Handling an Android device
Handling an Android device properly before the forensic investigation is a very
important task. Care should be taken to make sure that unintentional actions don't result
in data modification or other unwanted changes. The following sections highlight
issues that need to be considered while handling the device in the initial stages
of a forensic investigation.
With improvements in technology, the concept of device locking has changed
considerably over the last few years. Most users now have a passcode locking mechanism
enabled on their device due to the increase in general security awareness. Before we look at
some of the techniques to bypass locked Android devices, it is important not to miss an
opportunity to disable the passcode when there is a chance.
When an Android device that is to be analyzed is first accessed, check if the device is
still active (unlocked). If so, change the settings of the device to enable greater access to
it. While the device is still active, consider performing the following tasks:
Enabling USB debugging: Once the USB debugging option is enabled, it gives
greater access to the device through the adb connection. This is of great significance
when it comes to extracting data from the device. The location to enable USB
debugging might change from device to device, but it's usually under Developer
Options in Settings. Most methods for physically acquiring Android devices require
USB debugging to be enabled.
Enabling the "Stay awake" setting: If the Stay awake option is selected and the
device is connected for charging, then the device never locks. Again, if the device
locks, the acquisition could be halted.
Increasing screen timeout: This is the time for which the device will remain
active once it is unlocked. The location of this setting varies depending
upon the model of the device. On a Samsung Galaxy S3 phone, you can access
it under Settings | Display | Screen Timeout.
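The three settings above can be read back over adb and logged in the examiner's notes once they have been changed on the device. The script below is an added example, not code from the book. It assumes adb on the workstation and a device whose Android version provides the `settings` shell command; the function names and the 10-minute timeout threshold are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the book): log the settings that keep a seized
# Android device unlocked and reachable during acquisition.

# Classify one value as returned by `settings get`. Pure function, no adb needed.
assess_setting() {  # $1 = key, $2 = value
    case "$2" in ''|null|*[!0-9]*) echo CHECK; return ;; esac
    case "$1" in
        adb_enabled)               # 1 = USB debugging on
            [ "$2" -eq 1 ] && echo OK || echo CHECK ;;
        stay_on_while_plugged_in)  # bitmask: 1 = AC, 2 = USB, 4 = wireless
            [ $(( $2 & 2 )) -ne 0 ] && echo OK || echo CHECK ;;
        screen_off_timeout)        # milliseconds; 10 min floor is an assumption
            [ "$2" -ge 600000 ] && echo OK || echo CHECK ;;
        *)  echo UNKNOWN ;;
    esac
}

# Read "namespace key value" lines on stdin, emit a timestamped note per setting.
report() {
    while read -r ns key value; do
        [ -n "$key" ] || continue
        printf '%s %s/%s=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$ns" "$key" "${value:-null}" "$(assess_setting "$key" "$value")"
    done
}

# Query a live device. Read-only: uses `settings get`, never `settings put`.
collect_from_device() {
    for pair in "global adb_enabled" "global stay_on_while_plugged_in" \
                "system screen_off_timeout"; do
        set -- $pair
        printf '%s %s %s\n' "$1" "$2" \
            "$(adb shell settings get "$1" "$2" </dev/null | tr -d '\r')"
    done
}

# Constructed sample values, used when no device is attached.
SAMPLE='global adb_enabled 1
global stay_on_while_plugged_in 0
system screen_off_timeout 30000'

if [ "${1:-}" = "--device" ]; then
    collect_from_device | report
else
    printf '%s\n' "$SAMPLE" | report
fi
```

Run with `--device` to query an attached device; a CHECK line means the device may lock during acquisition and the setting should be revisited while the screen is still unlocked.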
Apart from this, as mentioned in Chapter 1, Introduction to Mobile Forensics, the device
needs to be isolated from the network to make sure that remote wipe options do not work
on the device. The Android Device Manager allows the phone to be remotely wiped or
locked. This can be done by signing in to the Google account, which is configured on the
mobile. More details about this are mentioned in the following section. If the Android
device is not set up to allow remote wiping, the device can only be locked using the
Android Device Manager. Also, there are several Mobile Device Management (MDM)