Imaging an Android Phone
Imaging a device is one of the most important steps in mobile device forensics. The rule of thumb in a forensic examination is to ensure that the data present on the device is not modified in any way, wherever possible. As explained in Chapter 1, Introduction to Mobile Forensics, any changes made by the examiner should be well documented, based on previous testing and validation. When possible, it is imperative to obtain a physical image of the Android device before applying any technique that extracts data directly from the device. In forensics, this process of obtaining a physical or logical acquisition is commonly called imaging the device. A physical image is preferred because it is a bit-by-bit copy of the Android device memory.
It is important to understand that a bit-by-bit image is not the same as copying and pasting the contents of the device. Copying and pasting only copies the available files, such as visible files, hidden files, and system-related files. This method is considered a logical image. With this method, deleted files and files that are not accessible are not copied by the copy command. Deleted files can be recovered (depending on the circumstances) using certain techniques, which we are going to see in the following chapters. Hence, you need to take a 1:1 bit-by-bit image of the device memory to obtain all of the data.
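The contrast between a logical copy and a bit-by-bit image can be shown on a constructed toy storage region. This is an added illustration, not code from the book: `ToyStorage`, its directory layout, and the null-padded record format are assumptions made here so the example runs offline, and `carve` stands in for the recovery techniques covered in later chapters.

```python
import hashlib

BLOCK_SIZE = 16  # toy allocation unit; records are null-padded up to it
class ToyStorage:
    """Constructed stand-in for a flash region: raw bytes plus a directory."""
    def __init__(self, size=BLOCK_SIZE * 8):
        self.raw = bytearray(size)   # the physical medium, all zeros at start
        self.directory = {}          # name -> (offset, length)
        self._next = 0               # next free block

    def write_file(self, name, data):
        off = self._next
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next += ((len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE) * BLOCK_SIZE

    def delete_file(self, name):
        # A typical unlink removes only the directory entry; the bytes stay
        # on the medium until that space is reused.
        del self.directory[name]

def logical_acquisition(storage):
    """Copy-and-paste style: returns only files the directory still lists."""
    return {n: bytes(storage.raw[o:o + l]) for n, (o, l) in storage.directory.items()}

def physical_acquisition(storage):
    """Bit-by-bit image of the whole medium, with a SHA-256 for the chain of custody."""
    image = bytes(storage.raw)
    return image, hashlib.sha256(image).hexdigest()

def carve(image, marker):
    """Recover a null-terminated record by its header; None if the bytes are gone."""
    idx = image.find(marker)
    if idx < 0:
        return None
    end = image.find(b"\x00", idx)
    return image[idx:end if end >= 0 else len(image)]

def demo():
    s = ToyStorage()
    s.write_file("notes.txt", b"MSG:call at 9pm")
    s.write_file("contacts.db", b"CT:alice,bob")
    s.delete_file("notes.txt")
    logical = logical_acquisition(s)            # misses the deleted note
    image, digest = physical_acquisition(s)     # still holds its bytes
    _, digest2 = physical_acquisition(s)        # untouched medium: same hash
    return {"logical_names": sorted(logical),
            "recovered": carve(image, b"MSG:"),
            "hash_stable": digest == digest2}
```

The logical copy returns only `contacts.db`, while the physical image still yields the deleted note and hashes identically on a second pass, which is what lets an examiner prove the medium was not altered.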
Let's first revisit how imaging is done on a desktop computer, as it helps illustrate the problems associated with imaging Android devices. Assume that a desktop computer, which is not powered on, is seized from a suspect and sent for forensic examination. In this case, a typical forensic examiner would remove the hard disk, connect it to a write blocker, and obtain a bit-by-bit forensic image using any of the available tools. The original hard disk is thus safely protected during the forensic imaging of the data. With an Android device, not all of the areas that contain data can be easily removed. Also, if the device is powered on when it is received for examination, it is not possible to analyze the device without making changes to it, because any interaction changes the state of the device.
An Android device may have two file storage areas: internal and external storage. Internal storage refers to the built-in non-volatile memory. External storage refers to a removable storage medium, such as a micro SD card. However, it is important to note that some devices do not have a removable storage medium such as an SD card, but instead divide the available permanent storage space into internal and external storage. Hence, it is not always true that external storage is something removable. When a removable SD card is present, a