From an expert's standpoint, an Android phone is a large repository of data, which can be stored either locally or remotely. Its platform also allows analysts to acquire device data and evidence, collecting information about its owner and the facts under investigation. By exploring and cross-referencing that rich data source, one can obtain information related to unlawful acts and their perpetrator. There are widespread and well-documented approaches to the forensic examination of mobile devices and computers. Nevertheless, they are neither specific nor detailed enough to be applied to Android cell phones. These approaches are not entirely adequate for examining modern smartphones, since these devices have internal memories whose removal or mirroring procedures are considered invasive and complex, owing to the difficulty of gaining direct hardware access. In addition, forensic tools do not support examination and analysis when dealing with specific file systems, such as YAFFS2 (Yet Another Flash File System). Furthermore, the specific features of each smartphone platform have to be considered before acquiring and analyzing its data. To deal with those challenges, this paper proposes a method to perform data acquisition and analysis of Android smartphones, regardless of version and manufacturer. The proposed approach takes into account existing techniques of computer and cell phone forensic examination, adapting them to specific Android characteristics, its data storage structure, popular applications and the conditions under which the device was sent to the forensic examiner. The method was defined in a broad manner, without naming specific tools or techniques. It was then applied to the examination of six Android smartphones, which covered different scenarios that an analyst might face, and was validated as able to perform an entire evidence acquisition and analysis.
Forensic analysis, data acquisition, evidence analysis, cell phone, smartphone, Android.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 6, Number 1, pages 28-43, DOI: 10.5769/J201101002 or http://dx.doi.org/10.5769/J201101002
Acquisition and Analysis of Digital Evidence in Android Smartphones
By André Simão, Fábio Sícoli, Laerte Melo, Flávio Deus, Rafael Sousa Júnior