Introduction
Conducting forensic analysis on an Android tablet requires a deep understanding of both the Android operating system and digital forensic tools. This guide will walk you through the steps involved in a thorough forensic investigation of an Android tablet, covering essential tools and techniques.
Importance of Mobile Device Forensics
Mobile device forensics is crucial in digital investigations, allowing data extraction and analysis from mobile devices in a forensically sound manner. This process involves identifying, acquiring, analyzing, and reporting on evidence found on the device, providing a comprehensive view of an individual's digital activities and interactions.
Tools and Techniques
Logical Extraction
Logical extraction involves connecting the device to a forensic workstation via a hardware cable or a protocol like Bluetooth. This method is quick and straightforward but limited in data recovery. Common tools include Oxygen Forensic Device Extractor and XRY Logical.
Physical Extraction
Physical extraction involves copying the device's flash memory bit by bit. This method is more extensive but technically complex and dependent on the manufacturer. Tools like Cellebrite UFED Physical Pro and XRY Physical are used for this purpose.
Automated Data Collection
Tools like DroidWatch perform automated data collection and reporting without needing initial connection signatures or physical access to the device. These are useful when immediate access is not possible.
Steps in Conducting Android Tablet Forensics
Seizing the Device
Carefully collect the tablet from its user while documenting the chain of custody. Maintain a record of who handled the device and when. A search warrant is usually required if the device is used in a criminal investigation.
Documenting the Crime Scene
Thoroughly document the crime scene, including taking photos of the device and its display if turned on. If the tablet is off, keep it off to prevent data loss. Seize and label all available accessories, such as memory cards and data cables.
Maintaining Chain of Custody
Ensure the evidence collected is admissible in court by maintaining the chain of custody. Each piece of evidence should be labeled with:
- What is the evidence?
- How was it obtained?
- When was it collected?
- Who handled it?
- Why did that person handle it?
- Where has it traveled and where was it ultimately stored?
- What is the Case ID?
Acquiring the Data
Create a sector-level duplicate of the device, known as “imaging” or “acquisition.” Compare the duplicate image and the original device through a hashing function to ensure it is an exact copy.
Analyzing the Data
Begin analyzing the data to confirm hypotheses or search for hidden information. Specialized tools help find and recover data located within accessible hard disk space, deleted disk space, or the operating system cache.
Reporting
Store and analyze the acquired data to reconstruct a plausible version of events. Prepare a report, which may be technical or non-technical depending on the audience, including all findings and conclusions drawn from the analysis.
Forensic Process of Android Devices
Seizing Android Device
When discovering an Android device at a crime scene, take photos of the scene, including the device. If the phone is on, photograph the display. Keep charging the phone to prevent data loss if it is on. If off, keep it off. Seize all accessories like memory cards and data cables.
Chain of Custody
Label all recovered items immediately. Maintain and present a chain of custody in court. Labels should include:
- What is the evidence?
- How was it obtained?
- When was it collected?
- Who handled it?
- Why did that person handle it?
- Where has it traveled and where was it ultimately stored?
- What is the Case ID?
Generic Record Extraction
Use tools like ADB (Android Debug Bridge) to analyze both volatile and non-volatile data of an Android device. Data includes internal and external storage, shared preferences, internet artifacts, user data, application data, and hidden directories.
Analyzing SQLite Database Files
Android devices store data in .sqlite files. These files contain valuable information such as full names, email IDs, and phone numbers. Tools like DB Browser can uncover significant evidence by opening the correct db file.
Capturing Network Packets
Tools like TcpDump and Wireshark capture network packets and analyze them for potential evidence. These tools help identify logs of WhatsApp and Facebook applications, which can be crucial in identifying the root cause of the crime.
Interesting Locations for Forensics
When investigating an Android device, several locations can yield valuable evidence:
- Phone Browser Memory: Browsing history and cookies
- Application Storage: Data stored by installed applications
- External Card: Data on external memory cards
- SQLite Database Files: Structured data used by various applications
- SMS: Short Message Service records
- GPS Data: Location history
- Call Records: Call logs
- Contact List: Phonebook entries
- Social Networking Application Records: Data from social media apps like Facebook, Twitter, Orkut
- Messenger Records: Data from messaging apps like Yahoo, MSN
- Email Client Data: Emails and email client settings
- System Storage: Operating system files and settings
Android System Artifacts
Android system artifacts provide insights into device information and usage patterns. These artifacts include:
- Device Property Artifacts: Settings like settings_secure.xml, version, last_boot_time_utc
- SIM Card Details: telephony.db
- Device Battery Usage: turbo.db
- Battery Usage by Apps: battery-usage-db-v4
- Battery Usage by Bluetooth: bluetooth.db
- Paired Bluetooth Devices: bt_config.conf
- Lock Screen Settings: locksettings.db
- ADB Connections: ADB_keys
Tools for Android Forensics
Commercial Tools
Commercial tools like Cellebrite UFED Physical Pro and XRY Physical are widely used for their comprehensive capabilities in extracting and analyzing data from Android devices.
Open-Source Tools
Open-source tools like ADB (Android Debug Bridge) and DB Browser are useful for analyzing .sqlite files and capturing network packets. However, they have limitations in data extraction and analysis.
Challenges in Android Forensics
Rooting the Phone
Rooting the phone is often necessary to access areas not normally available. This process can be complex and requires technical expertise.
Maintaining Integrity of Primary Evidence
Maintaining the integrity of primary evidence is crucial. Any interference or manual intervention can compromise the evidence, making it inadmissible in court.
Bypassing Phone Locks
Bypassing phone locks can be challenging, especially with new technologies and updates. This requires continuous updates in forensic techniques and tools.
