Android Forensics


It only took eight short years for Android to become the premier operating system for smartphones. Starting out with a humble 2% of the worldwide market share in 2009, phones running the open-source Android OS now command over 80% of the mobile phone market worldwide. This malleable OS, built on a Linux kernel, sees use not only in smartphones but also in tablets, smart TVs and a myriad of other devices. As such, it stands to reason that when you need data extracted from a device for forensic analysis, you will find yourself dealing with Android devices more often than not. Gillware Digital Forensics offers a full suite of Android forensics services for law enforcement officials and legal professionals.


The Necessity of Android Forensics

Over the course of the past two decades, phones stopped just being phones. Ever since the advent of basic smartphones around the end of the twentieth century, people no longer use their phones merely to speak to one another. Today, you can use your phone not only to send voice and text messages, but also to browse the Internet and send emails, take photos, listen to music, get directions to anywhere you need to go, play video games, pay for your groceries (and your bills), and more. The number of things we can do with our phones just keeps increasing.

As we entrust more and more of our data to our phones, we leave more and more traces of our presence and our activities on them. It seems just about everyone has a smartphone these days, even children (to the chagrin of some). And (unless you live in Silicon Valley) the vast majority of the smartphones around you run on the Android platform.

These Android devices are filled with absolutely critical data for any sort of investigation. Where did the user come from? Where were they going? What apps did they have installed, and what data did these apps leave behind? Who did they last speak to (or whose calls have they missed), and whose text messages did they delete? Who is in their contact list? What did their Internet browsing history look like? What did they take photos of?

In an investigation, any of these questions might not be answerable without the data from a mobile phone—but the answers could be just the breakthrough your case needs. With the help of skilled specialists in Android forensics to make sense of it all, even trace amounts of data on an Android device can provide answers to these questions.


Android Overview

The makeup of Android devices varies wildly across the many manufacturers of Android smartphones and other mobile devices. This is a major challenge for Android forensics: every manufacturer does things a little differently, customising the OS build, the partition layout and the storage hardware in its own way.

Android and iOS devices alike store their data on internal NAND flash memory. One practical difference is that many Android devices, unlike iPhones, accept a removable microSD card in addition to the soldered internal flash (an eMMC chip on most devices, or an eMCP package where flash and RAM share one chip). That extra storage adds another piece to the puzzle of Android forensics. An app's private data (its SQLite databases and preference files) lives on the internal storage under /data, while photos, downloads, caches and any files the app chooses to write to "external" storage may sit on the card, so the card has to be imaged and examined alongside the internal flash, and the analyst has to allow for it having been swapped, removed or written by another device. Since Android 6.0 a card can also be "adopted" as an extension of internal storage, in which case it is encrypted with a device-specific key and is unreadable apart from the device it came from.

Android runs on a Linux kernel; early devices shipped with 2.6-series kernels, and later ones run whichever 3.x or 4.x kernel their chipset vendor supports. SELinux is not a separate kernel but a mandatory access control layer built into the Linux kernel; Android has shipped with it in enforcing mode since version 5.0, which limits what even a compromised app (or a forensic tool running as an ordinary user) can touch. Several filesystems turn up on Android devices. Ext4 is used on most devices with eMMC storage, and some newer devices use F2FS, a filesystem designed for flash. YAFFS2, an open-source filesystem written for raw NAND, was common on early devices; because it manages the flash directly, its own garbage collection erases blocks holding deleted data relatively quickly, which puts the analyst at a disadvantage. Older Samsung devices used RFS ("Robust File System"), a journaled, FAT-derived filesystem. Whatever the filesystem, recent Android versions encrypt the userdata partition: full-disk encryption has been available since 3.0, is enabled by default on most new devices since 6.0, and file-based encryption arrived with 7.0. A raw image of the flash chip from such a device therefore yields ciphertext unless the keys can be obtained from the unlocked device.
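Before choosing an extraction route, the first thing to establish is which of the variants described above the device actually is: Android version, encryption state and type, build type, and bootloader and verified-boot state. All of these are exposed as system properties, which `adb shell getprop` prints one per line as `[name]: [value]`. The script below is an added example, not a Gillware tool or anything from the original page: it parses constructed getprop output for a hypothetical device and turns the relevant properties into triage findings. The sample output and the device it describes are assumptions; the property names themselves are standard Android ones.

```python
import re

# Constructed `adb shell getprop` output for a hypothetical device.
# Not captured from any real phone; values chosen to exercise the checks below.
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [example/device/device:8.1.0/EXAMPLE/1:user/release-keys]
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-01-05]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.product.manufacturer]: [Example]
[ro.product.model]: [Example Phone]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
"""

# getprop prints each property as "[name]: [value]"; values may be empty.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop output into a {name: value} dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(props):
    """Derive the facts that decide which extraction route is viable."""
    f = {}
    f["model"] = " ".join(x for x in (props.get("ro.product.manufacturer"),
                                      props.get("ro.product.model")) if x)
    f["android"] = props.get("ro.build.version.release", "unknown")
    f["sdk"] = int(props.get("ro.build.version.sdk") or 0)
    f["security_patch"] = props.get("ro.build.version.security_patch", "unknown")
    # ro.crypto.state is "encrypted"/"unencrypted"; ro.crypto.type is "block"
    # for full-disk encryption or "file" for file-based encryption.
    f["userdata_encrypted"] = props.get("ro.crypto.state") == "encrypted"
    f["encryption"] = {"block": "full-disk (FDE)",
                       "file": "file-based (FBE)"}.get(props.get("ro.crypto.type"), "unknown")
    # A shipping build is type "user" signed with release-keys; anything else
    # (userdebug/eng, test-keys) usually means adb root is available.
    f["production_build"] = (props.get("ro.build.type") == "user"
                             and props.get("ro.build.tags") == "release-keys")
    f["debuggable"] = props.get("ro.debuggable") == "1"
    f["bootloader_locked"] = props.get("ro.boot.flash.locked") == "1"
    # verifiedbootstate: green = locked and verified, orange = unlocked,
    # yellow = booted with a custom signing key, red = verification failed.
    f["verified_boot"] = props.get("ro.boot.verifiedbootstate", "unknown")

    notes = []
    if f["userdata_encrypted"]:
        notes.append("userdata is encrypted: a chip-off or raw NAND image will be "
                     "ciphertext; extract logically from the unlocked, running device "
                     "where possible")
    else:
        notes.append("userdata is not encrypted: a physical image can be parsed directly")
    if f["debuggable"] or not f["production_build"]:
        notes.append("non-production build: adb root may be available without an exploit")
    if not f["bootloader_locked"] or f["verified_boot"] == "orange":
        notes.append("bootloader already unlocked: a custom recovery can be booted via "
                     "fastboot without the factory reset that unlocking would trigger")
    if f["sdk"] and f["sdk"] < 21:
        notes.append("pre-5.0 device: SELinux not fully enforcing and full-disk "
                     "encryption off by default on most devices")
    f["notes"] = notes
    return f


if __name__ == "__main__":
    findings = triage(parse_getprop(SAMPLE_GETPROP))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On a real device the input comes from `adb shell getprop` (USB debugging must already be enabled, or the extraction tool must provide an equivalent channel); pair it with `adb shell getenforce` to confirm the SELinux mode at the time of seizure, since that is not exposed as a property.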

Android does not back up a device's data unless the user signs in to a Google account and enables backup. When it is enabled, settings, app data and other content are copied to Google's servers, which makes the user's Google account a further potential source of evidence, subject to the appropriate legal process.


Android Device Forensics

Because Android devices come in so many shapes and sizes, and because there are so many vendor variations of the Android OS, Android devices present unique challenges to forensic investigators, and there is no one-size-fits-all approach to Android forensics.

Android forensics is delicate work. Two of the first challenges are isolating the phone from its networks (airplane mode or a Faraday bag) so that a remote wipe, incoming messages or cloud sync cannot alter the evidence, and recovering deleted data before the flash controller's garbage collection and TRIM processing purge it from the chip.
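The same race against cleanup happens one layer up. Android keeps text messages and call logs in SQLite databases, and when an app deletes a row the database simply marks the space free; the old record lingers in the page until SQLite reuses it or the file is vacuumed. The Python script below is an added example written for this page, not a Gillware tool: it builds a constructed SMS-style database, deletes one message the way an app would, shows that a plain SQL query (a logical extraction) no longer returns it, and then parses the SQLite page format directly to carve the deleted row back out of the page's freeblocks and unallocated space. The table layout and the sample messages are assumptions, not a copy of any device's schema.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample messages in the style of Android's sms table.
# Not taken from any real device.
SAMPLE_SMS = [
    (1, "+15550100001", 1496678400000, "Running late, be there in 10"),
    (2, "+15550100002", 1496682000000, "Delete this as soon as you read it"),
    (3, "+15550100003", 1496685600000, "Lunch tomorrow?"),
]


def build_sample_db(path, delete_id=2):
    """Create a small sms database, then delete one row as an app would."""
    conn = sqlite3.connect(path)
    # secure_delete=OFF is SQLite's upstream default; set it explicitly because
    # some distributions compile it ON, which zeroes freed cells and defeats carving.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("PRAGMA journal_mode=DELETE")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", SAMPLE_SMS)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE _id = ?", (delete_id,))
    conn.commit()
    conn.close()


def live_bodies(path):
    """What a logical extraction (plain SQL) returns after the delete."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY _id")]
    conn.close()
    return rows


def _u16(buf, off):
    return struct.unpack(">H", buf[off:off + 2])[0]


def slack_regions(data):
    """Yield (page_no, kind, bytes) for the freeblocks and unallocated space of
    every table-leaf page (b-tree page type 0x0D) in a SQLite file."""
    psize = _u16(data, 16)
    if psize == 1:                      # the header encodes 65536 as 1
        psize = 65536
    for pno in range(1, len(data) // psize + 1):
        page = data[(pno - 1) * psize:pno * psize]
        hdr = 100 if pno == 1 else 0    # page 1 starts with the 100-byte file header
        if page[hdr] != 0x0D:
            continue
        ncells = _u16(page, hdr + 3)
        content_start = _u16(page, hdr + 5) or 65536
        ptr_end = hdr + 8 + 2 * ncells
        # Gap between the cell pointer array and the cell content area. A cell
        # freed at the top of the content area is absorbed here, not into a freeblock.
        yield pno, "unallocated", page[ptr_end:content_start]
        off = _u16(page, hdr + 1)       # head of the freeblock chain
        seen = set()
        while off and off not in seen and off + 4 <= psize:
            seen.add(off)
            nxt, size = _u16(page, off), _u16(page, off + 2)
            if size < 4:
                break
            # The first 4 bytes of a freed cell are overwritten by the freeblock
            # header (next offset, size); the rest of the old record survives.
            yield pno, "freeblock", page[off + 4:off + size]
            off = nxt


def carve_strings(blob, min_len=6):
    """Printable-ASCII runs; a full tool would decode the record header instead."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def recover_deleted(path):
    """Strings found in slack space that no live row contains."""
    with open(path, "rb") as f:
        data = f.read()
    live = set()
    conn = sqlite3.connect(path)
    for row in conn.execute("SELECT address, body FROM sms"):
        live.update(row)
    conn.close()
    hits = []
    for pno, kind, blob in slack_regions(data):
        for s in carve_strings(blob):
            if s not in live:
                hits.append((pno, kind, s))
    return hits


def run_demo():
    """Build the sample database in a temp dir; return (live rows, carved hits)."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_sample_db(path)
    return live_bodies(path), recover_deleted(path)


if __name__ == "__main__":
    live, hits = run_demo()
    print("live:", live)
    for pno, kind, s in hits:
        print(f"page {pno} {kind}: {s!r}")
```

The deleted row is recoverable only because nothing has reused its page yet: a later insert, a VACUUM, or an app built with secure_delete on will overwrite it, which is the application-level version of the garbage-collection race the paragraph above describes. On a seized device the database must therefore be pulled before the messaging app runs again, and the -journal or -wal file next to it should be collected too, since it may hold pre-delete copies of the same pages.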

The Android architecture is layered. At the bottom, the Linux kernel provides the hardware drivers (camera, Wi-Fi, audio, storage and so on), process isolation and SELinux enforcement. Above it sit the hardware abstraction layer, the native libraries and the Android Runtime, and then the application framework that apps are built on. At the top sit the apps themselves, which is all an ordinary user sees and, without "rooting" the device for superuser privileges, all that can be reached directly.

However, in order to understand how an Android device has been used and what data lies within it, a forensic investigator cannot merely concern themselves with the tip of the iceberg. Android forensics involves searching for data not only at the user space level, but at all levels of the Android architecture.

There are many different techniques a forensic analyst can use to access an Android phone. Each technique, depending on the situation, has varying degrees of success and various risks and rewards. It takes a skilled forensic analyst to know which techniques to use in order to both mitigate or prevent evidence contamination and recover as much forensic evidence as possible.


What Services Does Gillware Digital Forensics Offer for Android Forensics?

With so many different smartphone and smart device manufacturers releasing new products and new models, all running variations of the Android operating system, forensic investigators have to constantly stay on their toes. Being effective at Android forensics means constantly keeping a finger on the pulse of smart device technology and keeping an eye out and an ear open for all of the newest advancements and features of the Android O/S.

Gillware Digital Forensics proudly features the extensive forensics skills of our president, Cindy Murphy. Cindy spent years working in and with law enforcement, earning her reputation as a highly skilled and certified digital forensics expert. Our forensic investigators make use of commercial smartphone forensics tools such as Cellebrite's, as well as internally developed tools and solutions, to carry out our investigations.

Android Forensics

For years before the founding of Gillware Digital Forensics, Gillware's data recovery lab had been recovering data from Android phones. These cases ranged from phones that had suffered severe physical damage to the recovery of deleted text messages and photos from otherwise healthy Android phones. At Gillware Digital Forensics, we can leverage the skills of our Android device data recovery experts in our Android forensic analysis.

For over a decade, Gillware Data Recovery has recovered data even when other means (and other recovery labs) failed to produce results. With the benefit of our data recovery lab and advanced techniques, the experts at Gillware Digital Forensics can recover data and perform forensic analysis on Android devices, even when the devices have been physically damaged or intentionally tampered with to prevent access to the critical data within. Our data recovery and forensic investigation skills also come in handy when the model of phone in question is not supported by commercially-available mobile forensics tools.

Recovering Data from Broken Android Devices

Our forensic data recovery experts use advanced data recovery techniques to create forensic images of the data storage media within Android devices, even devices that have been exposed to fire, submerged in water for extended periods, run over by a car, or have sustained any other sort of damage that may render the device nonfunctional.

Gillware has pioneered techniques and tools for recovering the raw NAND flash memory from monolithic solid state memory chips used to store data on modern Android devices. Using the advanced tools, write-blocked forensic imaging technology, and the techniques practiced in our secure data recovery lab, our Android phone recovery technicians can access and create forensic images of the device’s eMMC or eMCP chip, removable SD or microSD card, and SIM card without altering the data on the device.

In many cases, especially when the device has been severely damaged, Android forensics is like putting together a jigsaw puzzle without all the pieces. No one knows this better than the Android data extraction experts at Gillware.

Expert Testimony

At Gillware Digital Forensics, our Android forensics experts also offer expert testimony in court. One of the most important facets of an Android forensics investigation is being able to clearly communicate the complex and nuanced results of the forensic investigation of an Android mobile phone or other smart device. Instead of taking the risk that laypeople could misrepresent the results of a forensic investigation, you can rely on Gillware’s expertise to make sure our forensic findings are clearly presented by an expert and well understood by the court.


Let Gillware Digital Forensics Meet Your Android Forensics Needs

Our forensics experts at Gillware Digital Forensics can provide every Android forensics service you need in the ever-shifting landscape of mobile forensics. Whether your forensic needs are mundane or exceedingly challenging, Gillware Digital Forensics has the experts and the tools to succeed in the situations others might not.

To get started, follow the link below to request an initial consultation with Gillware Digital Forensics.