Smartphone Forensics


Smartphone forensics is a branch of digital forensics concerned with the analysis and
recovery of digital evidence, i.e. data, from mobile devices.

The concepts of smartphone forensics are similar to those of digital forensics in general,
but the file system structure of a smartphone differs from that of a computer system.
In smartphone forensics, evidence extraction relies on the internal memory of the mobile
phone, when that data can be accessed, and on external storage.
Many tools, both open source and commercial, are available to retrieve and analyze
smartphone data from iOS, Android, Windows and BlackBerry devices.
Each tool has its own set of advantages and limitations.

Why is smartphone forensics needed?

Mobile phone technology is evolving at a rapid pace, while digital forensics for mobile
devices is evolving much more slowly.
Mobile devices today can store a wealth of personal information such as photos, videos,
calendars, notes, SMS and MMS messages, email, web browsing information, location
information, and social networking messages and contacts, often intentionally and
sometimes unintentionally. This holds for almost all mobile devices, whether iOS,
Android, Windows Phone, BlackBerry or PDA.

NII confidential
A mobile phone can be used as a communication tool in the process of committing a
crime, or it can contain a victim's information.
Evidence to look for on a mobile phone during a forensic investigation:
• Contact information.
• Text messages.
• Call records and history.
• E-mail.
• Photos.
• Audio and videos.
• Multi-media messages.
• Instant messaging.
• Web browsing history, bookmarks.
• Files and other documents.
• Phone settings, SIM and other information.

Challenges in Mobile Forensics

Performing a forensic investigation on a mobile device can be challenging for any mobile
forensic expert on a number of levels. The primary challenges are:

• File system structure:

One of the primary challenges faced during a mobile forensic investigation is the
file system structure, as it differs for every mobile operating system on the
market. Some operating systems are also proprietary to the hardware.
Example: data files might be stored in several locations; some information can
be stored in the phone's SIM card, on an external storage device, or in ROM
(read-only memory), which typically holds the mobile operating system and is not
easily changeable by the user without root privileges.

• Ever evolving operating systems:

Smartphones have evolved into full-fledged computing systems that can run
various software, and there are more operating systems for smartphones than
for PCs. The mobile forensics investigator must be able to recognize a phone's
model and know which data acquisition methods can be applied to the device.
E.g. Evolution of the Android operating system:

Initial release date   OS name             Version
April 27, 2009         Cupcake             1.5
September 15, 2009     Donut               1.6
October 26, 2009       Éclair              2.0-2.1
May 20, 2010           Froyo               2.2-2.2.3
December 6, 2010       Gingerbread         2.3-2.3.7
February 22, 2011      Honeycomb           3.0-3.2.6
October 18, 2011       Ice Cream Sandwich  4.0-4.0.4
July 9, 2012           Jelly Bean          4.1-4.3.1
October 31, 2013       KitKat              4.4-4.4.4
November 12, 2014      Lollipop            5.0-5.1.1
October 5, 2015        Marshmallow         6.0-6.0.1

• Maintaining data volatility

When seizing a device it may be necessary to keep it powered up until the analysis
is complete, in order to prevent the loss of important data that may be changed or
overwritten when the phone shuts down or reboots. In some cases a forensic analyst
may also need to keep the device in a Faraday bag (a special bag made of material
that blocks connectivity to cellular networks, Wi-Fi and Bluetooth) to avoid evidence
on the device being overwritten.

Figure 1: Faraday bag.

However, putting the device into a Faraday bag may not be good practice, as the
device will recognize the network disconnection and change its status information,
which can trigger new data to be written.

• Software tools for assessment

There are numerous software and hardware tools available on the market for mobile
phone forensics. Determining the correct solution for a particular investigation is
difficult because so many options are available.


USB debugging needs to be enabled on the device

In order to gain access to the root directory, Universal Serial Bus (USB) debugging
has to be enabled on the phone; by default this setting is disabled.
To enable it, go to Settings > Developer Options > tick the USB Debugging checkbox;
a window pops up asking you to confirm this function > press OK. That's it.

Figure 2: USB debugging.

Tools for smartphone forensics:

Commercial tools:
1) EnCase Smartphone Forensics.
2) Cellebrite UFED Touch (hardware based).
3) Paraben DS 7.
4) Oxygen Forensics Suite.

Command line tools:
1) ADB (Android Debug Bridge).
2) dd.
Tool: Android Debug Bridge
Android Debug Bridge (adb) is a versatile command line tool that lets you communicate
with an emulator instance or a connected Android-powered device.

Figure 3: ADB

It is a client-server program that includes three components:

• A client, which runs on your development machine. You invoke a client from a
shell by issuing an adb command.

• A server, which runs as a background process on your development machine. The
server manages communication between the client and the adb daemon running on
an emulator or device.

• A daemon, which runs as a background process on each emulator or device
instance.

Figure 4: Device connected to adb.

Below are some of the commands of ADB:

• adb root (restarts the adb daemon with superuser permissions).

• adb logcat (to see the phone's logs).

• adb install (to install an APK file).

• adb devices (to check connected devices).

• adb shell (for a remote shell).

Mobile forensics methodology

There are two categories of mobile forensics:
• Manual forensic investigation.
Testing is done manually through command line tools such as adb rather than
through automated tools.
• Automated forensic investigation.
This involves the use of automated tools such as EnCase Smartphone Forensics or
Oxygen Forensics Suite.

While mobile forensics follows the same principles and ideas as digital forensics,
the 6 A's to be specific, some differences exist in the Assessment and Acquisition
phases, as follows:

• Assessment phase:

In the assessment phase, if the suspected mobile device is in working mode and
not powered off, the forensic investigator has to immediately put it into a Faraday
bag, because evidence residing on the device can be tampered with if it is reachable
via a wireless or telecom network, be it GSM or CDMA.
The investigator also has to collect the charger and USB cable for the mobile device;
if they are not available, the investigator must have an alternate power source for
that particular device, since an inappropriate power supply may cause the mobile OS
to lock the device.

• Acquisition

This phase refers to the retrieval of material from the device. Acquisitions are of
two types:
1) Logical:
• Logical acquisition means a bit-by-bit copy of the directories and files that
reside on a logical storage unit.
• Logical acquisitions are the most common technique, because they are the
easiest and often provide enough data.
• No root access is needed, just USB debugging.

• We will look further into adb logical extraction, then into commercial
forensic tools, including Cellebrite and Paraben products.
Advantages: fast and low complexity; few or no changes occur on the device.
Disadvantages: limited data availability; a full image of the disk cannot be
obtained.

2) Physical

• Physical extraction can be achieved via hardware or software forensics.

• The ability to physically image memory is the holy grail of mobile device
forensics.
• Hardware-based extraction may involve physically tearing down the device,
likely rendering it inoperable.
• Software-based extraction is less destructive, but the main concern is that
the phone has to be rooted.

• Physical extraction through software attempts to acquire the entire image of
the device, including deleted data.
Advantages: a full image of the device can be acquired; the level of detail
available is very high; few or no changes to the device if it is already rooted.
Disadvantages: time consuming, and requires the device to be rooted or
jailbroken.
Three methods to perform mobile imaging:
Method 1:
If the mobile is in the "on" state, it should always be connected to an appropriate
power source. When the device is on, evidence can be found in three locations: RAM
(volatile evidence), internal memory (flash memory/SSD), and the external memory
card (SD/microSD card).

Method 2:
If the mobile is in the "off" state, evidence residing in RAM cannot be retrieved. In the
"off" state, external memory can be imaged using various tools, as memory cards may
contain a vast amount of data such as images, text files, Excel sheets etc. Unlike the
RAM in a device, such removable media is non-volatile storage and requires no battery
to retain data. To image the internal memory of the mobile, chip-off forensics can be
performed.
Chip-off forensics is often considered a last option in mobile forensics, as this
acquisition procedure involves physically removing the non-volatile integrated circuit
from the device and reading it directly on an external specialized reader.

Figure 5: Programmer and reader adapter for BlackBerry and Android.
It is possible to destroy the circuit during the process through physical damage or
heat, and once the chip is removed it cannot be put back on the original circuit board.

Method 3:
If the mobile is in the "off" state, the investigator has to switch it on and take an
immediate snapshot of the mobile screen. Additionally, one needs to note and record
the current battery charge before starting further investigation.

Imaging an SD card using FTK Imager

• Select Create Disk Image in FTK Imager.

Figure 6: Create Disk Image.

• Select the Physical Drive option.

Figure 7: Select physical drive.

• Select the SD card as the drive source.

Figure 8: Select the SD card.

• Select the image type to be created.

Figure 9: Select image type.

• Fill in the Evidence Item Information.

Figure 10: Fill in the details.

• Select the destination where the image is to be saved.

Figure 11: Image destination folder.

• Click the Start button for image creation to begin.

Figure 12: Start imaging.

• The image of the SD card has been created successfully.

Figure 13: Imaging of SD card complete.

Imaging the Android file system using the dd tool

Figure 14: Check partition location.
Figure 15: Successful image creation with dd.

Figure 16: Output image of the file system.
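The figures above only show the dd run itself. The following script is an added example, not code from the original document: it wraps the same dd copy in the integrity check an examiner wants, hashing source and image and recording the digest so the image can be re-verified later. It assumes a rooted handset where the dd line would be issued through `adb shell su -c` against the partition found in /proc/partitions; here the source is a constructed file so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original document. Images a source with dd and
# proves the copy is faithful by comparing SHA-256 digests of source and image,
# then re-verifies the image later against the digest recorded at acquisition.
# On a rooted handset the dd line would be issued through `adb shell su -c`
# against the partition located in /proc/partitions (Figure 14); here the
# source is a constructed file so the script runs offline.
set -eu

sha256_of() {
    # Print the SHA-256 hex digest of the file named in $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

image_and_verify() {
    # image_and_verify SRC DST: copy SRC to DST with dd, keep dd's own summary
    # in DST.log, record the image digest in DST.sha256, and succeed only if
    # source and image hash identically.
    src=$1; dst=$2
    # conv=noerror,sync reads past bad blocks and zero-fills them instead of
    # aborting. sync also pads the final partial block to bs, so a plain file
    # whose size is not a multiple of bs yields a larger image and a hash
    # mismatch; block devices are whole multiples of 512 bytes, hence bs=512.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.log"
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    printf '%s  %s\n' "$dst_hash" "$dst" >"$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    # verify_image DST: recompute the image digest and compare it with the
    # digest recorded at acquisition time; any later change fails this check.
    dst=$1
    recorded=$(awk '{print $1}' "$dst.sha256")
    [ "$(sha256_of "$dst")" = "$recorded" ]
}

make_sample_source() {
    # Constructed stand-in for a partition: 40 sectors of random bytes in $1.
    dd if=/dev/urandom of="$1" bs=512 count=40 2>/dev/null
}
```

Keep the .log and .sha256 sidecars with the image; together they document how the copy was made and let anyone re-run verify_image before analysis.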

Rooting and jailbreaking

Jailbreaking and rooting are methods that give you unrestricted, administrative
access to the entire file system of your mobile device. The difference between
jailbreaking and rooting is that the term jailbreak refers to Apple iOS devices
(iPhone, iPad, iPod touch), while rooting refers to Android devices. It is basically
the same concept, but with different terms for the two mobile operating systems.
Importance of rooting the device in order to obtain an image of memory:

The ability to physically image memory is the holy grail of mobile device forensics. The
device's memory can contain extremely valuable data, such as the contact list, call
logs, text messages, and other phone data. Additional information can also be
uncovered, such as web history, e-mails, images viewed on the phone, passwords, and
fragments of other data. Access to memory and this information can be obtained by
rooting the phone.
To verify whether your phone is rooted or not, use the application Root Checker Basic.
Figure 17: Root Checker app.

Types of root:

• Temporary root: root access to the device only until the device is rebooted, which
then disables root.
E.g. check that USB debugging mode is running for temporary root access.

Figure 18: Temporary access to the root directory.

• Permanent root: root access remains even after reboots. Commonly enabled
with a custom ROM.
E.g. to root the phone permanently, use the tool RootGenius.
Android directory structure

The most important locations for a forensic analyst are /system, /data, /sdcard and
/ext_card.

• /system: contains operating system-specific data, with various subdirectories
holding the system apps, fonts, libraries, executables etc.

Figure 19: System directory.

• /data: contains user-specific data, such as the data stored by an SMS application.
The executable files of each installed application can be seen in the "/data/app"
directory. This requires root privileges, which means a user without a rooted
device cannot see the contents of this directory.

Figure 20: Data directory.

• /sdcard and /ext_card: in this specific case, we have sdcard for internal storage
and ext_card for external storage. Usually, sdcard is used for external storage.
These are used to store user data such as images, music files, videos etc.

Figure 21: SD card.

How to perform a forensic investigation when the device is locked?

If a mobile device is locked, the following approaches may be evaluated in order of
preference:
Ask the suspect: if a device is protected with a password, PIN, token, or other
authentication mechanism involving knowledge-based authentication, the suspect can
be asked for this information during the initial interview. Especially if the
investigation involves law enforcement, the suspect is required by law to divulge this
information or face penalties under the IT Act for obstruction of evidence.
Exploit possible insecure settings: some phone models may easily yield access
because of common user configuration errors. A user may set the phone lock but not
change the security code from its default value, allowing anyone to gain access using
the default security code to reset or disable the phone lock.
Root access will not be possible if an examiner encounters a locked Android device that
does not have USB debugging enabled. If presented with a locked device, one may
hope that USB debugging is currently enabled, and must defeat the lock screen by some
other method.