Forensic Acquisition: Android

January 29th, 2016 by Oleg Afonin
Category: «Did you know that...?», «General», «Tips & Tricks»

While here at ElcomSoft we offer a limited range of tools for acquiring Android devices that’s pretty much limited to over-the-air acquisition, we are still often approached with questions when one should use cloud extraction, and when other acquisition methods should be used. In this article, we decided to sum up our experience in acquiring the various Android devices, explaining why we decided to go for a cloud acquisition tool instead of implementing the many physical and logical extraction methods. This article is a general summary of available acquisition methods for the various makes, models, chipsets and OS versions of Android smartphones. The article is not intended to be a technical guide; instead, it’s supposed to give you a heads-up on approaching Android acquisition.

What Do You Have?

We love asking this question when it comes to iOS. Is the device locked? Do you know the passcode? Do you know the user’s Apple ID and password? Do you have access to the user’s computer? Does that computer have iTunes installed? And so on, and so forth. Unfortunately, considering the wide diversity of Android devices, the number of questions we’d have to ask regarding a single Android device would far exceed the short iOS questionnaire.

Android is a highly fragmented platform. Several hundred manufacturers, over 20,000 device models, countless chipsets coming from about a dozen manufacturers, as well as the wild west of Android versions, revisions and OEM customizations allow for no straightforward approach. Is the device encrypted? (That would be a given in iOS, but dubious with Android.) What version of Android is installed? (Most pre-Lollipop devices can be decrypted if they are not Samsung). Do you know the passcode? Is its bootloader unlocked (or semi-unlocked)? Is the phone rooted, or can you root it? Is there service access available on a given model? (LG has it on all devices, while MTK smartphones with unlocked bootloader also have service access available). Depending on all these factors, your approach to acquiring an Android smartphone can differ greatly.

There are certain things to consider:

      • Some Android devices come with factory unlocked bootloaders. These can be imaged with nearly 100% success rate (unless encrypted).
      • Some devices come with locked bootloaders, but are user-unlocked at some stage. These devices can also be imaged with near 100% success rate.
      • Some manufacturers (LG) have a backdoor, allowing to acquire the device via a service-level tool.LG Acquisition via LAF
      • Some chipset manufacturers (MTK, Qualcomm) also have service mode allowing examiners to image unencrypted devices even if they are locked with a passcode. Qualcomm-based devices can even ignore bootloader lock.
      • Some manufacturers and/or carriers impose restriction on bootloader unlocks. However, certain models (compatibility depends on the chipset and manufacturer of the device) may have backdoors or exploits allowing bypassing bootloader lock and boot into a custom recovery (but not permanently flash one). These devices are also relatively easy to acquire.
      • Finally, some devices come with locked bootloaders and no service mode or bootloader exploits. These will be the toughest to acquire, as live imaging will probably be your only option when it comes to physical acquisition.

When considering the exact method to choose for acquiring the device, you may find the following walkthrough handy.

Is the device encrypted?

Yes: If it’s a Samsung device running Android 4.0 through 4.4, or if it is running Android 5.0 or newer, live imaging is recommended (via “dd” if rooted, or via ADB backup if no root is available). You’ll need to know or recover the correct passcode to unlock the device. If, however, it’s an older non-Samsung device running Android 4.4 or earlier, proceed to physical acquisition as you may be able to recover the decryption key.

No: Proceed to physical acquisition.

Is it an LG smartphone? Android smartphones built by LG feature a proprietary service access mode called LAF. In this mode, you can dump the entire content of the device physical storage regardless of bootloader lock status. LG implements this mode via a proprietary protocol regardless of the chipset (it works on LG Qualcomm as well as LG MTK devices, and may work on future devices based on other chipsets). You will need LG drivers and a forensic tool supporting this service mode (such as Cellerbrite UFED or Oxygen Forensic Suite).

Is it based on the Qualcomm reference platform? Qualcomm reference platform specifies the use of a special HS-USB mode 9006, which provides access to all partitions regardless of the bootloader lock status. Dedicated drivers for Qualcomm Download Mode HS-USB 9006 are required. Note that once the correct drivers are installed, and the device is connected and switched into HS-USB 9006, its partitions will automatically appear in the Windows Disk Management console. Once they are there, you may use any mobile forensic tool or certain flash imaging tools to dump the content of the data partition.

Is it a Chinese phone equipped with an MTK chipset? Chipsets manufactured by MediaTek (MTK) empower the majority of Chinese smartphones such as those made by Xiaomi, Meizu, Oppo, Vivo, OnePlus, Cubot, Zoppo, ZTE, No. 1 and literally hundreds others. Chinese manufacturers rarely lock bootloaders of their devices, presumably for easier servicing. MTK smartphones with unlocked bootloaders can be imaged via a forensically sound method that exploits MTK service mode. Tools supporting this mode include Oxygen Forensic Toolkit.

Is the bootloader locked? Some devices come with factory-unlocked bootloaders, while others come with semi-locked bootloaders allowing to boot into (but not permanently flash) a custom boot image. Booting into a custom recovery allows either making a Nandroid backup or capturing an image of the entire data partition via “dd”.

Is the device rooted? The root status of the device only affects your ability to perform live imaging of the device. Rooted devices are easier to acquire as you may skip the rooting step with iffy outcome. If no root is available for a given device, you can still perform logical acquisition (via ADB backup) if you are able to go past the screen lock.

Do you know the user’s Google ID and password? Google collects an awful lot of data about its users. If someone is using the company’s cloud services or owns a smartphone running the Android OS (or, to be precise, is using a device with Google Mobile Services). Just how much data is available was described in our previous article, What Google Knows about You, and Why It Matters. Some of that data may be available via Google Takeout. For complete acquisition, consider using a forensic tool such as Elcomsoft Cloud Explorer.

Android Encryption

When considering logical vs. physical acquisition, be aware that device encryption may affect your ability to access information stored on the data partition. Depending on the version of Android and on whether or not the phone was made by Samsung, you may or may not be able to extract or recover decryption keys for the data partition.

Before Android 5.0 Lollipop, AOSP implemented a rather weak encryption scheme that could be broken by extracting the secret from the device storage. Samsung knew of this vulnerability, and designed its own proprietary encryption scheme that did not keep the decryption key alongside with the data itself. As a result, encrypted Samsung smartphones are a tough call even if they are running an early version of Android (pre-Lollipop).

In Android 5.0, Google adopted a much more secure encryption scheme similar to one developed by Samsung. In Android 5.x and 6.x, the secret is not stored alongside with the data, and cannot be extracted via physical imaging, JTAG or chip-off. Samsung also adopted this encryption standard in its devices running Android 5.x and newer.

The important conclusion:

      • Imaging an encrypted non-Samsung device running Android 4.4 KitKat or earlier? You may be able to recover the secret and decrypt encrypted data partitions.
      • Imaging an encrypted Samsung smartphone running Android 4.0 through 4.4? You may be unable to extract or recover the secret, and you may not be able to decrypt the encrypted partition. Live imaging, logical acquisition and cloud extraction are the only acquisition methods that may work.
      • Imaging an encrypted device running Android 5.x or newer? You may be unable to decrypt the device as the secret is not kept alongside the data. Lower level acquisition is just as fruitless; live imaging, logical acquisition and cloud extraction are the only acquisition methods that may work.

The Book on Mobile Forensics

Comprehensive technical information on acquiring Android devices will be available in the book we’re just about to publish. The book will be titled “Mobile Forensics: Advanced Investigative Strategies“. This book will be a part of Packt’s Learning Series, and should be released in Q2 2016. We’ll make an announcement in our blog once the book is up for sale.