Chapter 5. Extracting Data Physically from Android Devices

This chapter covers physical data extraction using free and open source tools wherever possible. Most of the material in this chapter uses the ADB methods discussed earlier in this book. By the end of this chapter, the reader should be familiar with the following concepts:

  • What physical extraction means
  • What data to expect from physical extractions
  • Physical data extractions using the dd and nanddump commands
  • RAM imaging and analysis
  • SD card acquisitions
  • JTAG and chip-off methods

Physical extraction overview

In digital forensics, a physical extraction is an exact bit-for-bit image of the electronic media, and this definition holds for mobile devices too. In traditional computer forensics, this typically involves removing the evidence drive from the suspect's computer and imaging it through a write blocker without ever booting from the drive, resulting in an image file containing an exact copy of the suspect's drive. The output is frequently referred to as a raw image, or simply a bin (binary) file. Physical extractions differ from logical ones in that they are an exact copy of the device's memory, and therefore include unallocated space, file slack, volume slack, and so on.

In mobile forensics, the result is the same, an exact bit-for-bit image of the device, but the methods are somewhat different. For example, removing the flash memory from the device in order to image it is both time-consuming and expensive, and requires specialized knowledge (though it can be done, as discussed in the chip-off section later in this chapter). Furthermore, short of using advanced Joint Test Action Group (JTAG) or chip-off methods, the device must be booted to some degree (and, in many cases, written to) in order to access the data. Finally, finding a tool that can even parse the resulting image file can be very difficult. Hard drive images and file systems have long been documented and studied, while mobile images and file systems change frequently; in some cases, mobile file systems are even unique to a specific manufacturer. Knowing what to do with the image after it is acquired can be just as challenging as acquiring the image in the first place!

Many of the techniques discussed in Chapter 4, Extracting Data Logically from Android Devices, will still apply here. Booting into a custom recovery is still the most forensically sound process; physically acquiring a live device should be avoided if at all possible.

What data can be acquired physically?

The short answer is: everything. As a physical acquisition is an exact image of the device, every bit of data on the device is in the image file. As mentioned previously, with a physical extraction, an examiner is usually only limited by their ability to find the relevant data. Generally, this is due to a lack of good image analysis tools in the mobile forensics space. To further compound the matter, applications have been known to encode or otherwise obfuscate user data, so simply browsing through the image in a hex editor will frequently miss valuable evidence. This chapter will show various methods to mount or otherwise view the filesystem of a physical extraction, while Chapter 7, Forensic Analysis of Android Applications, will focus on analyzing data from specific applications.

Root access

Once again, just as with logical extractions, root access is critical for physical extractions. To image a device manually, we have to execute commands on the device from the ADB shell, and these commands require root permissions. If root access cannot be obtained, the SD card can generally still be imaged. Beyond that, the only recourse is JTAG or chip-off.
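The following is an added illustration of the root-dependent imaging workflow this section describes (the dd method listed in the chapter overview); it is not a script from the book. It assumes adb is on the host PATH, that the device's shell can run commands as root through su -c, that the device has dd and sha256sum (toybox on recent Android), and that the block device of interest is /dev/block/mmcblk0; confirm the actual device node on your handset with cat /proc/partitions before imaging. The device is hashed on the device itself before and after the read, and the host-side image hash is compared against those values, so any discrepancy between the evidence and the image is caught immediately.

```shell
#!/bin/sh
# Added example: image a block device over ADB with dd and verify the copy.
# Assumptions (not from the book): rooted device reachable via 'su -c',
# toybox 'dd' and 'sha256sum' on the device, DEV is the node to image.
set -eu

DEV="${DEV:-/dev/block/mmcblk0}"     # assumed device node; check /proc/partitions
OUT="${OUT:-mmcblk0.dd}"             # raw image written on the host

# Hash a local file, using sha256sum if present, else shasum (macOS hosts).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Hash the raw device on the device itself. tr strips the CR that adb shell
# appends on some versions; awk keeps only the digest.
device_hash() {
    adb shell "su -c 'sha256sum $DEV'" | tr -d '\r' | awk '{print $1}'
}

# Stream the whole block device to the host as a raw image.
# 'adb exec-out' delivers a binary-clean stream (plain 'adb shell' may
# translate line endings). conv=noerror,sync carries on past unreadable
# blocks and pads them with zeros, so offsets in the image still match
# offsets on the device.
acquire() {
    adb exec-out "su -c 'dd if=$DEV bs=4096 conv=noerror,sync 2>/dev/null'" > "$OUT"
}

# Return success only if the image's hash equals the expected digest.
verify_image() {
    actual=$(hash_file "$1")
    [ "$actual" = "$2" ]
}

# Full workflow: hash before, image, hash after, then compare all three.
run_acquisition() {
    before=$(device_hash)
    acquire
    after=$(device_hash)
    if [ "$before" != "$after" ]; then
        echo "WARNING: device hash changed during imaging" >&2
        return 1
    fi
    if verify_image "$OUT" "$before"; then
        echo "image verified: $OUT $before"
    else
        echo "hash mismatch: image does not match device" >&2
        return 1
    fi
}

# Only talk to a device when explicitly asked: sh acquire.sh --run
if [ "${1:-}" = "--run" ]; then
    run_acquisition
fi
```

A changed device-side hash between the two reads is expected on a live system (the OS keeps writing to the data partition), which is why the text prefers imaging from a custom recovery; on a quiescent device the before, after and image digests should all agree.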
