Android device imaging

The procedure of imaging an Android device using dc3dd: an introduction to the typical data storage and partition layout of the Android OS, the concept of rooting on Android and the difference between a logical and a physical data extraction, and the physical imaging of the internal and external storage using dc3dd.

1. ANDROID DEVICE IMAGING
2. DATA STORAGE ON ANDROID
   • Two storage locations: internal and external.
   • Internal storage is the device flash memory that stores the kernel, system libraries and binaries, app data and more.
   • External storage is usually a removable micro-SD card and mainly contains user data.
3. PARTITION LAYOUT
   • Main internal storage partitions:
     - Boot
     - Recovery
     - Data
     - System
     - Cache
   • The data partition is the most relevant to a forensic investigation, as it contains the apps and user data.
4. ANDROID ROOTING
   • To access all the partitions and data we must have root permissions on the device.
   • The procedure to obtain root privileges is called rooting.
   • Unlocking the bootloader is usually required to root the device.
   • A very useful resource is the XDA Developers forum: forum.xda-developers.com/
5. ANDROID DEBUG BRIDGE (ADB)
   • The Android Debug Bridge (ADB) is a CLI tool, part of the Android SDK Platform-Tools, used to communicate with and control USB-connected Android devices.
   • It allows listing connected devices, pulling and pushing files from and to the device, executing a shell and installing apps on the device.
   • If the device is turned on, the USB debugging option must be enabled under “Developer options” in the system settings.
6. LOGICAL AND PHYSICAL ACQUISITION
   • Two types of acquisition: logical and physical.
   • Logical acquisition copies all or part of the files and directories at the file system level.
   • Physical acquisition copies the device storage bit by bit at the raw level, as with computers.
7. PHYSICAL ACQUISITION OF EXTERNAL STORAGE
   • Physical imaging involves acquiring both the removable micro-SD card and the internal memory.
   • To image the micro-SD card, we must remove it from the device, connect it to the forensic workstation using a hardware or software write-blocking technique, and then acquire it directly with dc3dd, as with a hard drive.
8. PHYSICAL ACQUISITION OF INTERNAL STORAGE
   • Imaging the internal storage is trickier, as we have to execute dc3dd directly on the device.
   • It must therefore be a statically cross-compiled ARM binary, which we can download at: https://github.com/jakev/android-binaries/blob/master/dc3dd
   • We should not copy it onto the internal storage, as it could overwrite potential evidence.
   • Instead we copy the dc3dd binary onto a clean micro-SD card with sufficient capacity to store an image of the internal memory, and insert it into the device.
9. PHYSICAL ACQUISITION OF INTERNAL STORAGE
   • We connect the device to the forensic workstation and spawn a shell on the device with: adb shell
   • We have to identify the input for dc3dd to image; dc3dd takes a block device, not a directory, as its input.
   • We list the block device files associated with the various partitions with the command: ls -l /dev/block/
   • The internal flash memory is usually associated with the mmcblk0 device file, and all the files with this name followed by “p” and a number represent its partitions.
10. PHYSICAL ACQUISITION OF INTERNAL STORAGE
   • Before running dc3dd, we must remount the SD card, as by default Android mounts SD cards with the noexec option, which prevents executing binaries located on the SD card itself: mount -o remount,rw,exec /storage/sdcard1/
   • Then we cd to /storage/sdcard1 and execute the command: ./dc3dd if=/dev/block/mmcblk0 of=mmcblk.img hash=sha512 log=mmcblk.log
   • Note that the image and log output files are written to the micro-SD card.
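The block-device discovery and image verification implied by slides 9 and 10, as an added Python example (not part of the original deck): it parses a constructed `ls -l /dev/block/` listing to find mmcblk0 and its partitions, builds the dc3dd command line from the slide, and checks a pulled image against the SHA-512 digest recorded in the dc3dd log. The sample listing, image bytes and log text are constructed, and the digest line layout in the log is an assumption.

```python
import hashlib
import re

# Constructed sample of `ls -l /dev/block/` output on a rooted device (not a real capture).
SAMPLE_LS = """\
brw------- root     root     179,   0 2014-01-01 00:00 mmcblk0
brw------- root     root     179,   1 2014-01-01 00:00 mmcblk0p1
brw------- root     root     179,  25 2014-01-01 00:00 mmcblk0p25
brw------- root     root     179,  32 2014-01-01 00:00 mmcblk1
brw------- root     root     179,  33 2014-01-01 00:00 mmcblk1p1
crw-rw---- root     root      10, 236 2014-01-01 00:00 device-mapper
"""

def find_flash_devices(ls_output, base="mmcblk0"):
    """Return (whole-device name, partition names sorted by number) for flash device
    `base`; only block devices (type 'b') named base or base + 'p<N>' count."""
    whole, parts = None, []
    for line in ls_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("b"):
            continue
        name = fields[-1]
        if name == base:
            whole = name
        elif re.fullmatch(re.escape(base) + r"p\d+", name):
            parts.append(name)
    parts.sort(key=lambda n: int(n[len(base) + 1:]))
    return whole, parts

def dc3dd_command(device, image, log):
    """The dc3dd invocation from the slide, run from the exec-remounted micro-SD card."""
    return f"./dc3dd if=/dev/block/{device} of={image} hash=sha512 log={log}"

def hash_from_log(log_text, algo="sha512"):
    """Extract the input digest from a dc3dd log (assumed line shape: '<hex> (sha512)')."""
    m = re.search(r"\b([0-9a-f]{128})\s+\(" + re.escape(algo) + r"\)", log_text)
    return m.group(1) if m else None

def verify_image(image_bytes, log_text):
    """Recompute SHA-512 of the pulled image and compare it with the digest in the log."""
    expected = hash_from_log(log_text)
    return expected is not None and hashlib.sha512(image_bytes).hexdigest() == expected

# Constructed stand-ins for the pulled image and its dc3dd log (hypothetical values).
SAMPLE_IMAGE = bytes(range(256)) * 16
SAMPLE_LOG = ("input results for device `/dev/block/mmcblk0':\n"
              f"   {hashlib.sha512(SAMPLE_IMAGE).hexdigest()} (sha512)\n")
```

After `adb pull` of the image and log from the micro-SD card, `verify_image` confirms the copy on the workstation still matches what dc3dd hashed on the device.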
