Learning Android Forensics

Reviewed by Scar de Courcier, Forensic Focus

Learning Android Forensics was written by Rohit Tamma and Donnie Tindall, and aims to provide a thorough introduction to the forensic analysis of smartphones running the Android operating system, from the initial setup of a forensic workstation through to analysing some of the more important artefacts. With input from highly experienced reviewers in the digital forensics field, the book is an excellent resource for students and practitioners alike.

The idea for the book was born out of a desire to help practitioners understand what goes on in the background when they press a ‘Find Evidence’ button in a forensics tool. To make this process easier, the authors have focused on free and open source tools throughout the book, which again makes it an accessible read.

Unusually, the book is pitched at both ends of the forensic audience. Those who are just starting out in the field will find the first few chapters interesting, as these provide an in-depth look at the Android architecture, from the Linux kernel to the application framework.

There is also an introduction to starting out in forensics: how to prepare for an investigation; seizure and isolation of devices – including the relative merits of Faraday bags and RF isolation boxes – and how to write a basic report.

A series of tables, flow charts and screenshots throughout the book provide useful visual references for each step of the processes described. These range from demonstrating how the Android Virtual Device Manager works, to flow charts on which extraction approach to take depending on whether the device can be booted into a custom recovery.

After the introduction to digital forensics as a whole, and Android forensics in particular, the second chapter discusses how to set up an Android forensic environment. This, coupled with the fact that all of the tools used in Learning Android Forensics are free and open source, is one of the elements that make it an excellent book not only for the experienced practitioner, but also for individuals and small companies who are just starting out in their digital forensics careers.

For those with a limited amount of experience in back-end forensics, pages 51-59 have a helpful list of commands and options, as well as an overview of log data. This is followed by a brief discussion of device rooting, custom recovery and fastboot mode.

Again, due to the step-by-step layout of the chapters, the advice given in this section of Learning Android Forensics will be accessible to forensic investigators of any level, and would no doubt provide a useful refresher for people who have been working in the field for a while and wish to update their knowledge.

Common Android filesystems are discussed in chapter three, including pseudo filesystems, flash memory filesystems and media-based filesystems.

The remainder of the book is split into two main sections: logical and physical extraction of data from Android devices. Once again both subjects are discussed from the level of a beginner and gradually built upon, with steps clearly laid out allowing anyone to try to run through the various stages and successfully extract data from a given device.

Lock screens are one of the more challenging aspects of Android forensic investigations, and they have their own section in Learning Android Forensics, covering slide, pattern, password and PIN locks as well as the Smart Lock options (trusted face, trusted location and trusted device). Although an examiner cannot always bypass each of these directly, all of the Smart Lock options, the hardest to defeat head-on, require a pattern, PIN or password as a fallback. This means that an investigator only needs to recover one of those three, rather than, for example, having to fool a facial recognition check.
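As an added illustration of why recovering the fallback is enough (this is example code written for this review, not code from the book): on older Android versions, before the lock data was moved to Gatekeeper-backed storage, the pattern lock was stored in /data/system/gesture.key as the unsalted SHA-1 of the pattern's dot indices (0 to 8, numbered top-left to bottom-right). Because the UI only accepts four to nine distinct dots and automatically selects any unvisited dot that a stroke passes over, the entire keyspace is 389,112 patterns and can be enumerated in a few seconds. The 20-byte key below is constructed for the example, and the file path is the one used by those older versions.

```python
import hashlib

# Index of the dot a straight stroke from a to b would pass over, or None.
# Dots are laid out as a 3x3 grid: index = row * 3 + column.
def _midpoint(a, b):
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern (as bytes of dot indices) the lock UI could accept.

    Rules: each dot used at most once, 4..9 dots, and a stroke may only skip
    over a dot that was already visited (otherwise the UI selects it).
    """
    def extend(path, visited):
        if len(path) >= min_len:
            yield bytes(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _midpoint(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # would pass over an unvisited dot: not a reachable pattern
            visited.add(nxt)
            path.append(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in range(9):
        yield from extend([start], {start})


def gesture_key_for(pattern):
    """Compute the 20-byte gesture.key value for a pattern (list of dot indices)."""
    return hashlib.sha1(bytes(pattern)).digest()


def crack_gesture_key(key_bytes):
    """Return the pattern whose SHA-1 equals the gesture.key contents, or None."""
    for pat in valid_patterns():
        if hashlib.sha1(pat).digest() == key_bytes:
            return list(pat)
    return None


# Constructed sample: a gesture.key as it would look for the pattern 0-4-8-5
# (top-left, centre, bottom-right, middle-right).
SAMPLE_GESTURE_KEY = gesture_key_for([0, 4, 8, 5])

if __name__ == "__main__":
    # In practice: key = open("/data/system/gesture.key", "rb").read() from the image
    print(crack_gesture_key(SAMPLE_GESTURE_KEY))  # [0, 4, 8, 5]
```

The pass-over rule matters for completeness as much as for speed: a naive enumeration of all permutations tries patterns the UI could never have produced, while forgetting that a visited dot may be crossed would miss patterns the user could actually draw.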

The book was published shortly after the release of Android Lollipop 5.0, which introduced a number of new, stronger security features. The complications and challenges that these bring for forensic examiners are briefly discussed at the end of chapter four.

Physical extraction, along with verifying a physical image and analysing a full physical image, are the next subjects of discussion. There are also several pages of advice concerning SD card security and what an investigator can expect to find on an SD card. JTAG and chip-off extraction are also briefly dealt with, although since these methods tend to be more complex and intricate, they are not discussed at length.

Deleted data has a section all to itself, including the use of FTK Imager to image an SD card and examine its contents. Other techniques discussed include recovering deleted data from internal memory, parsing SQLite files, and using file carving techniques to uncover data and reconstruct files from unallocated space.
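To show what header/footer carving actually does (an example added for this review, not code from the book): a carver scans raw bytes for a known file signature and copies everything up to the matching trailer, which is how deleted pictures are pulled out of unallocated space when the filesystem no longer points at them. JPEG is the usual first target: every file starts with FF D8 FF and ends with FF D9, but Exif thumbnails embed a complete JPEG inside the outer one, so a carver that stops at the first FF D9 truncates such files. The version below tracks nesting depth to handle that case. The byte blob is constructed inline to stand in for a raw partition or SD card image.

```python
SOI = b"\xff\xd8\xff"   # Start Of Image followed by the first marker byte
EOI = b"\xff\xd9"       # End Of Image


def carve_jpegs(blob, max_len=16 * 1024 * 1024):
    """Return a list of (offset, bytes) for each JPEG found in a raw byte blob.

    Nested SOI/EOI pairs (e.g. Exif thumbnails) are matched so the carved file
    runs to the outer EOI. A header with no trailer within max_len is skipped.
    """
    results = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start == -1:
            break
        depth = 0
        end = None
        i = start
        limit = min(len(blob), start + max_len)
        while i < limit - 1:
            if blob.startswith(SOI, i):
                depth += 1
                i += 3
            elif blob[i] == 0xFF and blob[i + 1] == 0xD9:
                depth -= 1
                i += 2
                if depth == 0:
                    end = i
                    break
            else:
                i += 1
        if end is None:
            pos = start + 1        # unterminated header: keep scanning past it
            continue
        results.append((start, blob[start:end]))
        pos = end
    return results


# Constructed sample "image": filler, a JPEG with an embedded Exif thumbnail,
# a stray EOI with no header, then a plain JFIF JPEG.
FILLER = b"\x00" * 32
THUMB = b"\xff\xd8\xff\xe0" + b"thumb" + EOI
JPEG1 = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + THUMB + b"scan data" + EOI
JPEG2 = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"second image" + EOI
SAMPLE_BLOB = FILLER + JPEG1 + FILLER + EOI + FILLER + JPEG2 + FILLER

if __name__ == "__main__":
    # In practice: blob = open("sdcard.dd", "rb").read() (or a memory-mapped file)
    for offset, data in carve_jpegs(SAMPLE_BLOB):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

The same loop works for any format with a fixed header and trailer; formats without a trailer (SQLite databases, for instance, which begin with the string "SQLite format 3\0") need the length read from the header instead, which is why the book treats SQLite parsing separately from carving.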

Of course, one of the largest challenges facing any forensic investigator who needs to extract data from a smartphone or tablet device, whether Android or otherwise, is the vast number of applications available and the frequency with which these are updated. Luckily, Learning Android Forensics provides an overview of where to start with application analysis and what to look for. Although it would be impossible to look at every application available in the Play Store, some of the more common ones are dealt with in some detail, including Gmail, Facebook, Skype, Snapchat, Viber, WhatsApp, WeChat, Kik, and the user dictionary.

Reverse engineering applications, and obtaining and disassembling APK files, is also discussed in a way that is both accessible and sufficiently detailed.

Learning Android Forensics concludes with an overview of the free and open source Android forensic tools that have been used throughout the book, and once again this section includes step-by-step instructions with accompanying screenshots to help forensic examiners to be able to start extracting data from Android devices.

Overall, Learning Android Forensics by Rohit Tamma and Donnie Tindall is highly recommendable for digital forensic investigators, whether your goal is to refresh your knowledge or learn about a whole new area.

Learning Android Forensics is written by Rohit Tamma and Donnie Tindall and is available for purchase via Packt Publishing.
