Let's starting a series of article related to digital forensic focused on mobile devices.
In this first post i'd like to share some thoughts about image acquisition on android devices.



On android devices we can perform two kind of image acquisition:

  • Live acquisition: performed on a running device. Usually the analyst gains root permissions using various tools and extract the image using DD.
  • Dead acquisition: performed on device booted into another state. For example, if the device has the ClockwordMod installed, the analyst can reboot device to recovery and obtainn a root shell.

Today we will see how to perform  a live acquisition of Android data partition.

Note: in order to follow the below process, the device must be rooted.


Rooting Android

Rooting Android phones has become a common phenomenon and rooted phones are very often encountered during investigations. Also, depending on the situation and data to be extracted, the examiner himself has to root the device in order to extract certain data.

However, the process of rooting is specific to each phone model, version of Android and build number, so you always need to find the right tool according to your phone model.

A majority of modern Android phones can bee rooted using an app called KingoRoot, if for some reason this method doesn't work for you (locked bootloader, Knox, etc.), it may be useful find help at XDA Developers, a website with a large active user community dedicated to android development.

Android rooting software is sometimes repackaged with malware o some potentially unwanted programs, that may alter the filesystem and must be filtered during analysis process.
So, i suggest to use this kind of software only if the "official" methods not works.


Imaging the /data partition

We will use the popular “dd” tool to do our job.
“dd” is present in Android by default in “/system/bin” location.

In order to limit changes of the device filesystem, the image will be transferred to workstation using a tunnel created with NetCat.

So, the first step after rooting must be the installation of Busybox (download here), a collection of console utility containing netcat.

Once downloaded the busybox Apk, install it on device using adb:

adb -d install BusyBox.apk

Then, connect to the phone and check root access:

adb -d shell
ls /data
su
ls /data

We use ‘ls /data’ to test if we have access to a protected directory.

The first time you run it, it should fail. Next we use ‘su’ to switch the user to root.
We then use ‘ls /data’ again to test if we now have access to protected directories.

Next, we need to check the mounted partitions on the device:

root@VF-895N:/ # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=450904k,nr_inodes=112726,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,size=450904k,nr_inodes=112726,mode=750,gid=1000 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,size=450904k,nr_inodes=112726,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,size=450904k,nr_inodes=112726,mode=755,gid=1000 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/tctpersist /tctpersist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/fuse /storage/uicc1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/uicc0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/usbotg fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:65 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0

We are interested in the data partition, in this case “/dev/block/bootdevice/by-name/userdata”.

Next, we need to set out connection routing between the workstation and the mobile device, forwarding port 8888.

On the workstation run:

adb forward tcp:8888 tcp:8888

So, now let's starting imaging process using "dd" and pipe the data using netcat.
On root shell on phone run:

root@VF-895N:/ #dd if=/dev/block/bootdevice/by-name/userdata | busybox nc -l -p 8888

and on the forensic workstation:

nc 127.0.0.1 8888 > android_data.dd

Once the imaging process ends

we can start the analysis on the image disk, using sleuthkit tools or Autopsy.


References and further readings