A General Forensics Acquisition for Android Smartphones with Qualcomm Processor
Smartphones have become integrated into every aspect of our lives. However, smartphones are also increasingly used in crimes [1]. Mobile phones involved in criminal activity often carry important digital evidence for criminal investigations. Because Android holds the largest market share, forensics on Android devices has always been a focus in the field of digital forensics. Data extraction is a key aspect of mobile device forensics; existing extraction solutions can be roughly divided into two categories, logical acquisition and physical acquisition. Logical extraction copies files from device storage through an ADB (Android Debug Bridge) connection. Because logical extraction copies only the logical data of a storage partition, the "unused space" is not extracted, so deleted files cannot be recovered. A physical image is a bit-by-bit copy of a storage partition; it contains all data, including logical files, deleted files, and "empty space" [2]. Vidas et al. [3] outlined a general method for obtaining physical storage images of an Android device using recovery mode. This approach flashes a custom, collection-oriented recovery image onto the Android device, then reboots the device into recovery mode and collects the data images. Son et al. [4] continued the work of Vidas et al. and focused specifically on data integrity concerns when a custom recovery image is used. Son et al. confirmed that acquisition through recovery mode preserves the integrity of the user data partition by comparing data images collected through recovery mode and through JTAG (Joint Test Action Group) [5]. However, if a device's bootloader is locked, it must be unlocked before the recovery partition can be flashed, which is very likely to erase user data. In this paper, we propose an improved scheme for acquiring data images using special modes of Qualcomm processors, which account for more than half of the market share of smartphone CPUs (Central Processing Units). The main contributions of this paper are as follows:

(1) We propose physical acquisition approaches using Qualcomm's 9008 mode and 9006 mode. Through 9008 mode, we can bypass the bootloader lock and flash a custom, collection-oriented recovery image onto the recovery partition of the Android device. Through Qualcomm 9006 mode, we can acquire data images using forensically sound toolkits.

(2) We discuss the data integrity concerns of our approach and evaluate our approaches on various smartphones; our experiments confirm that the proposed methods are practicable and that the integrity of the extracted partition image is preserved.
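The integrity check described above (comparing two images of the same partition, whether acquired through recovery mode, JTAG, or one of the Qualcomm modes) comes down to hashing the images and, when the hashes differ, locating exactly which blocks changed. The following is an added example, not code from the paper or its authors: it hashes two images, reports differing block ranges, and refuses to silently compare images of unequal size. The image contents, the 512-byte block size, and the function names are all constructed assumptions for illustration.

```python
"""Block-level integrity comparison of two partition images.

Added example (not code from the paper): it shows how an image acquired one way
can be checked against an image of the same partition acquired another way.
The image contents below are constructed sample bytes, not real acquisitions.
"""
import hashlib
from typing import List, Tuple

BLOCK_SIZE = 512  # assumed sector size; compare real images at the device's block size


def image_digest(image: bytes, algorithm: str = "sha256") -> str:
    """Hash a whole image; identical digests mean bit-identical acquisitions."""
    h = hashlib.new(algorithm)
    h.update(image)
    return h.hexdigest()


def differing_blocks(a: bytes, b: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Return indices of blocks that differ between two images of equal length.

    A length mismatch is an error rather than a silent truncation, because a
    physical image must cover the whole partition.
    """
    if len(a) != len(b):
        raise ValueError(f"image sizes differ: {len(a)} vs {len(b)}")
    diffs = []
    for idx, off in enumerate(range(0, len(a), block_size)):
        if a[off:off + block_size] != b[off:off + block_size]:
            diffs.append(idx)
    return diffs


def block_ranges(indices: List[int]) -> List[Tuple[int, int]]:
    """Coalesce sorted block indices into inclusive (start, end) ranges for reporting."""
    ranges: List[Tuple[int, int]] = []
    for i in indices:
        if ranges and i == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


def verify_acquisition(reference: bytes, candidate: bytes) -> dict:
    """Summarise whether a candidate image is bit-identical to the reference image."""
    ranges = block_ranges(differing_blocks(reference, candidate))
    return {
        "reference_sha256": image_digest(reference),
        "candidate_sha256": image_digest(candidate),
        "identical": ranges == [],
        "differing_ranges": ranges,
    }


def build_sample_image(n_blocks: int, seed: int) -> bytes:
    """Constructed, deterministic pseudo-content standing in for a partition image."""
    return b"".join(
        hashlib.sha256(f"{seed}:{i}".encode()).digest() * (BLOCK_SIZE // 32)
        for i in range(n_blocks)
    )


# Constructed sample data: a reference image, a repeat acquisition that matches it,
# and a copy in which blocks 3 and 4 were overwritten between acquisitions.
REFERENCE_IMAGE = build_sample_image(8, seed=1)
REPEAT_IMAGE = bytes(REFERENCE_IMAGE)
_mut = bytearray(REFERENCE_IMAGE)
_mut[3 * BLOCK_SIZE:5 * BLOCK_SIZE] = b"\x00" * (2 * BLOCK_SIZE)
ALTERED_IMAGE = bytes(_mut)

if __name__ == "__main__":
    for name, img in (("repeat", REPEAT_IMAGE), ("altered", ALTERED_IMAGE)):
        print(name, verify_acquisition(REFERENCE_IMAGE, img))
```

For real acquisitions the whole-image digest is the value that goes into the case record; the block-range report is what tells an examiner whether a mismatch is a write in a known location (for example a log partition updated on boot) or a sign that the acquisition itself was not sound.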