fbpx

Digital Forensics for Android Devices

It only took eight short years for Android to become the premier operating system for smartphones. Starting out with a humble 2% of the worldwide market share in 2009, phones running the open-source Android OS now command over 80% of the mobile phone market share worldwide. This malleable OS, based on a Linux kernel, sees use not only in smartphones, but also in tablets, smart TVs, and a myriad of other devices as well. As such, it stands to reason that when you need data extracted from a device for forensic analysis, you will find yourself dealing with Android devices more often than not. Gillware offers a full suite of Android forensics services as one of its services for law enforcement officials and legal professionals.

It only took eight short years for Android to become the premier operating system for smartphones. Starting out with a humble 2% of the worldwide market share in 2009, phones running the open-source Android OS now command over 80% of the mobile phone market share worldwide. This malleable OS, based on a Linux kernel, sees use not only in smartphones, but also in tablets, smart TVs, and a myriad of other devices as well. As such, it stands to reason that when you need data extracted from a device for forensic analysis, you will find yourself dealing with Android devices more often than not. Gillware offers a full suite of Android forensics services as one of its services for law enforcement officials and legal professionals.

The Necessity of Android Forensics

Over the course of the past two decades, phones stopped just being phones. Ever since the advent of basic smartphones around the end of the twentieth century, people no longer use their phones merely to speak to one another. Today, you can use your phone not only to send voice and text messages, but also to browse the Internet and send emails, take photos, listen to music, get directions to anywhere you need to go, play video games, pay for your groceries (and your bills), and more. The number of things we can do with our phones just keeps increasing.

As we entrust more and more of our data to our phones, we leave more and more traces of our presence and our activities on them. It seems just about everyone has a smartphone these days, even children (to the chagrin of some). And (unless you live in Silicon Valley) the vast majority of the smartphones around you run on the Android platform.

These Android devices are filled with absolutely critical data for any sort of investigation. Where did the user come from? Where were they going? What apps did they have installed, and what data did these apps leave behind? Who did they last speak to (or whose calls have they missed), and whose text messages did they delete? Who is in their contact list? What did their Internet browsing history look like? What did they take photos of?

In an investigation, any of these questions might not be answerable without the data from a mobile phone—but the answers could be just the breakthrough your case needs. With the help of skilled specialists in Android forensics to make sense of it all, even trace amounts of data on an Android device can provide answers to these questions.

Android Overview

The makeup of Android devices vary wildly across the many manufacturers of Android smartphones and other mobile devices. This provides a great challenge for Android forensics, as every smartphone and device manufacturer will do things a little differently and design their systems in different ways.

Android and iOS devices alike both store their data on internal NAND flash memory chips. One of the most crucial differences between Android and iOS devices is that Android smartphones, unlike iPhones, have both eMMC chips and removable SD cards for additional storage. These extra pieces of removable storage add yet another piece to the puzzle of Android forensics. Data from applications on the device can be split up across the internal eMMC chip and the removable memory card, complicating the task of forensic analysis. Third party applications will often have most of their data stored on an Android device’s removable SD card instead of its internal flash memory.

The Android O/S can use either the Linux 2.6 kernel or the SELinux kernel, which provides additional security control. There are three types of commonly used Linux filesystems, although an Android device can use any one of the myriad Linux filesystems available. Ext4, the most common filesystem, sees use on most new Android devices. YAFFS2, an open-source filesystem designed for devices using flash memory, uses advanced “garbage collecting” measures to clean up and erase deleted data faster, which can put forensic analysts at a disadvantage. Samsung Android devices typically use RFS (which stands for “robust filesystem”).

Data on most Android devices is not automatically backed up by default. However, Android users have the option of connecting their devices to their Google accounts. If the user chooses this option, the data on their phone can be backed up to Google’s cloud storage.

Android Forensics

What Services Does Gillware Offer for Android Forensics?

With so many different smartphone and smart device manufacturers releasing new products and new models, all running variations of the Android operating system, forensic investigators have to constantly stay on their toes. Being effective at Android forensics means constantly keeping a finger on the pulse of smart device technology and keeping an eye out and an ear open for all of the newest advancements and features of the Android O/S.

Gillware proudly features the extensive forensics skills of our president, Cindy Murphy. Cindy has worked in and with law enforcement for multiple years, earning her reputation as a highly-skilled and certified digital forensics expert. Our forensic investigators make use of smartphone forensics tools such as Cellebrite as well as internally-developed tools and solutions to carry out our investigations.

For years before the founding of Gillware Digital Forensics, Gillware’s data recovery lab has assisted in recovering data from Android phones. These data recovery cases ranged from the recovery of data from phones that had suffered severe physical damage to the recovery of deleted text messages and photos from healthy Android phones. At Gillware Digital Forensics, we can leverage the skills of our Android device data recovery experts in our Android forensic analysis.

For over a decade, Gillware has recovered data even when other means (and other recovery labs) failed to produce results. With the benefit of our data recovery lab and advanced techniques, our experts can recover data and perform forensic analysis on Android devices, even when the devices have been physically damaged or intentionally tampered with to prevent access to the critical data within. Our data recovery and forensic investigation skills also come in handy when the model of phone in question is not supported by commercially-available mobile forensics tools.

Let Us Exceed Your Android Forensics Needs

Our forensics experts at Gillware can provide every Android forensics service you need in the ever-shifting landscape of mobile forensics. Whether your forensic needs are mundane or exceedingly challenging, Gillware has the experts and the tools to succeed in the situations others might not.