Mobile forensics is a branch of digital forensics that is evolving in today’s digital era and is constantly changing as new phones are released and operating systems are updated. Android forensics deals with extracting, recovering, and analyzing data present on an Android device through various techniques. Due to the open nature of the Android operating system, these forensic techniques and methods can apply to more than just mobile phones: refrigerators, vehicle entertainment units, televisions, watches, and many
more devices run Android. It’s important to have a clear understanding of the platform and other fundamentals before we dive in and find out how to extract data. In this chapter, we’ll cover the following:
(1) Mobile forensics
(2) The mobile forensics approach
(3) Challenges in mobile forensics
(4) Android architecture
(5) Android security
(6) Android hardware components
(7) Android boot process
The world today is experiencing technological innovation like never before, and this growth is almost exponential in the field of mobile devices. Gartner, a technology research and advisory firm, in their forecasts published in January 2022, estimated that mobile phone shipments in 2021 totaled 2.28 billion units and would increase to 2.32 billion in 2022This statistic alone reflects the unprecedented growth of mobile devices. Mobile phones have not only increased in number but also have become more sophisticated in terms of functionality. The increase of mobile phone subscribers from 1997 to 2022 is
significantly high.
You probably don’t need to be told that smartphones are an increasingly large subset of mobile phones. The improvements in the computing power and data storage of these devices enable us to perform a wide range of activities, and we are increasingly becoming dependent on these mobile devices. Apart from performing routine tasks such as making calls and sending messages, and so on, these devices also support other activities such as sending emails, surfing the internet, recording videos, creating and storing documents,identifying locations with Global Positioning System (GPS) services, and managing
business tasks. In other words, mobile devices are now repositories of sensitive personal information.
Quite often, the data sitting in a device is more valuable than the device itself. Imagine a case involving the smartphone of a suspected terrorist; how useful would it be for law enforcement to access every contact, call, SMS, or email that the suspect had sent or received? Or, perhaps even better, every location that the phone had been? While much of this data is generally available through the service provider, that often requires additional warrants or subpoenas and can take a significant amount of time. And consider third-party applications; WhatsApp chat content, for example, is end-to-end encrypted, and no amount
of subpoenas to Facebook can recover that data. This book will show you how to recover data, such as WhatsApp chats, that may not be recoverable through any other method. The fact that mobile forensics played a crucial role in solving cases such as the 2010 Times Square car bombing attempt and Boston marathon bombings, reaffirms the increasing role of mobile forensics in solving many cases.
Mobile forensics
Mobile device forensics is a branch of digital forensics that deals with extracting, recovering, and analyzing digital evidence or data from a mobile device under forensically sound conditions. Simply put, it deals with accessing the data stored on devices, which includes SMS, contacts, call records, photos, videos, documents, application files, browsing history, and so on, and recovering data deleted from devices using various forensic techniques. It is important that the process of recovering or accessing details from a device is forensically sound if it has to be admitted in a court of law and to maintain the integrity of the evidence. If the evidence has to be admitted in a court of law, it’s important to work
only on the image file and not on the original device itself.The term forensically sound is often used in the digital forensics community.to clarify the correct use of a particular forensic technology or methodology. Mobile forensics, especially Android forensics, is evolving fast, owing to the fact that it has a total the market share of 85 percent (as per market research firm, IDC).
As explained by Eoghan Casey, in his book Digital Forensics and Investigation, forensic soundness is not just about keeping the original evidence unaltered. Even the routine task of acquiring data from a hard drive using a hardware write blocker may cause alterations (for example, making a hidden area of the hard drive accessible) on the drive. One of the keys to forensic soundness is documentation. Documenting how the device is handled from the beginning is very important. Hence, an investigation can be considered forensically sound if the acquisition process preserves the original data and its authenticity and integrity can be validated. Evidence integrity checks ensure that the evidence has not been tampered with from the time it was collected. Integrity checks are done by comparing the
digital fingerprint of the evidence taken at the time of collection with the digital fingerprint of the evidence in its current state.
There is a growing need for mobile forensics due to several reasons, some of which include
the following:
(1) Use of mobile phones to store personal information
(2) Increased use of mobile phones to perform online activities
(3) Use of mobile phones in several crimes
Mobile forensics on a particular device is primarily dependent on the underlying operating
system. Hence, we have different fields such as Android forensics, iOS forensics, and so oN.