This page covers the basics of Android, Android forensics, and deleted text messages. Its goal is to educate legal professionals and clients alike on the benefits of including mobile devices in the discovery process. Cell phones can play a vital role in many types of civil litigation, and when mobile devices are left out of eDiscovery we typically find cause for concern. We hope this page is not too technical, yet educational on the benefits of including cell phones in the discovery process.
Android Inc. was founded in 2003 and acquired by Google in 2005. Android is based on the open-source Linux kernel.
Android has grown into the most popular operating system for mobile phones and tablets. It is an open-source project with many variations, or ROMs, from different development communities; from a forensics standpoint they usually share many similarities.
Android 5.x (Lollipop) was released 11/12/2014. A major change was that devices shipping with this version were supposed to come out of the box with “whole disk encryption”, meaning the entire operating system is encrypted. Because encryption consumes system resources and can drain battery life, Google changed its position on requiring encryption out of the box and left the decision to the manufacturer. If a device is found to be encrypted, a password will normally need to be provided to gain access to the data. Previous versions of Android also supported encryption, but the exposure of security concerns such as the NSA scandal, together with more powerful hardware and batteries that negate the drawbacks of encryption, has made it more popular than ever, and this has significantly changed the forensics landscape for this operating system.
In previous versions of Android, when data such as images or text messages was deleted it was not actually erased; it was left in place and marked as available to be overwritten. As long as the data had not been overwritten it could be retrieved through a process called “carving”.
Carving is the practice of searching an input for files or other kinds of objects based on their content rather than on metadata. File carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when analyzing damaged media.
With disk encryption, however, once data is deleted by the operating system it is non-recoverable. It is important to point out that this is the default behavior of the operating system and not necessarily of an application. In most cases we perform what is referred to as a “physical acquisition”, which can currently be obtained on Android 4.4.4 (KitKat) and older. Some devices on 5.0.1 and newer can yield a physical acquisition through rooting. We simply need to know the make, model, and software version of the device in question to know what can be done with it. We currently support 23,461 device profiles and 4816 app versions.
As with most things in digital forensics, there are exceptions to the standard rules. The exception is this: if you can “root” a device running version 4.4.4 or later, you will more than likely be able to obtain a physical acquisition of it. This is a rule of thumb and not a promise.
Rooting a device simply means gaining access to the root of the device with the permissions needed to take developer-level actions on the device itself. Sometimes rooting can be done in under a minute; at other times it has required over two full days of work to gain root access. Every device is different when it comes to rooting.
Bricking is a term used in the electronics industry for a software update that renders the hardware useless after the update.
Applications on Android run within what is called a “sandbox”. The sandbox is meant to isolate an application from the rest of the system so that if the application has a security vulnerability, its impact can be contained. It also gives applications the autonomy to set some of their own rules, such as how they handle encryption and the deletion of data.
Luckily there is a growing movement towards applications with multimedia features that carry forensically useful data. This may include images, messages, contact information, call and chat logs, and timestamps along with other information. These applications may not use encryption at all, or may use encryption that is weak or has known exploits. Their data is typically stored in a database and remains there until the space is needed or the database cleans itself up for maintenance.
So even with the move towards device encryption, some users may be unable to use this feature due to hardware constraints, or may choose not to. If the device can be accessed there may be a wealth of information to be obtained.
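As an added example (not part of the original page or Decipher Forensics' tooling), the following Python script ties together the two points above: a message deleted through an app's database disappears from any query, yet content-based carving of the raw file bytes still finds it, while a wiping setting (SQLite's secure_delete, standing in for encryption or an app that scrubs) removes that chance. The sms table columns and the sample messages are constructed assumptions, not data from the page.

```python
import re
import sqlite3
import tempfile

# Constructed sample rows; address/date/body mimic an Android SMS table (assumed).
SAMPLE_MESSAGES = [
    ("+15550100", 1415750400, "Contract signed, sending the PDF tonight"),
    ("+15550101", 1415754000, "Delete this thread before the audit"),
    ("+15550102", 1415757600, "Lunch at noon?"),
]

def build_and_delete(path, delete_id=2, secure_delete=False):
    """Create the database, then delete one row through the normal SQL API.
    secure_delete=False (SQLite's usual setting) only marks the freed cell
    reusable; its bytes stay on disk. True zeroes it, modelling a wiping app."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT,"
                " date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms(address, date, body) VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = ?", (delete_id,))
    con.commit()
    con.close()

def live_bodies(path):
    """What the app, or a logical extraction that only queries the DB, sees."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY _id")]
    con.close()
    return rows

def carve(path, pattern):
    """Content-based carving: scan the raw file bytes for a pattern, ignoring
    the database structure entirely. Returns (offset, matched bytes) pairs."""
    with open(path, "rb") as f:
        raw = f.read()
    return [(m.start(), m.group()) for m in re.finditer(pattern, raw)]

def demo(secure_delete=False):
    """Delete message 2; return the SQL view, raw keyword hits for its body, and
    a generic printable-string carve (which also picks up schema text)."""
    deleted_body = SAMPLE_MESSAGES[1][2].encode()
    with tempfile.TemporaryDirectory() as tmp:
        db = tmp + "/mmssms.db"
        build_and_delete(db, delete_id=2, secure_delete=secure_delete)
        strings = [s for _, s in carve(db, rb"[ -~]{8,}")]
        return live_bodies(db), carve(db, re.escape(deleted_body)), strings
```

Calling demo() shows the deleted body absent from the SQL result but present in both carves; demo(secure_delete=True) returns no raw hits, which is the situation the page describes once the operating system or app wipes what it deletes. The generic carve also returns the CREATE TABLE text and other fragments, so carved output always needs triage before it is treated as evidence.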
More information can be found here: https://en.wikipedia.org/wiki/Android_%28operating_system%29
To learn more about recovering deleted text messages, please visit our page here.
Decipher Forensics LLC 686 East 110 South Ste. 104 American Fork, Utah 84003