Android DFI

The role of a Digital Forensics Investigator (DFI) is rife with continuous learning opportunities, particularly as technology expands and proliferates into every corner of communications, entertainment and business. As DFIs, we deal with a daily onslaught of new devices. Many of these devices, like the mobile phone or tablet, use common operating systems that we need to be familiar with. Certainly, the Android OS is predominant in the tablet and mobile phone industry. Given the predominance of the Android OS in the mobile device market, DFIs will encounter Android devices in the course of many investigations. While there are several models that suggest approaches to acquiring data from Android devices, this article introduces four viable methods that the DFI should consider when gathering evidence from Android devices.

Android is the open source and ‘free to use’ operating system for mobile devices developed by Google. Significantly, early on, Google and other hardware companies formed the “Open Handset Alliance” (OHA) in 2007 to foster and support the growth of Android in the marketplace. The OHA now consists of 84 hardware companies including giants such as Samsung, HTC, and Motorola (to name a few). This alliance was established to compete with companies that had their own market offerings, such as competitive devices offered by Apple, Microsoft (Windows Phone 10 – which is now reportedly dead to the market), and Blackberry (which has ceased making hardware). Regardless of whether an OS is defunct or not, the DFI should know about the various versions of multiple operating system platforms, especially if their forensics focus is in a particular realm, such as mobile devices.

Linux and Android

The current iteration of the Android OS is based on Linux. Keep in mind that “based on Linux” does not mean the usual Linux programs will always run on Android and, conversely, the Android apps that you may enjoy (or are familiar with) will not necessarily run on your Linux desktop. Linux is not Android. To clarify the point, note that Google selected the Linux kernel, the essential part of the Linux operating system, to manage the hardware chipset processing so that Google’s developers would not need to be concerned with the specifics of how processing occurs on a given set of hardware. This allows their developers to focus on the broader operating system layer and the user interface features of the Android OS.

A Large Market Share

The Android OS has a substantial share of the mobile device market, primarily due to its open-source nature. In excess of 328 million Android devices were shipped as of the third quarter in 2016. And, according to, the Android operating system had the majority of installations in 2017, nearly 67%, as of this writing.

As DFIs, we can expect to encounter Android-based hardware in the course of a typical investigation. Due to the open source nature of the Android OS in combination with the diverse hardware platforms from Samsung, Motorola, HTC, etc., the variety of combinations between hardware type and OS implementation presents an additional challenge. Consider that Android is currently at version 7.1.1, yet each phone manufacturer and mobile device supplier will typically modify the OS for its specific hardware and service offerings, adding another layer of complexity for the DFI, since the approach to data acquisition may vary.