
Android on the Loose

Andrew Hoog explores the challenges posed by Google's mobile platform, Android.

When Google, the world's largest search company, moved into the mobile application platform business, the lines between mobile/cell forensics and traditional computer forensics became even blurrier. Until recently, most cell phones have awkwardly tried to participate in both the voice and data worlds: devices that were phones first, with data applications bolted on as an afterthought. Android, however, was built from the ground up as a data-aware device and as such provides a wealth of information about how it was used and, ultimately, about the user. This article will provide an overview of the Android platform, including supported hardware devices, the structure of the Android development project, the implementation of core services such as wireless communication, data storage and other low-level functions, strategies to forensically acquire an image of the device and, finally, techniques effective in the analysis of its file systems.

History and background

Android is an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance, a group of major mobile device hardware and software vendors. The first Android device was released in October 2008 and by early 2010, 41 Android devices will be commercially available. An October 2009 report released by Gartner predicted that by 2012 Android will be the second largest smart phone platform with 18% of the market (totalling 94.5 million units sold). Already, Android devices account for 20% of the traffic generated by smart phones (the largest share being the iPhone at 55%) according to an October 2009 report by AdMob. But enough statistics; nearly everyone agrees that Android is poised to make a significant impact on the smart phone (and forensics) market. The open source nature of the project has not only established a new direction for the industry (forcing behemoths like Nokia/Symbian to open source their platform) but enables a developer or code-savvy forensic analyst to understand the device at the most fundamental level. As the core platform is quickly maturing and is provided free of charge, carriers and hardware vendors alike can focus their efforts on customizations intended to retain their customers. And let's face it, Android has buzz. It is unlikely Motorola could have generated more than a mild yawn from consumers about their next phone if it wasn't something radically new.

Technologies and forensic considerations

As mentioned earlier, Android is based on the Linux 2.6 kernel. For those of us involved in Linux and Unix over the years, the familiar architecture will aid in understanding and analysing the device. While the devices currently available all use ARM-based processors, Android is being ported to other architectures; in the near future, expect to see ports to both Intel and MIPS, if not more. Unlike traditional Linux, though, Android does not use the standard C library and instead uses the Bionic C library (a BSD-derived implementation), which means that native executables must be compiled against that library to run on the device. However, only a small group of developers needs to be concerned with this, as user application development in Android is done in Java and runs in a Dalvik virtual machine. The choice of the non-standard Dalvik VM has upset some, as standards in the Java world would have pointed to Java ME as the platform, so the promise of write-once, run-everywhere is once again thrown a curveball. Each user application runs in its own process, with its own Dalvik virtual machine (DVM) instance and its own Linux user id, and that per-application user id is the key mechanism used to enforce data security: the isolation is enforced by the Linux kernel through ordinary process and file permissions on the application's private data directory, not by the VM itself. An application can therefore only access its own data unless another application explicitly exports data and the phone owner grants the requesting application the corresponding permission. So each time an application is installed on an Android device, the user is presented with a screen listing the permissions the new application requests, which must be accepted before installation proceeds.

Discretion required

As a result of this sandboxed architecture, forensic examiners have no built-in mechanism on the phone to extract core user data. Instead, new techniques must be developed, and they require some interaction with the device. This brings us to the inevitable discussion of the challenges of mobile phone forensics. A fundamental goal in digital forensics is to prevent any modification of the target device by the examiner. However, mobile phones lack traditional hard drives which can be shut down, connected to a write blocker and imaged in a forensically sound way. As such, the examiner must use their discretion when examining a mobile device and, if the device is modified, must explain how it was modified and, as importantly, why that choice was made. There are critics of this approach who point out that any modification of the target device is unacceptable, and certainly avoiding modification is a primary goal for every examiner. While I understand that position, the reality of the smart phone dilemma is that, short of physical memory chip extraction, every technique will modify the device in some way; sticking one's head in the sand about evolving digital devices isn't going to help solve any crimes. In fact, techniques which alter the device in a known and documented way have been in place for some time. Some examples of such approaches are live memory analysis after a malware attack, a live image of an encrypted drive while it is still mounted, or a live image of a complex RAID environment; any examiner who cannot see the need and value in these examples should probably just focus on traditional cases involving a hard drive which can be removed.

But before we get into specific techniques, there are a few additional concepts that are key to understanding how Android devices work. The Linux kernel acts as an abstraction layer between the device hardware and the user applications. It provides memory and process management, hardware drivers and other core functionality, allowing the application developer to focus on development through an application framework and its supporting libraries. The libraries cover needed functionality such as graphics rendering and acceleration (OpenGL), font rendering (FreeType), media support using OpenCORE (audio, pictures, video, etc.) and structured data storage (SQLite), to name a few. An Android application developer interacts at one additional level of abstraction, the Application Framework. Using this layer, the developer has access to the device's core functionality in a simplified and structured way. Google has provided considerable documentation on these topics which should be reviewed to better understand how the device works. One key concept is that of a Content Provider. These interfaces allow applications to share their own data with other applications as well as access other applications' data. For the examiner, the significance is that the data behind a content provider is typically an SQLite database stored in the application's private directory, so what the framework exposes selectively through the provider is available in full once the file system itself can be read.
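To make the storage layer concrete, here is an added example of the kind of triage an examiner performs on an SQLite database recovered from an application's private directory. It is my own illustration for this article, not code from the article or from the Android project. The database it analyses is constructed inline as a stand-in for an app store such as an SMS database (on a real device such files live under /data/data/<package>/databases/, which is only readable with root access); the table names, numbers and message bodies are made up. The script hashes the file, parses the SQLite file header to report page size and the number of freelist pages (freed pages are where deleted records linger until a VACUUM), dumps every user table through a read-only connection, and re-hashes the file to confirm that the analysis did not alter the evidence.

```python
"""Added example (not code from the article): triage an SQLite database
pulled from an Android app's private data directory without altering it."""
import hashlib
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def build_sample_db(path):
    """Create a CONSTRUCTED stand-in for an app database (here an SMS store).

    All rows are invented for this example. A table is created, filled and
    dropped so that the file carries freelist pages, as a real database does
    after records have been deleted."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = 4096")  # must precede the first table
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
        [("+15555550100", 1262304000000, "meet at 9"),
         ("+15555550199", 1262390400000, "bring the drive")])
    conn.execute("CREATE TABLE junk (payload TEXT)")
    conn.executemany("INSERT INTO junk VALUES (?)", [("X" * 200,)] * 400)
    conn.commit()
    conn.execute("DROP TABLE junk")  # its pages go to the freelist
    conn.commit()
    conn.close()
    return path


def sha256_file(path):
    """Hash the whole file; taken before and after analysis."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def parse_header(path):
    """Decode the 100-byte SQLite header (offsets per the SQLite file format)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = int.from_bytes(hdr[16:18], "big")
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    return {
        "page_size": page_size,
        "db_pages": int.from_bytes(hdr[28:32], "big"),
        "freelist_pages": int.from_bytes(hdr[36:40], "big"),
    }


def triage_db(path):
    """Hash, parse the header, dump every user table read-only, re-hash."""
    before = sha256_file(path)
    report = {"sha256": before, **parse_header(path), "tables": {}}
    # mode=ro refuses writes; the examiner must still preserve any -journal
    # or -wal file found next to the database, since it may hold rolled-back
    # or not-yet-checkpointed records.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    cur = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")
    for (name,) in cur.fetchall():
        quoted = '"' + name.replace('"', '""') + '"'
        report["tables"][name] = conn.execute(f"SELECT * FROM {quoted}").fetchall()
    conn.close()
    report["unmodified"] = sha256_file(path) == before
    return report


def demo_triage():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        return triage_db(build_sample_db(os.path.join(d, "mmssms.db")))


if __name__ == "__main__":
    rep = demo_triage()
    print("sha256:", rep["sha256"])
    print("page size:", rep["page_size"], "db pages:", rep["db_pages"],
          "freelist pages:", rep["freelist_pages"])
    for table, rows in rep["tables"].items():
        print(table, rows)
    print("evidence unmodified:", rep["unmodified"])
```

The dropped table no longer appears in sqlite_master, but the header shows its pages sitting on the freelist; recovering their contents requires carving the raw pages, which the read-only SQL dump above cannot reach. That gap is exactly why a physical image of the data partition is worth more than a logical export through the application framework.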



The full article appears in Issue 2 of Digital Forensics Magazine, published 1st February 2010.

