Android based phones  

seany86
(@seany86)
New Member

Hi,

Just out of my own personal study, I have been trying to image the internal memory of an Android-based phone (G1).

After reading up on Android and how the system works, I have come across a set of functions that developers are able to use in making apps.

As it's a Linux-based system, I was going to do the same as I have done with the iPhone, which was to dd the memory and send it over wireless to my system. But that required me to jailbreak the phone.

So anyway, I attempted to do this but it kept asking for root access (I thought all Androids had root). I found out that only the older models had full function of root. So this would again require me to "JailBreak" the phone.

I am looking for a way to image the memory that is still forensically sound. I have tried a number of tools: .XRY, with which I have had trouble in the past, Paraben Device Seizure and Oxygen. None were able to read the phone.

As I am a 3rd year forensics student I was unable to have a full run of all the tools that you members may have access to. Are there any tools that will allow me to do this?

Thank you

Sean

Posted : 19/02/2009 1:18 am
trewmte
(@trewmte)
Community Legend

seany86, I don't want to disappoint you, but with mobile phones the terms "image" and "forensically sound" may not always go together. Android only came out last year (June 2008) and the device is constantly changing.

Have you been through to the developers' website?

I also have the android USB windows app and user guides if that would help you?

Posted : 19/02/2009 3:18 am
ahoog
(@ahoog)
Junior Member

I think there are some possibilities to get a dd image from a phone running Android (although new phones have been announced, today it's only the G1/HTC Dream).

As Sean mentioned, Android is open source and based on Linux. The core OS actually has dd already compiled and installed…not cp, so if you want to copy files to and from at a low level you use dd. It should be simple to compile netcat for that version of Linux. So, basically install that package/binary, get root (not the same as jailbreaking) and then telnet/ssh. After that, with WiFi support built in, I think imaging the user partition should be straightforward.

I am actively researching this as we speak. I hope to have some answers in the near future and will post on my blog. If anyone has direct experience with this/Android, I'd like to chat with you about it more.

Posted : 19/02/2009 8:27 am
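
Added example, not part of ahoog's post or of any tool named in this thread: a workstation-side receiver for the dd-over-network approach described above, which hashes the image as it arrives and then re-verifies the stored file. The file name and sample bytes are constructed for the demo, and the phone-side sender is assumed to be whatever pipes dd output into a TCP connection.

```python
import hashlib, os, socket, tempfile, threading
from datetime import datetime, timezone

CHUNK = 64 * 1024

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def receive_image(listener, out_path):
    """Accept one sender, write its stream to out_path, hash it in transit."""
    conn, peer = listener.accept()
    in_transit, total = hashlib.sha256(), 0
    with conn, open(out_path, "wb") as out:
        while chunk := conn.recv(CHUNK):   # empty read: sender closed, image done
            in_transit.update(chunk)
            out.write(chunk)
            total += len(chunk)
        out.flush()
        os.fsync(out.fileno())
    os.chmod(out_path, 0o444)              # stored image is read-only from here on
    return {
        "source": peer[0],
        "bytes": total,
        "sha256": in_transit.hexdigest(),
        # Re-read from disk: the stored copy must match what came off the wire.
        "verified": sha256_file(out_path) == in_transit.hexdigest(),
        "received_utc": datetime.now(timezone.utc).isoformat(),
    }

def demo():
    """Loopback run; constructed bytes stand in for the phone's dd output."""
    sample = bytes(range(256)) * 1024      # constructed 256 KiB "partition"
    listener = socket.create_server(("127.0.0.1", 0))   # port 0: OS picks one
    def send():
        with socket.create_connection(listener.getsockname()) as s:
            s.sendall(sample)
    sender = threading.Thread(target=send)
    sender.start()
    out_path = os.path.join(tempfile.mkdtemp(), "userdata.dd")
    record = receive_image(listener, out_path)
    sender.join()
    listener.close()
    return record, hashlib.sha256(sample).hexdigest()

if __name__ == "__main__":
    print(demo())
```

The recorded hash only shows that the image has not changed since it reached the workstation; it says nothing about changes made on the handset to get the data out, which is the concern raised earlier in the thread.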
seany86
(@seany86)
New Member

In the later models root access is locked out. So, at the moment the only way to do so is to downgrade the firmware to one where root access is allowed.

I saw that Oxygen is supposed to support Android in a later version, have to wait and see.

Posted : 19/02/2009 2:04 pm
trewmte
(@trewmte)
Community Legend

"In the later models root access is locked out."

What do you base that statement on, seany86?

Do you have a statement from Android that says that or is that your own conclusion?

Posted : 19/02/2009 3:09 pm
DFICSI
(@dficsi)
Active Member

I have a G1 (and love it). Root access is not accessible on it without 'jailbreaking'. Older firmware versions allowed this access but no longer.

This is a bit of a pain as the G1 keeps all data on the internal memory of the phone and only uses the memory card for music, etc.

Jailbreaking/custom firmware is not that easy either as most of the work on that has been done on the US phones, the firmware on UK phones is different and very few people have shared what information they have about jailbreaking the UK G1.

The other thing is that all apps on the G1 are run in a Java VM. So it's not a simple case of writing a program to give you full access to the phone.

If you're going to play with the G1 might I recommend downloading and configuring the Android SDK, as that provides a virtual Android platform with which to play, with no risk to the actual device.

Posted : 19/02/2009 6:47 pm
trewmte
(@trewmte)
Community Legend

This is not my find. Does this work, though? I appreciate this may not meet the OP's requirement of forensically sound. I don't have an Android so can't test this right now.

Apparently, there is a loophole in the G1 Android handsets using "PTerminal application".

"PTerminal is available for download from the Android Market and can apparently be used to start a telnet connection on your G1 which can then be accessed from your PC - giving you root access to the device."

- Turn on your phone's WiFi. This gives your phone an IP you can reach it at.

- Get to a command prompt on your device by using the PTerminal application from the Android Market. (adb shell does not seem to work with these instructions, telnetd does not start up)

- cd system

- cd bin

- telnetd

- netstat (get your phone's IP)

- telnet into your phone's IP from your PC

you now have root!

Posted : 19/02/2009 7:21 pm
trewmte
(@trewmte)
Community Legend

Thought I would make a double post. Whilst searching I noted there is an app called 'Superuser' by JesusFreke: "Superuser provides a sudo-style interface that notifies you whenever an application needs to perform an operation that requires root access."

Is it the case that the barrier to root access seems to revolve around keystore certificates when access attempts occur?

Posted : 19/02/2009 7:29 pm
DFICSI
(@dficsi)
Active Member

PTerminal no longer works as root access was closed with the last round of updates.

Superuser requires a modded firmware/jailbroken phone. These apps worked once upon a time but have not worked since the last round of updates in December. If you're analysing a G1 from before December then you may have a chance with one of these two tools, if not, you'll have to hack it.

BTW neither one of these is currently available in the Market.

Posted : 19/02/2009 7:38 pm
trewmte
(@trewmte)
Community Legend

Thanks for that, DFICSI. I was just reading about following reboot type in telnetd to the Android and it speeds up the process. But the thread discussion I read was November 2008. So it's after December 2008 - useful guideline.

Posted : 19/02/2009 7:57 pm
ahoog
(@ahoog)
Junior Member

Regarding commercial solutions, the latest firmware for Cellebrite's UFED states support for the G1. I wrote a short entry at

http://chicago-ediscovery.com/android-forensics/ufed-supports-tmobile-g1-android.html

Posted : 19/02/2009 8:05 pm
ahoog
(@ahoog)
Junior Member

FYI, I am collaborating with several people who have begun writing a book on Android Forensics. You can see an outline, keep up with the progress, sign up for an email alert, etc. at

http://viaforensics.com/android

If you have specific questions, let me know as I've experimented with many techniques. I will speak on this topic at Mobile Forensics World 2009…hope to meet some of you there.

Posted : 30/04/2009 1:28 am