Extracting data from dump of mobile devices running Android operating system

In this article we describe how programs used day to day in computer forensics can be applied to the analysis of mobile devices running the Android operating system.

Introduction
Most mobile devices in the world run the Android operating system, so it is no wonder that such devices are frequently submitted for forensic examination. However, when examining mobile devices running the Android operating system (hereafter "mobile devices"), the forensic expert faces the following difficulties:
1. No forensic program supports extracting data from every mobile device in existence.
2. There are a great number of programs written for the Android operating system whose data could be of interest to investigators. So far, no forensic program supports analysis of the logs and data of all of them.
3. The days when investigators wanted only the phone book, call log and SMS messages extracted by the forensic expert are over. Now they also want the history of network resources (browser data), the history of instant messaging programs, deleted files (graphic files, videos, SQLite databases, etc.) and other valuable forensic information.
4. Criminals often delete files from the memory of their mobile devices in an attempt to hide information about the crime committed.
5. Forensic laboratories and examination units cannot afford specialized software packages (.XRY (Micro Systemation) [1], UFED (Cellebrite Forensics) [2], etc.) because of their high cost.

What should a forensic expert do in this situation? Let's try to find out.
1. Physical data extraction from mobile devices
Since investigators are also interested in deleted files held in the memory of mobile devices, the forensic expert has to perform a physical extraction of the mobile device memory, that is, obtain a complete copy of the examined device's memory. A physical memory dump can be made using the following methods:
1. Direct data extraction from the memory chips of the mobile device using the «Chip-off» method.
This is the most difficult method of data extraction, but sometimes it is the only way to extract data from the device.
2. Extracting data from mobile device memory through the JTAG debug interface.
This is a popular method of data extraction using flasher tools such as RIFF Box, Octopus, etc. It allows data to be extracted from devices with minor hardware or software damage. It is important to realize that some flasher tools create the mobile device memory dump in their own format (which differs from raw). Such dumps have to be converted into a format supported by the forensic programs available to the expert.
3. Data extraction with specialized programs (e.g., Oxygen Forensic Suite [3]) and hardware-software systems (.XRY (Micro Systemation) [1], UFED (Cellebrite Forensics) [2], Secure View 3 [4]).
Such tools use the safest method of obtaining root access [5] to the mobile device. This means that the forensic expert cannot always obtain root access, but the device will remain operational after the examination. Root access can be obtained by other, more effective methods, but these carry a risk of damaging the device under examination.
4. Creating a copy of the mobile device memory manually [6], [16].
5. Combined methods.
For example, when user data are stored in the extended memory of the mobile device's central processor (typical of so-called "Chinese cell phones" («Chinese mobile devices», «Chinese phones»)). Such devices use ARM processors from Mediatek, Spreadtrum and Infineon, and a combination of methods can be applied: «Chip-off» extraction (the central processor containing the user's data is desoldered) followed by extraction of the user's data through the JTAG interface.

Usually, when a copy of the mobile device memory is created, the resulting files have specific names that indicate what kind of data they contain. For example, when a memory copy of a mobile device is created with Oxygen Forensic Suite [3], the files mmsblk0 and mmsblk1 are usually produced. Here mmsblk0 is a copy of the mobile device memory and mmsblk1 is a copy of the memory card installed in the mobile device.

With UFED (Cellebrite Forensics) [2], for certain devices you receive a set of files. For example, for the Huawei S7 Ideos this set contains the following files: blk0_mmcblk0.bin, mtd0_boot.bin, mtd1_system.bin, mtd2_recovery.bin, mtd3_splash.bin, mtd4_misc.bin, mtd5_cache.bin, mtd6_userdata.bin, mtd7_logo.bin. Here blk0_mmcblk0.bin is a copy of the mobile device memory, while mtd0_boot.bin, mtd1_system.bin, etc. are copies of the device's logical partitions.




2. Logical data extraction
2.1. Gaining access to the data in a mobile device memory dump
Whichever method the forensic expert uses to obtain the mobile device memory dump, in the end he receives a file (or several files) that has to be examined somehow so that the necessary data can be extracted.

If the forensic expert's task is only to extract logical data from the memory dump of a mobile device running the Android operating system, he can mount the received image in FTK Imager [7, 8] or UFS Explorer [9]. Memory dumps of mobile devices running the Android operating system usually contain a great number of logical partitions (ref. Figure 1). The mobile device user's data are in the logical partition named «USERDATA». From this partition you can extract data such as databases (usually in SQLite format), videos, graphic files, audio files, etc.

Figure 1. View of the logical partitions of a Samsung GT-I9300 in the «Evidence Tree» window of the FTK Imager program.

If the forensic expert examines a file that is a copy of a logical partition with the YAFFS2 file system, he can gain access to the logical data in this file using EnCase Forensic version 7 [10].
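Many eMMC-based Android devices describe their logical partitions with a GPT stored at LBA 1 of the raw flash image, which is what the «Evidence Tree» of an imaging tool walks to show a partition list. The following Python script is an added example (not part of the original article and not code from any tool named here): it parses the primary GPT of a dump, verifies both CRCs so that a damaged header is reported rather than trusted, and reports each partition's byte offset so that USERDATA can be carved out or mounted by offset. The image it parses is constructed inline with made-up partition names and sizes.

```python
import struct, uuid, zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"          # 92-byte GPT header at LBA 1
ENT_FMT = "<16s16sQQQ72s"               # 128-byte partition entry

def _crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def build_gpt_image(parts, total_sectors=65536):
    """Constructed toy eMMC dump: protective MBR, GPT header, 128 entry slots, no data area."""
    table = b"".join(struct.pack(ENT_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                                 first, last, 0, name.encode("utf-16-le"))
                     for name, first, last in parts).ljust(128 * 128, b"\0")
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, total_sectors - 1,
                      34, total_sectors - 34, uuid.uuid4().bytes_le, 2, 128, 128, _crc(table))
    hdr = hdr[:16] + struct.pack("<I", _crc(hdr)) + hdr[20:]   # header CRC computed with field zeroed
    mbr = bytearray(SECTOR)
    mbr[450], mbr[510:512] = 0xEE, b"\x55\xAA"                 # protective MBR: type 0xEE + signature
    return bytes(mbr) + hdr.ljust(SECTOR, b"\0") + table

def list_partitions(image):
    """Walk the primary GPT and return each logical partition with its byte offset in the dump."""
    hdr = image[SECTOR:2 * SECTOR]
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _fu, _lu, _guid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, hdr[:92])
    if sig != b"EFI PART":
        raise ValueError("no GPT at LBA 1: try the backup header in the last sector or an MBR layout")
    if _crc(hdr[:16] + b"\0\0\0\0" + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch: header damaged or partially overwritten")
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if _crc(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        type_guid, _, first, last, _attr, name = struct.unpack(ENT_FMT, table[i * ent_size:][:128])
        if type_guid != b"\0" * 16:                           # all-zero type GUID marks an unused slot
            parts.append({"name": name.decode("utf-16-le").rstrip("\0"), "first_lba": first,
                          "last_lba": last, "offset": first * SECTOR,
                          "size": (last - first + 1) * SECTOR})
    return parts

def find_partition(image, name):
    """Locate one partition (e.g. USERDATA) so it can be carved out or mounted by offset."""
    return next((p for p in list_partitions(image) if p["name"].lower() == name.lower()), None)

# Constructed layout resembling a small Android eMMC (LBA ranges chosen for the example).
SAMPLE_IMAGE = build_gpt_image([("boot", 34, 2081), ("system", 2082, 10273),
                                ("userdata", 10274, 65501)])
```

With a real dump, read the file into `image` instead of using `SAMPLE_IMAGE`; the offset and size of USERDATA can then be passed to `dd` or a loop mount.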

2.2. Decoding SQLite databases
As a rule, the SQLite databases extracted from a mobile device memory dump are of the greatest interest to the forensic expert. This is primarily because valuable forensic information is stored in this format. SQLite databases hold the phone book, calls, SMS messages, MMS messages, dictionaries, mobile device web browser data, mobile device system logs, etc. A list of the SQLite databases that are most valuable from the forensic point of view is given in Table 1.

Table 1. Mobile device SQLite databases

No.  Type of data          Name of file
1    Phone book            /data/data/com.android.providers.contacts/databases/contacts2.db
2    SMS, MMS messages     /data/data/com.android.providers.telephony/databases/mmssms.db
3    Calendar              /data/com.android.providers.calendar/databases/calendar.db
4    Log                   /data/com.sec.android.provider.logsprovider/databases/logs.db
5    User's data           /data/system/users/accounts.db
6    Web browser history   /data/data/com.android.browser/databases/browser2.db
7    Dictionary            /data/user/com.android.providers.userdictionary/databases/user_dict.db

More detailed information about the names and locations of databases that may be valuable to the forensic expert can be found at [11].

The forensic expert should choose the SQLite analysis tool very carefully, because many viewer programs cannot decode some timestamp formats or recover deleted records from such databases.

Some researchers [8] propose using two programs to decode SQLite database files: DCode v4.02a and SQLite Database Browser 2.0b1. Even with this combination of programs, the problem of recovering and analyzing deleted records remains.
One tool that solves this problem is Oxygen Forensic® SQLite Viewer [3]. This utility is oriented towards decoding SQLite databases and can also recover deleted data.

3. Recovering deleted data and files
Recovering deleted data and files from mobile devices is a complicated process. This is due to the hardware organization of data storage in mobile device memory chips and to specific features of the file systems. It is not commonly known, but most forensic programs do not support the YAFFS2 file system. As a result, the forensic expert may find that his program is unable to recover anything from the memory dump when examining a physical dump of a mobile device running the Android operating system.

In our practice, it is difficult to recover deleted videos and other large files from such dumps.

In our laboratory, Belkasoft Evidence Center [12], UFS Explorer [9] and R-Studio [13] have shown the best results in recovering deleted data from dumps of mobile devices running the Android operating system. However, unlike UFS Explorer [9] and R-Studio [13], Belkasoft Evidence Center [12] recovers not only graphic files, Microsoft Office documents, etc., but also calls («Calls»), SMS messages («SMS»), web browser history («Browser history»), calendar entries («Calendar»), social network data from Facebook, Twitter and Vkontakte («Facebook», «Twitter», «Vkontakte»), instant messenger data from ICQ, Kik, Line, Mail.Ru Agent, Skype, Viber and WhatsApp, information about installed software («Installed Applications») and so on (ref. Figure 2). Recovery of deleted instant messenger history can be very important in the investigation of some cases.

Figure 2. Window of Belkasoft Evidence Center in which the recovery operation is selected during examination of mobile device memory dumps.

Recovery of deleted data from dumps of mobile devices running the Android operating system that contain YAFFS2 file systems can be rather complicated. For recovery of deleted data and files from such dumps, we recommend the following programs: EnCase Forensic version 7 [10], The Sleuth Kit [14] or Belkasoft Evidence Center [12].

Figure 3. Window of Belkasoft Evidence Center showing the information found.

4. Analysis of thumbnail databases
Similar to Microsoft Windows operating systems, the Android operating system has files that serve as thumbnail databases and contain thumbnails of the graphic and video files created by the user (including deleted files). In Microsoft Windows operating systems the thumbnail databases are named Thumbs.db or thumbcache_xxx.db (where xxx is the size of the thumbnails in the database). In the Android operating system there is no unified name for such databases. It is also worth noting that these databases can be found both in internal storage and on the memory card installed in the mobile device.

To search for thumbnail databases we use ThumbnailExpert Forensic [15]. As a rule, such files yield valuable forensic information when the main evidence consists of graphic files (photos) or videos taken with the examined mobile device.

Figure 4. Window of ThumbnailExpert Forensic showing the information found.

5. Examples of data recovery from dumps of mobile devices running Android operating system
5.1. Example 1. Case of sexual harassment of a child
During the examination it was established that the criminal had taken a video of himself sexually harassing a child. By the time the mobile device reached the laboratory, the video had been deleted by the criminal. It seemed impossible to recover the video from the device memory. However, using Belkasoft Evidence Center [12], a graphic file (a thumbnail that had earlier existed on the examined device) was recovered. Although the graphic file was small, the recovered picture was damning evidence of the criminal's guilt in committing this crime. Other recovery programs could not recover this file.

5.2. Example 2. Case of sexual violence against a woman
A criminal took a video of himself committing sexual violence against a woman on his mobile phone. It seemed impossible to recover the deleted video. Using ThumbnailExpert Forensic [15], a search for unusual thumbnails was carried out among the files. It is worth noting that ThumbnailExpert is one of the best programs for finding unusual thumbnails. As a result of the examination, the file «/data/com.android.gallery3d/cache/imgcache.0» was found. It contained thumbnails of all videos created on this device, including the videos taken by the criminal while committing the crime.

5.3. Recovering the log of the mobile application WhatsApp
In this case our task was to recover the messages exchanged between a criminal and his accomplices through the mobile application WhatsApp. Decoding msgstore.db [11] with our usual tools did not give investigators a sufficient result. The examination was then repeated with Belkasoft Evidence Center [12]. This time many more messages were extracted and the conversation between the criminals was recovered.

Conclusion
Combining traditional programs for mobile device analysis (such as [1], [2], [3]) with traditional programs used in cyber (computer) forensics (such as [9], [12], [15], etc.) gives the best results in the analysis of dumps of mobile devices running the Android operating system. Forensic experts obtain more data, including deleted data, and therefore have a better chance of proving the guilt of criminals in the crimes committed.

References
1. .XRY. http://www.msab.com
2. UFED, UFED Physical Analyzer. http://www.cellebrite.com
3. Oxygen Forensic Suite, Oxygen Forensic® SQLite Viewer. http://www.oxygen-forensic.com/en/
4. Secure View 3. http://secureview.us
5. Rooting (Android OS). http://en.wikipedia.org/wiki/Rooting_(Android_OS)
6. Android Forensics. Physical Techniques. https://viaforensics.com/resources/reports/android-forensics/physical-techniques/#su
7. FTK Imager. http://www.accessdata.com/support/product-downloads
8. Robert Craig. Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action Group (JTAG). http://articles.forensicfocus.com/2014/03/11/jtag-sch-r530u-that-has-android-4-3-on-it/
9. UFS Explorer. http://www.ufsexplorer.com/index.php
10. EnCase Forensic. https://www.guidancesoftware.com
11. Supported Decoders: data files and databases. http://www.andriller.com/decoders
12. Belkasoft Evidence Center. http://forensic.belkasoft.com/en
13. R-Studio. http://www.r-studio.com
14. The Sleuth Kit. http://www.sleuthkit.org
15. ThumbnailExpert Forensic. http://computer-forensics-lab.org/en/news/25/
16. Android software development. http://en.wikipedia.org/wiki/Android_software_development#Android_Debug_Bridge

About the Author: Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Contacting the Author: http://linkedin.com/in/igormikhaylovcf
Site: http://computer-forensics-lab.org

8 thoughts on “Extracting data from dump of mobile devices running Android operating system”

  1. Interesting article, very well written! Quite a good analysis of the outcomes of using different tools for Android forensics. Hope we can work together and give more details on decrypting WhatsApp crypt7 databases using the WhatsappXtract tool or some other sophisticated tool for decryption. Cheers!

  2. This is what I have been searching for all this time. You helped me, thank you so much 😀 Oh, um, I want to ask you something about the device: does the device need root access to be able to use Belkasoft, UFS Explorer and R-Studio?
