Android Forensics Techniques – Forensics Image Acquisition Process
Hello guys! Today I am going to share a method of Android forensics. With this method you can create a dd image of an Android device and analyze or investigate it. Nowadays crime stories are increasing, and in many of them a mobile phone is involved in some way or the other. Almost everyone has an Android phone.
In the previous blog we discussed Android forensics logical acquisition. In this blog you will learn Android forensics via physical acquisition, so read these steps carefully and enjoy.
What is Android Forensics?
Android forensics comes under mobile forensics, which is a branch of digital forensics. It is about the acquisition and analysis of mobile devices to recover digital evidence for forensic investigations.
Acquisition Protocol You Should Follow in a Real Case
- Handle the mobile device with gloves; fingerprints can be collected from the phone.
- Note the important information on the chain of custody form, like the IMEI number, serial number etc.
- If you find the mobile phone unlocked and running, make a note of all running applications and observe the files.
- Use a Faraday bag to collect the mobile phone.
Tools Required:
Important Points You Must Know During Android Forensics
- The Android device must be rooted before acquiring an image from it.
- Make sure BusyBox is successfully installed on the Android device. If it is not installed, you can install it with ADB.
- If the device owner is present during acquisition, the device password, PIN or pattern lock details should be obtained. Many times manufacturers do not cooperate with law enforcement when the password is not available; they will refuse to unlock the device citing privacy and confidentiality.
How To Acquire Image From Android Mobile
Step#1. First of all, connect your Android phone to your computer via ADB. Make sure USB debugging mode is enabled. Now open your terminal or CMD, type the command adb devices and hit enter. This confirms whether the Android device is connected or not.
Step#2. Now type the command adb -d shell to access the Android device. After that, type the su command to get root permission. You will get a pop-up on your Android device asking you to grant permission to continue. Once you grant the permission you can access the Android device as root.
Step#3. Now type the command ls /data to list its directories. You can only access these directories with root privileges.
Step#4. Now check the partitions of the Android device, since you can create a dd image of a partition. Type the command cat /proc/partitions and hit enter. You will get a list of block devices with different sizes. Find the mmcblk0 entry (mmcblk0 is the whole internal eMMC storage; mmcblk0p1, mmcblk0p2 and so on are its partitions). This is where you will get the largest amount of data.
Step#5. Now establish a connection between the Android device and the computer. Using this connection you can get the dd image from the Android device directly onto your computer. In a new tab of the terminal, type the command adb forward tcp:8888 tcp:8888 and hit enter. This forwards port 8888 on your computer to port 8888 on the Android device, so the dd image can be sent over it.
Step#6. Now run this command in the adb shell to create a dd image of mmcblk0: dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888 and hit enter. Your Android device will now read the raw block device with dd and wait to transfer it to the computer through netcat.
Step#7. Once the connection is active, the data will be saved as android.dd. In another new tab type nc 127.0.0.1 8888 > android.dd and hit enter. The data will now start arriving on your computer. It will take a lot of time depending on the storage size of the Android device. Once the process completes, the image file can be analyzed with any software.
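The acquisition from Steps 1 to 7 as one script, with a SHA-256 integrity check the steps above do not include. This is an added example, not code from the original post; it assumes adb, nc and sha256sum on the examiner machine, BusyBox on the rooted device, and the port 8888 and file name android.dd from the steps, and it generalizes the mmcblk0 choice by picking the largest block device listed in /proc/partitions.

```shell
#!/bin/sh
# Added example (not from the original post): the dd-over-netcat acquisition of
# steps 1-7 as one script, plus a SHA-256 check the post does not mention.
# Assumptions: adb, nc and sha256sum on the examiner machine; BusyBox on the
# rooted device; port 8888 and the output name android.dd as in the post.
PORT=8888
OUT=android.dd

# Pick the largest block device from /proc/partitions text read on stdin
# (mmcblk0 on eMMC phones, sda on UFS ones). Prints "<name> <blocks>".
largest_block_device() {
    awk 'NR > 1 && $4 != "" && $3 ~ /^[0-9]+$/ && $3 + 0 > max + 0 {
             max = $3; name = $4
         }
         END { if (name != "") print name, max }'
}

# Compare the SHA-256 of the captured image with the hash computed on the
# device. $1 = local image file, $2 = hex digest from the device.
compare_hash() {
    local_hash=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$local_hash" = "$2" ]; then echo match; else echo MISMATCH; fi
}

# Full acquisition: needs a rooted device with USB debugging enabled.
acquire() {
    dev=$(adb -d shell cat /proc/partitions | tr -d '\r' \
          | largest_block_device | awk '{ print $1 }')
    [ -n "$dev" ] || { echo "no block device found" >&2; return 1; }
    # Hash the raw device before streaming it, so the copy can be verified.
    dev_hash=$(adb -d shell "su -c 'busybox sha256sum /dev/block/$dev'" \
               | awk '{ print $1 }')
    adb forward "tcp:$PORT" "tcp:$PORT"
    # Device side: dd streams the block device into a listening BusyBox nc.
    adb -d shell "su -c 'dd if=/dev/block/$dev | busybox nc -l -p $PORT'" &
    sleep 3
    # Examiner side: pull the stream through the forwarded port into the image.
    nc 127.0.0.1 "$PORT" > "$OUT"
    wait
    echo "image: $OUT ($(wc -c < "$OUT") bytes)"
    compare_hash "$OUT" "$dev_hash"
}

# Run the acquisition only when asked: ./acquire.sh run
case "${1:-}" in run) acquire ;; esac
```

Only the two helpers run without a phone attached; invoking the script with the argument run performs the actual acquisition and prints match or MISMATCH at the end.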
How To Analyze DD Image of Android
Here I will use the Autopsy tool to analyze the dd image of the Android device and collect data from it.
Step#1. Download and install Autopsy on your computer. After installation, simply open Autopsy; you will get 3 options, now click on New Case.
Step#2. Now fill in the case name, choose the case type single user and then click Next.
Step#3. Here you can fill in optional information like examiner name, phone number, contact details etc. After filling in the details click Next.
Step#4. Here choose the source type Disk Image or VM File and click Next.
Step#5. Now select your dd image file from its location and click Next.
Step#6. Now you will get the details of all partitions here; you can choose any partition and analyze the dd image.
Step#7. In this section you will get all the files that were available on that device. If something was deleted from the Android device, you can collect those files as well. Now you can analyze and recover data/evidence from the dd image.
Step#8. After the examination, if you want to create a report, click on the Tools option and you will see the Generate Report option; click on that. It will ask for the report format; choose according to your need or just simply click on the Excel report. The report will be saved on your computer. Then you can present it as evidence.
Conclusion:
So guys, in this blog you found the technique of Android forensics. If you are a student and you don't have a rooted device, or you don't want to root your Android device, you can use Genymotion on your computer. It gives you a virtual Android device where you can polish your skills.
If you liked this article or found this blog helpful, share it with your friends, and if you still have any query then feel free to drop your comments here.