition is the most relevant to a forensic investigation as it contains the apps and user data.
  • 4. ANDROID ROOTING • To access all the partitions and data we must have root permissions on the device. • The procedure to obtain root privileges is called rooting. • It is usually required to unlock the bootloader to root the device. • A very useful resource is the XDA Developer Forum: forum.xda-developers.com/
  • 5. ANDROID DEBUG BRIDGE (ADB) • The Android Debug Bridge (ADB) is a CLI tool, part of the Android SDK Platform-Tools, to communicate with and control USB connected Android devices. • It allows to list connected devices, pull and push files from and to the device, execute a shell and install apps on the device. • If the device is turned on, the USB debugging option must be enabled under “Developer options” in the system settings.
  • 6. LOGICAL AND PHYSICAL ACQUISITION • Two types of acquisition: logical and physical. • Logical acquisition involves the copy of all or part of the files and directories at the file system level. • Physical acquisition involves copying the device storage bit by bit at a raw level, like on computers.
  • 7. PHYSICAL ACQUISITION OF EXTERNAL STORAGE • Physical imaging involves acquiring both the removable micro-SD card and the internal memory. • To image the micro-SD, we must remove it from the device, connect to the forensic workstation using a hardware or software write-blocking technique and then acquiring it directly with dc3dd, like with a hard drive.
  • 8. PHYSICAL ACQUISITION OF INTERNAL STORAGE • Imaging the internal storage is trickier, as we have to execute dc3dd directly on the device. • So it must be an ARM statically cross-compiled binary, which we can download at: https://github.com/jakev/android-binaries/blob/master/dc3dd • We should not copy it on the internal storage, as it could overwrite possible evidence • We instead copy the dc3dd binary on a clean micro-SD card, with the sufficient capacity to store an image of the internal memory, and insert it into the device.
  • 9. PHYSICAL ACQUISITION OF INTERNAL STORAGE • We connect the device to the forensic workstation and spawn a shell on the device with adb shell • We have to identify the input for dc3dd to image but dc3dd doesn’t accept directories as input. • We need to list the block device files, associated with the various partitions, with the command: ls –l /dev/block/ • The internal flash memory is usually associated with the mmcblk0 device file and all the files with this name followed by “p” and a number represent its partitions.
  • 10. PHYSICAL ACQUISITION OF INTERNAL STORAGE • Before doing so, we must remount the sdcard to run dc3dd, as by default Android mounts SD cards with the -noexec option, that doesn’t allow to run applications on the SD card itself: mount -o remount,rw,exec /storage/sdcard1/ • Then we cd to /storage/sdcard1 and execute the command: ./dc3dd if=/dev/block/mmcblk0 of=mmcblk.img hash=sha512 log=mmcblk.log • Note that the image and log output files are written on the micro- SD card