
How to connect an Android device in read only to a computer?

(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

That is the question. I have found another similar question in the forum, but it does not satisfy my needs.

http://www.forensicfocus.com/Forums/viewtopic/t=12064/

Thanks!!!

 
Posted : 07/10/2015 10:32 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

I think it's not possible. Connecting to an Android device means you're communicating with a computer system. That's different from a simple mass storage device.

The only way is doing a physical dump via a forensic boot loader, which is essentially an independent OS that just mounts the phone's storage.

 
Posted : 08/10/2015 1:57 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

> I think it's not possible. Connecting to an Android device means you're communicating with a computer system. That's different from a simple mass storage device.
>
> The only way is doing a physical dump via a forensic boot loader, which is essentially an independent OS that just mounts the phone's storage.

Yes… I hoped for an answer like this. It seems it is only possible by using an extractor like Cellebrite UFED, etc.

 
Posted : 08/10/2015 5:03 pm
(@gorvq7222)
Posts: 229
Reputable Member
 

In my opinion, it is not necessary to worry about this issue, because a mobile phone is different from a computer hard disk. You can easily remove a computer hard disk and connect it to a write blocker in order to acquire it. With a mobile phone, you cannot remove its "disk" like you can with a computer.

Second, when you use UFED or XRY, sometimes you will get a hint: they will want you to press a button on the phone or turn on USB debug mode. Remember that? Yes, what you did at that time did change the original evidence. So what's the difference whether you connect the mobile phone to a read-only interface or not? You still "pollute" the suspect's phone because the forensic tools want you to do so, right?

So, I think you don't have to spend time finding a read-only solution for mobile phones. It's not critical when it comes to mobile phone forensics.

 
Posted : 09/10/2015 2:10 pm
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
 

One thing to note: most phones do not communicate via the USB protocol anymore. You're more than likely to encounter phones that communicate via the MTP protocol. That is why phones are displayed as devices instead of removable disks.

 
Posted : 14/10/2015 1:33 am
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

> One thing to note: most phones do not communicate via the USB protocol anymore. You're more than likely to encounter phones that communicate via the MTP protocol. That is why phones are displayed as devices instead of removable disks.

I had already been told about this. Could you explain it in more detail?

I mean, once your computer has recognized the mobile device, it appears as a device instead of a hard drive as you say, but the computer accesses the mobile device mandatorily, so it cannot be said it is connected in read-only mode because of the MTP protocol.

Thanks!!

 
Posted : 14/10/2015 2:51 am
(@zergling)
Posts: 38
Eminent Member
 

In all the effort to establish a read-only connection, you should consider the fact that the phone memory state is constantly changing whenever it is running.

There are many debuggers, logs, kernel activities and application requests working in the background that rule out the possibility of preventing changes on a running phone.

So you will have a hard time proving that you didn't change the data, even with a "read only" connection.

Small example:

Let's assume that you have established a read-only USB connection and you have access to the internal SD card as a drive (like reading an SD card with a write-protected card reader).

The moment you access the folders on the card, your Android storage service will start making requests to these files in order to respond to your requests (like "get files from folder"…). You won't "copy" any data to the phone, but your actions will "trigger" events that will most likely update databases like "last access timestamp"; the application or service wake-up is also logged on most phones, and so on…

 
Posted : 14/10/2015 12:07 pm
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
 

The only time you will truly be able to extract or image a device in read-only will be via Download mode through the bootloader on certain models/firmware.

 
Posted : 14/10/2015 9:40 pm