Android Forensics and Deleted Text Messages

Android Forensics

This article covers the basics of Android, Android forensics and deleted text messages.
Android Inc. was founded in 2003 and acquired by Google in 2005. Android is based on the open-source Linux kernel.

Android has grown into the most popular operating system for mobile phones and tablets. Android is an open source project with many variations, or ROMs, from different development communities, and these usually share many similarities from a forensics standpoint.

Android 5.x, or Lollipop, was released 11/12/2014. A major change was that devices shipping with this version were supposed to come out of the box with “whole disk encryption”, meaning that the entire operating system is encrypted. Since encryption takes system resources and can drain battery life, Google has recently changed its position on all devices being encrypted out of the box and has left the decision up to the manufacturer. Previous versions of Android were already compatible with encryption, but the recent exposure of security concerns such as the NSA scandal, together with more powerful hardware and batteries that negate the drawbacks of encryption, has made it more popular than ever, and this has significantly changed the forensics landscape for this operating system.

In previous versions of Android, when data such as images or text messages was deleted it was not actually erased; it was set aside and marked as available to be overwritten. As long as the data had not been overwritten, it could be retrieved through a process called “carving”.

Android Investigations

Carving is the practice of searching an input for files or other kinds of objects based on their content rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with files that were deleted long ago or when analysing damaged media.
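The following is an added illustration of content-based carving and is not code from the original article. It scans a constructed byte string (standing in for a raw disk image) for JPEG start/end markers and for runs of printable text, ignoring any file system metadata, which is exactly what lets an orphaned, not-yet-overwritten object be recovered; the marker constants are real JPEG markers, but the sample image and its payloads are made up for the demonstration.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker, followed by the first segment marker
JPEG_EOI = b"\xff\xd9"       # End Of Image marker


def make_fake_jpeg(payload: bytes) -> bytes:
    """Build a JPEG-shaped blob (SOI + APP0 marker byte + payload + EOI); not a decodable image."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


# Constructed "disk image": filler bytes with two complete JPEG-shaped objects and one
# header whose footer was overwritten. No directory entries exist for any of them.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + make_fake_jpeg(b"first-photo")
    + b"\x00" * 32
    + make_fake_jpeg(b"deleted-but-not-overwritten")
    + b"\x00" * 16
    + JPEG_SOI + b"\xe0" + b"truncated"   # header with no footer: partially overwritten
)


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (offset, blob) for every SOI..EOI span found, based purely on content."""
    results = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            # Header with no plausible footer: treat as a fragment and keep scanning.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        results.append((start, data[start:end]))
        pos = end
    return results


def carve_strings(data: bytes, min_len: int = 8):
    """Crude text carving: every run of printable ASCII at least min_len bytes long."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at offset {offset}, {len(blob)} bytes")
    for offset, text in carve_strings(SAMPLE_IMAGE):
        print(f"string at offset {offset}: {text!r}")
```

The truncated third header is deliberately skipped rather than carved, since a carver that pairs a header with the next footer it sees would otherwise glue unrelated fragments together.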

With disk encryption, however, once data is deleted by the operating system it is not recoverable. It is important to point out that this is the default behaviour of the operating system and not necessarily of an application. In most cases we run into, carving, or what is referred to as “physical acquisition”, can currently be obtained on Android versions 4.4.3 (KitKat) and older. From version 4.4.4 (KitKat) and newer, only a logical acquisition can be obtained.

As with most things in digital forensics, there are always exceptions to the standard rules. The exception here is this: if you can “root” a device running version 4.4.4 or later, you will more than likely be able to obtain a physical acquisition of it.

Rooting a device is simply gaining access to the root directory of the device with the appropriate permissions to take developer-level actions on the device itself. Sometimes rooting a device can be done in under a minute; at other times it has required over two full days of work to gain root access. Every device is different when it comes to rooting.

If your case requires the further step of rooting a 4.4.4 or newer device, precautions should be taken and warnings given.
Let me start with the warning. Attempting to root a device will void the warranty, and you run the risk of “bricking” the device.

Bricking is a term used in the electronics industry by software developers for a software update that renders a piece of hardware useless once it has been applied.

From a precautionary stance, you need to make sure the device has been fully backed up to a computer. This is simple insurance in case you do end up bricking the device. From a forensic point of view, rooting a device does change valuable metadata. I would highly recommend that a logical forensic extraction of the device also be taken before backing it up or attempting to root it. It is also a best practice to document everything you do to the device, as well as when and why. Your changes to the device could come under scrutiny in the future in a deposition or while sitting on the stand. Making changes to any electronic device is a digital forensic no-no. As I said earlier, though, circumstances do on occasion require actions like rooting in order to gather all the evidence.

Applications on Android run within what is called a “sandbox”. The sandbox is meant to isolate an application from the rest of the system so that a security vulnerability in it can be contained. It also gives applications the autonomy to set some of their own rules, such as how to handle encryption and the deletion of data.

Luckily, there is a growing movement towards applications with multimedia features that send forensically useful data. This may include images, messages, contact information, call and chat logs and timestamps, along with other information. These applications may not use encryption, or may use encryption that is weak or has known exploits. Their data is typically stored in a database and remains there until the space is needed or the database cleans itself during maintenance.

So even with the move towards device encryption, some users may not be able to use this feature due to hardware constraints, or may choose not to. If the device can be accessed, there may be a wealth of information to be obtained.


Decipher Forensics LLC   686 East 110 South Ste. 104 American Fork, Utah 84003