Multiple forensic methods may work for any one device, but what’s “recommended” may not always net more data; in fact, incorrectly applied methods could modify or wipe the evidence altogether. Do you know which is which?
Each advancement in mobile forensics methods has occurred in response to a need to cope with rising evidence volumes and technical complexity.
From manual to automated processes
To automate evidence collection, rather than have to use AT commands to capture mobile device data, forensic vendors came up with “quick” or logical methods that relied on a device manufacturer’s Application Programming Interface (API) to request call logs, contacts, SMS messages, etc. Often, these methods are based on the methodology used to back the data up.
Although these methods couldn’t copy portions of the file system the way a computer logical extraction does, they were a good, device-specific way to respond to the rapidly diversifying hardware, operating systems, and file systems on mobile devices—an array of permutations that, even today, can be confusing. Many different operating systems can be housed on any one of a number of file system structures, each applied to a different device make and model.
Relying on APIs, however, has its own limitations. Because lower-level (Linux) kernel drivers for the display, camera, flash memory, keypad, wi-fi, audio, and other subsystems within the Android OS are not accessible from the application layer, the API cannot see or return deleted data, data such as call logs that the API does not expose, or metadata such as wi-fi networks, GPS locations, email headers, and image EXIF data hidden within the file system or in slack space on the device's memory.
From logical to physical methods
Therefore, file-system methods (which capture data throughout a device's file system, both live data and data marked for deletion) and physical methods evolved, especially once more end users began to rely on passwords or other lock-screen protection for their devices.
Like logical methods, non-destructive physical methods use a connection to the device to load the appropriate drivers, or the necessary code, to access the user partition and request a complete image of some or all areas of the mobile device's flash memory.
These methods include repair tools such as flasher boxes, and bootloaders that enable examiners to bypass lock-screen protection and obtain deleted data with fewer risks. They don't make a true bit-for-bit physical copy, as destructive methods such as chip-off do, but they change very little on the device other than the code needed to boot.
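The practical difference between an API-based logical extraction and a file-system or physical extraction (records marked deleted and data left in slack space are invisible to the first and recoverable by the second) is easiest to see on a small image. The following is an added example, not code from the original article or from any forensic vendor: it constructs a toy flash image with an invented 32-byte record layout (an assumption, not any real Android on-disk format), runs a simulated "logical" walk that honours the store's live/deleted flags, then carves the whole image the way a physical extraction would, and hashes the image so the examiner can later show the evidence was not altered during analysis.

```python
import hashlib

# Constructed toy record layout (assumption, not a real Android format):
# 2-byte magic "CT", 1-byte status (1 = live, 0 = marked deleted),
# then 29 bytes of UTF-8 "name:number" padded with NUL bytes. 32 bytes per record.
RECORD_SIZE = 32
MAGIC = b"CT"
LIVE, DELETED = 1, 0


def make_record(text: str, status: int) -> bytes:
    body = text.encode("utf-8")
    if len(body) > RECORD_SIZE - 3:
        raise ValueError("record body too long")
    return MAGIC + bytes([status]) + body.ljust(RECORD_SIZE - 3, b"\x00")


def build_sample_image() -> bytes:
    """Constructed flash image: a 3-entry record table followed by slack space
    that still holds a stale record from an earlier write."""
    table = b"".join([
        make_record("alice:+15550001", LIVE),
        make_record("bob:+15550002", DELETED),   # user deleted it; space not yet reused
        make_record("carol:+15550003", LIVE),
    ])
    # Slack: 0xFF erased-flash filler around a record that no index references any more.
    slack = b"\xff" * 7 + make_record("dave:+15550004", LIVE) + b"\xff" * 9
    return table + slack


def image_hash(image: bytes) -> str:
    """SHA-256 of the acquired image, recorded before analysis so the examiner can
    later demonstrate that the evidence was not modified."""
    return hashlib.sha256(image).hexdigest()


def logical_extract(image: bytes, record_count: int) -> list[str]:
    """Simulates an API/backup-style extraction: walks the store's own index and
    returns only the entries the store reports as live. Deleted entries and
    anything outside the table are never seen."""
    out = []
    for i in range(record_count):
        rec = image[i * RECORD_SIZE:(i + 1) * RECORD_SIZE]
        if rec[2] == LIVE:
            out.append(rec[3:].rstrip(b"\x00").decode("utf-8"))
    return out


def physical_carve(image: bytes) -> list[tuple[int, str, str]]:
    """Simulates a file-system/physical extraction: scans every offset of the
    image for the record signature, so records flagged deleted and records
    lying in slack space are recovered along with the live ones."""
    hits = []
    offset = image.find(MAGIC)
    while offset != -1 and offset + RECORD_SIZE <= len(image):
        rec = image[offset:offset + RECORD_SIZE]
        status = "live" if rec[2] == LIVE else "deleted"
        text = rec[3:].rstrip(b"\x00").decode("utf-8", "replace")
        hits.append((offset, status, text))
        offset = image.find(MAGIC, offset + RECORD_SIZE)
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_hash(img))
    print("logical (API-style):", logical_extract(img, 3))
    for off, status, text in physical_carve(img):
        print(f"physical carve @ {off:4d}: {status:8s} {text}")
    # Re-hash after analysis: any mismatch would mean the evidence was altered.
    assert image_hash(img) == image_hash(build_sample_image())
```

The logical pass returns only alice and carol; the carve additionally recovers bob (flagged deleted) and dave (sitting in slack at offset 103, referenced by no index). On a real device the carver would key on the signatures of SQLite pages or the file system's own structures rather than this invented magic, but the relationship between the two views is the same.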
Exploits and other methods
Owing to encryption and other increased user and data protections, however, forensic examiners have had to turn to "live" methods pioneered by mobile hackers to get around passwords. Some of these methods enable root access to devices for logical extractions; others include flashing a custom recovery partition. These methods modify the device to a greater extent than API or bootloader methods do, but they don't affect user data and, as long as you document them, remain forensically defensible.
Learn more about what’s involved with Android physical acquisitions as technology evolves. Pre-register for our white paper!