Edith Cowan UniversityResearch Online ECU Publications Pre. 2011 2010 Android Forensics: Simplifying Cell Phone Examinations. Jeff Lessard Champlain College Gary Kessler Edith Cowan University This article was originally published as: Lessard, J., & Kessler, G.C. (2010). Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digital Device Forensics Journal, 4(1), 1-12. This Journal Article is posted at Research Online. http://ro.ecu.edu.au/ecuworks/6479 there is also a potential increase for criminals to use innovation in mobile and offer consumers a richer. and better mobile experience" (OHA.1. including Acer. ARM. and chat logs. The Alliance is a coalition of capability of these devices is growing. While Android initially launched with only one phone on T-Mobile. However. market named Android and it will likely gain in appeal and however. Mobile devices probably have more probative information that can be linked to an individual per byte examined than most computers -. number of activities such as committing fraud over e-mail.3% of mobile handset manufactures and service providers to semiconductor phones in use in the United States were reported to be smart manufacturers and software developers.6 access the phone's information.com. market share over the next year. software. Even different model cell phones made by the same The basic architecture of Android is shown in Figure manufacture may require different data cables and software to 1. NO. LG Electronics. With the increased availability of these powerful and T-Mobile. Part of the problem lies in the plethora of cell phones available today and a general lack of hardware. Indeed. the fundamentals of acquiring and analyzing an image. When running on a hard drive. 2010). there are initial challenges to the forensic community. mobile devices are already showing themselves to have a large volume of probative information that is linked to an individual with just basic call history. The Open Handset Alliance (OHA). have remained the same. system to the operating system and the effectiveness of certain tools. Kessler Champlain College Gary Kessler Associates j. phones (AdMob. harassment through text messages. there is a new smart phone OS on the and firmware update. Criminals could use smart phones for a expensive. Sprint.and this data is harder to acquire in a forensically proper fashion.net Authors' Note The good news is there are numerous people in the field working on making smart phone forensics easier. etc. HTC.p. With each new phone the iPhone. Intel. eBay.lessard802@gmail. trafficking of child pornography. contact. less this technology as well. browser history. Verizon and AT&T as well. such as e-mail. or /dev/hd0. SEPTEMBER 2010. Google. as is the number of more than 50 mobile technology companies ranging from people utilizing them. 4. By the end of 2009. Introduction Introduction to Android It is hardly appropriate to call the devices many use to Android is an operating system (OS) developed by the receive the occasional phone call a telephone any more.). Android architecture (Android. At its core. These differences range from the media on which data is stored and the file Figure 1. communications related to narcotics. Android OS builds are based on the Linux 2. The stated goal of the OHA is to "accelerate devices. the Linux system device defaults to the first physical hard drive. and text message data. phones are now available on Sprint. 2009b).com Edith Cowan University gck@garykessler. kernel.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. several new versions of Android OS have been available to Blackberry phones and a growing number of resources about customers via upgrades or new phone purchases. 2009. Already This paper was initially written during the fall of 2009 and since that there is material available on how to conduct an examination on time. and/or interface standardization within the industry. Qualcomm. n. smart phones contain even more useful information. In . 46. ISSN# 1941-6164 1 Android Forensics: Simplifying Cell Phone Examinations Jeff Lessard Gary C. The data stored on smart phones could be extremely useful to analysts through the course of an investigation. dex) files (DalvikVM. 2009a).SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. forensics is The phone first needs to be connected to the in its infancy. developed in 2002. Linux only understands character and block devices. The first. the device. AccessData's FTK Imager v2. 2008). With Linux on flash.1.5. SD cards use Although the data cable for the Hero is a proprietary the FAT32 file system and are easily imaged and examined HTC cable (ExtUSB). Once the phone is connected. A Memory Technology Device (MTD) is needed to provide an interface between the Linux OS and the physical flash device because flash memory devices are not seen as character or block devices (Dedekind. 2009). SEPTEMBER 2010. older chips support a 512 byte page size whereas newer NAND memory Although an analysis of the removable memory of the has 2096 byte pages. respectively. NO. this section will explore the steps of the analysis examination machine using a write blocker to ensure the of an Android device.1 was employed. ISSN# 1941-6164 2 addition. an ordinary mini-USB cable will work using traditional forensics tools (including write-blocking for data transfers. 2009). stored to the memory card. Android applications (the apps of today's common parlance) are compiled into Dalvik executable (.5 (aka Cupcake) (Figure 2). little different than a standard Android phone because HTC Application cannot interfere with each other without being employs its own Sense user interface (UI) on the device. Making an image from the phone's memory card is quite simple Acquiring a Physical Image of an Android Device and normal procedures for imaging a device can be used. it is uncertain how much (if any) this impacts a and techniques could allow investigators to recover data from forensic investigation of the HTC Hero. a Flash Transition layer provides the system device functionality. While the Sense UI changes the look and feel of impede a forensic examination although some of the basic tools the device. in particular. video over USB and would be desired for consumer The Android file system is Yet Another Flash File applications but is not required for any type of forensics System 2 (YAFFS2).0 (Gingerbread) is expected viewed by other applications by default. was the first analysis. Sprint HTC Hero (left) and information screen of test stored on either the device's storage or on the removable secure device (right). the SQLite databases. The security mechanisms of the Android OS could Miller. most obvious step is to perform a traditional forensics analysis of the microSD card from the Connecting the device via a data cable phone. then appears asking the user to mount the device (Figure 3). 4. The following methods were assembled integrity of the data. Files can be Figure 2. The analysis described below was Android allows each application to run its own process. it can still be a valuable tool.2 (Froyo) and v3. however. This is the least effective method as it can only is access the data that apps directly store on the SD card. the latest version of Android other files created by one Android app cannot automatically be available was v2. This is where one will find the majority of data that could be of interest in an investigation. 2009). YAFFS. which given the explicit permissions to do so (Android. In the analysis here. 2002). During a forensic examination one will be mainly concerned with the Libraries and. YAFFS2 was designed in 2004 in response to the Imaging the memory card availability of larger sized NAND flash devices. Another screen Andrew Hoog and ViaForensics.com.com. it will from research done and methods created by the prompt that the USB cable is connected and ask the user to android/htcmodding community as well as assistance from select to copy files to/from the host computer. 2009b). file system designed for NAND (Not-AND) flash memory devices. data or As of July 2010. The VM nature of before the end of the year. performed during the fall of 2009 on a Sprint HTC Hero Security is permissions-based and attached at the process level running Android v1. such as keyboards and disk drives. 2009.com. YAFFS2 is backward compatible with phone has its limitation and phone system data is likely not YAFFS (Manning. . The Hero is a by assigning user and group identifiers to the applications. digital (SD) memory card (Android. Since Android is still an emerging OS and. The Android Runtime System utilizes the Dalvik virtual machine (VM). which allows multiple applications to be run concurrently as each application is its own separate VM. Unlike the typical desktop operating system. The HTC cable handles running music and hardware) (TalkForensics. will not be used on any Google-branded devices (HTC. SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. needs to have a third party Save the image by using the File. The following method. Additional information can also be hidden and uncovered.e. FTK Imager "Drive Selection" screen. Obtaining a dd image file is possible when the permissions are altered to gain access to the root directory. and/or install custom firmware on the phone (Purdy. sending the devices that do not involve adding anything to the phone but output to a raw dd image file. having the appropriate permissions to take root actions. go to the File pulldown menu. there is an 8GB microSD card in the mean accessing the root directory/permissions and then device. 4. it has a necessary appropriate drivers. SEPTEMBER 2010. The and select the Add Evidence open. run homebrewed applications. can turn on this function. accomplished by rooting the phone.1. tailored to be forensically sound if an alternate way to obtain Note that the SD card should be put aside and not replaced in root is found. then. If issues arise. 2009). in its current iteration. Export disk image program installed on the device in order to get root permissions option. and then choose Physical modding community -. merely means to gain access to the root directory (/) and Now in FTK Imager. be sure should be viewed more of a proof of concept that could be to verify the hash prior to any subsequent analysis (Figure 5). Universal Serial Bus (USB) debugging will have to be enabled on the phone. modern day hackers (in the 1970s Drive. The device's memory can contain extremely valuable data. and other phone data. the phone. While the term rooting can have a negative Once connected. (The rationale for using dd for this is not the case on the Hero. Access to memory can be Figure 3. call logs. important to note that this method (at least for the Sprint HTC Hero). such as Web history. ISSN# 1941-6164 3 Figure 5. image files is provided below. selecting Applications. passwords. such as: the contact list. the device will look for any connotation (similar to jailbreaking an iPhone). rather than a logical image of the partition. There are different ways to gain root permissions on other \\PHYSICALDRIVE5 was selected and imaged. USB Debugging In order to acquire access to the root directory. Make sure to take a physical image of the entire drive and likely would not be admissible in a court room setting. Although the default setting is “disabled. In this case. "USB Connected" screen. . FTK Imager image summary screen. changing the data in such a way is not forensically sound and would not be done in an investigation. Note that the device will be the same size as the intentions of the device designers or vendors -.” going to Settings. drivers are made different meaning than is generally perceived. images viewed on the phone.i. NO. text messages.) As with any image file. Select the drive that is appropriate to the Android device sense of the word) who like to modify devices beyond the (Figure 4). choosing Development and touching the checkbox. substantially modifying the phone to increase battery life or performance. It is Figure 4. Rooting a device available on HTC's website. e-mails.. Obviously. and fragments of other data. Importance of rooting the device in order to obtain a dd image The ability to physically image memory is the holy grail of mobile device forensics.uses the term to memory card (in this case. NO. system. 2009). the Linux kernel makes use of an MTD properly and that USB debugging is enabled. If presented with a locked device. and then entering the > adb shell /data/local/asroot2 /system/bin/sh instruction. In the Windows command line. 4. Starting the Android SDK in Windows. is available. the examiner should Kit (SDK) (Android Developers. one may # chmod 4755 su either attempt the method and hope that USB debugging is currently enabled by the user or must defeat the lock screen by some other method and then enable debugging using the outlined method above.com (2009) and is the result of the work of many users at the XDA Developers forum (forum. using the command (Hoog. Without the use of a list of devices. the majority of this examination (Figure 7): will focus on the information in mtd3 and mtd5. the dd command can be used to # mount -o remount. 2009a): /dev/block/mtdblock3 /system . For a Windows now have root permissions and can image the Android device. to test out if it is functioning properly.org. The following method was • mtd4 holds cache designed for the Sprint HTC Hero running OS version 1. If everything is working properly. In order to image memory.1. Preparing the Hero for rooting The method described here is based upon descriptions at The Unlockr.xda- developers. a list of attached devices will show up with a The file system of the Android device is stored in a corresponding serial number (Figure 6). If not presented with a few different places within /dev. or Windows computer system. there are six files of interest located in /dev/mtd/ (Android-DLs.5 and • mtd5 holds user data utilizes a program called AsRoot2 (ZenThought.rw -t yaffs2 image the memory files. the Android SDK shell will > adb push asroot2 /data/local/ need to again be launched. continue The next step is to ensure that the phone and the and try to make a dd image of the memory (per the instructions Android development bridge (ADB) are both functioning as below). start the shell by executing /data/local/asroot2 the adb shell command. expected. $ /data/local/asroot2 /system/bin/sh Once in the shell.com. Figure 7. As before. and Creating a dd image of memory run the adb devices command. • mtd2 contains the boot partition • mtd3 contains system files The method necessary to obtain root is specific to each phone and OS varient. The archive needs to be downloaded and the files extracted the files Although it is important to image each file to obtain to the Tools folder and then execute the following commands the complete operating system. Tools (ADT) on the host Linux. navigate to the > adb shell chmod 0755 AndroidSDK\tools directory.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. one must check that drivers are functioning traditional hard drive. move to the AndroidSDK folder. Be sure to insert a fresh SD card in the phone (do not replace the original SD card in the phone as it contains evidence that this process will alter). MacOS. 2009). The ADT is part of the Android Software Development If these steps all work correctly. The Android root access software was created by Christopher Lais at ZenThought. ISSN# 1941-6164 4 Root access will not be possible if an examiner # cd /system/bin encounters a locked Android device that does not have USB # cat sh>su debugging enabled.com/). Although it may differ for other android phones. that allows for the embedded OS running directly on flash (SSI Embedded Systems. download the SDK ZIP file and extract the files to the It should be noted that there is no real indicator that root access host computer. 2009): • mtd0 handles miscellaneous tasks • mtd1holds a recovery image Figure 6. 2008). Obtaining root access of the Android device in The first step is to set up the Android Development Windows. SEPTEMBER 2010. navigate to the tools subfolder. 4.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL.1. since today's forensic software does not mount the useful information was the single recovered PDF file. ISSN# 1941-6164 5 and Portable Data Format (PDF) documents were recovered. phone book months old and had been used extensively for data applications. information. Most of the recovered documents were not of a real evidentiary value. Examination of Memory Figure 9. this information can be helpful to determine what specific camera took an image. left).81. the ability for string searches was was extremely fragmented and while Acrobat Reader reported paramount. and Portable Network Graphics (PNG) images. NO. SEPTEMBER 2010. FTK was able When setting up the analysis in FTK.709 BitMap (BMP). as dd if=/dev/mtd/mtd0 of=/sdcard/mtd0. The file was 2 MB in size and was for full indexing and data carving. It is also extremely important to not mix up the input file (if) and output file (of) parameters so as to not inadvertently destroy any data. This file YAFFS2 file system. Recovered files: Web page (left) and Google search The examination of the memory image files was history (right). For this reason. Note that this command will direct the output to the SD card. Obtaining root access of the Android device in Windows. using a block size of 1024 bytes. The command above will make a bit-for-bit image of the mtd0 file. Figure 8. The HTML files included 28 Exchangeable Image File (EXIF) data for JPEGs. Joint Photographic Experts Group (JPEG). 207 Hypertext Markup Language (HTML) search history (Figure 9. YouTube videos visited. it is imperative that a formatted and wiped SD card is placed into the phone and that the evidentiary SD card is put aside. Facebook status updates. A large portion of the HTML files were advertisements and only four files were complete snapshots of Web pages (Figure 9. Be sure to use a write-blocker when accessing the files on the SD card. At this point. Repeat this command five more times in order to image the remaining five files of interest (Figure 8). and add all six files for substantially larger than all of the other recovered documents. In this case. Graphics Interchange Format bs=1024 (GIF). It was difficult to look through . FTK was selected because of its data carving and searching One particularly interesting document that contained capabilities. browser history. and music played from the SD card. It analysis. and copy the image file to Recovered documents the SD card. select options to view the contents. the dd files can be analyzed using any forensics software.dd were 12. the subject phone was approximately two contained information such as text messages. Google After data carving. right). that the file was corrupt and could not be opened. performed using Access Data's Forensic Tool Kit (FTK) v1. something is happening like a progress bar would. this one: grids for Sudoku games. contacts. indicating suspect's e-mail address. The search in the booting process and features the HTC logo in a beveled tool is quite powerful but in order to use it. followed by a preview of the The mtd3. images recipient information. namely images ranging from contact photos. Maybe impre. When trying to find boots. and yielded some helpful information. keyboards.. yielded 1628 hits over 92 files. only 30 images from the user's Gmail account were found. The highly fragmented condition of some of these images suggests that the amount of space allowed for caching of images viewed from Gmail is not large. surprisingly. Recovered images cover art from Pandora. Recovered images from this location included some that employed. These were the types of pictures one would expect to find. were viewed from e-mail. the source of light in the image changes as it pans across emails. A search for j.dd file contains the user data and. a Hero splash screen. and widgets. As the phone to have an idea of what to search for. an examiner needs silver text on a reflective black background. it is possible that FTK was not able to locate or identify the images. Specifically if they didnt speak each others language.Ryan and Ysa<br><br>I quite impressed with the talk they gave our class.dd file contains contents of the Android messages than a system where only Web mail has been cache. I never really thought about the difficulty of communicating across cultures and how it would impact a relationship. image previews of videos from SprintTV and YouTube. weather. not Figure 11. and call history. There are While browsing through images and documents three different images: the HTC logo. User names and passwords found in plaintext. 4. although on the Gmail account. It is likely that if the suspect were using a mobile e- mail client (such as a gmail application) would yield more The mtd4. Backgrounds for a labyrinth style game. SEPTEMBER 2010. This logo for example. The files generally was merely an animated GIF file. The mtd5. is where the majority of the recovered images blacked out for publication.1. As on a typical computer.. and navigation apps were found. alarm clocks. downloads .lessard802@gmail. ISSN# 1941-6164 6 because it was so fragmented but searching the document made from browser Web pages.dd file contained images for different body of the message and then the rest of the e-mail and applications. contacts. and sent to someone via the Multimedia Messaging Service (MMS) or e-mail to those from applications such as Facebook. this Android device had nearly 13.000 images. NO. were found. Alternatively. Recovered images: Corrupted image file (left) and intact image file (right).perhaps amazed they let everyone in to their life like that. The first noteworthy images found were the ones displayed as the phone is booting up.ö7`à..ö7c$Ryan and Ysa I quite impressed with the talk they gave our class.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL.com >. and icons from applications. The HTC logo screen is displayed at two points text messages. Interestingly. camera. some of the images were corrupted while others were perfectly intact (Figure 10). The best explanation is that they were preloaded from viewing the email. only some of which would be interesting Searching in a forensics examination. were never specifically called up or viewed on the phone. pictures taken with the Hero's camera information easier to find. started with the e-mail address. j. Many of the strings found looked like for bookmarks.com. and icons for check boxes. FTK was unable to locate a Sprint screen.. a logical starting point would be to search for the the logo – this seems like a loading screen.lessard802@gmail. although the user never selected to download or view them. Another interesting result was that two of the images in the cache. I guess the international language is truly dance.<br> Figure 10. e-mails.. Maybe impressed isnt quite the right word for it . the Hero was hooked up again to the examination machine and the directory /data/data was inspected. contact and phonebook information was found quite files. several Figure 18.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. several of the search hits found the displayed username and password for dd if=/data/data/subdir/databases/file. ISSN# 1941-6164 7 Hoog (2009b) has reported that the Android browser valuable files were uncovered. After searching for that Figure 13. This database file yielded account information (including an unencrypted password) (Figure 14) as well as account information for Twitter sites that the user follows (Figure 15).db that held all of the password information (Figure 11). Logical Examination Figure 15. After the process of browsing each of these folders.providers. dd commands to create images of database (. In addition. listing the subdirectories and looking for databases. 4. contacts appears to be /data/data/com. the database associated with htctwitter.db.db several Web sites. Following the naming convention of the path where contacts.db. which defines whether the message was a private (0) or a normal tweet (1). with detailed information about the sender. Information about Twitter sites that the user follows. much of the data that was viewable in FTK was information. Figure 17. As expected. As before. The actual path for the Figure 14.db was found. This is very helpful for the forensic examiner although a poor security practice from the user perspective.htctwitter/databases/htcchrip. While many people appropriately worry about saving their username and password information on their computers. NO.android. It was located in a few different places and in pieces but that is likely due to the fact that FTK was unable to recognize the operating system and. easily. This output also contains a field named is_public. SEPTEMBER 2010. most are likely less careful with similar data stored on their phone. Contents of the /data/data directory. and 154 subdirectories were found (Figure 12). and may even know how to hide those traces. one of which yielded a piece of a database of=/sdcard/file. developed by HTC.db. before data carving. The first such file examined was /data/data fragmented and difficult to read. Looking at files logically can /com. 1460 Twitter updates were found. When searching for e-mail addresses.htc. .db) string. Figure 12.1. the files were copied stores passwords in plaintext right next to a username and to the SD card using the dd command (Figure 13): Uniform Resource Locator (URL). Although it is valuable to perform a physical The database files found by a logical examination of examination to access deleted information that might otherwise the Android device yielded a significant amount of interesting go unnoticed. Data typed into browser forms. Passwords found in plaintext. references were found to a file named contacts. everything was just considered unallocated space. Username and password of HTC Twitter user. show whole databases that are not fragmented.contacts/ databases/contacts. the Twitter application called Peep. data typed into forms (Figure 18). including the user name and the encrypted passwords (Figure 23).browser/databases /browser.db. Figure 25. Browser history.maps/databases/search_history. Last known geographic location. Figure 22. URLs. ISSN# 1941-6164 8 Figure 23. Figure 19.db. Voice mail audio files. Note that the contents in this database included /data/data/com. . Figure 20. MMS/SMS message information.android. including picture and text message Figure 21. 4.android . SEPTEMBER 2010.android.telephony /databases/ directory contains information related to the messaging applications.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. The Google applications database is found in /data/data/com. /geolocation.db is a separate database for the Android browser. Another interesting file is the /data/data/com.google. The /data/data/com. The database file /data/data/com.db database contains the MMS and Short Message Service (SMS) messages [Address field truncated] The Google maps database can be found in (Figure 24). This more than 45 days prior were available.browser/gears Figure 24. Google apps account information.android. which stores the last known location as reported by the GPS satelites (Figure 21). It is likely that the file contains the history saved for all searches entered into the retained deleted messages would depend on the phone and Google maps application (Figure 22).providers. This file contains Google apps account information.android some deleted messages although no messages that were deleted . NO.db. Google maps database. The mmssms. web browser history (Figure 19) and search history (although it was thought that this information had been deleted) (Figure 20). The contents of this file included usernames. individual user.google. and plaintext passwords (Figure 17). Browser search history.googleapps/databases/accounts. data.apps.1. 1.providers. and name from a phonebook look up.dat. Files related to Telenav can be found in the /data/data/com. subject. Contact history information. type of call (1 = incoming. date. the time of the most recent contact.AMR (Figure 25). Figure 26.google.com. videos. or BlueTooth (BT). 2 = outgoing.app. and includes e-mail messages. receiver. communications cell phones (Figure 26).vnotes/fil es directory.android. The history information such as sender. Playback and analysis of voice mail audio files. Other potentially useful information in contacts.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. Forensic Extraction Device (UFED) was also employed to and contains information that is available when accessing acquire information from the phone. SEPTEMBER 2010. length of call in Figure 27. ISSN# 1941-6164 9 example of the complete body of an e-mail can be found in Figure 29. Adaptive Multi-Rate (AMR) files use a standard audio format Figure 29.sprint/ files directory.db file is the address books. which contains recent location information (Figure 27). Figure 31. and a snippet of the message body (Figure 28). The UFED is a stand- Gmail via the application rather than via the browser.db includes contact names. and last time the contact information was updated (Figure 30). date received.telenav. Finally.lessard @gmail. Figure 28.db database contains the call history. the HTC Hero also synchronizes contact's Facebook status updates with the phone book. Number and name fields that is commonly found in Global System for Mobile (GSM) truncated for publication. Facebook status updates. including the phone number. call history.providers. The most useful file appears to be ANDROID_TN55_recent_stops. text database for the user j. but can be found in the /data/data/com. The /data/data/com.coremobility.contacts/ databases/contacts. The alone hardware device that is designed to pull contact lists and mailstore.com. When viewed Figure 30.j. seconds. UFED communicates with a cell phone via a data cable. Voice mail audio files are not stored in a typical database file. Call history database. That information is also stored in contacts. Telenav is the Sprint navigation application. if available (Figure 29).lessard@gmail. contact photo file (if used). Telenav recent stops information.android. An infrared (IR). Subscriber Information Module (SIM) data can be acquired directly from the card or . logically. Complete e-mail. Android phones also contain extensive call history and contact information.app. Analysis With the CelleBrite The /data/data/com. 4. Gmail database file. deleted history is not shown.gm For comparison purposes.android. a CelleBrite Universal ail/databases directory contains files related to Gmail. number of times contacted. music. NO. 3 = missed).db (Figure 31). custom ringtone (if used). ringtones. pictures. and device identifying information. using the file names VN-*. Figure 29. voice mail and calls (Figure 34). Two of the picture files extracted by the UFED. SEPTEMBER 2010. The one video that was found was taken with the camcorder feature in the Hero (Figure 36). Web and data and time of the data acquisition (Figure 32). 49 missed messages. This experiment in acquiring information from an Android device using multiple methods is far from conclusive. The UFED acts as a write blocker so no information is written to the phone when conducting an examination (CelleBrite. did not find all examination of the phone itself. USB storage and USB debugging both need to be turned on. 192 outgoing calls. In this search history. 4. Note also the different picture file naming Figure 32. format. Some of the call history information extracted by the have netted better handling of the file system UFED. and missed calls update). screenshots of bookmarked Websites. and even GPS data. The 69 pictures that were extracted from the phone came from shots taken by the phone's camera. although physical acquisition is not supported for the HTC Hero. Two images are shown in Figure 35. could be helpful to a mobile forensic software level. messages.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. acquire data. The UFED walks an examiner through the steps needed to logically Figure 35. the UFED recovered 1070 SMS messages (Figure 33). In order to connect the HTC Hero to the UFED. deleted SMS messages. • Logical analysis of specific databases The CelleBrite device starts its report with basic phone o Pros: Recovered virtually everything that identifying information. while the picture at the bottom was not taken by this phone. found passwords with relative ease. The UFED can acquire data logically or physically. (bottom). and FTK easily could in the future with an incoming calls (top). It was able to passwords. outgoing calls (middle). Video file extracted by the UFED. mobile equipment identifier (MEID). and one video. further evidence that the files were created by different cameras. countless hours would have to be spent to try to locate and piece everything together (although another forensic suite may Figure 34. e-mail data with complete 56 contacts. Figure 36. Phone identifying information from the UFED. o Cons: Required root access. Some of the SMS messages extracted by the UFED [Phone numbers truncated for publication]. although it provided some interesting insights: • dd analysis with FTK o Pros: Found deleted text messages and contacts that would have likely not been located utilizing another method. and those received and downloaded as MMS messages. report on each category 100% correctly. the examination output in this case was an HTML file directed to a USB thumb drive. . and the investigation including call history. 69 pictures. and contact info. Note that the EXIF information suggests that this phone may have taken the image at the top. such as the acquired device type. 2010).1. results extremely fragmented. pictures. MMS/SMS instance. NO. ISSN# 1941-6164 10 while in place in the phone. 107 incoming calls. Summary of Results Figure 33. phone records. as confirmed by o Cons: Required root access. Indeed.S. 2009. 2009. Kit.infradead. it was not the best method in this case.html Expect to begin seeing it everywhere. References It appears that browsing the databases logically netted AdMob. browser. 2009. December 16). December 16). Dalvik virtual machine. FTK would be most valuable when searching for very specific strings of text. 2009. Kessler. unless otherwise noted. BusinessWeek Online. While Android is powerful. o Cons: Logical extraction only (physical Security and Law.com/guide/basics/what-is-android. however. SEPTEMBER 2010. 2008) all http://developer. AdMob mobile metrics report. 2010. from Conclusion http://developer. from http://android-dls.html Cell phones are becoming even more sophisticated and Android-DLs.com. What is android? Retrieved December 21. from http://www. HTC Web site.html implementations and some with manufactures making custom UIs. 2009. Download the Android SDK. As it stands now.. A. A. from specific YAFFS2 support would make the physical analysis a http://developer.com/sdk/index. were taken by Retrieved December 21. A different tool or forensics software with Android. (2009.businessweek.com/UFED-Standard- kitchen appliances. (2009a. (2009a.1. Retrieved December 21. Both law enforcement and the private sector need to Android-DLs Web site. January).android. _886305. able.linux-mtd. Ed. Retrieved December 21. He is a Certified Computer o Pros: Recovered MMS/SMS messages. aside from the user content/uploads/2010/01/AdMob-Mobile-Metrics-Dec-09. This paper is an expansion of his senior thesis HTC. stand-alone method. (2009. Retrieved December 21. of Digital Forensic Practice and Journal of Digital Forensics. (2010). CelleBrite Web site.admob. UFED standard kit.S. 2010. photos. August 15. (2010. Lomas.com/wp- image is extremely valuable but. the standardization will make mobile forensics simpler in Hoog.S.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. Retrieved December 21. as the market for Android continues to 2009. Android CelleBrite.dalvikvm. 2009.cellebrite. has multiple firmware from http://www. HTC Sense user interface [Video]. adjunct associate professor at Edith Cowan University (Perth. Obtaining a dd February 2. Retrieved December The number of Android phones will be continuously 21. As it stands now. (2009. from http://viaforensics. and . or search history. Android security and permissions. January 12).com/forum/android- grow. Retrieved December 21. and contact information. from Paraben (2008). (2009b.com/android- Jeff Lessard received a B. Android. DalvikVM. Vermont) in text.php invest time and money into learning about new operating ?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images systems and developing new forensic methods.com. 2009. Retrieved the most information in an easily viewable way. Memory technology devices. 2009.htm At the time of this project.org/faq /general. in Digital Investigation Management . learning how to forensically acquire information from forensics/inputoutput-error-trying-to-dd-android-devblock-devices/ these devices becomes essential for mobile device examiners. March 6). March 16). from http://metrics. Input/output error trying to dd Android /dev/block devices. video. 2009).com/us/content/interactive/mediagallery/htc-sense. from Jeff. complex. 2009. Android sales. will overtake Dedekind. call Examiner (CCE) and Certified Information Systems Security logs. December). being made to meet the new technology. (2009).android. Professional (CISSP).com/ increasing as more manufactures adopt the budding OS. Retrieved is not just for phones either. is president of Gary Kessler Associates. viaForensics Web site.html currently offer some type of Android solution and more tools will be adding support as Android gains in popularity. and military applications (Spencer.XRY (Micro Systemation.pdf reconstructing where all the pieces fit. Hoog. the long run. Android Developers Web site. by some estimates.flv Gary C. steps are Android Developers. degree in Computer & Digital forensics/android-browser-stores-passwords-sensitive-data-plain- Forensics from Champlain College (Burlington.com. project. Android browser stores passwords and Author Information other sensitive data in plain text. and is an associate editor at the Journal simple. Linux iPhone sales within the next two to three years (Lomas. (2009. 2009). N. from http://www. from http://viaforensics. NO.com. December 7). All screen shots. from Western Australia).com/guide/topics/security/security.html winner. http://www.com/globalbiz/content/mar2009/gb2009036 Vermont Internet Crimes Against Children (ICAC) Task Force. (2009b. and mobile device examiner for the http://www. 4. (2008).android. he was an Associate Professor and director of the M.html December 2009. acquisition not yet supported). CelleBrite (2010). did not recover e-mails.htc. Memory Technology Devices FAQ. ISSN# 1941-6164 11 • Data extraction with the CelleBrite UFED program at Champlain College.com/wiki/index. Retrieved December 21. viaForensics Web site. it can be used on computers. Android could overtake iPhone by 2012. Edit and re-pack boot images. Retrieved December 21. While Android forensics is still in its infancy. October 19). Retrieved December 21.msab.com/show. ISSN# 1941-6164 12 Manning.com/embedded_linux_managing_memory. November 7).com/2009/11/07/how-to-root-your-cdma-htc-hero- sprint-verizon/ ZenThought. from http://www.html Purdy. from http://www. PocketGamer.biz Web site. (2009.Cell phone forensic software.XRY system.paraben-forensics.asp?c=14567 TalkForensics. (2008.pocketgamer. Retrieved December 21. from http://www. (2008). Five great reasons to root your Android phone. July 1). How to: Root your Sprint HTC Hero. 2009. (2008). from http://lifehacker. September 27).Managing flash memory.com. HTC's Sense UI not coming to any "Google" branded phones. June 25).com/2009 /06/25/htcs-sense-ui-not- coming-to-any-google-branded-phones/ Open Handset Alliance (OHA). NO. ASRoot2 software. Retrieved December 21. lifehacker Web site. August 21). (2009. 2009. Retrieved December 21. 2009. (2009.openhandsetalliance.aspx?userurl=TalkForensics&yea r=2009&month=09&day=27&url=Andrew-Hoog-of-viaForensics- talks-about-Android-forensics The Unlockr. 2009.biz/r/PG. K.SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL.org/tmp/asroot2 . from http://www. Retrieved December 21.blogtalkradio. . R.engadget. engadget Web site. C. Retrieved December 21. SSI Embedded Systems Programming Web site. from http://www. July 24).com Paraben Corp. Retrieved December 21. S. Paraben's Device Seizure . Retrieved December 21.net/yaffs-nand-specific-flash-file-system- introductory-article Micro Systemation. Embedded Linux .com/cell_models. from http://www.1.ht ml Spencer. ZenThought. SEPTEMBER 2010. 2009. (2002. from http://theunlockr. Android appliances on the horizon. (2009). YAFFS The NAND-specific flash file system. from http://zenthought. Andrew Hoog of viaForensics talks about Android forensics [Audio Podcast]. from http://www. September 20). 2009. 4. 2009. (2009.com/en/mobile-forensic-products/XRY-Mobile- Version-Forensic-Software/ Miller. 2009. 2009. 2009. Paraben Forensic Tools Web site.Biz/Android /news. Retrieved December 21. (2009. (2009). Open handset alliance home page. from http://www.com/5342237/five-great-reasons-to-root-your- android-phone SSI Embedded Systems. 2009. Retrieved December 21.yaffs. Retrieved December 21. Micro Systemation Web site.org Web site.ssiembedded.