Unit - V
ANDROID FORENSICS
Android basics – Key Codes – ADB – Rooting Android – Boot Process – File Systems – Security – Tools –
Android Forensics – Forensic Procedures – ADB – Android Only Tools – Dual Use Tools – Oxygen
Forensics – MobilEdit – Android App Decompiling
1. What is the boot process?
Every operating system has a boot process. It begins when the power is turned on and
completes when the device's operating system is fully loaded and functioning. When an Android
device is powered on, execution starts with the boot ROM code fixed in the SoC. The boot ROM
locates the initial boot loader and copies it into internal RAM. The classic Android boot loader
is split into an Initial Program Load (IPL) and a Second Program Load (SPL). The IPL detects and
initialises the external RAM; once that RAM is available, the SPL is copied into it. The SPL then
locates and loads the Linux kernel, and from that point on the kernel is responsible for process
management, memory management and enforcing security.
2. List the levels of the Mobile Forensic Pyramid.
Mobile Forensics Pyramid: the level of extraction and analysis required depends on the
request and the specifics of the investigation. From least to most invasive the levels are Manual,
Logical, File System, Physical (non-invasive), Physical (invasive), Chip-off and MicroRead.
3. How is the TOOL ALL-IN-ONE used?
This tool is not designed just for forensics. It offers a user-friendly interface for operations such
as unlocking bootloaders, flashing custom recoveries like TWRP, installing drivers, and more.
The bootloader unlock option asks to reboot the phone into fastboot mode. Note that on almost
every device an OEM bootloader unlock wipes the userdata partition (a factory reset), so it
destroys exactly the evidence an examiner is after and must not be run on an evidentiary device.
In a forensic context the tool is mainly useful for rebooting into a specific mode such as fastboot
or EDL.
4. Give the advantages of Android App decompiling.
i) Malware analysis: Crucial for analyzing suspicious or malicious apps and understanding
their behaviour
ii) Identify vulnerabilities: Helps security researchers find flaws like hardcoded
credentials, insecure API keys, or outdated libraries.
iii) Lost source code recovery: If a developer loses access to their original source code,
decompiling the APK can help recover a readable version.
iv) Debug production builds: Enables debugging of an app when only the compiled APK is
available.
5. List the adb shell commands to get information about the Android phone.
To get information about the phone itself, not just its content, a series of getprop commands
can be executed, each returning one system property:
adb shell getprop ro.product.model
adb shell getprop ro.build.version.release
adb shell getprop ro.serialno
adb shell getprop ro.board.platform
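The four getprop calls above answer one question each; in practice an examiner dumps every property once (adb shell getprop, one "[key]: [value]" pair per line) and triages the dump offline. The parser and triage below are an added example, not part of the original notes: the sample dump is constructed, and the security-state keys it inspects (ro.build.type, ro.boot.verifiedbootstate, ro.boot.flash.locked, ro.debuggable) are real AOSP properties whose presence varies by device.

```python
import re

# One "[key]: [value]" pair per line, as printed by `adb shell getprop`.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample dump (not from a real device) with a few security-relevant keys.
SAMPLE = """\
[ro.product.model]: [Pixel 4a]
[ro.build.version.release]: [13]
[ro.build.type]: [user]
[ro.serialno]: [0A1B2C3D]
[ro.board.platform]: [lito]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

IDENTITY_KEYS = (
    "ro.product.model", "ro.build.version.release",
    "ro.serialno", "ro.board.platform",
)


def parse_getprop(text):
    """Parse getprop output into a dict; lines that do not fit the format are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(props):
    """Summarise identity plus the properties that tell an examiner what
    level of access to expect before touching the device."""
    out = {k: props.get(k, "<absent>") for k in IDENTITY_KEYS}
    # user builds ship to customers; userdebug/eng builds allow `adb root`.
    out["build_type"] = props.get("ro.build.type", "<absent>")
    # Verified Boot state: green = locked and verified, yellow = custom key,
    # orange = bootloader unlocked (userdata was wiped when that happened).
    out["verified_boot"] = props.get("ro.boot.verifiedbootstate", "<absent>")
    out["bootloader_locked"] = props.get("ro.boot.flash.locked") == "1"
    # ro.debuggable=1 means adbd can be restarted as root.
    out["debuggable"] = props.get("ro.debuggable") == "1"
    return out


if __name__ == "__main__":
    for k, v in triage(parse_getprop(SAMPLE)).items():
        print(f"{k:18} {v}")
```

Record the raw dump alongside the summary: the summary is a derived artefact, and the verified-boot and lock-state values justify (or rule out) later physical extraction steps.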
6. What are the cryptographic security features of an Android device?
Cryptography is a critical part of security on any mobile device. Modern Android devices use
file-based encryption with AES, normally hardware accelerated. In February 2019, Google
unveiled Adiantum, an encryption construction designed primarily for low-end devices that do
not have hardware-accelerated support for the Advanced Encryption Standard (AES). Adiantum
is a length-preserving construction for disk encryption that combines the XChaCha12 stream
cipher, a single AES-256 block operation per sector, and the NH and Poly1305 hash functions,
so that only one AES call is needed per sector. ChaCha is a variant of the Salsa20 stream cipher.
7. Mention some of the versions of Android.
• Version 1.5 Cupcake • Version 1.6 Donut
• Version 2.0-2.1 Eclair • Version 2.2 Froyo
• Version 2.3 Gingerbread • Version 3.0-3.2 Honeycomb
• Version 4.0 Ice Cream Sandwich
• Version 4.1-4.3 Jelly Bean • Version 4.4 KitKat
• Version 5.0-5.1 Lollipop • Version 6.0 Marshmallow
• Version 7.0-7.1 Nougat • Version 8.0-8.1 Oreo
• Version 9 Pie • Android 10 (called Q during beta testing)
• Android 11, released September 2020 (first developer preview February 2020)
8. Mention the directories that may yield forensic evidence.
The acct directory is the mount point for the control group and provides user accounting.
The cache directory stores frequently accessed data. This will almost always be
interesting forensically.
The data directory has data for each app. This is clearly critical for forensic examinations.
The mnt directory is a mount point for all file systems and can indicate internal and
external storage such as SD cards.
9. What are the different date / time formats that are used in Android?
Android can use several different date/time formats. The following lists the various epochs
encountered:
• UNIX, based on Jan 1, 1970 (Android SQLite databases usually store this in milliseconds)
• GPS, based on Jan 6, 1980
• Some vendors (such as Motorola) may use AOL, based on Jan 1, 1980
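A raw integer from a database column is meaningless until the right epoch (and unit) is applied, and picking the wrong one shifts every timestamp by about ten years. The converter below is an added example, not part of the original notes; it also handles millisecond values and the leap-second correction that GPS time needs, which the list above does not mention. The year window used by candidates() is an assumption chosen for triage, not a standard.

```python
from datetime import datetime, timedelta, timezone

# Epoch starts from the list above. GPS time does not count leap seconds,
# so a GPS value converted to UTC must subtract the leap seconds accumulated
# since 1980-01-06 (18 for any date from 2017-01-01 onward).
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "gps": datetime(1980, 1, 6, tzinfo=timezone.utc),
    "aol": datetime(1980, 1, 1, tzinfo=timezone.utc),
}


def epoch_offset(name):
    """Seconds to add to a value in the named epoch to obtain a UNIX value."""
    return int((EPOCHS[name] - EPOCHS["unix"]).total_seconds())


def to_utc(value, epoch="unix", leap_seconds=0):
    """Convert a raw integer timestamp to an aware UTC datetime.
    Values above 10**11 are assumed to be milliseconds (Android's usual unit
    for date columns) and are scaled down first."""
    seconds = value / 1000 if value > 10**11 else value
    return EPOCHS[epoch] + timedelta(seconds=seconds - leap_seconds)


def candidates(value, year_range=(2005, 2030)):
    """Render a raw value under every epoch and keep only the readings that
    fall inside a plausible year window, so an examiner can see which epoch
    a column most likely uses. Assumed window, adjust per case."""
    out = {}
    for name in EPOCHS:
        dt = to_utc(value, name)
        if year_range[0] <= dt.year <= year_range[1]:
            out[name] = dt
    return out


if __name__ == "__main__":
    # Constructed values: a UNIX ms timestamp and a bare GPS count.
    for raw in (1700000000000, 1384000000):
        print(raw, {k: v.isoformat() for k, v in candidates(raw).items()})
```

When two epochs both give plausible dates, corroborate with a neighbouring record whose true time is known (a call log entry matched to carrier records, for instance) before committing to one.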
10. What are the keycodes that can be entered on an Android phone to get useful information
from the phone?
A number of keycodes can be entered in the dialler of an Android phone to get useful
information from it. These are useful in diagnostics as well as forensics. Most are manufacturer
specific (the first three below are Samsung codes; *#*#4636#*#* opens the stock AOSP testing
menu), and because they change device state or write diagnostic files, each code entered should
be recorded in the examination notes. Some are:
Diagnostic configuration *#9090#
Battery status *#0228#
System dump mode *#9900#
Testing menu *#*#4636#*#*
11. Mention and explain the three components of ADB.
The Android Debugging Bridge has three components:
A client, which sends commands. The client runs on the development machine. The
investigator can invoke a client from a command-line terminal by issuing an adb
command.
A daemon (adbd), which runs commands on a device. The daemon runs as a background
process on each device.
A server, which manages communication between the client and the daemon. The server
runs as a background process on your development machine.
12. Mention the use of the kill-server command in adb.
If the device does not appear in adb devices (for example because USB debugging was only just
enabled, or the "Allow USB debugging" prompt that authorises the examiner's RSA key has not
yet been accepted on the phone) or the ADB server is in a bad state, kill the server and restart
it as shown here:
adb kill-server
adb start-server
13. List some of the common adb commands.
Command: adb pull - Pulls a single file or an entire directory from the device to the connected
computer.
Command: adb backup -f <archive name> - Creates a backup of the device in an .ab archive.
Command: adb restore <archive name> - Restores the device from a backup archive. This writes
to the device and must not be run on an evidentiary phone.
Command: adb reboot - Reboots the phone; there are several modes:
adb reboot recovery
adb reboot bootloader
Command: adb shell dumpsys package com.android.chrome - Dumps all the package-manager
data (permissions, install time, signing info, data directory) for the given package.
14. Compare the three file systems used in Android.
Purpose
  F2FS (Flash Friendly File System): designed for NAND-based block devices that sit behind a
  flash translation layer (SSDs, eMMC, UFS); used for userdata on many current devices.
  YAFFS2 (Yet Another Flash File System version 2): designed specifically for raw NAND flash in
  embedded systems; used by early Android devices.
  JFFS2 (Journaling Flash File System version 2): developed for raw flash devices with no
  wear-levelling controller.
Structure
  F2FS: uses nodes (inode, direct, indirect). The volume is organised into six regions:
  Superblock (SB), Checkpoint (CP), Segment Info Table (SIT), Node Address Table (NAT),
  Segment Summary Area (SSA) and the Main Area.
  YAFFS2: data and metadata written together in chunks; uses a tree structure and unique
  object IDs for files.
  JFFS2: a log of inode nodes and dirent nodes (directory entries).
Journaling
  F2FS: yes (checkpointing)
  YAFFS2: partial (checkpoint only)
  JFFS2: yes (the whole file system is a log)
Kernel support
  F2FS: mainline Linux 3.8+, widely supported
  YAFFS2: out-of-tree; no longer present in modern Android kernels
  JFFS2: still in mainline Linux, legacy use
Garbage collection
  F2FS: yes
  YAFFS2: yes
  JFFS2: yes (background gc thread)
15. Write about ART.
Android Runtime (ART) is the application runtime used by Android: a virtual machine that
executes the DEX bytecode packaged in each APK. Each application runs in its own process with
its own instance of the runtime. ART replaced the earlier Dalvik VM, which relied on just-in-time
(JIT) compilation. ART introduced ahead-of-time (AOT) compilation: as soon as an app is
installed it is compiled into native code. This speeds up execution, at a cost in storage and
install time; since Android 7 ART combines AOT with a JIT compiler and profile-guided
compilation so that only frequently used code is precompiled. Modern devices have ever
increasing storage, so the storage cost matters less. Forensically, the compiled output lives in
/data/dalvik-cache and in each app's oat directory under /data/app.
16. Give the command used for taking a backup of the device.
To make a backup of the device, the general format of the command is:
adb backup -all -f <archive>.ab
A specific example would be:
adb backup -all -f c:\phonebackup\backup.ab
The user must confirm the backup on the device screen, and may set a password there, in which
case the archive is AES-256 encrypted. Since Android 12, apps that target API level 31 or higher
are excluded from adb backup by default, so on current devices the archive holds far less than
the command suggests.
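The .ab archive that adb backup writes is a small text header (magic line, format version, compression flag, encryption method) followed by a zlib-compressed tar stream when no password was set. The reader below is an added example, not part of the original notes or of the adb tooling; it builds a constructed archive in memory so it runs offline, and it refuses to guess at encrypted archives, which carry extra header lines and need the user's password.

```python
import io
import tarfile
import zlib

MAGIC = "ANDROID BACKUP"


def build_sample_backup():
    """Constructed .ab archive (not from a real device): version 5,
    compressed, unencrypted, containing one app file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello"
        info = tarfile.TarInfo("apps/com.example.notes/f/notes.db")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    header = f"{MAGIC}\n5\n1\nnone\n".encode("ascii")
    return header + zlib.compress(buf.getvalue())


def parse_ab(blob):
    """Return (header_info, tar_bytes). tar_bytes is None for encrypted
    archives, whose payload cannot be recovered without the password."""
    pos, fields = 0, []
    for _ in range(4):
        nl = blob.index(b"\n", pos)
        fields.append(blob[pos:nl].decode("ascii"))
        pos = nl + 1
    magic, version, compressed, encryption = fields
    if magic != MAGIC:
        raise ValueError("not an Android backup archive")
    info = {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption}
    if encryption != "none":
        # AES-256 archives add salt, round count, IV and wrapped-key lines here.
        return info, None
    body = blob[pos:]
    if info["compressed"]:
        body = zlib.decompress(body)
    return info, body


def list_members(tar_bytes):
    """Member paths inside the backup, e.g. apps/<package>/f/<file>."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def read_member(tar_bytes, name):
    """Extract one member's bytes without touching the filesystem."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.extractfile(name).read()


if __name__ == "__main__":
    info, body = parse_ab(build_sample_backup())
    print(info)
    for name in list_members(body):
        print(name, read_member(body, name))
```

Hash the .ab file before opening it and work on the decompressed tar in memory or in a separate evidence directory; never extract with a tar tool that follows paths outside the target directory.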
17. What are the different flags in the ls command?
Most Linux commands accept a number of flags; on Android the ls binary comes from toybox and
supports the common ones. Some of the flags are:
Show hidden files: ls -a
Show sizes in a human-readable format: ls -lh
Recursively show subdirectories: ls -R
Long listing sorted by modification time, oldest first: ls -ltr
See the numeric UID and GID of files: ls -n
Sort by time and date, newest first: ls -t
18. Mention the use of the ps command and the common flags used in it.
The ps command lists the running processes. It has a number of useful flags that alter the
output. Some common flags (as implemented by procps on desktop Linux; Android's toybox ps
supports a subset, so check ps --help on the device) are:
Show all processes: ps -A or ps -e
See processes running as root: ps -U root -u root
See the process tree: ps -e --forest
See the process tree for a specific program: ps -f --forest -C sshd
Select processes by program name: ps -C sshd
19. What is the use of the pm command and what are some of its common flags?
The pm (package manager) command is used to list the packages installed on the device. If there
is spyware, a hidden app, or another interesting app, this will help you find it. There are
several variations of this command you will likely find useful:
pm list packages -f Show the APK path of each package.
pm list packages -d Filter to only show disabled packages.
pm list packages -e Filter to only show enabled packages.
pm list packages -i Show the installer of each package.
pm list packages -u Also include uninstalled packages.
pm list packages -3 Show only third-party (non-system) packages.
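Combining -f and -i gives, per line, the APK path, the package name and the installer, which is enough to separate store installs from sideloaded or adb-installed apps. The parser and filter below are an added example, not part of the original notes; the sample listing is constructed, and the set of installers treated as stores is an assumption to adjust for the device's region and vendor.

```python
import re

# `pm list packages -f -i` prints: package:<apk path>=<package>  installer=<installer>
LINE_RE = re.compile(
    r"^package:(?:(?P<path>.+?)=)?(?P<pkg>[\w.]+)(?:\s+installer=(?P<installer>\S+))?$"
)

# Installers that indicate a store install (assumed list). Anything else on a
# user-installed package, including "null" (adb install) and the package
# installer (manual APK install), deserves a closer look.
STORE_INSTALLERS = {"com.android.vending", "com.amazon.venezia"}

# Constructed sample listing, not from a real device.
SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/~~Qx1==/com.example.chat-AbC==/base.apk=com.example.chat  installer=com.android.vending
package:/data/app/~~Zz9==/com.example.hiddenagent-Kk2==/base.apk=com.example.hiddenagent  installer=com.google.android.packageinstaller
package:/data/app/~~Mm3==/com.example.adbdrop-Pp4==/base.apk=com.example.adbdrop  installer=null
"""


def parse_pm_list(text):
    """Parse pm list packages output into records with path, pkg, installer, system."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["installer"] == "null":
            rec["installer"] = None
        # Anything outside /data/app came with the image (system, vendor, product).
        rec["system"] = bool(rec["path"]) and not rec["path"].startswith("/data/app")
        records.append(rec)
    return records


def suspicious(records):
    """User-installed packages that did not come from a known store."""
    return [r["pkg"] for r in records
            if not r["system"] and r["installer"] not in STORE_INSTALLERS]


if __name__ == "__main__":
    recs = parse_pm_list(SAMPLE)
    for r in recs:
        print(f"{'system' if r['system'] else 'user  '} {r['pkg']:32} {r['installer']}")
    print("review:", suspicious(recs))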
20. Give a comparison of Android tools.
ADB/Fastboot Android Tools
  Main use: ADB/fastboot automation and backup handling
  Interface: GUI plus shell
  Key features: GUI wrappers around ADB and fastboot commands, shell access, ADB backup file
  handling, rooting attempts
  Pros: Easy-to-use GUI, combines command line and GUI, free and open source
  Cons: Relies heavily on ADB; of limited use if the device has USB debugging disabled
Autopsy
  Main use: Forensic analysis of device images
  Interface: GUI
  Key features: File system analysis, data carving, call logs, messages, GPS data extraction
  Pros: Well-known forensic suite, detailed reports, widely used in forensic labs
  Cons: Does not extract data directly from phones; needs disk or image dumps
BitPim
  Main use: Accessing data from CDMA feature phones (mainly LG and Samsung)
  Interface: GUI
  Key features: Contact, calendar, SMS and media extraction
  Pros: Lightweight, good for older CDMA phones, helpful documentation
  Cons: Outdated, limited device support, not compatible with most modern smartphones
OSAF Toolkit
  Main use: All-in-one forensic VM with preloaded open-source tools
  Interface: Linux VM desktop
  Key features: App decompiling, ADB tools, imaging scripts, forensic utilities
  Pros: Good for training and labs, self-contained, includes many niche tools
  Cons: Linux-based VM may be complex for beginners; no official support
13 mark questions:
1. Explain Android OS details and the steps involved in the boot process of android devices.
2. With neat diagram explain the general architecture of Android device.
3. Explain different tasks performed by Android forensic tools.
4. Explain in detail about oxygen forensics tools in Android devices.
5. Illustrate how specialized key codes are used to get information from phone and list some of
the common ADB commands.
6. Show how ADB is specifically used to conduct forensic examinations of Android devices.
7. Explain the file systems used with Android and the security features.
8. Explain how we should work with Android when performing a forensic exam.
9. Discuss about the extraction of diagnostic information from Android devices through the ADB
protocol.
10. Explain the tools that work with both Android and iOS and tools to decompile Android apps.
11. Analyze the various tools used for Android phones with its advantages and give the
architecture of Android Runtime(ART).
12. Illustrate how Autopsy, BitPim and OSAF are used for extracting digital evidence from an
Android device.